HackTheBox - Ambassador

00:00 - Intro 00:45 - Start of nmap 03:30 - Discovering Grafana and seeing it is ~2 years old 05:00 - Looking for exploits 06:00 - Manually performing the exploit 08:45 - Looking for interesting files, extracting Grafana config which lets us log in 12:55 - Extracting the SQLite3 Database in order to get the MySQL Password 15:30 - Logging into MySQL and getting SSH Creds from the whackywidget database 18:00 - Looking at the WhackyWidget application and discovering an Consul API Key 21:20 - Looking for the Consul API Documentation 23:05 - Playing with the API, examining the Metasploit script and building out our curl request 26:40 - Building a JSON file which will create a Consul Script to send us a reverse shell and getting root 31:50 - Showing the Metasploit Script would work if we port forward 34:50 - Showing another way, we can write to the Consul Config directory and do it manually