HackTheBox-Armageddon
Hello everyone, I hope you are doing well. In this post I will be sharing my writeup for an easy-level HTB machine called Armageddon. The machine had 2 ports open: HTTP, which was running Drupal 7 on an Apache server, and SSH. The foothold involved exploiting a vulnerability in Drupal called Drupalgeddon
that allowed us to get remote code execution and a reverse shell as a low-level user (apache). Through that we enumerated the users and found that brucetherealadmin
was a user. We also found MySQL creds, but the issue was that we didn't have a stabilized shell, and since the distro used in this box was CentOS it was sensitive about not letting us spawn bash, so the only way was brute forcing the user's password over SSH. After getting the password we could use sudo -l
to see what the user can run, and he was allowed to install any snap package using snap, through which we can create and install a malicious package that creates a user and adds him to sudoers with all permissions.
Rustscan
rustscan -a 10.129.89.150 -- -A -sC -sV
Open 10.129.89.150:22
Open 10.129.89.150:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
PORT 80 (HTTP)
Let’s create a new account
But we can't log in, as it says an activation email has been sent, and the box doesn't have any internet connection, so we can't really do much here.
So I tried fuzzing but couldn't find anything interesting other than the default files.
But if we go through these files
we can see that it's using the Drupal CMS,
and going to modules
we can see it's using the Aggregator
module.
Now the website hints at Drupalgeddon,
since "Armageddon"
isn't anything in Drupal, so I searched for a bunch of Drupal 7 exploits, as we can see the version through Wappalyzer.
I tried getting a stabilized shell but was getting permission denied.
We can find the credentials for the database in /var/www/html/sites/default/settings.php:
database => drupal,
username => drupaluser,
password => CQHEy@9M*m23gBVj
Doing /bin/bash -i will give you a bash shell.
Now we know that there's a user on the machine,
so the only option is to brute force the user's password.
Doing sudo -l shows what the user is allowed to run.
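Since this step is a noisy SSH password brute force, here is the defender's side of it: an added example (not from the original writeup) that flags a burst of failed sshd logins for one user from one source address, and notes whether a successful login followed the burst. The log lines are constructed for the example, not taken from the box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (sample data, not from the target).
SAMPLE_LOG = """\
Mar 28 10:00:01 host sshd[2001]: Failed password for brucetherealadmin from 10.10.14.5 port 40001 ssh2
Mar 28 10:00:02 host sshd[2002]: Failed password for brucetherealadmin from 10.10.14.5 port 40002 ssh2
Mar 28 10:00:02 host sshd[2003]: Failed password for brucetherealadmin from 10.10.14.5 port 40003 ssh2
Mar 28 10:00:03 host sshd[2004]: Failed password for brucetherealadmin from 10.10.14.5 port 40004 ssh2
Mar 28 10:00:04 host sshd[2005]: Failed password for brucetherealadmin from 10.10.14.5 port 40005 ssh2
Mar 28 10:00:05 host sshd[2006]: Accepted password for brucetherealadmin from 10.10.14.5 port 40006 ssh2
Mar 28 10:30:00 host sshd[2100]: Failed password for brucetherealadmin from 10.10.14.9 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_sshd_lines(text, year=2021):
    """Yield (timestamp, result, user, ip) for each line that matches the sshd auth format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied (assumed) for parsing
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {(user, ip): (failures_in_window, success_followed)} for every
    (user, source) pair that reaches `threshold` failed logins inside a sliding
    window of `window_seconds`; success_followed is True when an Accepted login
    from the same pair arrives after the burst, i.e. a guess likely succeeded."""
    recent = defaultdict(list)
    hits = {}
    for ts, result, user, ip in parse_sshd_lines(text):
        key = (user, ip)
        if result == "Failed":
            recent[key].append(ts)
            # drop failures older than the window relative to this one
            recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
            if len(recent[key]) >= threshold:
                hits[key] = (len(recent[key]), False)
        elif key in hits:
            hits[key] = (hits[key][0], True)
    return hits
```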
Now here we could try to install a custom snap package. To do that, let's test this locally on our own machine, so first let's install snap,
which is a package manager like apt.
Then install snapcraft, which builds the snap packages.
We can see that it's installed.
To see if we can run snapcraft:
Everything was installed, but it gave me an error when I was trying to build the snap package, so I tried to find some publicly available exploits for snap and came across this:
https://0xdf.gitlab.io/2019/02/13/playing-with-dirty-sock.html
Here we can just copy the base64-encoded text that the Python script prints, pipe it to base64 -d,
and write it to any file name with the .snap
extension. What's happening in that encoded text is that it creates a user called dirty_sock
and adds it to sudoers with all permissions, so it can give us root.
But it was still giving an error that the package must be verified, so to avoid these signature checks
Now it was finally installed. Now to switch to that user and become root.