In this post, I would like to share a walkthrough of the Jupiter Machine from Hack the Box

This room will be considered a Medium machine on Hack the Box

What will you gain from the Jupiter machine?

For the user flag, you will need to enumerate subdomains, which reveals one pointing to a Grafana kiosk (kiosk.jupiter.htb). We can abuse the Remote Code Execution vulnerability discovered within the Grafana service (datasource). Sadly, the reverse shell connection is not stable, so we need to add our SSH public key to the victim’s machine. Once we have a stable connection, we can escalate to the Juno user by inserting a command into the YAML file.

As for the root flag, we find a service running on port 8888 which turns out to be an instance of Jupyter. We need to find the token used to authenticate to the dashboard, which can be found inside the log file located in the /opt/solar-flares/ directory. We can retrieve a reverse shell as Jovian by exploiting the notebook with a short Python script. Once we have access to the machine as Jovian, we need to modify the config.json that can be found in the /tmp directory. After we have modified config.json, we can run the sattrack command without a password to proceed.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259v

Information Gathering on Jupiter Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start gathering information on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/Jupiter]
└──╼ $nmap -sC -sV 10.10.11.216 -oA initial 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-04 00:38 EDT
Nmap scan report for 10.10.11.216
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 ac:5b:be:79:2d:c9:7a:00:ed:9a:e6:2b:2d:0e:9b:32 (ECDSA)
|_  256 60:01:d7:db:92:7b:13:f0:ba:20:c6:c9:00:a7:1b:41 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://jupiter.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.55 seconds

Let’s access the website interface

However, nothing interesting can be found on the website itself

Therefore, let’s enumerate directories using the gobuster tool. Sadly, we didn’t find any useful directories to investigate further

As a result, we should try to enumerate subdomains on the machine.

Let’s access the subdomain website that we found earlier.

We see the ping requests arriving in our tcpdump output.

At last, we managed to obtain the reverse shell connection back to us.

I found a strange YAML file inside the /dev/shm directory

The screenshot above shows the original content of the file

The screenshot above shows our modified version of the file that we abused.

Sadly, the reverse shell is not very stable

As a result, let’s obtain an SSH connection to the machine by adding our public key to the machine.

Finally, we have successfully accessed the machine via the SSH service.

Boom! The bash binary has the SUID bit set

Therefore, let’s execute the “bash -p” command
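A SUID-root copy of a shell or interpreter, like the bash binary above, gives any local user a root process with a single command, so it is worth auditing for. The script below is an added example, not part of the original walkthrough: it walks a filesystem tree, lists every set-uid/set-gid regular file, and flags known shells and interpreters as critical. The INTERPRETERS set and the demo() scratch layout are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile

# Shells and interpreters that hand the caller an arbitrary process under the
# file owner's uid when set-uid. The list is an assumption, not exhaustive.
INTERPRETERS = {
    "bash", "sh", "dash", "zsh", "ksh", "python", "perl", "ruby", "php",
    "node", "lua", "env", "vim", "vi", "nano", "find", "awk", "less", "more",
}


def classify_suid(path):
    """Return 'critical' for a set-uid interpreter/shell, 'review' otherwise."""
    name = os.path.basename(path)
    # Strip a version suffix so python3.10 -> python, perl5 -> perl.
    base = name.rstrip("0123456789.")
    return "critical" if (name in INTERPRETERS or base in INTERPRETERS) else "review"


def audit_suid(root):
    """Walk `root` and return one finding per set-uid/set-gid regular file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)  # lstat: never follow symlinks while auditing
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append({
                    "path": p,
                    "owner_uid": st.st_uid,
                    "setuid": bool(st.st_mode & stat.S_ISUID),
                    "setgid": bool(st.st_mode & stat.S_ISGID),
                    "severity": classify_suid(p),
                })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed scratch tree (not the HTB machine): a set-uid 'bash',
    a set-uid 'ls' and a plain text file. Returns the audit findings."""
    base = tempfile.mkdtemp()
    try:
        for name, mode in (("bash", 0o4755), ("ls", 0o4755), ("notes.txt", 0o644)):
            p = os.path.join(base, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, mode)
        return [(os.path.basename(f["path"]), f["severity"]) for f in audit_suid(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, severity in demo():
        print(f"{severity:9} {name}")
```

Run it against a real root as audit_suid("/") (ideally as root so every directory is readable) and compare the result with the distribution's expected set-uid list; an interpreter showing up as critical is the same condition the "bash -p" step above relies on.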

The original file will look something as shown above.

We execute the command above, inserting a reverse shell command to obtain a connection back to us.

Finally, we managed to retrieve a reverse shell connection back to us.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

We confirm that we now have Juno’s privileges

I noticed a listening port that the Nmap scan did not catch

Let’s start the port forwarding with the chisel tool

The website interface will look something like the above.

At last, we managed to obtain the token for the website
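Jupyter prints its login URL, token included, to its own log at startup, so a readable log directory like the one above is equivalent to a readable password. The following is an added example, not code from the walkthrough or from the Jupyter project: it scans log text for token-bearing URLs, reports where they occur, and produces a redacted copy suitable for shipping to a log collector. The SAMPLE_LOG lines are constructed to resemble Jupyter's startup banner; the token value is made up.

```python
import re

# Constructed sample (not taken from the machine). Lines 3 and 4 imitate the
# URLs Jupyter Server logs when token authentication is enabled.
SAMPLE_LOG = """\
[I 2023-06-04 00:40:12.001 ServerApp] Serving notebooks from local directory: /opt/solar-flares
[I 2023-06-04 00:40:12.002 ServerApp] Jupyter Server is running at:
[I 2023-06-04 00:40:12.002 ServerApp] http://localhost:8888/lab?token=0123456789abcdef0123456789abcdef0123456789abcdef
[I 2023-06-04 00:40:12.003 ServerApp]  or http://127.0.0.1:8888/lab?token=0123456789abcdef0123456789abcdef0123456789abcdef
[W 2023-06-04 00:41:00.500 ServerApp] 403 GET /api/contents (10.10.14.5): Forbidden
"""

# A token query parameter followed by a hex value of at least 16 characters.
TOKEN_RE = re.compile(r"(?P<key>[?&]token=)(?P<value>[0-9a-fA-F]{16,})")


def find_leaked_tokens(text):
    """Return [(line_number, token), ...] for every token-bearing URL in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            hits.append((n, m.group("value")))
    return hits


def unique_tokens(text):
    """Distinct token values found in `text`, sorted."""
    return sorted({tok for _, tok in find_leaked_tokens(text)})


def redact_tokens(text):
    """Copy of `text` with every token value replaced by a fixed marker."""
    return TOKEN_RE.sub(lambda m: m.group("key") + "<REDACTED>", text)


def scan_file(path):
    """Read a log file and return its findings; convenience wrapper for cron use."""
    with open(path, "r", errors="replace") as f:
        return find_leaked_tokens(f.read())


if __name__ == "__main__":
    for n, tok in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {n}: token {tok[:6]}... exposed")
    print(redact_tokens(SAMPLE_LOG))
```

Redaction only limits the blast radius of a readable log; the fix for the situation in this box is to keep the log directory unreadable to other local users and to rotate the token (or switch to password/OAuth auth) once it has been exposed.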

It will redirect us to a page like the one shown above.

We can edit the page by adding a Python reverse shell command and clicking Run to retrieve the connection back to us.

Let’s start our nc listener


Finally, we have successfully obtained a reverse shell connection back to us as Jovian.

We should be executing the command above to obtain a root shell

We can read the root flag by typing the “cat root.txt” command

How to get the root flag after the patch

We managed to find the location of a config file referenced inside the binary

Let’s modify the file as required to get the root flag

At first, it doesn’t work at all, but running it with the sudo command does
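Both privilege escalations in this box, the YAML file in /dev/shm read by a Juno-owned job and the config.json in /tmp read by sattrack under sudo, are the same defect: a privileged program loading configuration from a location other users can write to. The check below is an added example, not code from the walkthrough or from either program; it is what such a program could run before trusting a config file. The trust rule (owner must match, no group/world write on the file, containing directory not world-writable unless sticky and owned by the same uid, no symlinks) and the demo() scratch layout are assumptions for illustration.

```python
import os
import shutil
import stat
import tempfile


def config_is_trusted(path, trusted_uid=0):
    """Return (ok, reason). Trust only a regular file owned by `trusted_uid`
    that nobody else can write, sitting in a directory nobody else can
    replace entries in (sticky world-writable dirs such as /tmp are tolerated
    because existing entries there can only be renamed/removed by their owner)."""
    st = os.lstat(path)  # lstat so a symlink planted by another user is caught
    if stat.S_ISLNK(st.st_mode):
        return False, f"{path} is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, f"{path} is not a regular file"
    if st.st_uid != trusted_uid:
        return False, f"{path} owned by uid {st.st_uid}, expected {trusted_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, f"{path} is group/world writable"

    d = os.path.dirname(os.path.abspath(path))
    ds = os.stat(d)
    if ds.st_uid != trusted_uid:
        return False, f"directory {d} owned by uid {ds.st_uid}, expected {trusted_uid}"
    if (ds.st_mode & stat.S_IWOTH) and not (ds.st_mode & stat.S_ISVTX):
        return False, f"directory {d} is world writable without the sticky bit"
    return True, "ok"


def demo():
    """Constructed scratch tree (not the HTB machine) exercising each rule.
    Returns {case_name: trusted_bool}; the calling user stands in for root."""
    me = os.getuid()
    base = tempfile.mkdtemp()
    results = {}
    try:
        os.chmod(base, 0o700)

        def make(dirname, filename, mode):
            p = os.path.join(dirname, filename)
            with open(p, "w") as f:
                f.write("interval: 60\n")
            os.chmod(p, mode)
            return p

        good = make(base, "good.yml", 0o600)
        results["owner_only"] = config_is_trusted(good, me)[0]

        loose = make(base, "loose.yml", 0o666)          # like a writable /dev/shm file
        results["world_writable_file"] = config_is_trusted(loose, me)[0]

        shm = os.path.join(base, "shm")
        os.mkdir(shm)
        os.chmod(shm, 0o777)                              # world writable, no sticky
        results["file_in_world_writable_dir"] = config_is_trusted(make(shm, "c.yml", 0o600), me)[0]

        tmp = os.path.join(base, "tmp")
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)                             # sticky like /tmp
        results["sticky_dir"] = config_is_trusted(make(tmp, "config.json", 0o600), me)[0]

        link = os.path.join(base, "link.yml")
        os.symlink(good, link)
        results["symlink"] = config_is_trusted(link, me)[0]

        results["wrong_owner"] = config_is_trusted(good, me + 1)[0]
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} {'trusted' if ok else 'REJECTED'}")
```

Note that the sticky_dir case passes only because the file already exists and is owned by the trusted uid; a program that creates its config in /tmp on first run is still exposed to a pre-created file, which is exactly why the owner check comes first. Keeping the config under a root-owned directory such as /etc avoids the question entirely.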

It works like charm!

We can read the root flag by typing the “cat root.txt” command
