Armageddon — HackTheBox Writeup


Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.


Skills Required

Skills Learned



TL;DR — Drupalgeddon2
The vulnerability can enable remote code execution and results from insufficient input validation in the Drupal 7 Form API. Attacks exploiting Drupalgeddon2 target AJAX requests composed of the Drupal Form API’s renderable arrays, which are used to render a requested page through Drupal’s theming system.
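As an added example (not part of the original writeup), here is a defender-side check for the input class described above. Form API render-array property keys begin with `#`, so the check flags, and can strip, request parameters whose PHP-style name contains a `#`-prefixed segment. The function names and sample requests are constructed for illustration.

```python
# Added example: flag request parameters whose names carry Form API
# render-array property keys (a name segment beginning with '#').
# All sample requests below are constructed, not taken from the target.
import re
from urllib.parse import parse_qsl

_SEGMENT = re.compile(r"\[([^\]]*)\]")


def key_segments(key):
    """Split a PHP-style parameter name such as a[b][c] into ['a', 'b', 'c']."""
    head, bracket, rest = key.partition("[")
    if not bracket:
        return [key]
    return [head] + _SEGMENT.findall("[" + rest)


def has_property_key(key):
    """True if any segment of the parameter name starts with '#'."""
    return any(seg.startswith("#") for seg in key_segments(key))


def suspicious_keys(encoded):
    """Return flagged parameter names from a query string or urlencoded body."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [k for k, _ in pairs if has_property_key(k)]


def sanitize(encoded):
    """Return the (name, value) pairs with flagged parameters dropped."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [(k, v) for k, v in pairs if not has_property_key(k)]


# Constructed samples: one carries a '#'-prefixed key, one only has '#' in a value.
FLAGGED = "form_id=example_form&field%5B%23type%5D=markup&field%5Bvalue%5D=hello"
BENIGN = "form_id=example_form&tags%5B%5D=a&note=%23hashtag"

if __name__ == "__main__":
    for sample in (FLAGGED, BENIGN):
        print(sample, "->", suspicious_keys(sample) or "clean")
```

Web server access logs record the query string but usually not POST bodies, so a check like this only sees body parameters when it runs where the full request is visible, such as a reverse proxy or WAF.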

Initial Access


File Permissions
DB Creds
Open sockets
DB table

Note: Due to restrictions on this “apache” service account, we aren't able to spawn an upgraded TTY. We will look into that after getting root access.

user credentials
Identify hash
hashcat mode
Cracked Password
user flag
sudo binary

TL;DR — Snap
Snap is a package manager for Linux, just like brew for macOS. It is easy to use, has no dependency issues, updates automatically and is secure.

snap setup

Note: By default root doesn't have a .ssh directory, so this script creates it first, then adds my Kali Linux SSH public keys (which I have kept in the current user's home directory) to root’s authorized_keys.

run snap
root shell


dumb shell

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.



