Busqueda
Write up for the HTB machine 'Busqueda'
1. Initial Recon
1.1. nikto
searcher.htb -> add this to /etc/hosts
1.2. nmap
cmd: nmap -sC -sV 10.10.11.208
Open ports: 22 (SSH) and 80 (HTTP, Apache)
1.3. domain recon
We can see at the bottom of the page that the web application is powered by Searchor 2.4.0,
which contains an RCE vulnerability; the fix can be found at: https://github.com/ArjunSharda/Searchor/pull/130/files
If we capture the request using Burp Suite, we can replace the query parameter of the POST request with the following Python code to achieve RCE.
Encoding our reverse shell using base64
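The root cause behind this foothold is that the search engine name and the query are pasted into a string of Python source and passed to eval(), so a quote character in the query ends the string literal and whatever follows is executed. The following is an added example, not Searchor's own code: a constructed engine table, a minimal version of the vulnerable pattern, and a hardened version that looks the engine up in an allowlist and only ever treats the query as data. The ENGINES table, search_vulnerable and search_hardened are assumptions for illustration.

```python
from urllib.parse import quote_plus

# Constructed stand-in for the project's engine table: name -> URL template.
ENGINES = {
    "google": "https://www.google.com/search?q={}",
    "bing": "https://www.bing.com/search?q={}",
}


def search_vulnerable(engine: str, query: str) -> str:
    """Vulnerable pattern (illustrative): both arguments are spliced into
    source text and evaluated, so the query is parsed as Python, not as data."""
    expr = f"ENGINES['{engine}'].format(quote_plus('{query}'))"
    return eval(expr)  # user input reaches eval: this is the bug class


def search_hardened(engine: str, query: str) -> str:
    """Hardened version: allowlist lookup instead of eval; the query is only
    ever URL-encoded and substituted into the template as a value."""
    template = ENGINES.get(engine)
    if template is None:
        raise ValueError(f"unknown engine: {engine!r}")
    return template.format(quote_plus(query))


def quote_breaks_vulnerable(query: str) -> bool:
    """Detection-style check: True if the vulnerable path cannot even parse
    the query as a string literal. A single apostrophe is enough, which is the
    symptom that shows the input is being interpreted as code."""
    try:
        search_vulnerable("google", query)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    print(search_hardened("google", "it's"))      # apostrophe is encoded, not evaluated
    print(quote_breaks_vulnerable("it's"))        # True: the vulnerable path parses it as code
```

A benign query containing an apostrophe is enough to show the difference: the hardened function returns a URL with the apostrophe percent-encoded, while the vulnerable function fails to parse it because the quote has closed the string literal. Anything that follows such a quote in the vulnerable version is executed as Python, which is what the exploit in the PR linked above abuses.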
After catching our reverse shell with a netcat listener, we can do some recon on the file system of the web application.
/var/www/app/.git/config
contains credentials for a Gitea instance in the following URL: http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
2. Privilege Escalation
sudo -l
We can use jh1usoih2bkjaspwe92 as both the sudo password and the SSH password, so we no longer need our reverse shell.
Add gitea.searcher.htb to /etc/hosts.
Log in to Gitea as cody with the above credentials.
By looking through the Gitea repository we can see that there is an administrator user.
Credentials are found using the docker-inspect commands that we are allowed to run with sudo permissions as our user cody.
Log in to Gitea using
On Gitea we can see in system-checkup.py that a script called ./full-checkup.sh is run by one of the commands.
The path is relative, so it is resolved against the current working directory, not against /opt/scripts/.
If we create our own ./full-checkup.sh in any directory that isn't /opt/scripts/ and run the above sudo command from the directory containing our script, our script will be run instead of the intended one.
So we place a ./full-checkup.sh with the following bash code for another reverse shell, but this time we will be root :)
Finally, run the sudo command with the full-checkup option while having a netcat listener ready to catch the reverse shell.