Planning. (HTB)

Into.

Hello everyone again here is a new HTB machine planning without further to do let jump into it.

Enumeration.

Port scanning.

# Nmap 7.95 scan initiated Sat May 31 21:29:25 2025 as: nmap -vvv -p 22,80 -4 -sC -sV -vv -o scan.nmap 10.10.11.68
Nmap scan report for planning.htb (10.10.11.68)
Host is up, received syn-ack (0.014s latency).
Scanned at 2025-05-31 21:29:25 +08 for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMv/TbRhuPIAz+BOq4x+61TDVtlp0CfnTA2y6mk03/g2CffQmx8EL/uYKHNYNdnkO7MO3DXpUbQGq1k2H6mP6Fg=
|   256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpJkWOBF3N5HVlTJhPDWhOeW+p9G7f2E9JnYIhKs6R0
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 31 21:29:33 2025 -- 1 IP address (1 host up) scanned in 7.57 seconds

Nothing new ssh and http.

Enumerate HTTP.

Directory Bruteforce.

dirsearch -u http://planning.htb                                                                                  □ Documents/Planning 21:35

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://planning.htb/

[21:36:01] Scanning:
[21:36:03] 200 -   12KB - /about.php
[21:36:05] 200 -   10KB - /contact.php
[21:36:06] 301 -   178B - /css  ->  http://planning.htb/css/
[21:36:07] 301 -   178B - /img  ->  http://planning.htb/img/
[21:36:07] 200 -   23KB - /index.php
[21:36:07] 403 -   564B - /js/
[21:36:07] 301 -   178B - /js  ->  http://planning.htb/js/
[21:36:07] 403 -   564B - /lib/
[21:36:07] 301 -   178B - /lib  ->  http://planning.htb/lib/

Nothing interesting most of these sub directories are forbidden so let's check subdomains.

SubDomain Enumeration.

~/Desktop/rust/web_tester/target/debug/web_tester sub-domain-active -t 'http://planning.htb' -d planning.htb -w /usr/share/seclists/Discovery/DNS/services-names.txt
Status: 200 OK, grafana.planning.htb

Using my custom tool check out if you want here it is.

GitHub - Cythonic1/web_tester: a simple rust port_scanner with multie threadingGitHub

we can see that we have grafana. below we can see more what grafana is.

Grafana

Grafana is an open-source analytics and monitoring platform. It is widely used for visualizing time series data and supports a plethora of data sources including Prometheus, InfluxDB, Elasticsearch, and more. With Grafana, users can create and share dynamic dashboards, set up alerts, and explore metrics to gain insights into their systems and operations. Its flexible and customizable dashboards make it a popular choice.

Access grafana.

First we need to add that subdomain into our hosts file.

Once we done with that now we can ope it in the browser and access it with the given creds.

admin / 0D5oT70Fq13EvB5r

Getting shell.

So once we in we can check the source code of the page searching for the word version we can find the grafana version is 11.0.0

If we look that we can find that there is a know vulnerablity the effect Duckdb. The vulnerability is a SQLi that could lead to file read and worst command execution i wrote a simple go code to exploit it you can also find a known exploit for it.

GitHub - Cythonic1/CVE-2024-9264: A go implementation for CVE-2024-9264 which effect grafana versions 11.0.x, 11.1.x, and 11.2.x.GitHub

After we get a shell from the exploit.

Which is a docker container we can verify from the root directory.

After that i took a look around and i found this file ldap.toml inside the conf. folder after that i saw it uses some credentials from the environment variables and i check the environment variables and found these credentials.

These credintials will allow us to connect to ssh.

SSH AS enzo.

And here we can also find our first flag.

Root access.

As for the root access is quite simple looking around the system under /opt i found this db.

I though of few things when i saw this, like this is the root password or we maybe can get the zip and it may contain intresting info. But if we check the open ports we can see that there is an open port under 8000. forward it via ssh. using this command.

ssh -L 8000:127.0.0.1:8000 enzo@planning.htb

we can see there is something hiding behind login. using root user name and this password. we can access it. And in there we going to find this service.

GitHub - alseambusher/crontab-ui: Easy and safe way to manage your crontab fileGitHub

And from here you can get creative to get shell everything will be running from here will be ran as ROOT. As for me i created a job that take the bash file add to it SUID bit and put it in the tmp folder.

cp /bin/bash /tmp && chmod 4777 /tmp/bash

And we can see it here. now just run

/tmp/bash -p

and you should be Root.

PreviousCicada (HTB)NextLinux History

Last updated 8 months ago

hashtagInto.

hashtagEnumeration.

hashtagPort scanning.

hashtagEnumerate HTTP.

hashtagDirectory Bruteforce.

hashtagSubDomain Enumeration.

hashtagGrafana

hashtagAccess grafana.

hashtagGetting shell.

hashtagSSH AS enzo.

hashtagRoot access.