Hack The Box: Planning - Writeup

Machine Details

  • Machine Name: Planning
  • OS: Linux
  • Difficulty: Easy
  • Points: 20

Introduction

Greetings, fellow adventurers of the digital realm! Prepare to unveil the secrets of the Hack The Box machine "Planning" in this enchanting writeup. What unfolded was no ordinary penetration test, but a captivating journey of discovery, where I navigated the intricate pathways of web reconnaissance, unearthed a critical vulnerability within the Grafana realm, performed a daring escape from a contained Docker domain, and ultimately ascended to claim root privileges over the host system. Join me as I recount the tale of how I retrieved both the whispered secrets of user.txt and the ultimate treasure of root.txt!

Reconnaissance

Nmap Scan

I began with an Nmap scan to discover open ports and services.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration (Port 80 - planning.htb)

The Nmap scan revealed a web server running on port 80. Accessing http://planning.htb/ (after updating my /etc/hosts file) revealed a website for "Edukate - Online Education Website." I reviewed the HTML source code and found standard PHP pages such as index.php, login.php, and contact.php.

The index.php page featured a search form that submitted a keyword parameter via a POST request. My initial attempts to find Cross-Site Scripting (XSS) or SQL Injection vulnerabilities here were unsuccessful, indicating the input was either sanitized or not reflected in an exploitable manner.

Subdomain Enumeration (grafana.planning.htb)

Believing there might be hidden subdomains, I used gobuster for subdomain enumeration. This process identified grafana.planning.htb, strongly suggesting the presence of a Grafana instance.

(Example gobuster command used for subdomain enumeration; make sure /etc/hosts is updated first.)

# Ensure /etc/hosts is updated: <'IP'> planning.htb grafana.planning.htb
gobuster vhost -u http://planning.htb/ -w /path/to/your/wordlist.txt -b 404 -o subdomain_enum.txt
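Seen from the server side, the vhost enumeration above is loud: one client asks for dozens of different Host headers in a few seconds, and the one real name (grafana.planning.htb here) answers differently from the default server. As an added example that is not part of the original writeup, the Python below flags that pattern in nginx access logs and lists the hostnames whose status differed from the majority answer. The log lines are constructed, and it assumes a custom log_format that writes $host after the timestamp (the stock "combined" format does not record it).

```python
import re
from collections import Counter, defaultdict

# Constructed nginx access log lines (not captured from the box). Assumes a
# log_format that records the requested Host header ($host) right after the
# timestamp; the stock "combined" format does not log it.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "planning.htb" "GET /index.php HTTP/1.1" 200 23742 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "admin.planning.htb" "GET / HTTP/1.1" 301 178 "-" "gobuster/3.6"
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "dev.planning.htb" "GET / HTTP/1.1" 301 178 "-" "gobuster/3.6"
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "test.planning.htb" "GET / HTTP/1.1" 301 178 "-" "gobuster/3.6"
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "grafana.planning.htb" "GET / HTTP/1.1" 302 29 "-" "gobuster/3.6"
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "api.planning.htb" "GET / HTTP/1.1" 301 178 "-" "gobuster/3.6"
10.10.14.9 - - [01/Jan/2025:10:00:05 +0000] "planning.htb" "GET /contact.php HTTP/1.1" 200 9181 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<host>[^"]*)" '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def vhost_enum_suspects(text, threshold=3):
    """Map client IP -> {host: status} for clients that requested at least
    `threshold` distinct Host values. One client hitting many different
    hostnames on the same server is the signature of a vhost wordlist scan."""
    hosts_by_ip = defaultdict(dict)
    for rec in parse_log(text):
        hosts_by_ip[rec["ip"]][rec["host"]] = int(rec["status"])
    return {ip: h for ip, h in hosts_by_ip.items() if len(h) >= threshold}

def anomalous_hosts(host_status):
    """Hosts whose status differs from the majority (default-server) answer.
    That difference is what the scanner keys on, so these are the names the
    scan would have surfaced and the ones to review first."""
    baseline = Counter(host_status.values()).most_common(1)[0][0]
    return sorted(h for h, s in host_status.items() if s != baseline)
```

Run against a real log, the threshold should be tuned to how many hostnames the server legitimately serves, and a short time window per client cuts down false positives from shared egress addresses.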

Initial Access (to Grafana and Container)