Overview
Ambassador is a medium difficulty box from Hack The Box released on October 1st 2022 and retired on January 28 2023. I start off by exploiting a directory traversal vulnerability in a Grafana instance to read sensitive configuration files and obtain MySQL login credentials. Searching through the MySQL databases I find SSH login details and obtain a shell. This account has access to a git repo whose history leaks a token for Consul; I then use this token to interact with Consul and escalate my privileges to root.
Scan Details
#nmap -sV -sC $IP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Ambassador Development Server
3000/tcp open ppp?
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 10
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, ODBCClient, FoundRows, Speaks41ProtocolOld, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, IgnoreSigpipes, LongColumnFlag, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Support41Auth, LongPassword, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: \x04EsK2\x10\x1A_\x10\x087j#\x02k\x1F%\x13KC
|_ Auth Plugin Name: caching_sha2_password
Enumeration and Initial Foothold
The website on port 80 yields little other than an SSH user name.

Browsing to the website on port 3000 I see a Grafana login screen along with the software name and version.

Just googling this version of Grafana gives me an exploit (CVE-2021-43798, a path traversal in the plugin asset handler): https://www.early-retirement.org/. The bug exists because Go's filepath.Clean only strips leading .. elements from a rooted path (one that begins with a forward slash); a relative tail such as ../../../../etc/passwd keeps its .. elements, and when Grafana joins that tail onto the plugin directory they resolve upwards and out of it. The exploit can easily be done with curl; the one thing to remember is --path-as-is, because curl otherwise collapses the .. segments itself before the request ever leaves your machine.
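To make the root cause concrete, here is an added example (my own code, not Grafana's) that reproduces the vulnerable Clean-then-Join sequence in Go and puts a hardened version beside it. The plugin directory path is an assumption, since the write-up does not show it; the traversal payload is the same shape as the one used against the box.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// pluginDir stands in for the directory Grafana serves a plugin's assets from.
// The real path on the box is not shown in the write-up; this value is an assumption.
const pluginDir = "/var/lib/grafana/plugins/alertlist"

// cleanedTail shows the filepath.Clean behaviour the traversal depends on:
// leading ".." survives on a relative path and is dropped only on a rooted one.
func cleanedTail(requested string) string {
	return filepath.Clean(requested)
}

// vulnerableAssetPath mirrors the pre-fix logic of the plugin asset handler
// (CVE-2021-43798): Clean the user-supplied tail, then Join it onto the plugin
// directory. Join cleans the combined, now rooted, path, so the surviving ".."
// elements walk out of pluginDir.
func vulnerableAssetPath(requested string) string {
	return filepath.Join(pluginDir, cleanedTail(requested))
}

var errTraversal = errors.New("requested file resolves outside the plugin directory")

// safeAssetPath joins first and then checks that the result is still under
// pluginDir. filepath.Rel yields ".." or a "../"-prefixed path exactly when
// the target escaped the base, which is the case we reject. The check is
// lexical: a deployment that serves symlinked directories should resolve
// both sides with filepath.EvalSymlinks before comparing.
func safeAssetPath(requested string) (string, error) {
	full := filepath.Join(pluginDir, requested)
	rel, err := filepath.Rel(pluginDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return full, nil
}

func main() {
	payload := "../../../../../../../../etc/passwd"
	fmt.Println("Clean(relative):", cleanedTail(payload))          // ".." kept
	fmt.Println("Clean(rooted):  ", cleanedTail("/"+payload))      // ".." dropped
	fmt.Println("vulnerable:     ", vulnerableAssetPath(payload))  // /etc/passwd
	if _, err := safeAssetPath(payload); err != nil {
		fmt.Println("hardened:        blocked:", err)
	}
	p, _ := safeAssetPath("img/logo.svg")
	fmt.Println("hardened:       ", p) // a legitimate asset still resolves
}
```

The contrast to take away is that neither Clean nor Join is wrong on its own; the handler trusted the cleaned tail as if it had been rooted, and the only reliable fix is to validate the final joined path against the base directory.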

I was able to use this arbitrary file read to pull the /var/lib/grafana/grafana.db SQLite database. I opened it with the DB Browser for SQLite that ships with Kali and retrieved a MySQL password from the data source configuration Grafana keeps in it.

Logging in to MySQL with those credentials and searching through the databases, I found the password of the developer account I discovered earlier; it was stored merely base64-encoded.


Privilege Escalation
While searching through the home directory of the developer account I found a .gitconfig file which pointed me to the directory of an app of some sort.

I browsed to this directory and saw that it was a git project. Searching through the commit history I found a “consul” API token.
By googling I quickly discovered that this referred to HashiCorp’s Consul. I checked whether there were any known exploits for this software and found two Metasploit modules.

Since Consul’s HTTP API only listens on localhost, I need a port forward to reach it with Metasploit from my machine. I used chisel to set up the proxy.


With the proxy set up I configured exploit/multi/misc/consul_service_exploit with the leaked token and received a shell as the root user. The module registers a service whose health check is a script check; because the agent accepts script checks over the HTTP API, it runs the supplied command as the user Consul itself runs as, here root.


Remediations
HashiCorp has published a blog post addressing this specific attack (https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations). The root cause is running the agent with enable_script_checks (-enable-script-checks) turned on, which lets anyone who can reach the HTTP API with a sufficient token register a check that executes an arbitrary command. Newer versions of Consul have the -enable-local-script-checks option (enable_local_script_checks in the config file) instead; it permits script checks only when they are defined in the agent’s local configuration files and refuses them from the HTTP API. The leaked token is the other half of the problem: Consul ACL tokens belong in a secrets store, not in a script committed to git, and a token that has ever been committed should be treated as compromised and rotated, since removing it in a later commit does not remove it from the history.
Base64 is not a form of encryption (ENCODING != ENCRYPTION!!). Stored passwords should instead be hashed with a purpose-built, slow password hashing algorithm such as bcrypt, scrypt or Argon2id with a per-user salt, so that a database leak does not hand out reusable credentials.
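To tie the exploit step above to the remediation, here is an added example in Go (my own code, not HashiCorp’s or the Metasploit module’s) that builds the service registration body a script-check attack sends to PUT /v1/agent/service/register, and then audits two constructed agent configurations for the setting that makes such a registration dangerous. The weak configuration is an assumption about what the box’s agent must have looked like (ACLs on, since a token was needed, but script checks enabled); the audit only understands JSON-format agent config, not HCL.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// serviceRegistration is the body of PUT /v1/agent/service/register. A check
// carrying Args is a script check: the agent runs the command on Interval,
// as the agent's own user, which is what consul_service_exploit relies on.
type serviceRegistration struct {
	Name  string `json:"Name"`
	Check struct {
		Args     []string `json:"Args"`
		Interval string   `json:"Interval"`
	} `json:"Check"`
}

// scriptCheckRegistration builds that body for an arbitrary shell command.
func scriptCheckRegistration(name, cmd string) ([]byte, error) {
	var reg serviceRegistration
	reg.Name = name
	reg.Check.Args = []string{"/bin/sh", "-c", cmd}
	reg.Check.Interval = "10s"
	return json.Marshal(reg)
}

// agentConfig is the subset of Consul's JSON agent config that decides whether
// the registration above is executed. The key names are Consul's own.
type agentConfig struct {
	EnableScriptChecks      bool `json:"enable_script_checks"`
	EnableLocalScriptChecks bool `json:"enable_local_script_checks"`
	ACL                     struct {
		Enabled       bool   `json:"enabled"`
		DefaultPolicy string `json:"default_policy"`
	} `json:"acl"`
}

// auditConsulConfig returns one finding per risky setting in raw.
func auditConsulConfig(raw []byte) ([]string, error) {
	var cfg agentConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	if cfg.EnableScriptChecks {
		findings = append(findings, "enable_script_checks=true: script checks are accepted over the HTTP API; switch to enable_local_script_checks so only checks from local config files may run commands")
	}
	if !cfg.ACL.Enabled || cfg.ACL.DefaultPolicy != "deny" {
		findings = append(findings, "ACLs disabled or default_policy is not deny: registrations need no token at all, so a clean git history would not have helped")
	}
	return findings, nil
}

// Constructed agent configs. weakConfig is my assumption of the box's setup:
// ACLs enforced (a token was required) but script checks enabled.
const weakConfig = `{
  "enable_script_checks": true,
  "acl": {"enabled": true, "default_policy": "deny"}
}`

// hardenedConfig keeps script checks for locally defined services only.
const hardenedConfig = `{
  "enable_local_script_checks": true,
  "acl": {"enabled": true, "default_policy": "deny"}
}`

func main() {
	body, _ := scriptCheckRegistration("web", "id")
	fmt.Println("registration body:", string(body))
	for _, cfg := range []string{weakConfig, hardenedConfig} {
		findings, err := auditConsulConfig([]byte(cfg))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println(" -", f)
		}
	}
}
```

Note that the hardened configuration still allows script checks, just not ones arriving over the API; if nothing on the host needs script checks at all, leaving both options off is the smaller attack surface.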
Personal Thoughts
Definitely an interesting box. I enjoy Ambassador’s use of relatively new vulnerabilities and exploits, which gives it a very modern feel, and I appreciate the break from the traditional RCE > privesc model, instead requiring the chaining of multiple exploits to achieve root.