Clue -- Proving Grounds (write-up)

Difficulty: Hard
Box: Clue (Proving Grounds)
Author: dsec
Date: 2024-06-10


TL;DR

Exploited a Grafana vulnerability to extract credentials and read config files, pivoted through FreeSWITCH to get a shell as cassie, then abused cassandra-web running as root to read /etc/shadow and escalate to root.


Enumeration

Nmap results

Services

Web enum

More enum

Grafana

Exploit search

  • Could not get SSH or anything else interesting.

Found a comment on the exploit:

Exploit comment


Exploitation

Grafana exploit

  • cassie:SecondBiteTheApple330
  • ALWAYS READ THE POC!
  • SSH failed with these creds.

Used the exploit to read SSH config:

python 49362.py -p 3000 192.168.157.240 /etc/ssh/sshd_config

sshd_config

  • Only root and anthony can SSH.

FreeSWITCH pivot

Found FreeSWITCH event socket password:

FreeSWITCH docs

Google result

Config read

  • Password: StrongClueConEight021

FreeSWITCH access

Shell as cassie

Enumeration

More enum

cassandra-web

Running services


Privilege escalation

cassandra-web is running as root, so I can read /etc/shadow via path traversal:

curl --path-as-is localhost:4444/../../../../../../../../etc/shadow

/etc/shadow

Hash cracking

Root access

Root flag


Lessons & takeaways

  • Always read the full POC code -- creds were embedded in the exploit output
  • When SSH is restricted by AllowUsers, check which users are actually permitted
  • Internal services (like FreeSWITCH, cassandra-web) running as root are prime privesc targets
  • Path traversal on internal web services can leak sensitive files like /etc/shadow
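
Added example (not part of the original write-up and not cassandra-web's own code): a Python sketch of the containment check a file-serving handler needs so that a request sent with unnormalized ../ segments, like the curl --path-as-is request above, cannot leave the web root. WEB_ROOT, the function names and the sample requests are assumptions made for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical web root, chosen for this example (not a path from the write-up).
WEB_ROOT = "/srv/app/public"


def naive_resolve(request_path: str, root: str = WEB_ROOT) -> str:
    """Vulnerable pattern: trusts the client to have normalized the path."""
    return os.path.normpath(os.path.join(root, request_path.lstrip("/")))


def safe_resolve(request_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the file path to serve, or None if it escapes the web root."""
    decoded = unquote(request_path)  # handle %2e%2e style encoding
    if "\x00" in decoded:
        return None
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    # commonpath compares whole components, so "/srv/app/public-backup"
    # is not mistaken for a child of "/srv/app/public" (a startswith bug).
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


# Constructed sample requests, as a server would see them un-normalized.
SAMPLES = [
    "/css/site.css",
    "/../../../../../../../../etc/shadow",
    "/%2e%2e/%2e%2e/etc/shadow",
    "/../public-backup/notes.txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        verdict = safe_resolve(path)
        print(f"{path!r:45} naive={naive_resolve(path)!r} safe={verdict!r}")
```

The check limits what a request can reach; running the service as an unprivileged user instead of root limits what a missed case can read.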