Jupiter – HackTheBox Writeup

Machine Name: Jupiter
IP: 10.10.11.216
Difficulty: Medium

Summary

Jupiter is a medium machine that starts with discovering a subdomain that retrieves data from the database using queries sent through the request, making it vulnerable to SQLi. The SQL injection is leveraged to gain a shell as the user Postgres. A configuration script that is writable by Postgres and run by Juno is used to gain a shell as Juno. Juno is a member of the “science” group, which uses Jupyter Notebook. The Jupyter service is run by Jovian. Juno can read the Jupyter logs, which are used to obtain tokens to log in to the Jupyter Hub. The notebook is used to execute commands and gain a shell as Jovian. To escalate privileges to root, a binary that can be run using sudo uses a configuration file that is writable by Jovian. This misconfiguration is leveraged to gain a shell as root.
