Analytics
Analytics writeup by Thamizhiniyan C S
Overview
Greetings everyone,
In this write-up, we will tackle Analytics from HackTheBox.
Machine link: Analytics Machine
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
Reconnaissance
Rust Scan
rustscan --range=1-65535 --ulimit 5000 -a <TARGET_IP> -- -A -T4 -v -Pn
Results
Port | Service | Service Version
---|---|---
22 | SSH | OpenSSH 8.9p1
80 | HTTP | nginx 1.18.0
Information Gathering - analytical.htb
First, let's take a look at the website running on port 80.
When attempting to access port 80, the site redirects to the domain analytical.htb. Therefore, to access the website, we need to append an entry to the /etc/hosts file, mapping the domain to the target IP address.
Command: sudo vim /etc/hosts
Now we have access to the website. I used Wappalyzer to check the technologies employed, but nothing of particular interest was discovered.
When I clicked the login button in the top right corner of the webpage, it redirected me to the subdomain data.analytical.htb. To access it, you need to append another entry to the /etc/hosts file.
Now, we can access the website. The website hosted on data.analytical.htb is a Metabase login page. Metabase is an open-source business intelligence tool that allows you to connect to many popular databases.
CVE-2023-38646
I began searching for recent exploits and vulnerabilities related to Metabase and came across this: https://www.assetnote.io/resources/research/chaining-our-way-to-pre-auth-rce-in-metabase-cve-2023-38646.
As mentioned in the article, I verified whether /api/session/properties is accessible, and indeed, it was.
Next, I searched for the setup-token in the /api/session/properties page. I copied the content of the page and pasted it into a JSON beautifier, where I located the setup-token. I utilized the following JSON beautifier website: https://codebeautify.org/jsonviewer.
Initial Access
This indicates that the Metabase application is vulnerable to Remote Code Execution (RCE). I crafted a Python script based on the Proof of Concept (PoC) mentioned in the above article, along with references from other PoCs targeting the same vulnerability. The script retrieves the setup-token from the Metabase application and sends a POST request to /api/setup/validate to exploit the RCE, consequently enabling a reverse shell to be established back to the attacker's machine.
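From the defender's side, the request sequence described above (a read of /api/session/properties followed by a POST to /api/setup/validate on an already-configured instance) is visible in the web server's access log. The following added example, which is not part of this write-up or of Metabase, scans nginx "combined" log lines (assumed format, constructed sample entries) and reports clients that exhibit that sequence:

```python
import re

# nginx "combined" access log format (assumed; the write-up shows no log lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: a normal browser session (the Metabase frontend
# itself fetches /api/session/properties, so that request alone is benign)
# and a scripted client that reads the properties endpoint and then POSTs
# to /api/setup/validate, the pattern CVE-2023-38646 exploitation relies on.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2023:12:00:01 +0000] "GET /auth/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2023:12:00:02 +0000] "GET /api/session/properties HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Oct/2023:12:05:10 +0000] "GET /api/session/properties HTTP/1.1" 200 8810 "-" "python-requests/2.31"
10.10.14.9 - - [10/Oct/2023:12:05:11 +0000] "POST /api/setup/validate HTTP/1.1" 400 112 "-" "python-requests/2.31"
"""


def parse(lines):
    """Yield one dict per line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_setup_validate_abuse(log_text):
    """Return one finding per POST to /api/setup/validate.

    On a Metabase instance whose setup is complete, nobody should hit this
    endpoint. The finding notes whether the same client first read
    /api/session/properties, where the setup-token is exposed.
    """
    seen_properties = set()
    findings = []
    for rec in parse(log_text.splitlines()):
        ip, method = rec["ip"], rec["method"]
        path = rec["path"].split("?")[0]
        if method == "GET" and path == "/api/session/properties":
            seen_properties.add(ip)
        elif method == "POST" and path == "/api/setup/validate":
            findings.append({
                "ip": ip,
                "time": rec["time"],
                "status": int(rec["status"]),
                "read_setup_token_first": ip in seen_properties,
            })
    return findings


if __name__ == "__main__":
    for finding in find_setup_validate_abuse(SAMPLE_LOG):
        print(finding)
```

Feed it a real access log to triage; a blocked or 4xx response on the POST still means someone tried, so the status code is reported rather than filtered on.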
Before executing the script, initiate a netcat listener on port 9001.
Now, execute the Python script and monitor the netcat listener. You will observe that you receive a connection back from the target machine. Upon further exploration of the machine, I discovered linpeas in the home directory. However, running it did not yield any privilege escalation vectors. Therefore, I continued searching for alternative avenues. I inspected the environment variables of the target machine, from which I obtained a username and password.
Since SSH is running on the target machine, I attempted to log in using the credentials we obtained, and to my satisfaction, it worked.
Getting the User Flag
Privilege Escalation
I tried all the usual privilege escalation vectors, but nothing worked. I proceeded to identify the kernel version as my next step in the investigation.
I began searching for exploits targeting the identified kernel version and came across this: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629.
I examined the exploit.sh file in the mentioned repository. It contained a single line of code that performed the privilege escalation task. Subsequently, I copied and executed the code. Below, I have provided the code:
Getting the Root Flag
I executed the code, and to my satisfaction, it successfully completed the privilege escalation, granting me access to the root flag.
Thank You....