HTB : Armageddon


  • Find service version through enumeration
  • Metasploit exploit will give a web shell
  • Databases credentials are stored openly
  • Use mysqldump to dump password hashes
  • Cracked hashes gives password for SSH login
  • Able to run snap install without root
  • Utilize dirty sock exploit to create an account and switch to root user without password


Run nmap scan to find for open ports.

Port 80 brings us to some type of login page.

Run a gobuster scan to find for hidden directories.

ReadME.txt tells us it runs a Drupal source content management platform

In the profiles folders there are files that contain the Drupal version.

Use searchsploit to find for known exploits.

**There was an issue running the ruby script on my system so I decided to use metasploit instead.


Once the shell is gained , a user name is found.

Enumerating the folders , we can find some database credentials in /var/www/html/sites/default/settings.php

Let’s use mysqldump to dump everything.

Let’s crack the hash with John the ripper.

Login to the user via ssh.

First flag is found

We are able to run the snap install with sudo and no password.

Searching GTFOBins we get the following.

We can also use a faster approach with dirtysock here

In the script we can use this payload.

Privilege escalation

Run the following commands in python.

Once dirty sock is installed it creates a user call dirty sock with the same password.

With this installed we are able to switch to the root user.

Root flag is found.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s