Armageddon: HackTheBox Walkthrough
Back after a long time with another HackTheBox machine walkthrough. Hope you like it. Just add armageddon.htb in you /etc/hosts file and start your pawing process.
- Searching exploit
- Metasploit for initial shell
- SQL Commands
- dirty_sockv2 exploit
- Privilege escalation
During my port scanning process, I first use rustscan to find out the number of open ports quickly …
… and then start a detailed Nmap scan on those open ports. This saves scanning time for me.
So Let’s first enumerate port 80. I decided to start a ffuf scan and got robots.txt and some disallowed entries of files && directories.
Now I visited the webpage and decided to use the WhatWeb command for identifying services running for this site and here is the result, it’s Drupal.
Now it’s time to search for exploit available for drupal 7 and for this we can use some ways like using searchexploit in Linux terminal or googling the CMS name.
Searchexploit confirms that there is a Metasploit module present for drupal 7 and we can see the google result also.
Open msfconsole and search for Drupal 7 exploit.
Select the exploit and set the required options
and hit exploit to get the meterpreter session.
Now I typed shell command to get an interactive session and checked which python version is installed but rather than that I was unable to get an interactive shell due to this error.
So, continuing my enumeration I encountered with some file which gives me MySQL login credentials.
Search all these files and you will get MySQL credentials.
Now using these credentials I tried to get the drupal user’s details. First, let’s find out the names of Databases available.
So, we got the database name, now try to find out tables inside the drupal database.
So, table names are listed here. Use the table “users” to get the password hash of the correct user.
Copy the hash and crack it with the best-known tool JohnTheRipper and the best password list rockyou.txt.
Now SSH to the machine using the credentials and we got our first flag. The very first thing I check is What’s the sudo right for the current user. So, this user has got some rights. (LinPEASH.sh also shows this)
Time for some googling. Searching google on “privilege escalation through /usr/bin/snap install “ I got some useful results.
So, what basically happening here is the exploit takes advantage of the snap API to install a snap. The snap actually doesn’t do anything but contains a bash script that will add a user as an install hook. It then uses the api again to remove the snap, but the user remains. So, when we run the script it will add a user in the/etc/sudoers file with all privileges and we can easily escalate our privilege to root.
In the above image when we decode the base64 encoded text we can see a user with the username “dirty_sock” will be created with the password “dirty_sock” who has all the rights.
So, we don’t need the whole code from this link. Copy the “TROJAN_SNAP” part only and use python to decode base64 and save it in a [file_name].snap If any error occurs while decoding in victim machine then decode it and save in your own machine and transfer it using “updog or starting a server locally using python”. I will go with the updog tool it's simply awesome. Start the updog in the directory where you saved the .snap file.
Now in the 10.10.10.233 curl is installed. So, in the /tmp directory transfer the file like this and change the permission.
Run the file with sudo right and a user entry will be listed in the/etc/passwd file.
If this doesn't happen then rest the machine. Now to escalate the privilege to root enter “sudo -i” and we are down now.
Go and grab your root.txt file.
Donation for OSCP exam 👏
Before you go
Here is my other HackTheBox machine walkthrough’s:-
Mr-Lazzy - Overview
Cyber Security Enthusiast 🐱💻. Mr-Lazzy has 7 repositories available. Follow their code on GitHub.
and clap 👏 if you like.