🔎🦶Enumeration/Foothold
Armageddon is an Easy box from HTB created by bertolis. This box features the widely known Drupalgeddon exploit and a DirtySock escalation. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I've mentioned in a few of my other posts. Running RustScan with the Nmap filters shows a website available on port 80. Navigating to the website I can see a Drupal site running. Using that alongside the fact that the box is called Armageddon, I check CHANGELOG.txt, which confirms the site is indeed out of date.

Drupal website running on Port 80.
I grab Drupalgeddon2 from GitHub and run it against the host, giving me a web-based shell.

Drupalgeddon2 giving me a web based shell.
I check and find that I can not only create files/folders in the current directory but also use curl to upload a better web shell. I opt for WSO (which is pulled as part of my script from earlier). You can find the web shell in the tennc/webshell repository on GitHub.
🎯Victim Machine
⚠ Attack Machine
Using the web shell I navigate to /var/www/html/sites/default/ and check the settings.php file, which provides the database credentials:
Next I use the built-in SQL browser functionality to browse the Drupal database and grab the hash for brucetherealadmin. I then use john to crack the hash and SSH into the box.

Using WSO SQL functionality to enumerate the database.
🔝Escalation
Once on the box I run sudo -l and find:
I research possible privilege escalation methods involving snap and come across CVE-2019-7304 (DirtySock) on GitHub via its ExploitDB article. Reviewing the code, I just need the TROJAN_SNAP portion and to run it with elevated permissions:
🎯Victim Machine

Rooted Armageddon from HTB.
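The escalation above only needs the TROJAN_SNAP payload because sudo already allows the snap install; the CVE itself is a caller-identity bug in snapd's REST API, which is what makes the same payload work without sudo. The following is an added example, written for this post and not part of the page or of the public exploit: a Python model of that bug. The remote-address format and field names are reconstructed from the public Dirty Sock writeup and are assumptions; the hardened parser is my suggested fix, not upstream's actual patch.

```python
# Added example, not the page's code or the public exploit: a model of the snapd
# caller-identity bug behind CVE-2019-7304 (Dirty Sock). snapd took the caller's pid and
# uid from SO_PEERCRED on its Unix socket and packed them, with the listening socket path
# and the client's own peer address, into one string that it later parsed again. The
# format below is reconstructed from the public writeup (assumption).

LISTENING_SOCKET = "/run/snapd.socket"


def build_remote_addr(pid, uid, peer_addr, listening=LISTENING_SOCKET):
    """pid and uid come from the kernel; peer_addr is whatever path the client bound."""
    return f"pid={pid};uid={uid};socket={listening};{peer_addr}"


def ucrednet_get_vulnerable(remote_addr):
    """Pre-fix behaviour: every ';'-separated token is inspected, so a 'uid=' token that
    arrived inside the client-chosen peer path overwrites the kernel-supplied one."""
    pid = uid = None
    socket = ""
    for token in remote_addr.split(";"):
        if token.startswith("pid="):
            pid = int(token[4:])
        elif token.startswith("uid="):
            uid = int(token[4:])
        elif token.startswith("socket="):
            socket = token[7:]
    return pid, uid, socket


def ucrednet_get_hardened(remote_addr):
    """A defensive parse (my suggestion, not upstream's patch): the three trusted fields
    are positional and must lead the string; everything after them is peer-controlled
    and is never interpreted as a key=value pair."""
    fields = remote_addr.split(";", 3)
    if len(fields) < 3:
        raise ValueError("malformed remote address")
    for field, key in zip(fields, ("pid=", "uid=", "socket=")):
        if not field.startswith(key):
            raise ValueError(f"expected {key!r} field, got {field!r}")
    pid = int(fields[0][len("pid="):])
    uid = int(fields[1][len("uid="):])
    socket = fields[2][len("socket="):]
    return pid, uid, socket


# Constructed scenario: an unprivileged caller (uid 1000) binds its client socket to a
# path carrying its own ';uid=0;' fragment, the trick the Dirty Sock writeup describes,
# and then sends a request to snapd.
ATTACKER_PEER_PATH = "/tmp/sock;uid=0;"
REMOTE_ADDR = build_remote_addr(pid=4242, uid=1000, peer_addr=ATTACKER_PEER_PATH)

if __name__ == "__main__":
    print("vulnerable parse sees uid", ucrednet_get_vulnerable(REMOTE_ADDR)[1])
    print("hardened parse sees uid  ", ucrednet_get_hardened(REMOTE_ADDR)[1])
```

Once snapd believes the caller is uid 0, the same sideload request that sudo performs here (installing the trojan snap with the dangerous and devmode flags, whose install hook adds a sudo-capable user) is accepted over the socket from an ordinary user, which is the path the original exploit's other mode takes.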
