Busqueda

Enumeration

Nmap discovered two open ports, and as seen below the web service running on port 80 redirects to searcher.htb, so I had to add the domain to my /etc/hosts file to be able to access the page.

On the webpage there is a search app that lets us select a search engine and enter a search query, and it performs the search for us.

I enumerated but couldn't find any subdomain or subdirectory; however, at the bottom of the webpage I noticed a software name and version number, Searchor 2.4.0...

...and a couple of Google searches later I found a GitHub repository describing an apparent issue with the installed version of Searchor.

As seen below, this version passes the user-supplied query into the Python eval() function, which allows code execution when exploited.

To exploit this, I sent the search request to Burp Suite Repeater.

I used this HackTricks tutorial for Python payloads and got it working using the format '+PAYLOAD+'. I had to URL-encode the payload to make it work, though.
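The following is an added example, not Searchor's own code or part of the original writeup. It reconstructs the pattern behind the eval() issue in a simplified form: a search helper that builds a Python expression around the query and evaluates it, next to a version that never touches eval(). The Engine class, the single Google engine, the EVIDENCE list and the INJECTION_PAYLOAD are all constructed for the demonstration; a real payload would call os.system() or os.popen() where this one only appends a marker to a list.

```python
"""Added example (not Searchor's own code): an eval()-built search call that a
'+PAYLOAD+' query can break out of, and a safe dispatch-table alternative."""
from urllib.parse import quote, quote_plus

# Records evidence that injected code ran; a real payload would run a shell
# command here instead of appending to a list (constructed for the demo).
EVIDENCE = []

# Constructed payload in the '+PAYLOAD+' shape used in the writeup: the first
# quote closes the query string literal, '+' concatenates an arbitrary Python
# expression, and the trailing +' re-opens the literal so the whole expression
# stays syntactically valid after interpolation.
INJECTION_PAYLOAD = "'+str(EVIDENCE.append('injected'))+'"


class Engine:
    """Hypothetical stand-in for the library's engine classes (one engine only)."""

    class Google:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            return "https://www.google.com/search?q=" + quote_plus(query)


def vulnerable_search(engine: str, query: str) -> str:
    # The query is interpolated into Python source text and then evaluated, so
    # any quote character inside it changes the structure of the expression.
    return eval(f"Engine.{engine}.search('{query}', copy_url=False, open_web=False)")


def safe_search(engine: str, query: str) -> str:
    # Dispatch through a fixed table and pass the query as a plain argument,
    # so its contents are always data and never code.
    engines = {"Google": Engine.Google}
    if engine not in engines:
        raise ValueError(f"unknown engine: {engine!r}")
    return engines[engine].search(query, copy_url=False, open_web=False)


def as_sent_over_http(payload: str) -> str:
    # Form bodies are URL-encoded on the wire and decoded by the framework
    # before the app sees them. An unencoded '+' in a form body is decoded as
    # a space, which would break the payload; that is why it had to be
    # URL-encoded in Burp for the quotes and plus signs to arrive intact.
    return quote(payload, safe="")


if __name__ == "__main__":
    print(vulnerable_search("Google", "hello world"))
    print(as_sent_over_http(INJECTION_PAYLOAD))
    print(vulnerable_search("Google", INJECTION_PAYLOAD), EVIDENCE)
    EVIDENCE.clear()
    print(safe_search("Google", INJECTION_PAYLOAD), EVIDENCE)
```

With the benign query the two functions agree; with the payload, vulnerable_search evaluates the injected expression (EVIDENCE gains an entry and the "query" that reaches the engine is the string "None"), while safe_search just URL-encodes the payload into the search URL and EVIDENCE stays empty.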

User

I enumerated the file system looking for useful files and found both a username and a password in two different Git files.

There was also an entry in the /etc/hosts file for a Gitea subdomain, which wasn't picked up when I was brute-forcing subdomains.

Since I had cody's password, I reused it to SSH into the box as the user svc and grab the user flag.

Privilege Escalation

I used sudo -l to see which commands I can run as root and noticed some scripts in the /opt/scripts directory.

When I run the command, it displays three actions I can take, two of which are Docker related, indicating that Docker is running on the system and most likely containers as well.

Running docker-ps, I found two containers running: Gitea, which I had previously found a subdomain for, and mysql_db.

As seen above, I can also run docker-inspect commands; however, my Docker is rusty, and luckily I found help in the official Docker documentation.

Using the --format='{{json .Config}}' option, I was able to dump the container configuration, including passwords for both containers.

Since the newly found credentials didn't open any doors elsewhere, I visited the Gitea subdomain. First I tried logging in as cody with the initially found password, which worked. I enumerated but found nothing interesting and no repositories, though I did find that there is another user called administrator.

I tried one of the newly found passwords from the Docker dump for the administrator account, which worked, and I was able to view the source code of the scripts found in /opt/scripts.

So, comparing the full-checkup.sh script below with the output of running sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup, we can deduce that the full-checkup argument of the command runs the full-checkup.sh script...

...however, what happens when I try to run the full-checkup command from a different directory, say /tmp for example...

...as seen below, we get an error saying "something went wrong", indicating that full-checkup.sh is invoked by a relative path and is looked up in the current working directory rather than in /opt/scripts.

To exploit this, I simply created a file named full-checkup.sh in /tmp containing a script that sets the SUID bit on bash, ran the command from /tmp to escalate my privileges, and I was root.
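The following is an added example, not the box's own system-checkup.py or any code from the original writeup. It reconstructs the behaviour observed above in a self-contained way: a checkup runner that invokes its helper as ./full-checkup.sh (resolved against the caller's current directory, which is what the "something went wrong" error from /tmp suggests) next to one that resolves the helper against a fixed script directory. The directory names, the helper bodies and the error string are constructed for the demo; the temporary directories stand in for /opt/scripts, an empty directory and an attacker-writable /tmp.

```python
"""Added example (not the box's own script): why a privileged script that runs
its helper by relative path can be hijacked from any writable working directory,
and how resolving the helper against a fixed directory removes the problem."""
import os
import stat
import subprocess
import tempfile

HELPER = "full-checkup.sh"
ERROR = "Something went wrong"  # constructed stand-in for the script's error text


def write_helper(directory: str, body: str) -> str:
    """Write an executable full-checkup.sh into directory and return its path."""
    path = os.path.join(directory, HELPER)
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IRWXU)
    return path


def run_helper(path: str, cwd: str) -> str:
    """Run the helper from cwd and return its stdout, or the generic error string."""
    try:
        # Invoked through /bin/sh so the demo also works on noexec temp dirs;
        # a relative path is resolved against cwd either way.
        done = subprocess.run(["/bin/sh", path], cwd=cwd,
                              capture_output=True, text=True, check=True)
        return done.stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return ERROR


def checkup_relative(cwd: str) -> str:
    """Vulnerable pattern: './full-checkup.sh' is looked up in the caller's cwd,
    so whoever controls the cwd controls which file runs (as root, under sudo)."""
    return run_helper("./" + HELPER, cwd)


def checkup_absolute(script_dir: str, cwd: str) -> str:
    """Hardened pattern: the helper is always taken from a fixed, root-owned
    directory, so the caller's cwd no longer matters."""
    return run_helper(os.path.join(script_dir, HELPER), cwd)


def demo() -> dict:
    """Reproduce the three situations from the writeup with constructed dirs:
    the /opt/scripts stand-in, an empty directory, and an attacker-writable one."""
    with tempfile.TemporaryDirectory() as scripts, \
         tempfile.TemporaryDirectory() as empty, \
         tempfile.TemporaryDirectory() as writable:
        write_helper(scripts, "echo legitimate-checkup")
        # On the box the planted file would e.g. chmod u+s /bin/bash; here it
        # only prints a marker proving that the attacker's copy was executed.
        write_helper(writable, "echo attacker-controlled")
        return {
            "relative_from_scripts": checkup_relative(scripts),
            "relative_from_empty": checkup_relative(empty),
            "relative_from_writable": checkup_relative(writable),
            "absolute_from_writable": checkup_absolute(scripts, writable),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it from the scripts directory works, running it from an empty directory yields the generic error seen on the box, and running it from a directory holding a planted full-checkup.sh executes the planted copy; the absolute-path variant executes the legitimate helper regardless of where it is called from. The same applies to any sudo rule that wraps a script: check every path the script opens or executes, not just the one named in sudoers.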