HackTheBox: Armageddon | My Journey

First of all, i started to scan the open port using nmap

got 2 active port. port 22 for ssh service and port 80 for web server using Drupal7.

Check on browser and i found login page with some functionality like create new account, login, reset password, etc.

I try to create new account but it seems like not working 🤨.

let’s check the web directory or file lists using tools caled dirscan.


200 317B http://10.10.10.233:80/.editorconfig
200 174B http://10.10.10.233:80/.gitignore
200 1KB http://10.10.10.233:80/COPYRIGHT.txt
200 109KB http://10.10.10.233:80/CHANGELOG.txt
200 2KB http://10.10.10.233:80/INSTALL.mysql.txt
200 18KB http://10.10.10.233:80/INSTALL.txt
200 2KB http://10.10.10.233:80/INSTALL.pgsql.txt
200 9KB http://10.10.10.233:80/MAINTAINERS.txt
200 18KB http://10.10.10.233:80/LICENSE.txt
200 5KB http://10.10.10.233:80/README.txt
200 10KB http://10.10.10.233:80/UPGRADE.txt
301 237B http://10.10.10.233:80/includes -> REDIRECTS TO: http://10.10.10.233/includes/
200 10KB http://10.10.10.233:80/includes/
200 7KB http://10.10.10.233:80/index.php
200 3KB http://10.10.10.233:80/install.php
200 132KB http://10.10.10.233:80/includes/bootstrap.inc
301 233B http://10.10.10.233:80/misc -> REDIRECTS TO: http://10.10.10.233/misc/
301 236B http://10.10.10.233:80/modules -> REDIRECTS TO: http://10.10.10.233/modules/
200 9KB http://10.10.10.233:80/modules/
301 237B http://10.10.10.233:80/profiles -> REDIRECTS TO: http://10.10.10.233/profiles/
200 271B http://10.10.10.233:80/profiles/minimal/minimal.info
200 278B http://10.10.10.233:80/profiles/testing/testing.info
200 743B http://10.10.10.233:80/profiles/standard/standard.info
200 2KB http://10.10.10.233:80/robots.txt
200 3KB http://10.10.10.233:80/scripts/
301 236B http://10.10.10.233:80/scripts -> REDIRECTS TO: http://10.10.10.233/scripts/
301 234B http://10.10.10.233:80/sites -> REDIRECTS TO: http://10.10.10.233/sites/
200 0B http://10.10.10.233:80/sites/example.sites.php
200 151B http://10.10.10.233:80/sites/all/libraries/README.txt
200 1KB http://10.10.10.233:80/sites/all/modules/README.txt
200 1020B http://10.10.10.233:80/sites/all/themes/README.txt
200 904B http://10.10.10.233:80/sites/README.txt
301 235B http://10.10.10.233:80/themes -> REDIRECTS TO: http://10.10.10.233/themes/
200 2KB http://10.10.10.233:80/themes/
200 2KB http://10.10.10.233:80/web.config
200 42B http://10.10.10.233:80/xmlrpc.php

well, it seem like the configuration file didn’t have enough permission so we can read it😏. Let’s find something usefull from the configuration file

after reading some documentation and opened directories on the web above, i knew that drupal site configuration was located in /sites/default/settings.php

but after i looked up the file, it dosn’t render anything 😣

so, i started to search drupal7 exploit on internet and found something that might be usefull here https://github.com/dreadlocked/Drupalgeddon2.

let’s exploit!

and boom, i got the shell.

let’s see the drupal conf file again

and we got the database credential

because the mysql just accept authentication from localhost and the shell doesn’t support any other terminal to run, so i use this command to execute mysql command just in one line

The first command that i use is SHOW TABLES and there was interesting tables

Let’s check the colums available with SHOW * FROM users and there was some credential information. Let’s get the usefull columns only with SELECT name,pass FROM users.

hmm, i found some password hashes from there. And my assumption. brucetherealadmin is the user account on this machine. Let’s check it with cat /etc/passwd | grep /bin/bash

and yeah, my assumption was right.

Because the password was hashed… can i just crack the password ?

first, i tried to identify the hashes using this website https://hashes.com/en/tools/hash_identifier and found the hash type (it was drupal7)

now i can crack the password using hashcat with these command

7900 is a drupal7 hash mode from hashcat. Reference: https://hashcat.net/wiki/doku.php?id=hashcat

And gotcha. let’s try to ssh with this credential.

got the user flag. now let’s see if i can privesc this accoynt into root🔥.

first of all, i checked sudo available command with sudo -l

i can install any snap package with root permission. let’s check the exploit on internet.

found this CVE https://github.com/initstring/dirty_sock. lets download it and use that on the machine.

on host :

on machine :

but the script didn’t work as expected☹️

started searching again on internet and found this interesting article https://notes.vulndev.io/notes/redteam/privilege-escalation/misc-1

following step on that article, now the snap package was installed and i have new user with this credential dirty_sock:dirty_sock and i can execute all command with sudo on that account.

i can execute sudo su and becoming root user.

that’s the end! Hope you’all enjoyed my long long long (little short?) journey xD

Thank’s for reading. You can reach me in telegram if you want to talk with me. Cheers!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store