Armageddon | HackTheBox Writeup

Overview

Armageddon is an easy Linux based machine in HackTheBox

User Part

Start with nmap scan shows 2 ports are open.

also shows CHANGELOG.txt file exists.

So checking CHANGELOG.txt reveals Drupal and it’s version

By searching google I found drupalgeddon2 exploit and I used Metasploit for exploitation.

i got shell.

Root Part

in the settings.php file, I got the username and password for MySQL.

MySQL has the option ‘-e’ to execute the command. so I used that and got databases.

with that, I got a username and password.

Using hashcat i identified what hash is that and I decrypt that.

Using that username and password I can log in to ssh.

I checked what commands a current user can run with root privilege using sudo -l.

I got snap.

I found this interesting Repository and found the Payload.

I went through the code, it needs to be decoded by base64.

so I decoded that with base64 -d and saved it as a .snap file.

Then I installed it with sudo privilege and got the installation completed message.

As mentioned above repository, created a new user ‘dirty_sock’.

now I can log in to that user with username as password.

That user has all privilege and I can read root.txt.

Share on facebook
Share on twitter
Share on linkedin