Planning. (HTB)

Intro.

Hello again, everyone. Here is a new HTB machine, Planning. Without further ado, let's jump into it.

Enumeration.

Port scanning.

# Nmap 7.95 scan initiated Sat May 31 21:29:25 2025 as: nmap -vvv -p 22,80 -4 -sC -sV -vv -o scan.nmap 10.10.11.68
Nmap scan report for planning.htb (10.10.11.68)
Host is up, received syn-ack (0.014s latency).
Scanned at 2025-05-31 21:29:25 +08 for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMv/TbRhuPIAz+BOq4x+61TDVtlp0CfnTA2y6mk03/g2CffQmx8EL/uYKHNYNdnkO7MO3DXpUbQGq1k2H6mP6Fg=
|   256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpJkWOBF3N5HVlTJhPDWhOeW+p9G7f2E9JnYIhKs6R0
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 31 21:29:33 2025 -- 1 IP address (1 host up) scanned in 7.57 seconds

Nothing new: SSH and HTTP.

Enumerate HTTP.

Directory Bruteforce.

Nothing interesting: most of these subdirectories are forbidden, so let's check subdomains.

Subdomain Enumeration.

I used my custom tool; check it out if you want, here it is.

We can see that we have Grafana. Below is more about what Grafana is.

Grafana

Grafana is an open-source analytics and monitoring platform. It is widely used for visualizing time series data and supports a plethora of data sources including Prometheus, InfluxDB, Elasticsearch, and more. With Grafana, users can create and share dynamic dashboards, set up alerts, and explore metrics to gain insights into their systems and operations. Its flexible and customizable dashboards make it a popular choice.

Access Grafana.

First we need to add that subdomain to our hosts file.

Once we are done with that, we can open it in the browser and access it with the given creds.

Getting shell.

Once we are in, we can check the source code of the page. Searching for the word version, we find that the Grafana version is 11.0.0.

If we look that up, we find that there is a known vulnerability that affects DuckDB. The vulnerability is a SQLi that could lead to file read and, at worst, command execution. I wrote a simple Go program to exploit it; you can also find a known exploit for it.

After that we get a shell from the exploit.

The shell is inside a Docker container, which we can verify from the root directory.

After that I took a look around and found the file ldap.toml inside the conf folder. I saw that it uses some credentials from the environment variables, so I checked the environment variables and found these credentials.

These credentials will allow us to connect over SSH.

SSH AS enzo.

And here we can also find our first flag.

Root access.

Root access is quite simple. Looking around the system, under /opt I found this db.

I thought of a few things when I saw this: maybe this is the root password, or maybe we can get the zip and it may contain interesting info. But if we check the open ports, we can see that there is an open port, 8000. Forward it via SSH using this command.

We can see there is something hiding behind a login. Using the root username and this password, we can access it. In there we find this service.

From here you can get creative to get a shell; everything run from here will run as root. As for me, I created a job that takes the bash file, adds the SUID bit to it, and puts it in the tmp folder.

And we can see it here. Now just run

and you should be root.
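
From the defender's side, a setuid copy of bash left in the tmp folder is easy to spot. The following is an added example (not from the original write-up) that lists setuid/setgid files under temporary directories and flags any whose contents match a shell listed in /etc/shells; the function names and the scanned directories are assumptions.

```python
import hashlib
import os
import stat

def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def shell_hashes(shells_file="/etc/shells"):
    """Map SHA-256 -> path for each shell listed in /etc/shells."""
    known = {}
    if os.path.isfile(shells_file):
        with open(shells_file) as fh:
            for path in map(str.strip, fh):
                if path.startswith("/") and os.path.isfile(path):
                    known[sha256_of(path)] = path
    return known

def find_setid_files(roots, known_shells=None):
    """Return regular files under roots that carry the setuid or setgid bit."""
    known = shell_hashes() if known_shells is None else known_shells
    findings = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):  # does not follow symlinked dirs
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: judge the entry itself, not a link target
                except OSError:
                    continue  # file vanished between listing and stat
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                try:
                    match = known.get(sha256_of(path))
                except OSError:
                    match = None  # unreadable, but still worth reporting
                findings.append({"path": path, "uid": st.st_uid,
                                 "mode": oct(stat.S_IMODE(st.st_mode)),
                                 "shell_copy_of": match})
    return findings

if __name__ == "__main__":
    # Assumed scan roots: the usual world-writable temporary directories.
    for hit in find_setid_files(["/tmp", "/var/tmp", "/dev/shm"]):
        print(hit)
```

A hit with uid 0 and a non-empty shell_copy_of is the pattern described in the root step above and should be treated as an incident indicator.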
