In this post, I would like to share a walkthrough of the Analytics Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the Analytics machine?


For the user flag, you will need to use the pre-authentication Remote Code Execution (RCE) exploit employed to leak a setup token, enabling the initiation of server setup. This involves injecting code into the configuration to achieve code execution. Within the Metabase container, credentials stored in environment variables are discovered and leveraged to gain access to the host.


As for the root flag, you need to exploit the GameOver(lay) vulnerability to get a shell as root and include a video explaining the exploit.

For those who want to learn or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Analytics Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start

┌─[darknite@parrot]─[~/Documents/htb/Analytics]
└──╼ $ nmap -sV -sC 10.10.11.233 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-12 20:25 EDT
Nmap scan report for analytical.htb (10.10.11.233)
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Analytical
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.35 seconds
┌─[darknite@parrot]─[~/Documents/htb/Analytics]
└──╼ $ 

Let’s access the website interface


Nothing looks interesting on the website interface except for the login button


The page will be redirected to a subdomain as data.analytical.htb but we didn’t have any credentials to enter the username and password section

CVE-2023-38646 Poc


After doing some research, I found two interesting links which all related to CVE-2023-38646


Based on the article found here, let’s try to play around and manage to find some JSON information


When I try to scroll down the response output, I notice a setup-token that can be used in the next stage.


As a result, let’s try to validate the setup-token and surprisingly, I got an unexpected response. However, we are missing the API endpoint at this point


Let’s try to insert the payload that i found earlier on the request and i noticed that the response said “token does not match the setup token.”


Therefore, let’s start our python server on our attacker’s machine


At last, we have solved the issues where the token is correct.


On the Python server, the upload process work is completed even though the file request does not exist at all


For us to retrieve the shell connection, we need to start our listener


We should insert the reverse shell command that has been encoded with base64


The connection comes back to us, but we face an error we can proceed using pwncat-cs


Therefore, let’s catch the connection using the basic listener which is netcat


However, I notice that we are inside the docker environment


From my experience, we should check on the /proc/self/environ whether anything is interesting mentioned. We notice that the username and password have been mentioned.


Let’s access the machine with the credentials that we found earlier.


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access on Analytics machine


As usual, let’s check whether there’s a binary that we can investigate further


We managed to find the vulnerability after doing some research on the internet


The keyword for the search is #25-22.04.2-Ubuntu


We can use those commands to retrieve a root shell


As a result, we managed to create a bash file which we can use to escalate to the root


We need to execute the command above to switch to root privileges access


Finally, we are inside the root shell

Another way to obtain a root shell


Let’s download the GitHub file into our attacker’s machine


There are only two files inside the directory


As a result, let’s compile the c script


Let’s upload the malicious file into /dev/shm directory on the victim’s machine but sadly it doesn’t work


Let’s change to a different directory on the machine which /tmp and surprisingly it works like a charm


We can read the root flag by typing the “cat root.txt” command

Escalate to Root Privileges Access