Official Armageddon Discussion

ald3rs0n · April 14, 2021, 7:56pm

Nice box. Enjoyed pwning it. Thanks…

d3f4u17 · April 15, 2021, 5:37am

I got initial foot hold with user a****e struggling with user, kindly DM if someone can assist.

tmy · April 15, 2021, 3:27pm

Rooted.
This was a not so “easy” box, I get the medium rating now.

uid=0(root) gid=0(root) groupes=0(root)

newhacker96 · April 15, 2021, 9:07pm

Hi,

I have got the initial shell and have access to m***l credentials. When i try to access the db, i get access denied.
Not sure what I’m missing here. Can anyone give a possible hint on how to move forward.

UVision · April 16, 2021, 1:23pm

I got credentials to connect to my***, with user drupalu*** in an interesting file, but when I try to connect I get no response, any help ?

UVision · April 16, 2021, 2:25pm

Finally got the user, a little hint with my*** : put an “exit;” after any request and you see the output.

ariel9016 · April 17, 2021, 10:39am

Rooted thanks to small help i needed from @alemusix

User: after having a small foothold, just brute force.
Root: The best tip i can give you - ignore errors, sometimes they dont represent whether you succed/failed run your payload.

idobhh · April 17, 2021, 11:54am

can anyone help me with root?

sk1dy · April 17, 2021, 2:19pm

Why am not able to authenticate to ssh ssh@brucethe****@10.10.10.233 -p 22
connection closed by remote host AM TIRED TRYING TO SOLVE THIS …
i even asked my friend the ssh autentication worked for him except me …

sk1dy · April 17, 2021, 2:22pm

@SackOfHacks said:
Rooted this machine.

Hints:
Initial foothold: enumerate the web app and use google
Getting a ssh session: find a user and keep asking access…
Root: ask what you are allowed to do and use that to your advantage

All in all a fun box, a little different than the usual and definitely one of the more real-life ones out there. Thanks to the creator!

am not able to get ssh session it says connection closed by remote host …
ssh brucethe************@10.10.10.233 -p 22
Connection closed by 10.10.10.233 port 22

d3f4u17 · April 18, 2021, 3:35am

Got root, root was ■■■■ easy, did a lot of overthinking for user though.

Ashh · April 18, 2021, 5:32pm

id

uid=0(root) gid=0(root) groups=0(root)

Overall, kinda a “meh” box in my opinion and closer to a medium, especially given the limitations in getting the initial foothold (if you got a revshell you’ll understand what I mean).

User

Enumerate what is running + do some googling and you shouldn’t have any trouble with RCE. Persistance may be troublesome, but try to “flow in” in areas of least resistance. Getting user.txt will take some additional enumeration/exploitation.

Root

This is what took me the most time, and ended up being the most annoying. From ~5 minutes after user it’ll be clear what the vector is, but accurately weaponizing it is tedious and annoying. Easy to overthink, but once you know what you’re doing don’t overdo it. Google is also your friend here.

Feel free to PM if you need a nudge.

TheLivestep · April 18, 2021, 6:50pm

Just Finished the Box. Send a message if you nedd hints!

Kefa7 · April 18, 2021, 8:56pm

I’m stuck at a****e user, tried all my best with getting the db and I just couldn’t get it, kindly if anyone can DM me for a solution…

EDIT: Never mind, I found the solution.

mar0ne · April 19, 2021, 2:41pm

Now i know how to build s*** pkg

garnus · April 20, 2021, 12:14pm

I’m working on root now.
I know what Ubuntu specific tool i need to use, but i got 401 error.
Any hint?

EDIT: I’m root. I didn’t need to use this whole dirty thing.

secure77 · April 21, 2021, 7:19pm

finished the machine, If anyone need help, just pm me.

Exci · April 21, 2021, 7:25pm

Got user. The very last step should be fast once you know what you’re working with and can configure your tool (a few seconds). If you’re having issues working with m*s** on the box, pack everything in a suitcase and take it outside.

…Got root. After getting user, simply check what “bigguy” things you can do with that user.

Beyond that point it went fast but I have to go back to understand s*** out of curiosity. For the exploit itself, there’s a certain popular source for…breaking out of stuff…that covers all the steps, though I had to change the payload slightly.

Feel free to PM for hints.

b14s · April 22, 2021, 11:13am

Sometimes my curse of overthinking kills me. Got the root flag

rancilio · April 22, 2021, 3:06pm

I’m in as b*****eaan, have done some basic enum to see that there’s a n exploit with the v2 already in the home dir. Running the v2 exploit fails for me with a 401 error. Looking on Google it and reading on here you can craft your own… I tried this in Kali but it failed and people have said to use a different environment… I really don’t want to install a new VM just for one machine…

Anybody that’s not installed a new VM for this box able to help/DM?

thanks!