Planning Writeup

Writeup for Hack The Box Easy Machine Planning (My First Writeup)

Planning Machine

This machine is about subdomain enumeration and a vulnerability in its version of Grafana. I will show the whole process of discovering the user and root flags.

Enumerate services

Run nmap to enumerate the open ports and the services running on the box.

┌──(mvthul㉿kali01)-[~/HTB/machines/planning]
└─$ cat nmap/planning.nmap 
# Nmap 7.95 scan initiated Sun Jun  8 16:37:09 2025 as: /usr/lib/nmap/nmap -sC -sV -T5 -oA nmap/planning 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.0088s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun  8 16:37:16 2025 -- 1 IP address (1 host up) scanned in 7.23 seconds

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox’s policy on publishing content from their platform.

For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server.

This post is licensed under CC BY 4.0 by the author.