HackTheBox | Ambassador Walkthrough

Abdulrhman
Mar 1, 2024

Hi!

Please ignore any type of grammar errors.

Let’s get started with enumeration.

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>
nmap scan 1
nmap scan 2

We got four open ports: port 22 running SSH, port 80 running HTTP, port 3000 unknown, and port 3306 running MySQL.

Web

We got a normal web page, so I ran dirsearch to fuzz directories.

dirsearch

After analyzing the web pages, we got nothing important.

So let’s see what port 3000 is running.

Port 3000

After checking it in the browser, I got redirected to the Grafana login page.

grafana login page

I noticed its version, so I searched on Google with its version and I got CVE-2021-43798 for Directory Traversal and Arbitrary File Read.

Here I used the ExploitDB code (https://www.exploit-db.com/exploits/50581) to run the exploit.

First I checked the vulnerability by reading the /etc/passwd file.

read /etc/passwd
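
Seen from the defending side, file reads like the one above leave a recognisable trace in HTTP access logs. The following is an added example, not part of the original walkthrough or of the ExploitDB code: it assumes a reverse proxy in front of Grafana writing common-log-format lines, uses the /public/plugins/<plugin-id>/ asset route named in Grafana's advisory for CVE-2021-43798, and the log lines and the plugin id example-plugin are constructed.

```python
import re
from urllib.parse import unquote

# Grafana serves plugin assets under /public/plugins/<plugin-id>/...;
# CVE-2021-43798 is a traversal out of that directory.
PLUGIN_PREFIX = re.compile(r"^/public/plugins/[^/]+/(?P<rest>.*)$")
# Assumed log shape: ip ... "METHOD target HTTP/x.y" status size
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so the check sees what the server may resolve."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_plugin_traversal(target):
    """True if a plugin-asset request contains a '..' path segment."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    m = PLUGIN_PREFIX.match(path)
    return bool(m) and ".." in m.group("rest").split("/")

def scan(lines):
    """Return (ip, target, status) for every matching request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and is_plugin_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample lines (documentation IP range), not taken from the box.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2024:10:00:01 +0000] "GET /public/plugins/example-plugin/img/icn.svg HTTP/1.1" 200 812',
    '192.0.2.66 - - [01/Mar/2024:10:00:05 +0000] "GET /public/plugins/example-plugin/../../../etc/passwd HTTP/1.1" 200 1983',
    '192.0.2.11 - - [01/Mar/2024:10:00:09 +0000] "GET /login HTTP/1.1" 200 5120',
    '192.0.2.66 - - [01/Mar/2024:10:00:12 +0000] "GET /public/plugins/example-plugin/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        # A 200 means the file was served: treat secrets in it as exposed.
        print(f"{ip} {status} {target}")
```

A hit with status 200 on grafana.ini or grafana.db means the credentials stored there should be rotated, and the instance upgraded to a release that Grafana's advisory lists as fixed.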

Here I decided to read the configuration file, and after searching online for the Grafana configuration file path, I got the path /etc/grafana/grafana.ini and tried to read it.

read /etc/grafana/grafana.ini

It worked!!

After reading it, I noticed something interesting related to the Grafana database password.

I decided to continue reading the file and I got credentials.

admin password

Here I used the credentials to log in through the website, but I got nothing.

I went back to reading files.

I decided to read the Grafana database, so I googled the Grafana database file path and I got the path /var/lib/grafana/grafana.db and I saved it.

read /var/lib/grafana/grafana.db

I used grep to match anything related to grafana and I got another set of creds.

Found DB password

So let’s log in to the MySQL server.

MySQL

mysql -h <target_ip> -u grafana -p
sql login

After navigating through the database, I found the developer password.

Developer Password

It’s base64 encoded, so let’s decode it.

Decode the password

Lateral Movement

SSH Login

Let’s try to log in over SSH using the developer user and password.

ssh developer@<target_ip>
SSH Login

Here, I noticed an interesting file in the developer directory called .gitconfig.

user.txt

I decided to read it.

Read gitconfig

It’s related to /opt/my-app.

So let’s get the logs of the repo.

git log
Read git log

I opened the first commit.

First commit

I found an interesting command called consul, so I decided to search for exploits.

I found an exploit and I used this repo: https://github.com/owalid/consul-rce.

Privilege Escalation

I followed the PoC, so let’s run the exploit.

Run the exploit

And it worked, so let’s get root.

Root


Conclusion

Always search, Google is your friend :)

This was great fun!

I hope you enjoyed the walkthrough. I am waiting for your feedback.

Don’t forget to check other walkthroughs.
