HackTheBox – Armageddon
00:00 – Intro
00:50 – Start of the box, showing a quick way to nmap
02:15 – Looking at web page
03:00 – Looking for Drupal Scanners
04:00 – Showing how I would fingerprint open-source apps if there was no scanner
06:30 – Using Droopescan to scan the site
07:50 – Starting to use Drupalgeddon2 to get a shell
11:40 – Installing gems so Drupalgeddon2 works
12:15 – Drupalgeddon2 works, going from a webshell to reverse shell
16:00 – Confused about OSError: out of pty devices when improving the shell, giving up eventually
17:50 – Looking for users on the box, then hunting for the Drupal configuration
21:00 – Cannot find the Drupal configuration, going to Google and asking how to change the SQL password
22:45 – Logging into the Drupal MySQL database, then dumping the Drupal hash, but having trouble getting it to work since we don’t have a TTY
29:00 – Cracking the Joomla Password, then testing the password with ssh and logging in
30:00 – Our user can install Snap Packages with sudo, so building a malicious snap
31:20 – Installing FPM which lets us build packages, building a lot of bad packages until we find one that works
36:20 – Our malicious packages aren’t working, switching to a non-malicious one to test the exploit
40:16 – Having our snap attempt to grab the root flag, turns out I was just impatient before
43:43 – Moving bash to avoid system directories and setting it to setuid
45:10 – Explaining what snap is
by IppSec