Analytics

Upon scanning, you see the system has two ports open, 22, 80.

Attempted to see if a web server was being hosted on port 80, and sure enough:

  • analytical.htb

Don't forget to add the IP, domain name to your /etc/hosts file so you can browse the site properly since it's not actually "live"

Ex: <machine ip> analytical.htb

Note the space between ip and domain.

Going to the login page on analytical.htb, it brings us to a new domain, well sub-domain:

  • data.analytical.htb

We will go through and do the same thing again, adding the sub-domain this time to our /etc/hosts, so we will now have two listings for analytical.htb in our hosts file:

<machine ip> analytical.htb <machine ip> data.analytical.htb

On the database site, we see that it's using an application called Metabase for management. Searching around for potential exploits, it seems we have the capability of doing RCE without pre-authentication. I found a PoC in Rust, but I'm not savvy to Rust at all, so I kept searching.

I shortly came across one in Python:

  • PoC: https://github.com/securezeron/CVE-2023-38646

The initial payload did not work, there were some minor errors with the syntax. Referenced an issue, fix from someone who left a comment, and the PoC worked

https://github.com/securezeron/CVE-2023-38646/issues/4

Once I was able to get the PoC to work properly, with my listener setup, I was able to get onto the system. Time for some enumeration.

User.txt

Username: metalytics Password: An4lytics_ds20223#

Host enumeration

OS Version

cat /etc/*-release

DISTRIB_CODENAME=jammy                   
DISTRIB_DESCRIPTION="Ubuntu 22.04.3 LTS" 
PRETTY_NAME="Ubuntu 22.04.3 LTS"         
NAME="Ubuntu"                            
VERSION_ID="22.04"                       
VERSION="22.04.3 LTS (Jammy Jellyfish)"  

Kernel Version

uname -a

Linux version 6.2.0-25-generic (buildd@lcy02-amd64-044) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2

ls /boot | grep vmlinuz-

metalytics@analytics:~$ ls /boot | grep vmlinuz-
vmlinuz-6.2.0-25-generic

uname -mrs

Kernel version:

Linux 6.2.0-25-generic x86_64

It looks like the command hostnamectl, if it's available on the victim machine, is super useful. It pretty much seems to contain all the key information we might look for when discerning key info such as hostname, kernel version, virtualization, etc.

 Static hostname: analytics
       Icon name: computer-vm
         Chassis: vm
      Machine ID: 97985f393ecf4d86b4acd0b422f7d8c8
         Boot ID: d223c13db26a414fb97b96a2e83c0615
  Virtualization: vmware
Operating System: Ubuntu 22.04.3 LTS              
          Kernel: Linux 6.2.0-25-generic
    Architecture: x86-64
 Hardware Vendor: VMware, Inc.
  Hardware Model: VMware Virtual Platform

Service and Process Enumeration

metalytics@analytics:~$ ps aux

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
metalyt+  281865  0.0  0.2  17092  9600 ?        Ss   16:41   0:00 /lib/systemd/systemd --user
metalyt+  281954  0.0  0.1   8788  5632 pts/0    Ss   16:41   0:00 -bash
metalyt+  375780  0.0  0.0  10068  3328 pts/0    R+   17:03   0:00 ps aux

Not many processes were running. Checking services:

metalytics@analytics:~$ systemctl --type=service --state=running

  UNIT                        LOAD   ACTIVE SUB     DESCRIPTION                 
  auditd.service              loaded active running Security Auditing Service   
  containerd.service          loaded active running containerd container runtime
  cron.service                loaded active running Regular background program processing dae>
  dbus.service                loaded active running D-Bus System Message Bus
  docker.service              loaded active running Docker Application Container Engine       
  fwupd.service               loaded active running Firmware update daemon
  [email protected]          loaded active running Getty on tty1         
  irqbalance.service          loaded active running irqbalance daemon     
  ModemManager.service        loaded active running Modem Manager         
  multipathd.service          loaded active running Device-Mapper Multipath Device Controller 
  networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd    
  nginx.service               loaded active running A high performance web server and a rever>
  open-vm-tools.service       loaded active running Service for virtual machines hosted on VM>
  polkit.service              loaded active running Authorization Manager
  rsyslog.service             loaded active running System Logging Service
  ssh.service                 loaded active running OpenBSD Secure Shell server
  systemd-journald.service    loaded active running Journal Service
  systemd-logind.service      loaded active running User Login Management
  systemd-networkd.service    loaded active running Network Configuration
  systemd-resolved.service    loaded active running Network Name Resolution
  systemd-timesyncd.service   loaded active running Network Time Synchronization
  systemd-udevd.service       loaded active running Rule-based Manager for Device Events and >
  udisks2.service             loaded active running Disk Manager
  upower.service              loaded active running Daemon for power management
  [email protected]           loaded active running User Manager for UID 1000
  vgauth.service              loaded active running Authentication service for virtual machin hosted on VMWare

Since we're able to successfully execute systemctl, that's the path we'll go with instead of cat /etc/services. We get a lot more information about running services with systemctl.

Looking through the list, a few services that immediately stick out are:

  • containerd.service loaded active running containerd container runtime

  • dbus.service loaded active running D-Bus System Message Bus

  • docker.service loaded active running Docker Application Container Engine

Reviewing PoC's for the containerd version, there were not any for the version running on this system.

Rabbit Hole # 1

Checking the version for the D-Bus Socket Cleanup utility /usr/bin/dbus-cleanup-sockets, we had version 1.12.20. Searching online there is an existing CVE for this version, however, it's related to DoS (Denial of Service), not any kind of privesc.

Reference: https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2023-34969/

Rabbit Hole # 2

Digging into some of the service versions I was curious about polkit. It was a pretty close version to the one that could be exploited by pwnkit: CVE 2021-4034, unfortunately it was a no-go since we're not allowed to run pkexec without the root SUID being set.

pkexec must be setuid root

Additionally, we would need gcc in order to successfully compile the payload.

Rabbit Hole # 3

2023-10-15 19:43:38 Checking for update using Github               
                                                                               2023-10-15 19:43:38 Success.
             2023-10-15 19:43:38 Latest version is 1.4.16                                     
                                                         2023-10-15 19:43:38 App is up to date.

Hourly we seem to see this prompt, but having looked through the cron jobs, I'm unsure as to what this might specifically be referencing.

Root

Did quite a bit of searching, and TLDR; there is an exploit for the particular version of Ubuntu that is run on the system:

https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

Last updated