Analytics
Upon scanning, we see the system has two ports open: 22 and 80.
Checking whether a web server was being hosted on port 80, and sure enough:
analytical.htb
Don't forget to add the IP and domain name to your /etc/hosts file so you can browse the site properly, since it's not actually "live". Ex:
<machine ip> analytical.htb
Note the space between the IP and the domain.
Going to the login page on analytical.htb brings us to a new domain, well, sub-domain:
data.analytical.htb
We go through and do the same thing again, this time adding the sub-domain to our /etc/hosts, so we now have two listings for analytical.htb in our hosts file:
<machine ip> analytical.htb
<machine ip> data.analytical.htb
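Since the hosts file has to be edited twice here (once per name) and a duplicated or mistyped entry is an easy way to lose time, here is a small helper that adds entries only when the name is not already mapped. This is an added example, not part of the write-up; the IP 10.10.10.5 used in the demo is a constructed placeholder, and on a real box you would point the path at /etc/hosts (with sudo) and use the machine's actual address.

```python
"""Idempotent hosts-file helper (added example, not from the write-up).

Appends "IP<TAB>NAME" lines only when NAME is not already mapped, so running it
for analytical.htb and then again for both names leaves exactly two entries.
"""
import ipaddress
from pathlib import Path


def parse_hosts(text: str) -> dict:
    """Map every hostname/alias in hosts-file text to its IP, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        ip, *names = line.split()             # first field is the address, the rest are names
        for name in names:
            mapping[name] = ip
    return mapping


def add_host_entries(path: Path, ip: str, names: list) -> list:
    """Append missing NAME -> IP entries to path; return the names actually added."""
    ipaddress.ip_address(ip)   # raises ValueError on a malformed address before we write anything
    existing = parse_hosts(path.read_text()) if path.exists() else {}
    added = []
    with path.open("a") as fh:
        for name in names:
            if name in existing:
                continue   # already mapped (possibly to another IP); leave the existing line alone
            fh.write(f"{ip}\t{name}\n")   # whitespace between IP and name is what resolvers require
            existing[name] = ip
            added.append(name)
    return added


if __name__ == "__main__":
    import tempfile
    demo = Path(tempfile.mkdtemp()) / "hosts"   # constructed scratch file, not /etc/hosts
    print(add_host_entries(demo, "10.10.10.5", ["analytical.htb"]))
    print(add_host_entries(demo, "10.10.10.5", ["analytical.htb", "data.analytical.htb"]))
    print(demo.read_text())
```

Running the block twice for the same names is safe: the second call reports only the sub-domain as newly added and the file ends up with the two lines shown above.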
On the database site, we see it's using an application called Metabase for management. Searching around for potential exploits, it seems there is a pre-authentication RCE for it. I found a PoC in Rust, but I'm not savvy with Rust at all, so I kept searching.
I shortly came across one in Python:
PoC: https://github.com/securezeron/CVE-2023-38646
The initial payload did not work; there were some minor errors with the syntax. I referenced an issue and a fix from someone who left a comment, and the PoC worked:
https://github.com/securezeron/CVE-2023-38646/issues/4
Once I was able to get the PoC to work properly, with my listener set up, I was able to get onto the system. Time for some enumeration.
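From the defender's side, this foothold leaves a clear trace in the web server in front of Metabase (nginx is running on this box, as the service list further down shows). Public advisories for CVE-2023-38646 describe the attack as unauthenticated requests to Metabase's /api/setup/validate endpoint, and once initial setup has completed, no legitimate client calls anything under /api/setup/ at all. The following detection is an added example, not part of the write-up or the PoC repository: it parses combined-format access log lines and groups every /api/setup/* request by client address. The log lines are constructed samples, and the 400 statuses in them are illustrative, not copied from a real capture.

```python
"""Detection example for CVE-2023-38646 exploitation attempts in nginx access logs.

Added example, not from the write-up. Any request under /api/setup/ on an
already-set-up Metabase instance is worth an alert; the parser below groups
such requests per source IP with the endpoints, statuses and time window seen.
"""
import re
from collections import defaultdict

# nginx "combined" format: ip ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Anything under this prefix is a post-setup red flag; /api/setup/validate is the
# endpoint named in public advisories for the CVE.
SETUP_PREFIX = "/api/setup/"

# Constructed sample log: one browser session plus one scripted client hitting the setup API.
SAMPLE_LOG = """\
10.10.14.2 - - [15/Oct/2023:19:40:01 +0000] "GET / HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.10.14.2 - - [15/Oct/2023:19:40:02 +0000] "GET /api/session/properties HTTP/1.1" 200 18213 "-" "Mozilla/5.0"
10.10.14.9 - - [15/Oct/2023:19:41:10 +0000] "GET /api/session/properties HTTP/1.1" 200 18213 "-" "python-requests/2.31.0"
10.10.14.9 - - [15/Oct/2023:19:41:11 +0000] "POST /api/setup/validate HTTP/1.1" 400 97 "-" "python-requests/2.31.0"
10.10.14.9 - - [15/Oct/2023:19:41:12 +0000] "POST /api/setup/validate HTTP/1.1" 400 97 "-" "python-requests/2.31.0"
10.10.14.2 - - [15/Oct/2023:19:42:00 +0000] "GET /api/card HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_setup_abuse(log_text):
    """Group /api/setup/* requests by client IP: count, endpoints hit, statuses, time window."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # malformed or non-combined line; skip rather than crash the sweep
        path = rec["path"].split("?", 1)[0]   # match on the path only, ignoring any query string
        if not path.startswith(SETUP_PREFIX):
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["paths"].add(path)
        h["statuses"].add(int(rec["status"]))
        h["first"] = h["first"] or rec["ts"]
        h["last"] = rec["ts"]
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_setup_abuse(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['count']} request(s) to {sorted(info['paths'])} "
              f"between {info['first']} and {info['last']}, statuses {sorted(info['statuses'])}")
```

The browser client at 10.10.14.2 never touches the setup API and produces no alert, while the scripted client at 10.10.14.9 does. Status codes are deliberately not used as a filter: a failed attempt is as useful to know about as a successful one. The real fix is upgrading Metabase to a release that patches this CVE; the detection covers the window until that happens.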
User.txt
Username: metalytics
Password: An4lytics_ds20223#
Host enumeration
OS Version
cat /etc/*-release
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS"
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
Kernel Version
uname -a
Linux version 6.2.0-25-generic (buildd@lcy02-amd64-044) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2
ls /boot | grep vmlinuz-
metalytics@analytics:~$ ls /boot | grep vmlinuz-
vmlinuz-6.2.0-25-generic
uname -mrs
Kernel version:
Linux 6.2.0-25-generic x86_64
It looks like the command hostnamectl, if it's available on the victim machine, is super useful. It seems to contain all the key information we might look for, such as hostname, kernel version, virtualization, etc.:
Static hostname: analytics
Icon name: computer-vm
Chassis: vm
Machine ID: 97985f393ecf4d86b4acd0b422f7d8c8
Boot ID: d223c13db26a414fb97b96a2e83c0615
Virtualization: vmware
Operating System: Ubuntu 22.04.3 LTS
Kernel: Linux 6.2.0-25-generic
Architecture: x86-64
Hardware Vendor: VMware, Inc.
Hardware Model: VMware Virtual Platform
Service and Process Enumeration
metalytics@analytics:~$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
metalyt+ 281865 0.0 0.2 17092 9600 ? Ss 16:41 0:00 /lib/systemd/systemd --user
metalyt+ 281954 0.0 0.1 8788 5632 pts/0 Ss 16:41 0:00 -bash
metalyt+ 375780 0.0 0.0 10068 3328 pts/0 R+ 17:03 0:00 ps aux
Not many processes were running. Checking services:
metalytics@analytics:~$ systemctl --type=service --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
containerd.service loaded active running containerd container runtime
cron.service loaded active running Regular background program processing dae>
dbus.service loaded active running D-Bus System Message Bus
docker.service loaded active running Docker Application Container Engine
fwupd.service loaded active running Firmware update daemon
getty@tty1.service loaded active running Getty on tty1
irqbalance.service loaded active running irqbalance daemon
ModemManager.service loaded active running Modem Manager
multipathd.service loaded active running Device-Mapper Multipath Device Controller
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
nginx.service loaded active running A high performance web server and a rever>
open-vm-tools.service loaded active running Service for virtual machines hosted on VM>
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
ssh.service loaded active running OpenBSD Secure Shell server
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running User Login Management
systemd-networkd.service loaded active running Network Configuration
systemd-resolved.service loaded active running Network Name Resolution
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running Rule-based Manager for Device Events and >
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
user@1000.service loaded active running User Manager for UID 1000
vgauth.service loaded active running Authentication service for virtual machin hosted on VMWare
Since we're able to successfully execute systemctl, that's the path we'll go with instead of cat /etc/services. We get a lot more information about running services with systemctl.
Looking through the list, a few services that immediately stick out are:
containerd.service loaded active running containerd container runtime
dbus.service loaded active running D-Bus System Message Bus
docker.service loaded active running Docker Application Container Engine
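Rather than eyeballing the listing, it is worth turning the systemctl output into records so the same review can be repeated on other hosts. The parser below is an added example, not from the write-up: it handles the column layout shown above, marks descriptions that systemctl cut off with a trailing ">" (running it as systemctl --no-pager --full avoids that), and pairs running units with a WATCHLIST. The WATCHLIST is a constructed set of units a reviewer typically wants called out on a host inventory because they widen the local attack surface or have been frequent CVE subjects; the SAMPLE text is a subset of the listing above.

```python
"""Parse `systemctl --type=service --state=running` output into records.

Added example, not from the write-up. Header, legend and "N loaded units
listed." footer lines are skipped; each remaining row becomes a dict.
"""
import re

# Constructed sample: a subset of the listing above, including one truncated description.
SAMPLE = """\
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
containerd.service loaded active running containerd container runtime
cron.service loaded active running Regular background program processing dae>
docker.service loaded active running Docker Application Container Engine
getty@tty1.service loaded active running Getty on tty1
polkit.service loaded active running Authorization Manager
ssh.service loaded active running OpenBSD Secure Shell server
user@1000.service loaded active running User Manager for UID 1000
"""

# Constructed watchlist: unit -> reason a reviewer wants it flagged.
WATCHLIST = {
    "docker.service": "docker socket access is root-equivalent for members of the docker group",
    "containerd.service": "container runtime; check its version against known advisories",
    "polkit.service": "pkexec/polkit have had local privilege escalation CVEs (e.g. CVE-2021-4034)",
}

# unit, load, active, sub are single tokens; everything after is the free-text description
ROW_RE = re.compile(r"^(?P<unit>\S+)\s+(?P<load>\S+)\s+(?P<active>\S+)\s+(?P<sub>\S+)\s*(?P<desc>.*)$")


def parse_systemctl(text):
    """Return a list of dicts, one per unit row; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("UNIT "):
            continue
        m = ROW_RE.match(line)
        if not m or not m["unit"].endswith(".service"):
            continue   # legend/footer lines never carry a .service unit name
        rec = m.groupdict()
        rec["truncated"] = rec["desc"].endswith(">")   # systemctl's column-width ellipsis
        rec["desc"] = rec["desc"].rstrip(">")
        rows.append(rec)
    return rows


def review(rows):
    """Map each running WATCHLIST unit to the reason it was flagged."""
    return {r["unit"]: WATCHLIST[r["unit"]]
            for r in rows if r["unit"] in WATCHLIST and r["sub"] == "running"}


if __name__ == "__main__":
    rows = parse_systemctl(SAMPLE)
    print(f"{len(rows)} running services, {sum(r['truncated'] for r in rows)} with truncated descriptions")
    for unit, why in review(rows).items():
        print(f"  {unit}: {why}")
```

On the sample this flags docker, containerd and polkit, which is exactly the set the write-up goes on to investigate; the truncated cron description is reported rather than silently kept with the ">" attached.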
Reviewing PoCs for containerd, there were none for the version running on this system.
Rabbit Hole # 1
Checking the version of the D-Bus socket cleanup utility /usr/bin/dbus-cleanup-sockets, we had version 1.12.20. Searching online, there is an existing CVE for this version; however, it's related to DoS (Denial of Service), not any kind of privesc.
Reference: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2023-34969/
Rabbit Hole # 2
Digging into some of the service versions, I was curious about polkit. It was a pretty close version to the one that could be exploited by pwnkit (CVE-2021-4034); unfortunately it was a no-go, since we're not allowed to run pkexec without the root SUID bit being set:
pkexec must be setuid root
Additionally, we would need gcc in order to successfully compile the payload.
Rabbit Hole # 3
2023-10-15 19:43:38 Checking for update using Github
2023-10-15 19:43:38 Success.
2023-10-15 19:43:38 Latest version is 1.4.16
2023-10-15 19:43:38 App is up to date.
Hourly we seem to see this prompt, but having looked through the cron jobs, I'm unsure what this might specifically be referencing.
Root
I did quite a bit of searching; TL;DR, there is an exploit for the particular version of Ubuntu running on the system:
https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/