Intro
Hi, after some time I am writing a small write-up again. Today it's about the CTF "Keeper", a challenge on the HackTheBox platform. You have to find 2 flags in this challenge.
Discovery
First of all I fire up nmap and run a full TCP port scan. Note that this run reports only one open port: the output below lists 80/tcp, while 22/tcp (SSH), which is used later on, does not show up as open here.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-12 21:42 CEST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 21:42
Completed NSE at 21:42, 0.00s elapsed
Initiating NSE at 21:42
Completed NSE at 21:42, 0.00s elapsed
Initiating NSE at 21:42
Completed NSE at 21:42, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 21:42
Completed Parallel DNS resolution of 1 host. at 21:42, 0.05s elapsed
Initiating SYN Stealth Scan at 21:42
Scanning 10.129.88.77 [65535 ports]
Discovered open port 80/tcp on 10.129.88.77
SYN Stealth Scan Timing: About 54.13% done; ETC: 21:43 (0:00:31 remaining)
SYN Stealth Scan Timing: About 69.45% done; ETC: 21:44 (0:00:30 remaining)
Completed SYN Stealth Scan at 21:43, 80.83s elapsed (65535 total ports)
Initiating Service scan at 21:44
Scanning 1 service on 10.129.88.77
Completed Service scan at 21:44, 6.09s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.129.88.77
Initiating Traceroute at 21:44
Completed Traceroute at 21:44, 0.04s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 21:44
Completed Parallel DNS resolution of 2 hosts. at 21:44, 0.04s elapsed
NSE: Script scanning 10.129.88.77.
Initiating NSE at 21:44
Completed NSE at 21:44, 0.79s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.19s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.01s elapsed
Nmap scan report for 10.129.88.77
Host is up (0.039s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://analytical.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Uptime guess: 19.216 days (since Sat Sep 23 16:33:41 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 36.62 ms 10.10.14.1
2 36.75 ms 10.129.88.77
NSE: Script Post-scanning.
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Initiating NSE at 21:44
Completed NSE at 21:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.22 seconds
Raw packets sent: 71529 (3.148MB) | Rcvd: 69203 (2.773MB)
SSH on port 22 is of no use without credentials, so I skip it for now and look at port 80.
On port 80 there is an HTTP server which redirects to http://analytical.htb/, so I add analytical.htb with the corresponding IP address 10.129.88.77 to /etc/hosts. Visiting port 80 in my browser then gave me this page.
It's a corporate website for data analytics. Following some of the links redirected me to http://data.analytical.htb/auth/login, so I also added data.analytical.htb to /etc/hosts. After refreshing the browser tab I got the Metabase login page.
Initial access
The first thing I do is determine the Metabase version so I can look for known vulnerabilities. I saved the page source and searched it for the version string: the Metabase version is v0.46.6. After some research I found an entry on packetstormsecurity.com describing a Metasploit module that gives RCE against this version (this is CVE-2023-38646, the pre-authentication setup-token bug fixed in 0.46.6.1).
Ok, let's fire up Metasploit and search for metabase. The same exploit is already included in Metasploit, so I can use it directly.
I configured all necessary options, ran the exploit module and got a shell. Looking around, I found a directory metabase.db and navigated to it. It contains two files worth inspecting with strings; I piped the output to grep and searched for all strings containing htb.
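Two small helpers for the discovery and fingerprinting steps above, added here as an example (they are not the commands from the original post). redirect_host pulls the host name out of a saved curl -si response so it can be fed to add_host, which appends a vhost to a hosts file only once; metabase_version greps the version tag out of a saved Metabase page. The HTTP response and the HTML snippet are constructed for this example, and the assumption that Metabase embeds its version as "tag":"v0.46.6" in the page's bootstrap JSON should be checked against the real source.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Helpers for the discovery steps: follow the redirect by hand, add the vhost
# to a hosts file exactly once, and fingerprint the Metabase version from a
# saved page. The HTTP response and HTML below are constructed; the JSON key
# "tag" for the Metabase version is an assumption to verify on the real page.

# redirect_host < RAW_HTTP_RESPONSE  -- print the host from a Location header
redirect_host() {
    grep -i '^Location:' | head -n 1 | tr -d '\r' \
        | sed -E 's#^[Ll]ocation:[[:space:]]*https?://([^/:[:space:]]+).*#\1#'
}

# add_host HOSTS_FILE IP NAME  -- append "IP NAME" unless NAME is already mapped
add_host() {
    hosts_file=$1; ip=$2; name=$3
    pat=$(printf '%s' "$name" | sed 's/[.]/\\./g')      # dots taken literally
    if grep -Eq "^[^#]*[[:space:]]$pat([[:space:]]|\$)" "$hosts_file" 2>/dev/null; then
        return 0                                        # already present
    fi
    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
}

# metabase_version HTML_FILE  -- print the first "tag":"vX.Y.Z" found in the page
metabase_version() {
    grep -Eo '"tag":"v[0-9]+(\.[0-9]+)+"' "$1" | head -n 1 | cut -d'"' -f4
}

# --- demo on constructed data -------------------------------------------
resp=$(mktemp)      # what `curl -si http://10.129.88.77/` would return
printf 'HTTP/1.1 302 Moved Temporarily\r\nServer: nginx/1.18.0 (Ubuntu)\r\nLocation: http://analytical.htb/\r\nContent-Length: 0\r\n\r\n' > "$resp"

hosts=$(mktemp)     # stand-in for /etc/hosts so the demo needs no root
target=10.129.88.77
vhost=$(redirect_host < "$resp")
add_host "$hosts" "$target" "$vhost"
add_host "$hosts" "$target" "data.analytical.htb"
add_host "$hosts" "$target" "$vhost"     # no-op: analytical.htb is already there
cat "$hosts"

html=$(mktemp)      # constructed stand-in for the saved Metabase login page
printf '%s\n' '<script>window.MetabaseBootstrap = {"version":{"date":"2023-06-29","tag":"v0.46.6","hash":"abc1234"}};</script>' > "$html"
metabase_version "$html"
```

Against the real target you would run curl -si http://10.129.88.77/ into redirect_host and point add_host at /etc/hosts (as root); the version helper works on the page saved from the browser or fetched with curl.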
Well, I got 2 accounts to crack: metalytics@analytical.htb and metalytics@data.htb. The password hashes are bcrypt, which I tried to crack with hashcat (mode 3200), but that was a rabbit hole. I searched for more information but found nothing that hinted at a possible password.
After spending some time I just ran hostname to see what the hostname is and saw a hash-like hostname. That must be a Docker container, so I printed all environment variables and found a password there.
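The two checks above (is this a container, and what does the environment hold) as a small shell script, added as an example and not taken from the original post. The environment dump it runs on is constructed for the example; the variable names in it are invented and are not the ones found on the target.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Post-exploitation triage after the Metasploit shell: decide whether we are
# inside a container and harvest credential-looking variables from a process
# environment. The env dump below is constructed; its names are invented.

# looks_like_docker_id NAME  -- Docker's default hostname is the 12-hex-char
# short container ID, which is the "hashy" hostname seen on the box
looks_like_docker_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{12}$'
}

# container_hints  -- print the usual indicators for the current host
container_hints() {
    [ -f /.dockerenv ] && echo "/.dockerenv exists"
    if [ -r /proc/1/cgroup ] && grep -Eq 'docker|containerd|kubepods|lxc' /proc/1/cgroup; then
        echo "container runtime named in /proc/1/cgroup"
    fi
    case $(cat /proc/1/comm 2>/dev/null) in
        systemd|init|"") ;;
        *) echo "PID 1 is $(cat /proc/1/comm), not an init system" ;;
    esac
    hn=$(hostname 2>/dev/null || cat /etc/hostname 2>/dev/null)
    looks_like_docker_id "$hn" && echo "hostname $hn looks like a Docker short ID"
    return 0
}

# env_secrets < NAME=VALUE lines  -- keep entries whose name hints at a secret;
# feed it `env`, a saved dump, or env_of_pid output
env_secrets() {
    grep -E '^[A-Za-z0-9_]*(PASS|SECRET|TOKEN|KEY|CRED)[A-Za-z0-9_]*='
}

# env_of_pid PID  -- environment of another process (same uid or root needed)
env_of_pid() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# --- demo on a constructed dump -----------------------------------------
sample=$(mktemp)
cat > "$sample" <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
HOSTNAME=03d440b7f9e5
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=/metabase.db/metabase.db
APP_DB_PASSWORD=example-only-not-real
SESSION_SECRET_KEY=also-constructed
LANG=en_US.UTF-8
EOF
env_secrets < "$sample"
container_hints
```

On the target, env | env_secrets covers the current shell, and env_of_pid 1 | env_secrets reads the environment the container entrypoint was started with, which is where orchestration tools usually inject credentials.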
User flag.txt
I just tried this password on both accounts and logged into the account metalytics@analytical.htb, sweet!
Next I gathered all the information I could find. After some time I tested these credentials against SSH.
I logged in! Now I can read the first flag and enumerate the system for potential privilege escalation paths.
user.txt: 39da6ec0341c4d8c769ae8041d1fe14e
Get the root flag
I ran LinPEAS to get some attack vectors for gaining root. I tried all of its findings, but somehow didn't think of newer exploits like Looney Tunables (CVE-2023-4911) at first. Why not? It might work on that machine. So I cloned the repo, copied the libc from the machine to my local box and generated the malicious libc from it. After generating it, I compiled the exploit with some small changes for my setup. Then I copied both files to the machine and executed the exploit. There was no shell for me.
metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.3 LTS
Release: 22.04
Codename: jammy
metalytics@analytics:~$
Looking again, I remembered another exploit I came across recently: the Ubuntu OverlayFS local privilege escalation exploit for CVE-2021-3493. I cloned the repo and compiled the exploit. Next I downloaded it to the machine and ran it. One check worth making before trusting that CVE number: CVE-2021-3493 was patched in Ubuntu kernels in April 2021, while the kernel shown above is 6.2.0-25-generic built in June 2023, so verify which OverlayFS bug the cloned code really targets. The 2023 Ubuntu OverlayFS bugs (CVE-2023-2640 and CVE-2023-32629, fixed in the 6.2.0-26 HWE kernel) do affect this kernel.
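Before cloning either exploit, a quick triage of the kernel and the dynamic loader would have told which bug is worth the effort. The script below is an added example and not the author's steps; the function names are mine, the version thresholds are my reading of the public advisories and should be checked against the Ubuntu security notices before relying on them, and the Looney Tunables probe is the one-liner from the Qualys advisory.

```shell
#!/bin/sh
# Added example, not the original post's steps: local privesc triage for the
# bugs discussed above, run before cloning any exploit repository.
# Version thresholds are assumptions from the public advisories (verify
# against the Ubuntu USNs); looney_probe is the Qualys check for CVE-2023-4911.

# ver_lt A B  -- true if version A sorts strictly before B (GNU sort -V)
ver_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# overlayfs_triage RELEASE  -- RELEASE as printed by uname -r (6.2.0-25-generic)
overlayfs_triage() {
    rel=$1
    base=${rel%%-*}                                # 6.2.0
    case $rel in
        *-*) abi=${rel#*-}; abi=${abi%%-*} ;;      # 25
        *)   abi=0 ;;
    esac
    # CVE-2021-3493: Ubuntu overlayfs bug patched in April 2021; the affected
    # kernels were 5.8 and older, so a 2023 kernel is not a candidate
    if ver_lt "$base" 5.11; then
        echo "CVE-2021-3493: $rel is on an old line, check the Ubuntu ABI revision"
    else
        echo "CVE-2021-3493: not applicable to $rel (fixed in 2021)"
    fi
    # CVE-2023-2640 / CVE-2023-32629 (GameOver(lay)): Ubuntu 22.04 HWE 6.2
    # kernels before 6.2.0-26 (USN-6250-1, July 2023) -- assumption, verify
    if [ "$base" = "6.2.0" ] && [ "$abi" -lt 26 ]; then
        echo "CVE-2023-2640/CVE-2023-32629: $rel predates the fix, worth trying"
    else
        echo "CVE-2023-2640/CVE-2023-32629: $rel not in this table"
    fi
}

# looney_probe  -- CVE-2023-4911 check: a patched ld.so rejects the doubled
# tunable and su just prints its help; an unpatched one dies with SIGSEGV
# (exit status 139 from the shell). This only tests, it does not exploit.
looney_probe() {
    if env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
              "Z=$(printf '%08192x' 1)" /usr/bin/su --help >/dev/null 2>&1; then
        echo "CVE-2023-4911: handled cleanly, ld.so is likely patched"; return 1
    else
        rc=$?
        if [ "$rc" -eq 139 ]; then
            echo "CVE-2023-4911: segfault, ld.so is likely vulnerable"; return 0
        fi
        echo "CVE-2023-4911: inconclusive (exit status $rc)"; return 2
    fi
}

overlayfs_triage "$(uname -r)"
```

On the target you would run overlayfs_triage "$(uname -r)" and then looney_probe; a clean result from the probe is consistent with the failed Looney Tunables attempt above, and the kernel line points at the 2023 OverlayFS bugs rather than the 2021 one.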
I got root! Really? No Looney Tunables in this CTF? After reading the root flag I was done with the challenge.
This challenge was fun, but I would not say that this machine was easy. I would rate it as a medium machine.
I hope you enjoyed it and see you next time 😄