Data

You will learn about getting a foothold through a CVE, cracking custom hashes, and abusing privileged Docker containers.

IP: 10.10.103.22

Enumeration

An Nmap scan reveals two open ports: 22 (SSH) and 3000 (an HTTP server running Grafana).

With Gobuster we find a signup page,

but in this instance user signup is disabled.

This instance of Grafana is vulnerable to CVE-2021-43798 (https://www.exploit-db.com/exploits/50581), a path traversal that lets us read /var/lib/grafana/grafana.db, the database holding the Grafana user credentials.

It is an SQLite database containing usernames and salted password hashes.

The exploit script lets us view the file, but saving it to disk causes problems,

so we use curl to fetch the database directly instead of going through the script.

We now have the hashed password and the salt; with this tool we can convert the hashes into a hashcat-compatible format.

Now that the hashes are converted, we can run hashcat:

sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1

boris:beautiful1. The other password does not appear to be crackable with rockyou.
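As an added example (not code from this writeup or from the converter it uses), the Python below reproduces the conversion and verifies the recovered credential against the stored hash: Grafana stores PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte output, hex-encoded beside a 10-character salt, and hashcat mode 10900 reads that as sha256:iterations:base64(salt):base64(raw hash). The function names are my own; the only hash line is the one shown above.

```python
import base64
import hashlib
import hmac

# Grafana's own scheme: PBKDF2-HMAC-SHA256, 10000 rounds, 50-byte key, hex in the
# "password" column, plain 10-char salt in the "salt" column of the user table.
ITERATIONS = 10000
KEY_LEN = 50


def grafana_hash_hex(password: str, salt: str) -> str:
    """Re-derive the hex digest Grafana writes to grafana.db."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             ITERATIONS, dklen=KEY_LEN)
    return dk.hex()


def verify_grafana_password(password: str, salt: str, hash_hex: str) -> bool:
    """Constant-time check of a candidate password against a grafana.db row."""
    return hmac.compare_digest(grafana_hash_hex(password, salt), hash_hex.lower())


def to_hashcat_10900(salt: str, hash_hex: str) -> str:
    """Rewrite a (salt, hex hash) pair from grafana.db as a hashcat mode 10900 line."""
    salt_b64 = base64.b64encode(salt.encode()).decode()
    hash_b64 = base64.b64encode(bytes.fromhex(hash_hex)).decode()
    return f"sha256:{ITERATIONS}:{salt_b64}:{hash_b64}"


def from_hashcat_10900(line: str) -> tuple[str, str]:
    """Inverse: recover (salt, hex hash); a cracked password may trail as a 5th field."""
    algo, iters, salt_b64, hash_b64 = line.split(":")[:4]
    if algo != "sha256" or int(iters) != ITERATIONS:
        raise ValueError("not a Grafana-style PBKDF2-HMAC-SHA256 line")
    return base64.b64decode(salt_b64).decode(), base64.b64decode(hash_b64).hex()


# The converter's output from the writeup, with the password hashcat appended.
WRITEUP_LINE = ("sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+"
                "XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1")


def check_writeup_line(line: str = WRITEUP_LINE) -> bool:
    """Confirm the appended password really derives the stored hash."""
    salt, hash_hex = from_hashcat_10900(line)
    return verify_grafana_password(line.split(":")[4], salt, hash_hex)


if __name__ == "__main__":
    salt, hash_hex = from_hashcat_10900(WRITEUP_LINE)
    print("salt:", salt, "| beautiful1 verifies:", check_writeup_line())
    print("round-trip ok:", to_hashcat_10900(salt, hash_hex) == WRITEUP_LINE.rsplit(":", 1)[0])
```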

Now we log in over SSH as the user boris.

Privilege Escalation

We get the first flag and can immediately see a possible privesc vector.

We can only interact with containers, not list them.

Since the Grafana instance is probably running in a container, we can read the container's hostname through the LFI.

e6ff5b1cbc85. We are now root inside the container.

Now we can mount the host filesystem directly inside the container and get the flag.
