Armageddon — HackTheBox Writeup

Source

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

Skills Required

Skills Learned

Enumeration

Nmap

TL;DR — Drupalgeddon2
The vulnerability can enable remote code execution and results from insufficient input validation on the Drupal 7 Form API. Attacks against Drupalgeddon2 target AJAX requests composed of Drupal Form API’s renderable arrays, which are used to render a requested page through Drupal’s theming system.
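Because the attack rides on ordinary AJAX form requests, the most useful defender-side artifact is the web server log: a request that submits Form API render-array properties (`#post_render`, `#lazy_builder`, and so on) or points `element_parents` at a `#`-prefixed property of a form element has no legitimate browser origin. The following scanner is an added example, not part of the original write-up; the log lines are constructed and the key list reflects well-known Drupalgeddon2 indicators rather than an exhaustive signature.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the original write-up).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Apr/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123
10.10.14.5 - - [01/Apr/2021:10:00:02 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 412
10.10.14.7 - - [01/Apr/2021:10:00:03 +0000] "GET /user/register HTTP/1.1" 200 8891
10.10.14.9 - - [01/Apr/2021:10:00:04 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru HTTP/1.1" 200 300
"""

# Form API render-array properties that never belong in user-supplied input.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#access_callback")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(url: str) -> list[str]:
    """Return the reasons a request URL looks like a Drupalgeddon2 attempt (empty if none)."""
    decoded = unquote(unquote(url))  # double-decode so %2523 -> %23 -> '#' is not missed
    reasons = []
    for key in RENDER_KEYS:
        if key in decoded:
            reasons.append(f"render property {key} in request")
    # Drupal 7 AJAX path: element_parents pointing at a '#' property of a form element
    m = re.search(r"element_parents=([^&]*)", decoded)
    if m and "#" in m.group(1):
        reasons.append(f"element_parents targets form property '{m.group(1)}'")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Parse combined-format lines and return the entries that match an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("url"))
        if reasons:
            hits.append({"ip": m.group("ip"), "url": m.group("url"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["url"], "->", "; ".join(hit["reasons"]))
```

Request bodies are not in the access log, so a POST that carries the render array only in its body needs a WAF or full request capture to be seen; patching to the fixed Drupal release (SA-CORE-2018-002) remains the real mitigation.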

Initial Access

POC — https://github.com/dreadlocked/Drupalgeddon2

Shell
File Permissions
DB Creds
Open sockets
DB table

Note: Due to restrictions on this "apache" service account we can't spawn an upgraded TTY. We will look into that after getting root access.

user credentials
Identify hash
hashcat mode
Cracked Password
user flag
sudo binary

TL;DR — Snap
Snap is a package manager for Linux, much like brew for macOS. It is easy to use, avoids dependency issues, updates automatically and is designed with security in mind.

snap setup
command

Note: By default root doesn't have a .ssh directory, so this script creates it first and then adds my Kali Linux SSH public key (which I kept in the current user's home directory) to root's authorized_keys.

yaml
Build
run snap
root shell

Quirks

dumb shell
SeLinux

Thank you for reading this blog. While attempting this challenge I learned many things. This was a unique target with a unique vulnerability.

References

https://0xdf.gitlab.io/2019/02/13/playing-with-dirty-sock.html
https://initblog.com/2019/dirty-sock/
