TryHackMe writeup: Linux Privilege Escalation Capstone Challenge

2023-04-27

Try every method in the teaching part.

  1. Enumeration: find the kernel version and search for a vulnerability to exploit. Unfortunately, no vulnerability for this kernel was found.
  2. SUDO: “sudo -l” shows that leonard cannot run sudo.
  3. SUID: “find / -type f -perm -04000 -ls 2>/dev/null” shows that base64 can be used. This is a good one: we can use the method in [GTFOBins](https://gtfobins.github.io/gtfobins/base64/) to read a file that otherwise requires root privilege. Trying to find the location of the two flag files with “find / -name flag1.txt 2>/dev/null” and “find / -name flag2.txt 2>/dev/null” shows no results.
  4. Capabilities: “getcap -r / 2>/dev/null” shows no interesting results.
  5. Cron jobs: “cat /etc/crontab”, no cron jobs defined.
  6. PATH: I tried with no success.
  7. NFS: “cat /etc/exports” shows no result.
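
The SUID finding in step 3 is the kind of thing a baseline review catches on the defender's side. The script below is an added example, not part of the original writeup: it filters SUID paths against an allowlist, and the `EXPECTED_SUID` list, the function names and the sample paths are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: review SUID binaries against an expected baseline.
# EXPECTED_SUID is an assumed allowlist; replace it with the baseline
# for your own distribution and image.
EXPECTED_SUID="passwd sudo su mount umount chsh chfn newgrp gpasswd pkexec fusermount"

# Read one path per line on stdin and print every path whose basename
# is not in the allowlist, i.e. every SUID file that needs a review.
unexpected_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $EXPECTED_SUID " in
            *" $name "*) ;;                # expected SUID binary, skip
            *) printf '%s\n' "$path" ;;    # not in baseline: report it
        esac
    done
}

# Enumerate SUID files with the same find test the writeup uses
# (printing paths only, staying on one filesystem) and filter them.
audit_suid() {
    find "${1:-/}" -xdev -type f -perm -04000 -print 2>/dev/null | unexpected_suid
}

# Constructed sample input mirroring the finding in step 3.
sample_paths() {
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/base64 /usr/bin/mount
}
```

Running `audit_suid /` on a host lists SUID files outside the baseline; a general-purpose file utility such as base64 appearing there should have its SUID bit removed with `chmod u-s`.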