VL - Data


Nmap returns only port 3000 and 22 open. On port 3000 is Grafana version 8.0.0 running. Version 8.0.0 is vulnerable for a unauthorized LFI CVE-2021-43798

It is important to understand what is vulnerable if we take a look at the code the request is sent to /public/plugins/<random_plugin> from there the LFI is being executed by adding multiple ../../../ this way we go down the directories and can include another file from the server.

I highly recommend exploiting it manually or creating your own script to maximize your learnings.

Initial Access

We can retrieve the database by going to /var/lib/grafana/grafana.db this returns us a sqlite3 database file with the hashed password and the salt used in it. By researching a bit how Grafana handles the encryption I stumbled against the following blogpost VulnCheck.

In the blogpost they showed a small script to convert the password + salt to a hashcat likeable format. I changed the script a little bit to make it more user friendly Grafana2Hash.

The interesting code in Grafana:

// EncodePassword encodes a password using PBKDF2.
func EncodePassword(password string, salt string) (string, error) {
newPasswd := pbkdf2.Key([]byte(password), []byte(salt), 10000, 50, sha256.New)
return hex.EncodeToString(newPasswd), nil

In the code we can see how the password get stored and that it is hex encoded before being saved in the database. By using the script we can convert it and feed it to Hashcat to crack it.

hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt 

We can now log in as Boris into Grafana but notice pretty quickly that we have no permissions to do anything, we can reuse the password via SSH to gain access to the Boris user.

Privilege Escalation

Running sudo -l shows that we can run docker exec as root. There also isn’t a Grafana user in the home directory but the /etc/passwd we retrieved earlier did show us the Grafana user, so this is most likely running in a container. We can get privileged access to the container as the root user --privileged -u 0:

sudo /snap/bin/docker exec --privileged -u 0 -it grafana /bin/sh

As a privileged user within the container we have access to /dev/ and are able to mount the disk of the VM:

mkdir -p /mnt/bushidosan
mount /dev/xvda1 /mnt/bushidosan

By going to /mnt/bushidosan/root/ we can now obtain the root flag.

This post is licensed under CC BY 4.0 by the author.