penetration-testing

Hack The Box Writeup - Planning (May 10th, 2025)

Hack The Box: Planning - Writeup

Machine Details

  • Machine Name: Planning
  • OS: Linux
  • Difficulty: Easy
  • Points: 20

Introduction

Greetings, fellow adventurers of the digital realm! Prepare to unveil the secrets of the Hack The Box machine "Planning" in this enchanting writeup. What unfolded was no ordinary penetration test, but a captivating journey of discovery, where I navigated the intricate pathways of web reconnaissance, unearthed a critical vulnerability within the Grafana realm, performed a daring escape from a contained Docker domain, and ultimately ascended to claim root privileges over the host system. Join me as I recount the tale of how I retrieved both the whispered secrets of user.txt and the ultimate treasure of root.txt!

Reconnaissance

Nmap Scan

I began with an Nmap scan to discover open ports and services.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration (Port 80 - planning.htb)

The Nmap scan revealed a web server running on port 80. Accessing http://planning.htb/ (after updating my /etc/hosts file) revealed a website for "Edukate - Online Education Website." I reviewed the HTML source code and found standard PHP pages such as index.php, login.php, and contact.php.

The index.php page featured a search form that submitted a keyword parameter via a POST request. My initial attempts to find Cross-Site Scripting (XSS) or SQL Injection vulnerabilities here were unsuccessful, indicating the input was either sanitized or not reflected in an exploitable manner.

Subdomain Enumeration (grafana.planning.htb)

Believing there might be hidden subdomains, I used gobuster for subdomain enumeration. This process identified grafana.planning.htb, strongly suggesting the presence of a Grafana instance.

Example gobuster command used for subdomain enumeration (make sure /etc/hosts maps the target IP to both hostnames first):

# Ensure /etc/hosts is updated: <'IP'> planning.htb grafana.planning.htb
gobuster vhost -u http://planning.htb/ -w /path/to/your/wordlist.txt -b 404 -o subdomain_enum.txt

Initial Access (to Grafana and Container)

Grafana Discovery and Version Identification

Navigating to http://grafana.planning.htb/ redirected me to a Grafana login page. Further investigation led me to http://grafana.planning.htb/swagger, which exposed the Grafana Swagger UI. (ref. https://grafana.com/docs/grafana/latest/developers/http_api/)

Initially, I faced challenges loading the Swagger UI assets from unpkg.com due to network issues on my Kali machine (likely firewall or DNS-related, as it loaded for others). After some troubleshooting (clearing browser cache, trying different browsers like Chromium), the Swagger UI finally rendered correctly.

Analysis of the HTML source code of the Grafana login page and the Swagger UI revealed the exact Grafana server version: Grafana v11.0.0 (Open Source edition), which led me to https://github.com/nollium/CVE-2024-9264, https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit, and https://zekosec.com/blog/file-read-grafana-cve-2024-9264/. The relevant part of the window.grafanaBootData object embedded in the login page:

window.grafanaBootData = {
    // ... other properties ...
    settings: {
        // ... other settings ...
        buildInfo: {
            hideVersion: false,
            version: "11.0.0",
            versionString: "Grafana v11.0.0 (83b9528bce)",
            commit: "83b9528bce85cf9371320f6d6e450916156da3f6",
            commitShort: "83b9528bce",
            buildstamp: 1746903338,
            edition: "Open Source",
            latestVersion: "",
            hasUpdate: false,
            env: "production"
        },
        // ... more settings ...
    },
    // ... more properties ...
};
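The buildInfo block above is what a defender should be checking on their own Grafana instances: the version is handed to unauthenticated visitors because hideVersion is false, and the version itself sits in a release line that the CVE-2024-9264 advisory covers. The following Python example is added here and is not code from the writeup or from the Grafana project. It pulls version and hideVersion out of a login page's HTML with a regex (the object is JavaScript, not JSON, so it is not parsed with json.loads), compares the version against a per-release-line table of first patched versions, and reports what an operator would act on. The SAMPLE_LOGIN_HTML is a constructed, trimmed copy of the object shown above, and the CVE_2024_9264_FIXED table is my recollection of the Grafana advisory's fix versions (11.0.5, 11.1.6, 11.2.1), which should be verified against the vendor advisory before use.

```python
import re

# Constructed sample: a trimmed copy of the window.grafanaBootData object a
# Grafana login page embeds. Not captured from the machine in the writeup.
SAMPLE_LOGIN_HTML = """
<html><head><script>
window.grafanaBootData = {
  settings: {
    buildInfo: {
      hideVersion: false,
      version: "11.0.0",
      versionString: "Grafana v11.0.0 (83b9528bce)",
      latestVersion: "",
      edition: "Open Source",
      env: "production"
    },
  },
};
</script></head><body></body></html>
"""

# Assumed: first patched release of each affected minor line for
# CVE-2024-9264, as recalled from Grafana's advisory. Verify before relying on it.
CVE_2024_9264_FIXED = {
    (11, 0): (11, 0, 5),
    (11, 1): (11, 1, 6),
    (11, 2): (11, 2, 1),
}

_BOOTDATA_RE = re.compile(r"window\.grafanaBootData\s*=\s*\{")
# Matches `version: "x.y.z"` only; `versionString:` and `latestVersion:`
# do not match because of the word boundary and case-sensitive name.
_VERSION_RE = re.compile(r'\bversion\s*:\s*"(\d+)\.(\d+)\.(\d+)"')
_HIDE_RE = re.compile(r"\bhideVersion\s*:\s*(true|false)")


def extract_build_info(html):
    """Return {'version': (major, minor, patch) or None, 'hide_version': bool},
    or None when the page carries no grafanaBootData object at all."""
    m = _BOOTDATA_RE.search(html)
    if not m:
        return None
    blob = html[m.end():]
    h = _HIDE_RE.search(blob)
    v = _VERSION_RE.search(blob)
    return {
        "hide_version": bool(h and h.group(1) == "true"),
        "version": tuple(int(x) for x in v.groups()) if v else None,
    }


def assess_cve_2024_9264(version, fixed=CVE_2024_9264_FIXED):
    """True when the version is in an affected minor line and below its fix."""
    if version is None:
        return False
    line = version[:2]
    if line not in fixed:
        return False  # not an affected line (or newer than the table knows)
    return version < fixed[line]


def review_grafana_page(html):
    """Summarise what an operator should act on for one login page."""
    info = extract_build_info(html)
    if info is None:
        return {"version": None, "hide_version": None,
                "findings": ["no window.grafanaBootData object found"]}
    findings = []
    if not info["hide_version"]:
        findings.append("version disclosed to unauthenticated users "
                        "(set hide_version = true under [security] in grafana.ini)")
    if assess_cve_2024_9264(info["version"]):
        findings.append("version is below the CVE-2024-9264 fix for its release line")
    version_str = ".".join(map(str, info["version"])) if info["version"] else None
    return {"version": version_str, "hide_version": info["hide_version"],
            "findings": findings}


if __name__ == "__main__":
    for line in review_grafana_page(SAMPLE_LOGIN_HTML)["findings"]:
        print("-", line)
```

Hiding the version only removes the easy fingerprint the writeup relied on; the finding that matters is the second one, and the fix for it is upgrading the instance, not the hide_version setting.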