{"id":1,"date":"2023-02-17T03:27:21","date_gmt":"2023-02-17T03:27:21","guid":{"rendered":"https:\/\/merrillnewman.tech\/?p=1"},"modified":"2023-02-19T00:41:23","modified_gmt":"2023-02-19T00:41:23","slug":"htb-ambassador","status":"publish","type":"post","link":"https:\/\/merrillnewman.tech\/?p=1","title":{"rendered":"HTB Ambassador"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

Ambassador is a medium difficulty box from Hack The Box released on October 1st 2022 and retired on January 28 2023. I start off by exploiting a directory traversal vulnerability in a Grafana instance to read sensitive configuration files and obtain MySQL login credentials. Searching through the MySQL databases I’ll find SSH login details and a obtain shell. I’ll find that this account has access to a git repo that leaks a token for Consul, I’ll then use this token to interact with Consul and escalate my privileges to root.<\/p>\n\n\n\n\n\n\n\n

Scan Details<\/h3>\n\n\n\n
#nmap -sV -sC $IP\n\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)\n|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)\n|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))\n|_http-generator: Hugo 0.94.2\n|_http-server-header: Apache\/2.4.41 (Ubuntu)\n|_http-title: Ambassador Development Server\n3000\/tcp open  ppp?\n3306\/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2\n| mysql-info: \n|   Protocol: 10\n|   Version: 8.0.30-0ubuntu0.20.04.2\n|   Thread ID: 10\n|   Capabilities flags: 65535\n|   Some Capabilities: SupportsLoadDataLocal, ODBCClient, FoundRows, Speaks41ProtocolOld, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, IgnoreSigpipes, LongColumnFlag, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Support41Auth, LongPassword, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments\n|   Status: Autocommit\n|   Salt: \\x04EsK2\\x10\\x1A_\\x10\\x087j#\\x02k\\x1F%\\x13KC\n|_  Auth Plugin Name: caching_sha2_password<\/code><\/pre>\n\n\n\n
Enumeration and Initial Foothold<\/h3>\n\n\n\n
The website on port 80 yields little other than a ssh user name. <\/p>\n\n\n
\n
\"\"
http:\/\/ambassador.htb\/<\/figcaption><\/figure><\/div>\n\n\n
Browsing to the website on port 3000 I can a login screen along with the software name and version.<\/p>\n\n\n
\n
\"\"
http:\/\/ambassador.htb:3000\/login<\/figcaption><\/figure><\/div>\n\n\n
Just googling this version of Grafana give me an exploit: https:\/\/www.early-retirement.org\/<\/a>. This exploit happens because the filepath.Clean<\/code> function only removes ..<\/code> elements when the element starts with a forward slash. The exploit can easily be done with curl.<\/p>\n\n\n
\n
\"\"
Exploiting Grafana LFI<\/figcaption><\/figure><\/div>\n\n\n
I was able to use this LFI exploit to include the \/var\/lib\/grafana\/grafana.db<\/code> file, I used the DB Browser that comes with kali to browse this database and retrieve a mysql password.<\/p>\n\n\n
\n
\"\"
Retrieving the mysql account password<\/figcaption><\/figure><\/div>\n\n
\n
\"\"\/
Logging in with the retrieved password<\/figcaption><\/figure><\/div>\n\n\n
I was able to find the password of the developer account I discovered earlier while searching through the database.<\/p>\n\n\n
\n
\"\"
Finding the developer accounts password<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Decoding the developer accounts password<\/figcaption><\/figure><\/div>\n\n\n
Privilege Escalation<\/h3>\n\n\n\n
While searching through the home directory of the developer account I found a .gitconfig<\/code> file which pointed me to the directory of an app of some sort.<\/p>\n\n\n
\n
\"\"
Discovering the .gitconfig file<\/figcaption><\/figure><\/div>\n\n\n
I browsed to this directory and saw that it was a git project. I searched through the commit logs and found a “consul” API token.<\/p>\n\n\n
\n
\"\"\/
Finding the consul API token<\/figcaption><\/figure><\/div>\n\n\n
By using google I quickly discovered that this referred to HashiCorp’s Consul software. I decided to check if they where any known exploits for this software and I found two metasploit modules.<\/p>\n\n\n
\n
\"\"
Discovering exploits for HashiCorp’s Consul<\/figcaption><\/figure><\/div>\n\n\n
Since Consul is running on local host I need to set up a port forward to be able to exploit it using metasploit. I used chisel to setup the proxy.<\/p>\n\n\n
\n
\"\"
Starting a chisel server and seeing ambassador connect<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Connecting ambassador to my chisel server<\/figcaption><\/figure><\/div>\n\n\n
With the proxy set up I configured the multi<\/code> \/misc\/multi\/consul_service_exploit<\/code> and received a shell as the root user.<\/p>\n\n\n
\n
\"\"
Configuring the metasploit module<\/figcaption><\/figure><\/div>\n\n
\n
\"\"
Running the metasploit module and receiving a root shell
 <\/figcaption><\/figure><\/div>\n\n\n
Remediations<\/h3>\n\n\n\n
HashiCorp has published a blog post addressing this specific attack, newer versions of Consul have the --enable-local-script-checks<\/code> configuration option, this prevents the use of the HTTP API to register malicious checks. (https:\/\/www.hashicorp.com\/blog\/protecting-consul-from-rce-risk-in-specific-configurations<\/a>)<\/p>\n\n\n\n
Base64 is not a form of encryption (ENCODING != ENCRYPTION!!). This should instead be replaced with a modern hashing algorithm like Bcrypt or Scrypt.<\/p>\n\n\n\n
Personal Thoughts<\/h3>\n\n\n\n
Definitely an interesting box, I enjoy ambassador’s use of relatively new vulnerabilities and exploits, this gives it a very modern feel. I appreciate the break away from the traditional RCE > Privesc model instead requiring the chaining of multiple exploits to achieve root. <\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Overview Ambassador is a medium difficulty box from Hack The Box released on October 1st 2022 and retired on January 28 2023. I start off by exploiting a directory traversal vulnerability in a Grafana instance to read sensitive configuration files and obtain MySQL login credentials. Searching through the MySQL databases I’ll find SSH login details […]<\/p>\n","protected":false},"author":1,"featured_media":42,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"hide_page_title":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_mi_skip_tracking":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-writeups"],"_links":{"self":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/1","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1"}],"version-history":[{"count":10,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/1\/revisions"}],"predecessor-version":[{"id":78,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/1\/revisions\/78"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/media\/42"}],"wp:attachment":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}