In this post, I would like to share a walkthrough of the Ambassador Machine from Hack the Box


This room will be considered a medium machine on Hack the Box

What will you gain from the Ambassador machine?


For the user flag, you will need to abuse the file read vulnerability so that we will be able to read the DB configuration file which we should be able to obtain the password for the admin. As a result, we can get some information by exploring the MySQL instance.


As for the root flag, you need to exploit the Consul vulnerability which it will get us an execution as root.

Information Gathering on Ambassador Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

# Nmap 7.92 scan initiated Tue Oct  4 08:52:26 2022 as: nmap -sC -sV -oA nmap/intial 10.10.11.183
Nmap scan report for 10.10.11.183
Host is up (0.17s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
|   256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_  256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open  ppp?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Tue, 04 Oct 2022 12:53:24 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Tue, 04 Oct 2022 12:52:50 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Tue, 04 Oct 2022 12:52:56 GMT
|_    Content-Length: 0
3306/tcp open  mysql   MySQL 8.0.30-0ubuntu0.20.04.2
|_sslv2: ERROR: Script execution failed (use -d to debug)
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.30-0ubuntu0.20.04.2
|   Thread ID: 11
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, LongPassword, IgnoreSigpipes, ConnectWithDatabase, SupportsTransactions, FoundRows, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, LongColumnFlag, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: xl4A/\x1Cfr:8J\x19\x13P@-It\x1D\x0E
|_  Auth Plugin Name: caching_sha2_password
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=10/4%Time=633C2CA1%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2004\x20Oct\x202022\x2012:52
SF::50\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2004\x20Oct\x202022\x2012:52:56\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Tue,\x2004\x20Oct\x202022\x2012:53:24\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct  4 08:54:41 2022 -- 1 IP address (1 host up) scanned in 135.32 seconds
   

Let’s access the website interface


However, nothing looks interesting for us to play with

Graphical user interface, text, application

Description automatically generated

When we try to read more on the post, we managed to see the content such as “Use the Developer account to SSH, DevOps will give you the password”

Grafana Website Enumeration

Graphical user interface, application

Description automatically generated

When we try to investigate the website using a different port, we managed to get a Grafana login page. Sadly, we don’t have any credentials that can be used for this purpose.

Text

Description automatically generated

After looking carefully at the Grafana login page, I notice that there’s a version at the bottom of the page.

Grafana Directory Traversal and Arbitrary File Read

Graphical user interface, application, website

Description automatically generated

After doing some research on version exploitation on the internet, we stumbled on an exploit-db for the vulnerability on Grafana.

Graphical user interface, text, website

Description automatically generated

As a result, let’s download the exploit on our attacker’s machine

Graphical user interface, text, application, chat or text message

Description automatically generated

As we can see in the screenshot above, we cannot use python 2 to execute the exploit

Text

Description automatically generated

However, the exploit can be used when we run using python3


Finally, the exploit work and we can read any file that has been saved on the machine

Text

Description automatically generated

For testing purposes, we can try to read the /etc/passwd file, and it looks something as shown above


After doing some research, I found one website over here

Text

Description automatically generated

At last, we managed to obtain credentials with admin and its password

Grafana Dashboard

Graphical user interface, application

Description automatically generated

Sadly, we don’t retrieve any interesting over here.

Graphical user interface

Description automatically generated

From my research previously, we can see another file that might give us some information which is (/var/lib/Grafana/Grafana.db)


For a better view, we can download it on our attacker’s machine.

Text

Description automatically generated
Graphical user interface, text

Description automatically generated

Finally, we can see the password for the MySQL database which we might be able to look for another user’s credentials.

MySQL Database Enumeration on Ambassador

Text

Description automatically generated

At last, we are connected to the MySQL database by using the credential that we found earlier.

Text

Description automatically generated

There are a few databases that we can investigate


Sadly, there are no tables on Grafana’s database.

Text

Description automatically generated
Text

Description automatically generated

However, we found a user’s table inside the whackywidget database.

Text

Description automatically generated

Inside the user’s tables, there’s a different credential that has been saved which we can use for further escalation.

A screenshot of a computer

Description automatically generated with medium confidence
Text

Description automatically generated

After decoding the hashes from base64, we manage to obtain a password for the developer


Finally, we can access the machine via SSH service by using the developer’s credentials.

Graphical user interface, text

Description automatically generated

We can read the user’s flag by executing the “cat user.txt” command

Escalate to Root Privileges Access on Ambassador Machine

A screenshot of a computer

Description automatically generated with medium confidence

Nothing can be found on the /var directory

Text

Description automatically generated

There are two directories that look interesting to analyze further

Text

Description automatically generated

Inside the my-app directory, there are two directories that we can analyze further.


Nothing looks interesting over here

Text

Description automatically generated

A .git directory have found inside the my-app directory

Text

Description automatically generated

When analyzing the git history, we managed to see there’s a consul command at the end of the git history


Therefore, let’s save the command “chmod +x /usr/bin/bash” to a new file which in my case I use darknite.sh


We can try to register a new account by executing the command above.


At last, bash has been assigned to the SUID binary

Text

Description automatically generated with medium confidence

We can read the root flag by executing the “cat root.txt” command

Extra Information

Graphical user interface, text

Description automatically generated with medium confidence