preliminary feroxbuster nothing found
→ doing subdomain fuzzing rn
3 inputs on the site ← check this out
- search box → nothing i think
- enroll now → 500 error if i put some random stuff on phone number
- contact page → nothing i think not even send
finally
theres a grafana subdomain
grafana.planning.htb ← use creds given here
CVE-2024-9264 RCE for this versions of grafana
env
GF_PATHS_HOME=/usr/share/grafana HOSTNAME=7ce659d667d7 AWS_AUTH_EXTERNAL_ID= SHLVL=1 HOME=/usr/share/grafana OLDPWD=/root AWS_AUTH_AssumeRoleEnabled=true GF_PATHS_LOGS=/var/log/grafana _=ps GF_PATHS_PROVISIONING=/etc/grafana/provisioning GF_PATHS_PLUGINS=/var/lib/grafana/plugins PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin AWS_AUTH_AllowedAuthProviders=default,keys,credentials GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT! AWS_AUTH_SESSION_DURATION=15m GF_SECURITY_ADMIN_USER=enzo GF_PATHS_DATA=/var/lib/grafana GF_PATHS_CONFIG=/etc/grafana/grafana.ini AWS_CW_LIST_METRICS_PAGE_LIMIT=500
with these creds I can log into ssh
what r these creds
enzo@planning:/opt/crontabs$ cat crontab.db {“name”:“Grafana backup”,“command”:“/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz”,“schedule”:“@daily”,“stopped”:false,“timestamp”:“Fri Feb 28 2025 20:36:23 GMT+0000 (Coordinated Universal Time)”,“logging”:“false”,“mailing”:{},“created”:1740774983276,“saved”:false,“_id”:“GTI22PpoJNtRKg0W”} {“name”:“Cleanup”,“command”:“/root/scripts/cleanup.sh”,“schedule”:”* * * * *”,“stopped”:false,“timestamp”:“Sat Mar 01 2025 17:15:09 GMT+0000 (Coordinated Universal Time)”,“logging”:“false”,“mailing”:{},“created”:1740849309992,“saved”:false,“_id”:“gNIRXh1WIc9K7BYX”}
theres some cron jobs running → run linpeas i feel like thats the priv esc
netstat also shows something running + theres mysql database
proxy_pass http://grafana.planning.htb:3000/;
so what is that other port 8000 info something is running on port 8000 that I need to auth, maybe port forward this
idk abt this
══════════╣ Checking if containerd(ctr) is available https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#containerd-ctr-privilege-escalation ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it ctr: failed to dial “/run/containerd/containerd.sock”: connection error: desc = “transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied”
Found readable /etc/mysql/my.cnf
Searching tmux sessions tmux 3.4 /tmp/tmux-1000
Other Interesting Files .sh files in path /usr/bin/gettext.sh
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100) Found /opt/crontabs/crontab.db: New Line Delimited JSON text data Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3045001, file counter 5, database pages 967, cookie 0x4, schema 4, UTF-8, version-valid-for 5 Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3045001, file counter 6, database pages 16, cookie 0x5, schema —More—(4, UTF-8, version-valid-for 6 Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3045001, file counter 5, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 5
→ Extracting tables from /var/lib/command-not-found/commands.db (limit 20) → Extracting tables from /var/lib/fwupd/pending.db (limit 20) → Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
localhost port forward to port 8000 on the local machine
creds are:
root:P4ssw0rdS0pRi0T3c
CRONTAB UI is running here
thats it just run a cronjob with revshell and u get root yay*