🎧 Data

Easy machine

Grafana

DB credentials (in /var/lib/grafana/grafana.db)

Dump hashes (using https://github.com/persees/grafana_exploits)

Cracking Hashes

With hashcat, I get this credential:

Privesc

After running linpeas, we can see that boris can run a specific command as root

Because the rule contains a wildcard, we can add whatever options we want to the command.
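
To audit for this class of rule, the following added example (not part of the original writeup) flags sudoers entries whose argument pattern contains a wildcard and shows why such a pattern also accepts extra options. The sudoers lines, the `/usr/bin/docker` path and the `CONTAINER_ID` placeholder are constructed for illustration, and `fnmatch` is used as an approximation of sudo's argument matching.

```python
import fnmatch
import re

# Constructed sudoers lines for illustration; not the rule from the machine.
SAMPLE_SUDOERS = """\
# constructed sample
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
boris ALL=(root) NOPASSWD: /usr/bin/docker exec *
carol ALL=(root) NOPASSWD: /usr/bin/docker exec -u app web /bin/ls
"""

# user host=(runas) [NOPASSWD:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$"
)


def parse_rules(text):
    """Yield (user, command_path, arg_pattern) for each command in each rule."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path, _, args = cmd.strip().partition(" ")
            yield m.group("user"), path, args.strip()


def wildcard_rules(text):
    """Return the rules whose argument pattern contains a glob wildcard."""
    return [r for r in parse_rules(text) if re.search(r"[*?\[]", r[2])]


def rule_allows(arg_pattern, argv):
    """Approximate sudoers matching: the arguments are joined into one string,
    so '*' also matches spaces and therefore whole extra options."""
    return fnmatch.fnmatchcase(" ".join(argv), arg_pattern)


if __name__ == "__main__":
    for user, path, args in wildcard_rules(SAMPLE_SUDOERS):
        print(f"wildcard in arguments: {user} -> {path} {args}")
    print(rule_allows("exec *", ["exec", "--privileged", "CONTAINER_ID", "bash"]))
```

A rule that spells out every argument, like the constructed `carol` entry, does not match a command line with an added option.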

First, we need to find a running container so we can start a bash shell in it with privileges (--privileged)

We now have the ID of the container:

e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81

So, let's run the command:

Bingo!

Now, we need to find a way to escape the docker container.

I followed some blogs / resources to learn a lot about this kind of privesc

Finally, I found a way to escape it thanks to the --privileged flag:

We can now access the host filesystem in the hola directory

PWNED 🏆