Analytics

Upon scanning, you see the system has two ports open: 22 and 80.

I checked whether a web server was being hosted on port 80, and sure enough:

  • analytical.htb

Don't forget to add the IP and domain name to your /etc/hosts file so you can browse the site properly, since the domain isn't actually "live" in public DNS.

Ex: <machine ip> analytical.htb

Note the space between the IP and the domain.

Going to the login page on analytical.htb redirects us to a new domain, or rather a sub-domain:

  • data.analytical.htb

We do the same thing again, adding the sub-domain to /etc/hosts this time, so the hosts file now has two entries for analytical.htb:

<machine ip> analytical.htb
<machine ip> data.analytical.htb

On the database site, we see that it's using an application called Metabase for management. Searching around for potential exploits, it appears there is a pre-authentication RCE (remote code execution without logging in). I found a PoC in Rust, but I'm not savvy with Rust at all, so I kept searching.

I shortly came across one in Python:

  • PoC: https://github.com/securezeron/CVE-2023-38646

The initial payload did not work; there were some minor syntax errors. I referenced a fix from someone who left a comment on an issue, and the PoC worked:

https://github.com/securezeron/CVE-2023-38646/issues/4

Once I got the PoC working properly, with my listener set up, I was able to get onto the system. Time for some enumeration.

User.txt

Username: metalytics
Password: An4lytics_ds20223#

Host enumeration

OS Version

cat /etc/*-release

Kernel Version

uname -a

ls /boot | grep vmlinuz-

uname -mrs

Kernel version:

The hostnamectl command, if it's available on the target machine, is super useful: it shows most of the key information we look for (hostname, kernel version, virtualization, etc.) in one place.

Service and Process Enumeration

metalytics@analytics:~$ ps aux

Not many processes were running. Checking services:

metalytics@analytics:~$ systemctl --type=service --state=running

Since we're able to execute systemctl, that's the path we'll take instead of reading /etc/services (which only maps service names to port numbers). We get a lot more information about running services with systemctl.

Looking through the list, a few services that immediately stick out are:

  • containerd.service loaded active running containerd container runtime

  • dbus.service loaded active running D-Bus System Message Bus

  • docker.service loaded active running Docker Application Container Engine

Reviewing PoCs for containerd, there were none for the version running on this system.
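As an added example (not part of this writeup), here is a small Python parser for the `systemctl --type=service --state=running` output above; it picks out the same units singled out here (container runtime, Docker, D-Bus) so they can be reviewed, and the sample output it runs on is constructed to match the lines quoted above.

```python
"""Parse `systemctl --type=service --state=running` output and flag units
that deserve a closer look when reviewing a host's attack surface.
SAMPLE is constructed for this example; it mirrors the lines quoted above."""

SAMPLE = """\
  UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
  containerd.service   loaded active running containerd container runtime
  dbus.service         loaded active running D-Bus System Message Bus
  docker.service       loaded active running Docker Application Container Engine
  ssh.service          loaded active running OpenBSD Secure Shell server

4 loaded units listed.
"""

# Units worth reviewing, with the note the writeup attaches to each.
WATCHLIST = {
    "containerd.service": "container runtime; check the version against known advisories",
    "docker.service": "Docker engine; the daemon socket is root-equivalent if reachable",
    "dbus.service": "D-Bus; the 1.12.20 advisory found here was DoS only, not privesc",
    "polkit.service": "polkit; pkexec (CVE-2021-4034) is only exploitable when setuid root",
}


def parse_running_services(text):
    """Return one dict per '<unit> LOAD ACTIVE SUB DESCRIPTION' row, skipping header/footer."""
    units = []
    for line in text.splitlines():
        parts = line.lstrip("● ").split(None, 4)  # at most 5 columns; description keeps its spaces
        if len(parts) < 4 or not parts[0].endswith(".service"):
            continue  # header row, blank line, or the 'N loaded units listed.' footer
        unit, load, active, sub = parts[:4]
        desc = parts[4] if len(parts) == 5 else ""
        units.append({"unit": unit, "load": load, "active": active,
                      "sub": sub, "description": desc})
    return units


def flag_services(units, watchlist=WATCHLIST):
    """Map each watch-listed unit that is actually active/running to its review note."""
    return {u["unit"]: watchlist[u["unit"]] for u in units
            if u["unit"] in watchlist and u["active"] == "active" and u["sub"] == "running"}


if __name__ == "__main__":
    for unit, note in flag_services(parse_running_services(SAMPLE)).items():
        print(f"{unit}: {note}")
```

On a live host, feed it the real output with `subprocess.run(["systemctl", "--type=service", "--state=running", "--no-pager", "--no-legend"], capture_output=True, text=True).stdout` in place of SAMPLE.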

Rabbit Hole # 1

Checking the version of the D-Bus socket cleanup utility /usr/bin/dbus-cleanup-sockets, we had version 1.12.20. Searching online, there is an existing CVE for this version; however, it's a DoS (Denial of Service), not any kind of privesc.

Reference: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2023-34969/

Rabbit Hole # 2

Digging into some of the service versions, I was curious about polkit. It was pretty close to the version exploitable by PwnKit (CVE-2021-4034); unfortunately it was a no-go, since pkexec can't be run that way without the root SUID bit being set:

pkexec must be setuid root

Additionally, we would need gcc on the box in order to compile the payload.

Rabbit Hole # 3

Hourly we seem to see this prompt, but having looked through the cron jobs, I'm unsure what it's specifically referencing.

Root

I did quite a bit of searching; TL;DR, there is an exploit for the particular version of Ubuntu running on the system:

https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/
