CTF-Writeups/HackTheBox/Armageddon.md
2021-07-25 04:13:45 +05:00

5.6 KiB

HackTheBox-Armageddon

Rustscan


rustscan -a 10.129.89.150 -- -A -sC -sV

Open 10.129.89.150:22                                              
Open 10.129.89.150:80 

PORT   STATE SERVICE REASON         VERSION                               
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:       
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)      
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2xdFP3J4cpINVArODYtbhv+uQNECQHDkzTeWL+4aLgKcJuIoA8dQdVuP2UaLUJ0XtbyuabPEBzJl3IHg3vztFZ8UEcS94KuWP09ghv6fhc
7JbFYONVJTYLiEPD8nrS/V2EPEQJ2ubNXcZAR76X9SZqt11JTyQH/s6tPH+m3m/84NUU8PNb/dyhrFpCUmZzzJQ1zCDStLXJnCAOE7EfW2wNm1CBPCXn1wNvO3SKwokCm4GoMKHSM9rNb9FjGLIY
0nq+8mt7RTJZ+WLdHsje3AkBk1yooGFF+0TdOj42YK2OtAKDQBWnBm1nqLQsmm/Va9T2bPYLLK5aUd4/578u7h
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE4kP4gQ5Th3eu3vz/kPWwlUCm+6BSM6M3Y43IuYVo3ppmJG+wKiabo/gVYLOwzG7js497Vr7e
GIgsjUtbIGUrY=                                                            
|   256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9ZlC3EA13xZbzvvdjZRWhnu9clFOUe7irG8kT0oR4A
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)                            
| http-methods:                                                           
|_  Supported Methods: GET HEAD POST OPTIONS                              
| http-robots.txt: 36 disallowed entries                   
| /includes/ /misc/ /modules/ /profiles/ /scripts/               
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt   
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php          
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/     
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16                    
|_http-title: Welcome to  Armageddon |  Armageddon                        


PORT 80 (HTTP)

Let's create a new account

But we can't login as it says activation email has been sent but the box doesn't have any internet connection so we can't really do much here

So I treid fuzzing but couldn't find anything intersting stuff other than default files

But if we go through these files

We can see that it's using Druapl CMS and going to modules we can see it's using Agggregator module

Now the webiste hints us about Drupalgeddon , since # Armageddon isn't anything in drupal so I searched for bunch of drupal 7 exploits as we can see the verions through wappalyzer

I tried getting the stablized shell but was getting permission denied

We can find the credentials for database from /var/www/html/sites/default/settings.php

 database => drupal,                                             
username => drupaluser,                                         
password => CQHEy@9M*m23gBVj
	  

Doing /bin/bash -i will give you a bash shell

No we know that there's a user on machine

So the only option is to brute force the user

Doing sudo -l

Now here we could try to install a custom snap packge to do that let's test this locally on our machine so first let's intall snap which is a package manager like apt

Then install snapcraft which build the snap packages

We can see that it's installed

To see if we can run snapcraft

Everything was installed but it gave me an error when I was trying to build snap package so I tried to find some publicaly available exploits for snap and came across this

https://0xdf.gitlab.io/2019/02/13/playing-with-dirty-sock.html

Here we can just copy the base64 encoded text which is being printed with python and then pipe it to base64 -d and write it to any file name with .snap extensions. What's happening in that encoded text that's it's creating a user dirty_sock and adding to sudoers giving all permissions to it so it can give us root.

But still it was giving errors that the package must be verified so to avoid these signature checks

Now it was finally installed , now to switch the user and become root