Analytics Write-Up

My infosec journey continues

Pr3ach3r
System Weakness


HTB Banner: An image in the center shows a man dressed like a doctor. The machine was released in October 2023, and its difficulty is easy.
Analytics banner

Introduction

Hello everyone! Welcome back to my infosec journey. Today we will hack an easy machine on the HackTheBox website, named Analytics. This machine has two potential vulnerabilities that lead us to compromise the entire infrastructure. So, let’s begin!

Enumeration

As always, we start by enumerating with Nmap.

#nmap command
$ nmap -Pn -p 22,80 -v -sCV -oN nmap-ana 10.10.11.233
#nmap results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see that only two ports are open. We won’t focus on SSH at the moment, so let’s see what port 80 has.

The main page of the Analytics machine. In the center, it says ‘Analysis — information on demand.’ In the right corner above, there is a login page.
Let’s “analise” this page…

It’s a static page with a login link. The login link redirects us to a different hostname. After adding that hostname to the /etc/hosts file, we can see a login page from Metabase. Metabase is an open-source business intelligence tool that lets you ask questions about your data and displays answers in formats that make sense, whether that’s a bar chart or a detailed table.

Searching on Google for vulnerabilities in Metabase, we find some methods to gain our initial access:

  1. Using Metasploit
  2. Using a public exploit
  3. Using Burp Suite and performing all the steps manually.

We will use a public exploit for now, but you can learn more about performing all the steps manually by watching the Ippsec video write-up for Analytics.

Exploitation

The image below shows the public exploit being run alongside a Netcat listener on port 9001. It’s an exploit that takes advantage of CVE-2023-38646, the Metabase Pre-Auth RCE vulnerability.

Searching for an explanation on Google, we found this:

The vulnerability existed in the /api/setup/validate API endpoint, which served as a crucial part of Metabase’s initial setup process. During application setup, this endpoint was responsible for checking the database connection. However, attackers could exploit a flaw in the JDBC connection handling, leading to remote code execution (RCE) with pre-authentication. This meant that attackers could execute malicious commands on the server with elevated privileges, gaining full control over the application environment. With this level of access, an attacker could potentially steal sensitive data, manipulate the application, or even gain control of the entire server infrastructure.
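From a defender's side, the useful takeaway from that description is that /api/setup/validate has no business receiving traffic once setup is finished. As an added example (not part of the original write-up or of Metabase), here is a small detection over constructed nginx access-log lines that flags every request to that endpoint; the log format, sample IPs and function names are assumptions.

```python
# Added example, not from the original write-up: flag requests to Metabase's
# pre-auth /api/setup/validate endpoint in nginx access logs. Once initial setup
# is complete, nothing legitimate calls it, so every hit deserves an alert.
import re
from collections import Counter

# nginx "combined" log format; the group names are this example's own choice.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SETUP_PATHS = {"/api/setup/validate"}

# Constructed sample lines: ordinary Metabase use plus two hits on the setup endpoint.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Oct/2023:10:01:02 +0000] "GET /api/session/properties HTTP/1.1" 200 5123
10.10.14.5 - - [08/Oct/2023:10:01:09 +0000] "POST /api/session HTTP/1.1" 200 98
10.10.14.9 - - [08/Oct/2023:10:02:31 +0000] "POST /api/setup/validate HTTP/1.1" 400 45
10.10.14.9 - - [08/Oct/2023:10:02:33 +0000] "POST /api/setup/validate HTTP/1.1" 400 45
10.10.14.5 - - [08/Oct/2023:10:03:00 +0000] "GET /api/card HTTP/1.1" 200 2210
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_setup_hits(log_text):
    """Return (ip, timestamp, method, status) for every request to a setup endpoint.
    The status code is kept so the analyst can see it; a non-200 answer alone
    is not a reason to ignore a request to this endpoint after setup."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if path in SETUP_PATHS:
            hits.append((rec["ip"], rec["ts"], rec["method"], int(rec["status"])))
    return hits

def summarize(hits):
    """Count hits per source IP so repeated probing stands out."""
    return Counter(ip for ip, *_ in hits)

if __name__ == "__main__":
    for ip, n in summarize(find_setup_hits(SAMPLE_LOG)).items():
        print(f"ALERT: {n} request(s) to /api/setup/validate from {ip} after setup")
```

Feeding the real access log instead of SAMPLE_LOG turns this into a quick post-incident check for whether the endpoint was probed before the exploit landed.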

Tmux panel split horizontally. Above is the command of the public exploit, and below is the listening port. The exploit was successful.
Performing python script and the nc listener

After successfully gaining our first access, we noticed that we were in a Docker container. We start working through our privesc checklist (or upload LinPEAS) to find our next vulnerability. But this time, it was very easy, because the SSH credentials were sitting in plaintext in the output of the env command, as we can see in the image below:

Env command results. The SSH credentials are in plaintext.
env command results
#ssh credentials:
META_USER=metalytics
META_PASS=An4lytics_ds20223#

With the credentials in hand, let’s access the server via SSH.

Privilege Escalation

On the server, we can perform our privilege escalation checklist, testing all possibilities to discover any breaches in the system. During our enumeration, we discovered that this Ubuntu version is vulnerable to CVE-2023-2640, also known as GameOver(lay) Ubuntu Privilege Escalation. You can learn more about this technique here.

The command is very complex, but it’s easier to understand after watching the Ippsec video mentioned earlier. After copying and pasting the command, we gained root access, as shown in the image below:

Gaining root access by exploiting the GameOver(lay) Ubuntu privilege escalation.
Root, baby!

After gaining root access, we can retrieve the user and root flags.

Conclusion

Finish Banner: It is the same image as the beginning. Below the image says — ‘Analytics has been Pwned’.
Pwned!

This machine was very interesting, and I learned so much. If you enjoyed this write-up, consider clicking the clapping button and following to stay updated on future content.

Thank you for reading, and I’ll see you in the next post.
