BigBang a Linux - Hard Machine
by StingEm - Saturday January 25, 2025 at 03:24 PM
(Jan 27, 2025, 03:12 PM)0xbeef Wrote:
(Jan 27, 2025, 03:01 PM)0xbeef Wrote:
(Jan 27, 2025, 02:40 PM)bkbk Wrote:
(Jan 27, 2025, 02:28 PM)lolla981 Wrote: I need help with the grafana.db hash. I've never cracked a grafana db hash before, x | x | developer | email | name | hash | salt | x and few other strings which could be salts, which one is the actual salt? I use the script to change it into hashcat crackable format but I exhaust my list and it never cracks. I have tried all the three strings that are after the hash as salts separately. Can anybody tell me what I am doing wrong?

https://github.com/iamaldi/grafana2hashcat this worked for me.


Did not work for me too, status shows => exhausted
I guess it's the wrong hash then...

(Jan 27, 2025, 03:11 PM)lolla981 Wrote:
(Jan 27, 2025, 02:36 PM)jamma3131 Wrote:
(Jan 27, 2025, 02:28 PM)lolla981 Wrote: I need help with the grafana.db hash. I've never cracked a grafana db hash before, x | x | developer | email | name | hash | salt | x and few other strings which could be salts, which one is the actual salt? I use the script to change it into hashcat crackable format but I exhaust my list and it never cracks. I have tried all the three strings that are after the hash as salts separately. Can anybody tell me what I am doing wrong?

use john for other user's hash

1|0|admin|admin@localhost||441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34|CFn7zMsQpf|CgJll8Bmss||1|1|0||2024-06-05 16:14:51|2024-06-05 16:16:02|0|2024-06-05 16:16:02|0|0|
441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34, CFn7zMsQpf > hash.txt ---> like this? or the other string  CgJll8Bmss, I don't understand.

There must be another hash, you did everything right as I did too. But if it's exhausting it means we got the wrong hash. The tool is simple to use. digging for the other hash right now

The admin hash cannot be cracked,
Here is the developer/George's hash 

7e8018a4210efbaeb12f0115580a476fe8f98a4f9bada2720e652654860c59db93577b12201c0151256375d6f883f1b8d960,4umebBJucv

How did you crack it?

(Jan 26, 2025, 10:01 PM)HTBcracker Wrote: getting root in 1 command

It works thanks dude
Reply

from kali local will give both flags automatically for those who want it. You can also read the python to see how to do the privesc portion if need be.

ensure you have paramiko 'pip install paramiko' and then ensure that blog.bigbang.htb is in your /etc/hosts file

then just run with python3 <script>.py
Reply
Finally I got shell

└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.204.166] 56708
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bf9a078a3627:/var/www/html/wordpress/wp-admin$

Reply
For those still stuck on the foothold
go check for iconv ambionics blogpost.
Don’t overcomplicate it for yourself. You need to retrieve 3 pieces of information, /proc/self/maps (you should not have too much pain for this one) and the libc.so.6. But the headers of this one are broken, so use the script mentioned before to fix the libc and the exploit will work perfectly fine
Reply
(Jan 27, 2025, 07:12 PM)Taour Wrote: For those still stuck on the foothold
go check for iconv ambionics blogpost.
Don’t overcomplicate it for yourself. You need to retrieve 3 pieces of information, /proc/self/maps (you should not have too much pain for this one) and the libc.so.6. But the headers of this one are broken, so use the script mentioned before to fix the libc and the exploit will work perfectly fine


for the libc you can just take the one from the docker image of debian:12.4 (docker run -it --rm debian:12.4 run)

strings libc.so.6 | grep "GLIBC 2.36"
GNU C Library (Debian GLIBC 2.36-9+deb12u4) stable release version 2.36.
Reply
that was pretty easy btw !
Reply
(Jan 27, 2025, 07:12 PM)Taour Wrote: For those still stuck on the foothold
go check for iconv ambionics blogpost.
Don’t overcomplicate it for yourself. You need to retrieve 3 pieces of information, /proc/self/maps (you should not have too much pain for this one) and the libc.so.6. But the headers of this one are broken, so use the script mentioned before to fix the libc and the exploit will work perfectly fine
What about zlib problem?
Reply
can someone provide links to CVEs about this machine foothold?
Reply
How to find parameters to /command or read app.py?

Edit: omg there are more users, ez
Reply
(Jan 27, 2025, 05:44 PM)jamma3131 Wrote:
(Jan 27, 2025, 03:11 PM)lolla981 Wrote:
(Jan 27, 2025, 02:36 PM)jamma3131 Wrote:
(Jan 27, 2025, 02:28 PM)lolla981 Wrote: I need help with the grafana.db hash. I've never cracked a grafana db hash before, x | x | developer | email | name | hash | salt | x and few other strings which could be salts, which one is the actual salt? I use the script to change it into hashcat crackable format but I exhaust my list and it never cracks. I have tried all the three strings that are after the hash as salts separately. Can anybody tell me what I am doing wrong?

use john for other user's hash

1|0|admin|admin@localhost||441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34|CFn7zMsQpf|CgJll8Bmss||1|1|0||2024-06-05 16:14:51|2024-06-05 16:16:02|0|2024-06-05 16:16:02|0|0|
441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34, CFn7zMsQpf > hash.txt ---> like this? or the other string  CgJll8Bmss, I don't understand.


nah, how did u think all of this is a hash? This (441a715bd788e928170be7954b17cb19de835a2dedfdece8c65327cb1d9ba6bd47d70edb7421b05d9706ba6147cb71973a34) is the hash, but it's salted, and even if u crack it the password will not be useful for further invest. I thought u were on the true way. U cannot find something from this grafana. There is a db, u should look more aggressively inside the box, then think outside of the box. Even without linpeas u can get the first flag.

I got it guys, it was the space that was messing up the converted hash. I got the password, lateral movement and then the root
Reply
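The salt question and the stray-space problem discussed in this thread, as an added Python example (not any poster's code and not the linked converter's code). It assumes Grafana stores PBKDF2-HMAC-SHA256 output (10000 iterations, 50-byte key, hex-encoded) with the user table columns in the order shown in the quoted row; the sample password, salt and row are constructed.

```python
import base64
import hashlib
import hmac

ITERATIONS, KEY_LEN = 10000, 50  # assumed Grafana PBKDF2-HMAC-SHA256 parameters


def grafana_encode(password: str, salt: str) -> str:
    """Hex value stored in the password column for this password and salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), ITERATIONS, KEY_LEN
    ).hex()


def clean_pair(digest: str, salt: str):
    """Strip stray whitespace and validate before any conversion."""
    digest, salt = digest.strip().lower(), salt.strip()
    if len(digest) != 2 * KEY_LEN or set(digest) - set("0123456789abcdef"):
        raise ValueError("hash is not 100 hex characters")
    if not salt:
        raise ValueError("empty salt")
    return digest, salt


def parse_user_row(row: str):
    """(login, hash, salt) from id|version|login|email|name|password|salt|rands|..."""
    f = row.strip().split("|")
    if len(f) < 8:
        raise ValueError("not a full user row")
    return (f[2].strip(), *clean_pair(f[5], f[6]))  # f[7] (rands) is not the salt


def parse_pair_line(line: str):
    """(hash, salt) from a 'hash,salt' line, tolerating 'hash, salt'."""
    digest, _, salt = line.partition(",")
    return clean_pair(digest, salt)


def to_hashcat(digest: str, salt: str) -> str:
    """sha256:<iterations>:<b64 salt>:<b64 raw digest>"""
    enc = lambda b: base64.b64encode(b).decode()
    return f"sha256:{ITERATIONS}:{enc(salt.encode())}:{enc(bytes.fromhex(digest))}"


def verify(password: str, digest: str, salt: str) -> bool:
    """Constant-time check of a candidate password against the stored value."""
    return hmac.compare_digest(grafana_encode(password, salt), digest)


# Constructed sample data (not from the machine): password, salt and row.
SALT = "AbCdEf0123"
HASH = grafana_encode("constructed-pw", SALT)
ROW = f"9|0|demo|demo@example.test|Demo|{HASH}|{SALT}|XyZ9876543||1|0|0|"
```

A leading space left on the salt is base64-encoded as part of it, so the converted line describes a different salt and no candidate will ever match.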

