Analytics
🎯 Target IP: 10.129.229.224
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
I prefer to start recon by pinging the target; this checks connectivity and gives a first hint about the OS.
Sending these three ICMP packets, we see that the Time To Live (TTL) is about 64 (TTL is a hop count, not a time). This indicates that the target is probably a *nix system, while Windows systems usually answer with a TTL of 128.
-sS: SYN scan
-sC: run default scripts
-sV: enumerate versions
-A: aggressive mode
-T4: run a bit faster
-oN: output to file with nmap formatting
It looks like there are 2 open TCP ports on the machine: 22 and 80.
2
Now we run a more precise scan with the -sCV flags to retrieve service versions and run the default scripts.
Since we lack credentials for SSH login, we will begin by examining port 80.
Looking at the http-title we see a hostname, http://analytical.htb/, and when browsing to the HTTP port we notice that we are redirected (status code 302) to analytical.htb.
We can confirm it using a web proxy such as Burp Suite:
To resolve this, we add the domain to our /etc/hosts file.
The task is to find another subdomain configured to serve a different application on the target web server; we found it by inspecting the source code of the web page:
This URL refers to a login page, and to resolve it we need to add it to /etc/hosts as well:
data.analytical.htb
By running WhatWeb or simply viewing the page, we discover that there is a Metabase web application.
Metabase
Using WhatWeb and an nmap scan, we were able to discover the Metabase version. However, it is simpler to retrieve this information by viewing the source code of the web page.
v0.46.6
Googling it, we find the CVE ID related to Metabase v0.46.6:
CVE-2023-38646
setup-token
used by this Metabase instance? Using the same methodology as in task 2.4, we can find the setup-token in the source code:
249fa03d-fd94-4d5b-b94f-b4ebf3df681f
We discover it by reading the documentation of the team that found this vulnerability:
/api/setup/validate
To answer this question we need to exploit the vulnerability using a Python script from GitHub together with the web app parameters.
The GitHub repo suggests the following usage:
The script needs the target URL, the setup token and a command that will be executed. The setup token can be obtained through the /api/session/properties endpoint. Copy the value of the setup-token key.
The command will be executed on the target machine with the intention of obtaining a reverse shell. You can find different options in RevShells. Having the setup-token value and the command that will be executed, you can run the script with the following command:
python3 main.py -u http://[targeturl] -t [setup-token] -c "[command]"
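From the defender's side, the two endpoints named above leave a clear footprint in the web server's access log. The following is an added detection example, not part of the original write-up or of the exploit repository; it assumes a reverse proxy in front of Metabase writing the standard combined log format, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Combined log format (nginx/Apache default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints named in the write-up: the first leaks the setup-token to unauthenticated
# clients, the second consumes it in the CVE-2023-38646 request.
RECON_PATH = "/api/session/properties"
EXPLOIT_PATH = "/api/setup/validate"

@dataclass
class Finding:
    ip: str
    ts: str
    reason: str

def scan_access_log(lines):
    """Return one Finding per suspicious request, in log order.
    Any POST to /api/setup/validate is flagged: a Metabase instance that has finished setup
    has no reason to receive one. A GET of /api/session/properties is flagged only if the
    same client later hits the exploit endpoint, since browsers fetch it on every page load."""
    findings, recon_by_ip = [], {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format, skip
        ip, ts, method, path = m["ip"], m["ts"], m["method"], m["path"].split("?")[0]
        if method == "GET" and path == RECON_PATH:
            recon_by_ip.setdefault(ip, ts)  # remember the first token fetch per client
        elif method == "POST" and path == EXPLOIT_PATH:
            if ip in recon_by_ip:
                findings.append(Finding(ip, recon_by_ip.pop(ip), f"read setup-token from {RECON_PATH}"))
            findings.append(Finding(ip, ts, f"POST {EXPLOIT_PATH} (CVE-2023-38646 pattern)"))
    return findings

# Constructed sample lines (not captured from the lab): a normal browser session from
# 10.0.0.5, then a client that reads the token and posts to the exploit endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/session/properties HTTP/1.1" 200 2310',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/user/current HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /api/session/properties HTTP/1.1" 200 2310',
    '10.0.0.9 - - [01/Jan/2024:10:05:02 +0000] "POST /api/setup/validate HTTP/1.1" 400 97',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip}: {f.reason}")
```

The same two-request pattern could be expressed as a correlation rule in a SIEM; the status code is deliberately not used, since a failed exploit attempt is just as worth alerting on as a successful one.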
Then we start a netcat listener on port 1339 on the attacker machine.
We save the exploit locally and run the following command:
And we're in.
metabase
This question gives us an important hint about what we can do.
In fact, using the export command, which shows us the environment variables, we find credentials:
META_PASS
Upon checking with sudo -l, we find that we do not have any sudo permissions. However, since we discovered another open port, 22 (SSH), we can attempt to log in with the credentials we just found.
ssh metalytics@analytics.htb
We use the uname -a command to display the kernel version:
6.2.0-25-generic
We can use lsb_release -a or cat /etc/os-release to identify the distribution release:
UBUNTU 22.04.03 LTS (JAMMY)
Having found an old kernel version, I search on Google for a public exploit.
overlayfs
As explained in the GitHub repository below, we can use the GameOver(lay) Ubuntu privilege escalation.
Then, executing the bash script, we become root and can access the root flag.