May 28, 2025

Fanatastic Proving Grounds Write-Up

Proving Grounds Fanatastic machine walkthrough

SUMMARY

This write-up covers the Fanatastic machine from Offsec’s Proving Grounds, a Linux machine where an unauthenticated Grafana file read (CVE-2021-43798) led to decrypting a stored credential, and membership in the disk group led from that user to root.

Port 3000 hosted Grafana 8.3.0, vulnerable to CVE-2021-43798, an unauthenticated path traversal in the /public/plugins/<plugin-id>/ asset endpoint, which does not strip ../ from the requested path and therefore lets anyone read any file the Grafana service user can read (the fix shipped in 8.3.1 and in the 8.0.7, 8.1.8 and 8.2.7 patch releases). The grafana.db SQLite database (default location /var/lib/grafana/grafana.db) was downloaded through the traversal and searched with strings, revealing a sysadmin password stored as base64-encoded ciphertext. Base64 is only the transport encoding here; the value is protected by Grafana’s secret encryption, the scheme used for data source credentials: AES-256-CFB under a key derived with PBKDF2-SHA256 from the instance’s secret_key and an 8-byte salt that is prefixed to the ciphertext. The Grafana configuration file (grafana.ini, default /etc/grafana/grafana.ini) was read the same way, leaking the [security] secret_key; an installation that never overrides it is still using Grafana’s shipped default, SW2YcwTIb9zpOOhoPsMm. A public decryptor fed with the secret_key and the ciphertext reversed the encryption, yielding the plaintext password. SSH as sysadmin succeeded.

Privilege escalation leveraged sysadmin’s membership in the disk group, which grants access to the raw block devices under /dev (visible with id and ls -l /dev/sd*), so the contents of the system disk can be read without ever passing the kernel’s file permission checks. After identifying the root partition (df / or lsblk), opening it with debugfs provided raw filesystem access: debugfs parses the ext2/3/4 structures straight off the device, so /root/.ssh/ could be listed and the root SSH private key printed with debugfs’s own cat command (the shell’s cat would still be denied). Saving the key locally with mode 600 and using it with ssh -i as root completed the machine. Two caveats: debugfs only understands ext2/3/4, though on any other filesystem the same group membership still allows dumping the device with dd; and for exactly that reason, disk group membership should be treated as root-equivalent when auditing a host.


PATH TO FOLLOW

  1. Reconnaissance & Grafana Version Discovery
  2. CVE-2021-43798 LFI → grafana.db & grafana.ini Extraction
  3. Secret Key + Encrypted Password → Grafana Decryptor → Plaintext Password
  4. SSH Access as sysadmin
  5. Disk Group Discovery → debugfs Filesystem Access
  6. Root SSH Key Read → SSH as Root

Due to OffSec’s policy on content sharing, these write-ups provide hints only rather than full solutions. I know, boring stuff.