OSCP PREPARATIONS – HTB Armageddon

Armageddon is a retired Linux machine on Hack The Box. The goal is to find its vulnerabilities and obtain the user and root flags.
We start with an nmap scan to get to know the target.
Classic Scan

Full Port Scan

The scan shows two open ports: 22/tcp (OpenSSH 7.4) and 80/tcp (Apache httpd 2.4.6).
Since nothing exploitable stands out on the SSH port, we move on to enumerating port 80.
Port 80 serves HTTP, so we open it in the browser.

The page source, the web analyzer and the browser developer tools gave us nothing useful. There is a user login form, but the default passwords we tried did not work.

We scan for files and directories with gobuster.

The scan did not turn up anything useful.
Let’s check whether the “Drupal 7” version we spotted in the page source has known vulnerabilities.

Searchsploit lists several vulnerabilities. A quick Google search also turns up a proof-of-concept tool for Drupalgeddon2 on GitHub (https://github.com/dreadlocked/Drupalgeddon2).

The tool errored out on the first run; installing the missing Ruby gem with “sudo gem install highline” resolved it.
After that the tool worked.

It gave us a shell as the apache user.
This shell is very limited; even the cd command did not work, so we use it to spawn a proper reverse shell.

Spawning the reverse shell directly failed with a bad-character error, so instead we upload a file into the shell session and run it from there.
We first wrote a bash script that spawns the reverse shell.
wget was not available, so we fetched and ran the script with curl.
Outbound connections on ports such as 8000 and 4747 were blocked, so we used ports 80 and 443 instead.

This is how we got our shell.

Enumerating the machine for credentials, we found the MySQL username and password in /var/www/html/sites/default/settings.php.

We tried to connect to MySQL with these credentials, but kept getting errors because the password contains special characters that the shell mangles.
We then tried the -e parameter, which runs the given statement and exits instead of opening an interactive session.
The errors looked like this:

Here’s how the connection was finally made:

First we listed the databases, then the tables, and finally selected the columns holding the data we wanted.

This gave us the password hash of the brucetherealadmin user.
Let’s try to crack the hash so we can log in as this user over SSH.

We cracked the hash with Hashcat.
With the recovered password we connected over SSH and grabbed the user flag.
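As an added example (not part of the original write-up), here is a Python port of the Drupal 7 “$S$” password hash that Hashcat cracks in the step above. It shows the structure of the stored value (a cost character, an 8-character salt, and a custom base64 of an iterated SHA-512), and gives a defender a check_password/hash_cost_log2 pair for auditing stored hashes; the salts and passwords used are constructed for the example.

```python
import hashlib
import hmac

# Alphabet shared by Drupal's base64 variant and by the cost character at offset 3
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are cut to 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT


def _b64_encode(data):
    # Drupal's little-endian base64 (_password_base64_encode), not RFC 4648:
    # each 3-byte group becomes 4 chars, a trailing 1 or 2 bytes become 2 or 3
    out = []
    for j in range(0, len(data), 3):
        chunk = data[j:j + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def drupal7_hash(password, setting):
    # Port of _password_crypt('sha512'): "$S$" + cost char + 8-char salt + digest
    if len(password) > 512 or setting[:1] != "$" or setting[2:3] != "$":
        return None
    setting, log2, salt = setting[:12], ITOA64.find(setting[3:4]), setting[4:12]
    if not MIN_LOG2 <= log2 <= MAX_LOG2 or len(salt) != 8:
        return None
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(1 << log2):  # 2**log2 further rounds; Drupal's default cost is 15
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]


def check_password(password, stored):
    # Constant-time comparison of a candidate against a stored $S$ hash
    computed = drupal7_hash(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def hash_cost_log2(stored):
    # Cost exponent a defender can audit: below 15 means a cheaper-than-default hash
    return ITOA64.find(stored[3]) if stored.startswith("$S$") and len(stored) > 3 else -1


if __name__ == "__main__":
    # constructed salt "abcdefgh" with cost character 'D' (= 2**15 rounds)
    h = drupal7_hash("constructed-example", "$S$Dabcdefgh")
    print(h, check_password("constructed-example", h), hash_cost_log2(h))
```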

Next we enumerate for privilege escalation. We ran sudo -l to see what can be run with root privileges.

It shows that we can run /usr/bin/snap as root without a password.