Hello everyone , I hope you are doing well , in this post I will be sharing my writeup for an easy level HTB machine called Armageddon , the machine 2 ports open http which was running drupal 7 on apache server and ssh , the foothold involve exploiting a vulnerability in druapl called Drupalgeddon that allowed us to get remote code execution and get a reverse shell as a low level user (apache) through that we enumerated the users and found brucetherealadmin was user we also found mysql creds but the issue was we didn’t have a stabilized shell and since the distro of linux used in this box was centos so it was sensitive about not allowing us to spawn bash so the only way was by brute forcing the user’s password on ssh , after getting the password we could use sudo -l to see what the user can run and he was allowed to install any snap package using snap , through which can create and install malicious package by creating a user adding him to sudeors by giving him all permissions.
Rustscan
rustscan -a 10.129.89.150 -- -A -sC -sVOpen 10.129.89.150:22
Open 10.129.89.150:80 PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2xdFP3J4cpINVArODYtbhv+uQNECQHDkzTeWL+4aLgKcJuIoA8dQdVuP2UaLUJ0XtbyuabPEBzJl3IHg3vztFZ8UEcS94KuWP09ghv6fhc
7JbFYONVJTYLiEPD8nrS/V2EPEQJ2ubNXcZAR76X9SZqt11JTyQH/s6tPH+m3m/84NUU8PNb/dyhrFpCUmZzzJQ1zCDStLXJnCAOE7EfW2wNm1CBPCXn1wNvO3SKwokCm4GoMKHSM9rNb9FjGLIY
0nq+8mt7RTJZ+WLdHsje3AkBk1yooGFF+0TdOj42YK2OtAKDQBWnBm1nqLQsmm/Va9T2bPYLLK5aUd4/578u7h
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE4kP4gQ5Th3eu3vz/kPWwlUCm+6BSM6M3Y43IuYVo3ppmJG+wKiabo/gVYLOwzG7js497Vr7e
GIgsjUtbIGUrY=
| 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9ZlC3EA13xZbzvvdjZRWhnu9clFOUe7irG8kT0oR4A
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
PORT 80 (HTTP)
Let’s create a new account
But we can’t login as it says activation email has been sent but the box doesn’t have any internet connection so we can’t really do much here
So I tried fuzzing but couldn’t find anything interesting stuff other than default files
But if we go through these files
We can see that it’s using Druapl CMS and going to modules we can see it's using Agggregator module
Now the website hints us about Drupalgeddon , since # Armageddon isn't anything in drupal so I searched for bunch of drupal 7 exploits as we can see the versions through wappalyzer
I tried getting the stabilized shell but was getting permission denied
We can find the credentials for database from /var/www/html/sites/default/settings.php
database => drupal,
username => drupaluser,
password => CQHEy@9M*m23gBVjDoing /bin/bash -i will give you a bash shell
No we know that there’s a user on machine
So the only option is to brute force the user
Doing sudo -l
Now here we could try to install a custom snap package to do that let’s test this locally on our machine so first let’s install snap which is a package manager like apt
Then install snapcraft which build the snap packages
We can see that it’s installed
To see if we can run snapcraft
Everything was installed but it gave me an error when I was trying to build snap package so I tried to find some publicaly available exploits for snap and came across this
https://0xdf.gitlab.io/2019/02/13/playing-with-dirty-sock.html
Here we can just copy the base64 encoded text which is being printed with python and then pipe it to base64 -d and write it to any file name with .snap extensions. What's happening in that encoded text that's it's creating a user dirty_sock and adding to sudoers giving all permissions to it so it can give us root.
But still it was giving errors that the package must be verified so to avoid these signature checks
Now it was finally installed , now to switch the user and become root
