In this post, I would like to share a walkthrough of the Analytics Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Analytics machine?

For the user flag, you will need to use the pre-authentication Remote Code Execution (RCE) exploit employed to leak a setup token, enabling the initiation of server setup. This involves injecting code into the configuration to achieve code execution. Within the Metabase container, credentials stored in environment variables are discovered and leveraged to gain access to the host.

As for the root flag, you need to exploit the GameOver(lay) vulnerability to get a shell as root and include a video explaining the exploit.

For those who want to learn or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link to support me

Academy link can be found

Information Gathering on Analytics Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start

└──╼ $ nmap -sV -sC -oA initial
Starting Nmap 7.93 ( ) at 2023-10-12 20:25 EDT
Nmap scan report for analytical.htb (
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Analytical
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.35 seconds
└──╼ $ 

Let’s access the website interface

Nothing looks interesting on the website interface except for the login button

The page will be redirected to a subdomain as data.analytical.htb but we didn’t have any credentials to enter the username and password section

CVE-2023-38646 Poc

After doing some research, I found two interesting links which all related to CVE-2023-38646

Based on the article found here, let’s try to play around and manage to find some JSON information

When I try to scroll down the response output, I notice a setup-token that can be used in the next stage.

As a result, let’s try to validate the setup-token and surprisingly, I got an unexpected response. However, we are missing the API endpoint at this point

Let’s try to insert the payload that i found earlier on the request and i noticed that the response said “token does not match the setup token.”

Therefore, let’s start our python server on our attacker’s machine

At last, we have solved the issues where the token is correct.

On the Python server, the upload process work is completed even though the file request does not exist at all

For us to retrieve the shell connection, we need to start our listener

We should insert the reverse shell command that has been encoded with base64

The connection comes back to us, but we face an error we can proceed using pwncat-cs

Therefore, let’s catch the connection using the basic listener which is netcat

However, I notice that we are inside the docker environment

From my experience, we should check on the /proc/self/environ whether anything is interesting mentioned. We notice that the username and password have been mentioned.

Let’s access the machine with the credentials that we found earlier.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access on Analytics machine

As usual, let’s check whether there’s a binary that we can investigate further

We managed to find the vulnerability after doing some research on the internet

The keyword for the search is #25-22.04.2-Ubuntu

We can use those commands to retrieve a root shell

As a result, we managed to create a bash file which we can use to escalate to the root

We need to execute the command above to switch to root privileges access

Finally, we are inside the root shell

Another way to obtain a root shell

Let’s download the GitHub file into our attacker’s machine

There are only two files inside the directory

As a result, let’s compile the c script

Let’s upload the malicious file into /dev/shm directory on the victim’s machine but sadly it doesn’t work

Let’s change to a different directory on the machine which /tmp and surprisingly it works like a charm

We can read the root flag by typing the “cat root.txt” command

Escalate to Root Privileges Access