In this post, I would like to share a walkthrough of the Analytics machine from Hack the Box.
This machine is rated Easy on Hack the Box.
What will you gain from the Analytics machine?
For the user flag, you will need to use a pre-authentication Remote Code Execution (RCE) exploit that leaks a setup token, which allows the server setup process to be initiated. This involves injecting code into the configuration to achieve code execution. Within the Metabase container, credentials stored in environment variables are discovered and used to gain access to the host.
As for the root flag, you need to exploit the GameOver(lay) vulnerability to get a shell as root; a video explaining the exploit is also included.
For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Analytics Machine
Once we have started the VPN connection, which requires downloading the VPN file from Hack the Box, we can begin.
┌─[darknite@parrot]─[~/Documents/htb/Analytics]
└──╼ $ nmap -sV -sC 10.10.11.233 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-12 20:25 EDT
Nmap scan report for analytical.htb (10.10.11.233)
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Analytical
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.35 seconds
┌─[darknite@parrot]─[~/Documents/htb/Analytics]
└──╼ $
Let’s access the website interface.
Nothing looks interesting on the website interface except for the login button.
The page redirects to a subdomain, data.analytical.htb, but we don’t have any credentials to enter in the username and password fields.
CVE-2023-38646 PoC
After doing some research, I found two interesting links, both related to CVE-2023-38646.
Based on the article found here, let’s play around with the application; we manage to find some JSON information.
When I scroll down the response output, I notice a setup-token that can be used in the next stage.
As a result, let’s try to validate the setup-token; surprisingly, I got an unexpected response. However, we are missing the API endpoint at this point.
Let’s insert the payload I found earlier into the request; I notice that the response says “token does not match the setup token.”
Therefore, let’s start our Python server on our attacker machine.
At last, we have resolved the issue and the token is accepted.
On the Python server, the upload process completes even though the requested file does not exist at all.
To retrieve the shell connection, we need to start our listener.
We should insert the reverse shell command, encoded with base64.
The connection comes back to us, but we face an error when we try to proceed using pwncat-cs.
Therefore, let’s catch the connection using a basic netcat listener instead.
However, I notice that we are inside a Docker environment.
From my experience, we should check /proc/self/environ for anything interesting. We notice that a username and password are mentioned there.
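Credentials handed to a container through environment variables are readable by any process in that container (and by anyone who gets a shell in it), which is exactly what the step above abuses. The following added example, which is not part of the original walkthrough, shows the defender’s side: it parses the NUL-separated format of /proc/<pid>/environ, flags variable names that usually carry secrets, and prints them with values redacted so the audit report itself does not leak anything. The variable names, values and the list of secret-looking name fragments are constructed for the example.

```python
"""Audit a process environment for credential-like variables.

Added example, not part of the original walkthrough. Parses the
NUL-separated /proc/<pid>/environ format and reports variables whose
names suggest a secret, with values redacted.
"""
import os
import re

# Name fragments that commonly indicate a secret. This list is an
# assumption for the example, not a fixed standard.
SECRET_NAME_RE = re.compile(
    r"(PASS|PASSWORD|PWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)",
    re.IGNORECASE,
)

# Constructed sample in /proc/self/environ format: KEY=VALUE entries
# separated by NUL bytes. All names and values are invented.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin\0"
    b"HOSTNAME=app-container\0"
    b"APP_DB_USER=appuser\0"
    b"APP_DB_PASSWORD=Example-Only-P@ss\0"
    b"API_TOKEN=tok_0123456789\0"
    b"JAVA_TOOL_OPTIONS=-Xmx1g\0"
)


def parse_environ(data: bytes) -> dict:
    """Split raw environ bytes into a {name: value} dict.

    Entries without '=' are ignored. A value may itself contain '=',
    so only the first '=' is treated as the separator.
    """
    env = {}
    for entry in data.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        name, value = entry.split(b"=", 1)
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def redact(value: str, keep: int = 2) -> str:
    """Keep only a short prefix so the report can be shared safely."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def find_secret_vars(env: dict) -> list:
    """Return [(name, redacted_value)] for variables that look like secrets."""
    findings = []
    for name in sorted(env):
        if SECRET_NAME_RE.search(name):
            findings.append((name, redact(env[name])))
    return findings


def audit_pid(pid="self") -> list:
    """Audit a live process via /proc/<pid>/environ (Linux only).

    Returns an empty list where /proc is not available.
    """
    path = f"/proc/{pid}/environ"
    if not os.path.exists(path):
        return []
    with open(path, "rb") as fh:
        return find_secret_vars(parse_environ(fh.read()))


if __name__ == "__main__":
    # Run over the constructed sample first, then over this process.
    for name, value in find_secret_vars(parse_environ(SAMPLE_ENVIRON)):
        print(f"sample: {name} = {value}")
    for name, value in audit_pid():
        print(f"self:   {name} = {value}")
```

Running the same check against the container’s own init process (pid 1) during an image review is a quick way to catch secrets that should instead be mounted as files or injected through a secret store; matching on names is deliberately loose, so expect to tune the pattern list for your own naming conventions.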
Let’s access the machine with the credentials that we found earlier.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges on the Analytics machine
As usual, let’s check whether there’s a binary that we can investigate further.
We managed to find the vulnerability after doing some research on the internet.
The keyword for the search is #25-22.04.2-Ubuntu
We can use those commands to retrieve a root shell.
As a result, we managed to create a bash file which we can use to escalate to root.
We need to execute the command above to switch to root privileges.
Finally, we are inside the root shell.
Another way to obtain a root shell
Let’s download the GitHub files onto our attacker machine.
There are only two files inside the directory.
As a result, let’s compile the C script.
Let’s upload the malicious file into the /dev/shm directory on the victim’s machine, but sadly it doesn’t work.
Let’s change to a different directory on the machine, /tmp, and surprisingly it works like a charm.
We can read the root flag by typing the “cat root.txt” command.
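Both root paths above leave a tell-tale artifact: a compiled helper dropped into a world-writable directory such as /dev/shm or /tmp, typically ending up as a setuid-root binary. The following added example, not part of the original walkthrough, is a small triage scanner a defender can run on a suspect host: it walks such directories and reports setuid/setgid files and executable ELF binaries. The directory list and the fixture built by make_demo_dir() are constructed for the example.

```python
"""Look for privilege-escalation artifacts in world-writable directories.

Added example, not part of the original walkthrough. Reports setuid or
setgid files and executable ELF binaries under /tmp, /dev/shm and
/var/tmp, the places where local exploit helpers are usually dropped.
"""
import os
import stat
import tempfile

# Directories to check by default (an assumption for this example).
DEFAULT_DIRS = ("/tmp", "/dev/shm", "/var/tmp")
ELF_MAGIC = b"\x7fELF"


def is_elf(path: str) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def classify(path: str) -> list:
    """Return the reasons a regular file is suspicious (empty if none)."""
    try:
        st = os.lstat(path)          # lstat: do not follow symlinks
    except OSError:
        return []
    if not stat.S_ISREG(st.st_mode):
        return []
    reasons = []
    if st.st_mode & stat.S_ISUID:
        reasons.append("setuid")
    if st.st_mode & stat.S_ISGID:
        reasons.append("setgid")
    if st.st_mode & 0o111 and is_elf(path):
        reasons.append("elf-executable")
    if reasons:
        reasons.append(f"owner-uid={st.st_uid}")
    return reasons


def scan(dirs=DEFAULT_DIRS) -> list:
    """Walk each directory and return [(path, [reasons])] for every hit."""
    hits = []
    for base in dirs:
        if not os.path.isdir(base):
            continue
        for root, _dirnames, filenames in os.walk(base):
            for name in filenames:
                path = os.path.join(root, name)
                reasons = classify(path)
                if reasons:
                    hits.append((path, reasons))
    return hits


def make_demo_dir() -> tuple:
    """Constructed fixture: a setuid file with an ELF header and a plain
    text file in a fresh temporary directory.

    Returns (directory, setuid_path, text_path). Setting the setuid bit on
    a file we own needs no privileges, so the demo runs as a normal user.
    """
    d = tempfile.mkdtemp(prefix="suid-scan-demo-")
    suid = os.path.join(d, "helper")
    with open(suid, "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 12)   # header bytes only, not a real binary
    os.chmod(suid, 0o4755)
    txt = os.path.join(d, "notes.txt")
    with open(txt, "w") as fh:
        fh.write("not a binary\n")
    os.chmod(txt, 0o644)
    return d, suid, txt


if __name__ == "__main__":
    demo_dir, _, _ = make_demo_dir()
    for path, reasons in scan(DEFAULT_DIRS + (demo_dir,)):
        print(f"{path}: {', '.join(reasons)}")
```

A hit with setuid and owner-uid=0 in a world-writable directory is worth escalating immediately; mounting those directories nosuid and noexec, and patching the kernel build reported by uname, are the corresponding preventive controls.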