Nmap

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://analytical.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add analytical.htb to /etc/hosts.

Visiting the login panel, we found ourselves redirected to a new subdomain, data.analytical.htb.

Add it to /etc/hosts as well.


Found a Metabase site; at first I thought it was a custom CMS. Tried different injections but failed.

Proceeded to search for Metabase and found a Metasploit module for the pre-auth RCE.

https://www.rapid7.com/db/modules/exploit/linux/http/metabase_setup_token_rce/

Proceeded to add it to the Metasploit modules.


We found ourselves to be the metabase user.


After some enumeration, we found ourselves to be in a Docker container.

Checking the environment, we got ourselves a username and password.


And we managed to SSH in as metalytics.
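The weakness used in the last two steps is a credential stored in the container environment that also works for a host account. As an added example (not part of the original writeup), this audit flags credential-like variables in `docker inspect` output and notes when a user-type variable names a host account with a login shell. The name patterns, container names and sample data are assumptions constructed for illustration.

```python
import json
import re

# Heuristic name patterns (an assumption; tune for your environment).
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|API_?KEY", re.I)
USER_NAME = re.compile(r"USER|LOGIN|ACCOUNT", re.I)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def host_login_accounts(passwd_text):
    """Return account names from passwd(5) text that have an interactive shell."""
    accounts = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            accounts.add(fields[0])
    return accounts

def audit_container_env(inspect_json, passwd_text):
    """Flag credential-like env vars in `docker inspect` output; values are never returned."""
    logins = host_login_accounts(passwd_text)
    findings = []
    for container in json.loads(inspect_json):
        raw = container["Config"]["Env"] or []  # Env can be null
        env = dict(e.split("=", 1) for e in raw if "=" in e)
        secrets = sorted(k for k in env if SECRET_NAME.search(k))
        # A user-type variable naming a host login account suggests credential reuse.
        reused = sorted(v for k, v in env.items()
                        if USER_NAME.search(k) and v in logins)
        if secrets:
            findings.append({"container": container["Name"],
                             "secret_vars": secrets, "host_accounts_named": reused})
    return findings

# Constructed sample data (placeholder names and values, not taken from the target).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/bi-app", "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin", "APP_USER=svc_report",
        "APP_PASS=example-placeholder"]}},
    {"Name": "/cache", "Config": {"Env": ["PATH=/usr/bin", "TZ=UTC"]}},
])
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc_report:x:1000:1000::/home/svc_report:/bin/bash"""

if __name__ == "__main__":
    for finding in audit_container_env(SAMPLE_INSPECT, SAMPLE_PASSWD):
        print(finding)
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` and the contents of /etc/passwd; any container listed with a non-empty host_accounts_named should have its secret moved out of the environment and the host password rotated.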


After enumerating the kernel version, we found this PoC on GitHub:

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629


$y$j9T$aVUkVU8LWFNEuXdwrOIJH.$jF8hy0vMzBJTvu/.HkzP0E4ZObo1I.frOPRVj2ktqM2

root