HTB: Analytics - OSCP Prep Write-up
Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, Docker escape via environment variable credential leak, and a kernel exploit chain for root. Machine info Name Analytics Platform HackTheBox OS Linux Difficulty Easy TL;DR Metabase 0.46.6 vulnerable to pre-auth RCE (CVE-2023-38646) Initial shell lands inside a Docker container Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#) SSH to the host as metalytics, then kernel exploit CVE-2023-2640 + CVE-2023-32629 (overlayfs) for root Recon RustScan + Nmap 1 rustscan -a 10.129.21.240 -- -sV -sC -Pn -A ...