HTB Linux Easy: Analytics

Analytics is an Easy rated Linux machine on HTB.

Nmap

Initial Foothold

Enumerating HTTP (port 80)

The site redirects to analytical.htb; add the domain to the hosts file.

Visiting the login page results in a redirect to data.analytical.htb; add the subdomain to the hosts file as well.

The data.analytical.htb subdomain serves the login page of the Metabase platform.

Gain shell

Looking for Metabase vulnerabilities, we find one that allows RCE: CVE-2023-38646. Step 1 is retrieving the setup token from the /api/session/properties page.

Next, we can use the PoC to gain a reverse shell: modify the base64 string (base64-encode your own bash reverse shell and replace it in Burp). The request has to be sent as a POST to /api/setup/validate.

Your nc listener should now have received a shell.
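From the defender's side, the two requests described above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original post or of Metabase: it flags clients that POST to /api/setup/validate and checks whether a saved /api/session/properties response still carries a setup token. The log lines, the combined log format, and the premise that nothing legitimate calls the validate endpoint once setup is finished are assumptions.

```python
import json
import re

# Constructed sample access-log lines (combined log format), not from the page.
SAMPLE_LOG = """\
10.10.14.7 - - [15/Jul/2024:10:12:01 +0000] "GET /api/session/properties HTTP/1.1" 200 74478 "-" "curl/8.5.0"
10.10.14.7 - - [15/Jul/2024:10:12:40 +0000] "POST /api/setup/validate HTTP/1.1" 400 125 "-" "python-requests/2.31"
192.0.2.20 - - [15/Jul/2024:10:13:02 +0000] "GET /api/session/properties HTTP/1.1" 200 74478 "-" "Mozilla/5.0"
192.0.2.20 - - [15/Jul/2024:10:13:05 +0000] "POST /api/session HTTP/1.1" 200 48 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def setup_token_exposed(properties_json: str) -> bool:
    """True when a saved /api/session/properties body carries a setup token."""
    props = json.loads(properties_json)
    return bool(props.get("setup-token"))


def suspicious_clients(log_text: str, setup_complete: bool = True) -> dict:
    """Map client IP -> [(time, status, fetched_properties_first), ...].

    Assumption: after initial setup no legitimate client POSTs to
    /api/setup/validate, so every such request is reported. A properties
    fetch from the same client beforehand is recorded as extra context.
    """
    fetched_props = set()
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, when, method, path, status = m.groups()
        path = path.split("?", 1)[0].rstrip("/")
        if method == "GET" and path == "/api/session/properties":
            fetched_props.add(ip)
        elif method == "POST" and path == "/api/setup/validate" and setup_complete:
            hits.setdefault(ip, []).append((when, int(status), ip in fetched_props))
    return hits


if __name__ == "__main__":
    for ip, events in suspicious_clients(SAMPLE_LOG).items():
        print(ip, events)
```

Any HTTP status on the validate request is worth reviewing, since the response code alone does not show whether the request had an effect.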

Lateral movement

We know we are in a Docker container because of the .dockerenv file.

Credentials can be found in the environment variables: metalytics:An4lytics_ds20223#

Use these credentials to SSH in as the metalytics user.

Priv Esc

The system is vulnerable to the overlayfs kernel exploit. We can compile the C program on our host and then execute it on the target machine to get a root shell.

User.txt

Root.txt

You have PWNED

This post is licensed under CC BY 4.0 by the author.