Armageddon - HTB Write-up

Hello guys! hope you all are doing good. In this blog post, I would like to explain my methodology that I used for pwning the Armageddon box. I hope this would add some educational value for someone who is just starting up with penetration testing. (I am just a wanna be penetration tester. Feel free to point out my mistakes 😜)

1.1 Methodology - Information Gathering

Lets begin by running a Nmap scan. The nmap scan shows that a web application is running on port 80. On checking the CMS technology in use and its version, I could find that the application is built on Drupal 7.


1.2 Methodology - Initial Foothold

Vulnerability Exploited: Drupal 7 CVE-2018-7600. 

Vulnerability Explanation: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. 

Severity: Highly Critical

Ref: https://github.com/dreadlocked/Drupalgeddon2.git

Using the PoC found on the above github, got initial access on the box.


 

This shell only allows execution of one command and the state of the terminal is not maintained. Hence, I uploaded a php backdoor using the above shell prompt.


4.3 Methodology - Reconnaissance

As seen in the previous screenshot, I currently have privileges of apache user. Looking at /etc/passwd file, I could see that there is a user account “brucetherealadmin”. Looking to escalate privileges to brucetherealadmin. 

Further, found credentials for mysql database in “sites/default/settings.php”.


4.4 Methodology - Local Privilege Escalation

Logging into mysql using the database as “drupal”, found that the database contains below tables. Of these, users' tables seem to be of interest. 



Found hashed password for brucetherealadmin.



Cracked the hash value using hashcat.



Local User Account: "brucetherealadmin"

Local User Password: "booboo"

Using the initial information gathering, port 22 (SSH) was seen open. Using the local user account credentials to login through ssh.


4.5 Methodology - Enumeration

While checking for services running, I could see that snap is running. Ran linPEAS for further enumeration. 



Based on linPEAS results, found out that brucetherealadmin had permission to install snap packages as root, without credentials. 

4.6 Methodology - Root Privilege Escalation

Vulnerability Exploited: Dirty Sock Local Privilege Escalation

Vulnerability Explanation: In January 2019, current versions of Ubuntu Linux were found to be vulnerable to local privilege escalation due to a bug in the snapd API.

Severity: Critical

Ref: https://www.exploit-db.com/exploits/46362

Used the below python script to create a PoC snap package. The snap package will create a new user “dirty_sock” and will add this newly created user to /etc/sudoers with rights to run all commands as sudo.



Installed the PoC snap package in devmode.



As seen in the above screenshot, a new user account “dirty_sock” is created. Changed user account to “dirty_sock”.



Dirty_sock has permissions to run all the commands as sudo. Read the flag from /root/root.txt.


Thank you!!

Comments

Post a Comment

Popular posts from this blog

An Overview of SRUM Forensics

Image
Often there comes a scenario where a malware has run on the host system and there is suspicion of data exfiltration. One forensic technique that comes in handy in such situations is SRUM forensics. Introduction to System Resource Usage Monitor SRUM was first introduced in Windows 8 operating system for keeping a track of system resource usage. In particular, information such as process owner, CPU cycles used by the process, data bytes read/written, network data sent/received, Windows push notifications and energy usage is continuously recorded. SRUM is part of diagnostic policy service and it monitors desktop applications, programs, services, windows applications and network connections. The data that is visualized when one open’s the task manager is part of SRUM data feed. The SRUM data collection happens once in every hour and at shut down. SRUM uses the below extensions for monitoring and data collection. Source: Windows 8 SRUM Forensics - SANS DFIR Summit 2015(Slides) b...
Read more

Sparta - 100 (EASY)

Image
After participating in Zh3r0 CTF last year(2020), I thought the CTF had some really cool challenges and so thought of looking at few of the challenges this year too. So, lets just jump straight  into the technical write-up. In this blog, I would be describing my methodology for sparta - 100, which was an easy challenge in web category. The challenge provided with source code along with a Dockerfile for hosting the web application locally. Looking at the source file, it was clear that express/node js was used at the back-end. Looking at the server code, one could see that there is a check to see if "guest" token is passed in cookie. If so, the value of guest token is passed to unserialize() of node-serialize module. That's it! we are talking about a node de-serialization vulnerability here. If the guest token is not part of the cookie, the application would take username, country and city values from the request body and will create a base64 encoded json object. This is...
Read more

Easy-ELF! Reversing.kr Walkthrough

Image
  Let’s begin with the main function. So firstly, the string “Reversing.Kr Easy ELF\n\n” defined in the .data section is printed to stdout. Further, we can see two function calls – sub_8048434 and sub_8048451. Finally, the return value of function sub_8048451 is checked. If the return value is false, string “Wrong\n” is printed to stdout. Let’s now proceed to check function sub_8048434. This function reads an input of type string and stores it at address starting from 0x804A020 using “scanf”. As a test scenario let’s consider our input is “xxxxxxx”. Moving ahead to function sub_8048451. Here we have a series of checks in place. If all the checks are passed, the function returns true or else false. So now let’s analyze each check individually. In the first case, the 2nd byte of the input is checked to verify weather it is “1”. So now we know, the correct key should be something like “x1xxx..”   Then, in the second case, its checks if the 5 th byte of the input ...
Read more