Enumeration

Nmap

The initial nmap scan revealed that port 3000 and port 22 (SSH) were open.

00 - nmap

Web Enumeration

Visiting port 3000 revealed a Grafana website.

01 - web

Later, I checked the Grafana version and found out it was vulnerable to path traversal.

02 - path traversal

Exploitation

CVE-2021-43798

Searching the internet, I found the location of Grafana's config file. It included the secret_key and other information. At first I tried to decrypt the datasource password, but I could not.

Then further enumeration revealed a SQLite database named grafana.db.

grafanadb

grafanadb2

I downloaded it using curl. After the download, I enumerated the SQLite database and found salted hashes in it.

03 - grafana passwords
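
From the defender's side, the traversal requests described above show up in the access log of whatever sits in front of Grafana. The following is an added example, not part of the original write-up: it flags requests to the plugin static-asset route (the route named in Grafana's advisory for CVE-2021-43798) whose decoded path contains a `..` segment. It assumes a reverse-proxy access log in common log format; the log lines, the `PLACEHOLDER` targets and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format (not taken from the target).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /public/plugins/text/img/icon.svg HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /public/plugins/text/../../../../PLACEHOLDER/file HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /public/plugins/text/%2e%2e/%2e%2e/PLACEHOLDER/file HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2025:10:00:11 +0000] "GET /public/plugins/text/%252e%252e/PLACEHOLDER HTTP/1.1" 404 19
10.0.0.7 - - [01/Jan/2025:10:00:15 +0000] "GET /api/health?note=a..b HTTP/1.1" 200 70
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_PREFIX = "/public/plugins/"  # plugin static-asset route


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots are also caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(target):
    """True if the decoded path is under the plugin route and has a '..' segment."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    return path.startswith(PLUGIN_PREFIX) and ".." in path.split("/")


def find_traversal(log_text):
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["target"]):
            # served=True: the server answered 2xx, so a file was likely returned
            hits.append({"ip": m["ip"], "target": m["target"],
                         "served": m["status"].startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true are the ones to triage first, since they indicate the server returned content and any secrets in the files requested should be treated as exposed.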

Using the grafana2hashcat tool, I generated a crackable password format, then ran hashcat using the rockyou.txt file.

04 - hashes

The hash of boris was cracked.

05 - cracked

I logged in and got the user flag.

06 - user flag

Privilege Escalation

The “sudo -l” command revealed that I could run the “docker exec” command as sudo.

07 - sudo l

To run it, I needed to find the container id or container name. I could not run docker ps or docker container ls. So at first I tried random names, and one of the names was correct: “grafana”.

However, it is not a dependable solution. So I tried another method: I checked running processes and grepped for docker. This revealed the container id.

08  - docker id

After learning the container id, I checked for mounts on the current machine. The /dev/sda1 mount was on the / path.

09 - 0 mount

Thus, with the container id I got a root shell on the container. Then I mounted /dev/sda1 to access the host machine's root folder and got the root flag.

09 - shell on docker

10 - mount

Pwned

The machine was pwned.

pwned

