This article provides a detailed walkthrough of exploiting a retired HackTheBox machine, focusing on network enumeration, subdomain fuzzing, CVE exploitation, privilege escalation, and obtaining root access. It emphasizes understanding each step and commandβs purpose for beginners. #Grafana #CVE-2024-9264
Keypoints
- Initial enumeration involved pinging the target and running an nmap scan to identify open ports.
- Subdomain fuzzing led to discovering the Grafana and planning.htb subdomains.
- Exploiting CVE-2024-9264 allowed remote command execution on the Grafana instance.
- Privilege escalation was achieved through cron job manipulation and setuid binary abuse.
- Root access was obtained by creating a cron job that set the setuid bit on /bin/bash and executing it.