HackTheBox: Armageddon | My Journey

First of all, i started to scan the open port using nmap

got 2 active port. port 22 for ssh service and port 80 for web server using Drupal7.

Check on browser and i found login page with some functionality like create new account, login, reset password, etc.

I try to create new account but it seems like not working 🤨.

let’s check the web directory or file lists using tools caled dirscan.

200 317B
200 174B
200 1KB
200 109KB
200 2KB
200 18KB
200 2KB
200 9KB
200 18KB
200 5KB
200 10KB
301 237B -> REDIRECTS TO:
200 10KB
200 7KB
200 3KB
200 132KB
301 233B -> REDIRECTS TO:
301 236B -> REDIRECTS TO:
200 9KB
301 237B -> REDIRECTS TO:
200 271B
200 278B
200 743B
200 2KB
200 3KB
301 236B -> REDIRECTS TO:
301 234B -> REDIRECTS TO:
200 0B
200 151B
200 1KB
200 1020B
200 904B
301 235B -> REDIRECTS TO:
200 2KB
200 2KB
200 42B

well, it seem like the configuration file didn’t have enough permission so we can read it😏. Let’s find something usefull from the configuration file

after reading some documentation and opened directories on the web above, i knew that drupal site configuration was located in /sites/default/settings.php

but after i looked up the file, it dosn’t render anything 😣

so, i started to search drupal7 exploit on internet and found something that might be usefull here https://github.com/dreadlocked/Drupalgeddon2.

let’s exploit!

and boom, i got the shell.

let’s see the drupal conf file again

and we got the database credential

because the mysql just accept authentication from localhost and the shell doesn’t support any other terminal to run, so i use this command to execute mysql command just in one line

The first command that i use is SHOW TABLES and there was interesting tables

Let’s check the colums available with SHOW * FROM users and there was some credential information. Let’s get the usefull columns only with SELECT name,pass FROM users.

hmm, i found some password hashes from there. And my assumption. brucetherealadmin is the user account on this machine. Let’s check it with cat /etc/passwd | grep /bin/bash

and yeah, my assumption was right.

Because the password was hashed… can i just crack the password ?

first, i tried to identify the hashes using this website https://hashes.com/en/tools/hash_identifier and found the hash type (it was drupal7)

now i can crack the password using hashcat with these command

7900 is a drupal7 hash mode from hashcat. Reference: https://hashcat.net/wiki/doku.php?id=hashcat

And gotcha. let’s try to ssh with this credential.

got the user flag. now let’s see if i can privesc this accoynt into root🔥.

first of all, i checked sudo available command with sudo -l

i can install any snap package with root permission. let’s check the exploit on internet.

found this CVE https://github.com/initstring/dirty_sock. lets download it and use that on the machine.

on host :

on machine :

but the script didn’t work as expected☹️

started searching again on internet and found this interesting article https://notes.vulndev.io/notes/redteam/privilege-escalation/misc-1

following step on that article, now the snap package was installed and i have new user with this credential dirty_sock:dirty_sock and i can execute all command with sudo on that account.

i can execute sudo su and becoming root user.

that’s the end! Hope you’all enjoyed my long long long (little short?) journey xD

Thank’s for reading. You can reach me in telegram if you want to talk with me. Cheers!



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store