HTB - Armageddon without MetaSploit
Intro
During this box, I'll exploit an outdated version of Drupal in order to get an initial shell. This will allow me to discover user credentials in the Drupal DB. Finally, I'll escalate privileges thanks to an insecure sudo rule (once again).
Target
Recon
A quick look at the box info reveals it's running Linux.
Enum
We run our classic nmap scan:
The above scan confirms we are facing a Linux box with only Apache and SSH running.
The CHANGELOG.txt shows Drupal version 7.56:
After a quick look on Exploit-DB, we'll notice that this version should be vulnerable to Drupalgeddon2.
Let's see!
Exploitation
NB: I like to use searchsploit directly in my terminal; it makes it easy to view an exploit with searchsploit -x relative_path and to mirror it (i.e. copy the exploit into my current directory) with searchsploit -m relative_path.
In our case, we'll be using: searchsploit -m php/webapps/44449.rb
Getting Initial Shell
After firing it up, we'll get a shell:
From here, we can read the Drupal config inside sites/default/settings.php and find the MySQL credentials:
Once we have the creds, we can try to dump the DB with mysqldump, but we'll get an error about a bad character (>). We then need to upgrade our shell.
Let's fire up Burp with the following request and a nc listener:
NB: In case you are wondering, I am using the shell.php from the exploit: I simply copy-pasted the URL into the browser, captured the request with Burp, and converted it to POST. Then I could run a better script.
Once it is done, we can dump the DB like so:
mysqldump -u drupaluser -p drupal > plop.sql
We now look inside the dump and search for the user's information:
It appears our user is called brucetherealadmin and their hash starts with $S$. According to hashcat, this prefix indicates a Drupal 7 hash, which we can confirm it is!
Now to crack it:
hashcat -m 7900 arma.hash /usr/share/wordlists/rockyou.txt
After a little while, the password will be cracked:
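To make the $S$ identification concrete, here is an added Python port of the Drupal 7 password scheme (this is example code written for this writeup, not the exploit's code nor Drupal's own file). It parses a stored hash into its fields, so you can see what hashcat mode 7900 is actually working against: the fourth character encodes log2 of the SHA-512 round count, the next eight characters are the salt, and the rest is a custom base64 digest truncated to 55 characters. The password, salt and round count below are constructed test values, not the ones from the box.

```python
import hashlib
import hmac
import secrets
from math import ceil

# Drupal 7's custom alphabet (includes/password.inc); note it is not RFC 4648 base64.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH = 55   # stored hashes are truncated to 55 characters
DEFAULT_COUNT_LOG2 = 15   # Drupal 7 default: 2**15 = 32768 SHA-512 rounds


def _password_base64_encode(data: bytes) -> str:
    """Port of Drupal's _password_base64_encode(): 3 bytes become 4 ITOA64 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def parse_drupal7_hash(stored: str) -> dict:
    """Split '$S$' + count char + 8-char salt + digest into its fields."""
    if len(stored) < 12 or stored[0] != '$' or stored[1] != 'S' or stored[2] != '$':
        raise ValueError('not a Drupal 7 SHA-512 hash (expected a $S$ prefix)')
    if stored[3] not in ITOA64:
        raise ValueError('invalid iteration-count character')
    count_log2 = ITOA64.index(stored[3])
    return {
        'algorithm': 'sha512',
        'count_log2': count_log2,
        'iterations': 1 << count_log2,
        'salt': stored[4:12],
        'digest': stored[12:],
    }


def drupal7_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt('sha512', ...): salted, iterated SHA-512."""
    setting = setting[:12]
    fields = parse_drupal7_hash(setting)
    pw = password.encode('utf-8')
    h = hashlib.sha512(fields['salt'].encode('ascii') + pw).digest()
    for _ in range(fields['iterations']):
        h = hashlib.sha512(h + pw).digest()
    output = setting + _password_base64_encode(h)
    # Drupal sanity-checks the length before truncating to 55 characters.
    if len(output) != 12 + ceil(8 * len(h) / 6):
        raise RuntimeError('unexpected hash length')
    return output[:DRUPAL_HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2, salt: str = None) -> str:
    """Create a stored hash; passing a fixed salt is only for reproducible tests."""
    if salt is None:
        salt = ''.join(secrets.choice(ITOA64) for _ in range(8))
    return drupal7_crypt(password, '$S$' + ITOA64[count_log2] + salt)


def check_password(candidate: str, stored: str) -> bool:
    """True if the candidate reproduces the stored hash (constant-time compare)."""
    return hmac.compare_digest(drupal7_crypt(candidate, stored), stored)


if __name__ == '__main__':
    # Constructed example values, not the hash from the box.
    h = hash_password('s3cret-example', count_log2=10, salt='abcdefgh')
    print(h, parse_drupal7_hash(h)['iterations'])
    print(check_password('s3cret-example', h), check_password('wrong', h))
```

A hash from a default Drupal 7 site starts with $S$D, since D sits at index 15 in ITOA64, i.e. 32768 rounds; a site that lowered that count makes every leaked hash correspondingly cheaper to crack, which is what to look at when assessing a dump like the one above.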
Getting User’s Shell
We can now log in via SSH as brucetherealadmin with the freshly cracked password and grab the user's flag:
PrivEsc
Now that we are in, the first thing I like to do is check whether I have any sudo rights. This might be an easy win and it is a lot quieter than running a script such as LinPEAS.
Bruce can indeed run sudo snap install:
When I first did the box, there was nothing on GTFObins, but since there is today, let’s do it the easy way!
We simply modify the first line, replacing the id command with cat /root/root.txt.
Finally, we run it like so: sudo snap install plop_1.0_all.snap --dangerous --devmode in order to get root's flag:
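As an added defender-side example (not from the writeup, and not the box's actual sudoers file, which the post does not show), here is a small Python audit of sudoers rules that flags the kind of rule Bruce has: snap install with caller-controlled arguments, which lets the caller pass the --dangerous and --devmode flags used above. It generalises beyond that one rule by also flagging NOPASSWD tags, wildcard arguments and unrestricted ALL grants for non-root users. The sudoers excerpt, the usernames and the group name are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Constructed sudoers excerpt modelled on the writeup; not the file from the box.
SUDOERS_SAMPLE = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
brucetherealadmin ALL=(ALL) NOPASSWD: /usr/bin/snap install *
alice           ALL=(ALL) /usr/bin/systemctl status nginx, /usr/bin/journalctl -u nginx
%devs           ALL=(ALL) ALL
"""

# user host=(runas) [TAG:] command[, command...]   (simplified user-spec grammar)
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)'
    r'(?P<cmds>.+)$'
)


@dataclass
class Finding:
    user: str
    command: str
    reasons: list = field(default_factory=list)


def _check_command(user: str, cmd: str) -> list:
    """Reasons a single command spec is risky; an empty list means no finding."""
    reasons = []
    if cmd == 'ALL':
        if user != 'root':
            reasons.append('unrestricted ALL: full root')
        return reasons
    parts = cmd.split()
    binary = parts[0].rsplit('/', 1)[-1]
    argv = parts[1:]
    wildcard = any('*' in a for a in argv)
    # With no arguments listed, sudo allows any arguments; with a trailing
    # wildcard, the caller can append --dangerous/--devmode, which installs an
    # unsigned local snap whose hooks run as root.
    if binary == 'snap' and (not argv or (argv[0] == 'install' and wildcard)):
        reasons.append('snap install with free arguments allows --dangerous/--devmode')
    if wildcard:
        reasons.append('wildcard argument: caller can append arbitrary options')
    return reasons


def audit_sudoers(text: str) -> list:
    """Return a Finding for every risky command spec in a sudoers-style text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', 'Defaults')):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group('user')
        # Simplification: a tag at the start of the list is applied to every command.
        nopasswd = 'NOPASSWD' in m.group('tags')
        for cmd in m.group('cmds').split(','):
            cmd = cmd.strip()
            reasons = _check_command(user, cmd)
            if reasons:
                if nopasswd:
                    reasons.append('NOPASSWD: no password needed to use the rule')
                findings.append(Finding(user, cmd, reasons))
    return findings


if __name__ == '__main__':
    for f in audit_sudoers(SUDOERS_SAMPLE):
        print(f.user, f.command, '->', '; '.join(f.reasons))
```

Running it on the sample flags only the snap rule and the group-wide ALL grant; the exact-argument rules for alice pass, because sudo only accepts those commands with precisely the listed arguments.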
Outro
I remember loving the first part until user… but the last part was just horrible. I hated it! It was actually so painful that I didn't take any notes on the privesc and didn't even plan to do the writeup… but here I am!