Introduction@Armageddon:~$
Column | Details |
---|---|
Name | armageddon |
IP | 10.10.10.233 |
Points | 20 |
OS | Linux |
Difficulty | Easy |
Creator | bertolis |
Out On | 27 Mar 2021 |
Pwned
```
➜ armageddon git:(master) ✗ ssh root@armageddon.htb root@armageddon.htb
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

  System information as of Thu 21 May 2020 06:11:30 AM UTC

  System load: 0.07
  Usage of /: 46.0% of 15.68GB
  Memory usage: 13%
  Swap usage: 0%
  Processes: 218
  Users logged in: 2
  IPv4 address for br-836575a2ebbb: 172.20.0.1
  IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0: 10.10.10.233

Last login: Thu May 21 06:11:12 2020 from 10.10.XX.XX
```
Recon
Nmap
So basically two ports are open: 22 (ssh) and 80 (http).
Port-80
There is a simple login page.

Let’s check the source code for some juicy stuff.

I found the Drupal version: "Drupal 7".

Let’s search on Google for an exploit for this specific version.

Found a rapid7 page.

Let’s try this real quick.

We got the shell.
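For defenders, the Drupalgeddon 2 Forms API property injection listed under Resources leaves a recognisable trace: Form API properties are array keys beginning with `#`, which ordinary request parameters never use. The following is an added example, not part of the original writeup or the Metasploit module, that scans access-log lines for such keys; the log lines, IPs and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (combined log format); IPs and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2021:10:00:01 +0000] "GET /?q=user/login HTTP/1.1" 200 7440
10.0.0.9 - - [27/Mar/2021:10:00:07 +0000] "POST /?q=node&name[%23markup]=x HTTP/1.1" 200 1320
10.0.0.12 - - [27/Mar/2021:10:00:08 +0000] "GET /?q=node&name%5B%23markup%5D=x HTTP/1.1" 200 1320
10.0.0.5 - - [27/Mar/2021:10:00:09 +0000] "GET /node/1?tags[]=news&color=%23ff0000 HTTP/1.1" 200 5121
"""

# Client IP, method and request target from one combined-log-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Each bracketed segment of a PHP-style array parameter name: a[b][c] -> b, c
SEGMENT_RE = re.compile(r"\[([^\]]*)\]")


def hash_prefixed_keys(target):
    """Return query parameter names in which any array key starts with '#'."""
    _, _, query = target.partition("?")
    flagged = []
    # parse_qsl percent-decodes names, so [%23x] and %5B%23x%5D look the same.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        segments = [name.split("[", 1)[0]] + SEGMENT_RE.findall(name)
        if any(seg.startswith("#") for seg in segments):
            flagged.append(name)
    return flagged


def scan(log_text):
    """Return (client_ip, method, flagged_keys) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        keys = hash_prefixed_keys(m.group("target"))
        if keys:
            findings.append((m.group("ip"), m.group("method"), keys))
    return findings


if __name__ == "__main__":
    for ip, method, keys in scan(SAMPLE_LOG):
        print(f"{ip} {method} suspicious parameter keys: {keys}")
```

Access logs only record the query string, so parameters sent in a POST body need the same check at a WAF or reverse proxy.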
Now let’s enumerate some good stuff.

I found an interesting file called `settings.php` inside the `/var/www/html/sites/default/` directory, which contains the MySQL creds.

But before connecting to MySQL, let’s spawn a stable shell first.

The python3 tty shell doesn’t spawn, so let’s try to connect to MySQL without a tty shell.

It’s giving us an error, so let’s try another mysql command.

It works. Let’s fetch the tables inside the drupal database.

Now let’s dump the username and hashes inside the users table.

Now we have the hashes, let’s try to crack them.

We got the password for brucetherealadmin:booboo

Let’s ssh in real quick and get the user.txt.
Privilege escalation
Before running linpeas, let’s try manually first.

Let’s google it for privilege escalation.

Link: Privilege Escalation in Ubuntu Linux (dirty_sock exploit)

This GitHub Python script doesn’t work in this case, so from this script we only need the base64 string; we then decode the base64 string and save it in a file.

Imp: If you can’t "su dirty_sock", reset the box and try again. In my case it worked the second time.

And we pwned it …
Resources
Topic | Url |
---|---|
Drupal Drupalgeddon 2 Forms API Property Injection | https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/ |
Privilege Escalation in Ubuntu Linux (dirty_sock exploit) | https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html |
dirty_sock: Linux Privilege Escalation (via snapd) | https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py |
Hash -> OhKUwkvR$.uL.mlYJOz.ubK/FmXouGbU7vCVCG9s00K7R.ny9ryM.vXNdwZhOGCcq7e3XcbA5UpqUp.9eKY4hfLy9m5aU7/