Busqueda
Gaining Access
Nmap scan:
$ nmap -sC -sV -Pn -oN nmap 10.10.11.208
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 20:35 +08
Nmap scan report for 10.10.11.208
Host is up (0.0056s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds
Port 80
The scan shows the web server redirecting to the domain name searcher.htb, so I added searcher.htb to the hosts file.
The website has a search feature that builds a query for whichever search engine the user selects.

Scrolling down a bit further, the footer shows that the website is powered by Flask and Searchor 2.4.0.

Arbitrary CMD Injection for Searchor
Searching online for Searchor 2.4.0 turns up a known arbitrary command injection in that version.
After running the exploit against the search feature, I managed to get a reverse shell.
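The bug class behind that exploit is worth seeing in code. The following is an added example, not Searchor's source or the page's own exploit: it reproduces the shape of the problem (user input spliced into a Python expression string that is then passed to eval) next to a dispatch-table version that never evaluates user input. The engine table, URLs and the CANARY list are stand-ins constructed for the demo; the injected expression only appends to a list, in place of the reverse shell a real payload would spawn.

```python
# Added example (not Searchor's own code): the injection pattern behind an
# eval()-built search call, beside a dispatch-table version that never
# evaluates user input. Engine names/URLs are simplified stand-ins.
from urllib.parse import quote_plus

# Stand-in search engines: name -> function that builds the search URL.
SEARCH = {
    "Google": lambda q: "https://www.google.com/search?q=" + quote_plus(q),
    "Bing": lambda q: "https://www.bing.com/search?q=" + quote_plus(q),
    "DuckDuckGo": lambda q: "https://duckduckgo.com/?q=" + quote_plus(q),
}

# Side-effect canary: the injected expression appends to this list, which is
# a harmless stand-in for the reverse shell an attacker would actually spawn.
CANARY = []


def vulnerable_build_url(engine: str, query: str) -> str:
    """Vulnerable: user input is spliced into Python source and eval()'d.

    Mirrors the shape of the Searchor 2.4.0 bug (expression text built with
    an f-string, then handed to eval); the engine table itself is a stand-in.
    """
    return eval(f"SEARCH['{engine}']('{query}')")


def safe_build_url(engine: str, query: str) -> str:
    """Hardened: look the engine up in a table and call it with the raw query.

    No source text is ever generated from user input, so quotes, parentheses
    and comment characters in the query are just characters.
    """
    try:
        build = SEARCH[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return build(query)


# Attacker-controlled query (constructed for the demo). It closes the string
# and the call, appends an arbitrary expression, and comments out the rest of
# the generated source so the syntax still parses.
PAYLOAD = "a') + str(CANARY.append('executed')) #"


def rejects_unknown_engine(engine: str = "Nope") -> bool:
    """True if the hardened builder refuses an engine name not in the table."""
    try:
        safe_build_url(engine, "x")
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both builders on a benign query and on the payload."""
    CANARY.clear()
    benign = vulnerable_build_url("Google", "cat videos")
    injected = vulnerable_build_url("Google", PAYLOAD)
    fired = list(CANARY)  # ['executed']: attacker-supplied code ran
    CANARY.clear()
    safe = safe_build_url("Google", PAYLOAD)  # payload is just URL-encoded
    return {
        "benign": benign,
        "injected": injected,
        "canary_after_vulnerable": fired,
        "canary_after_safe": list(CANARY),
        "safe": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload works because the generated source is `SEARCH['Google']('a') + str(CANARY.append('executed')) #')`: everything after `#` is a comment, so the stray `')` from the template no longer matters. Replacing `CANARY.append(...)` with an `__import__('os')` call is the step from this demo to the reverse shell the writeup obtained.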


After getting the reverse shell, I am running as the user svc.

After searching through the machine, the user flag is in svc's home folder.

Privilege Escalation
Gitea in VirtualHost
After running linpeas.sh, I can see an additional virtual host configured on port 80.

After adding gitea.searcher.htb into the host files, I am able to access the site.

I can also see the Gitea version it is running.
However, the public exploit for that version requires a valid username and password.
After enumerating the machine further, the config file in the .git folder of the app folder contains credentials for the user cody.

After logging in to Gitea with cody's credentials, there is a repository under his account, but there is nothing of interest in it.

Able to use sudo on system-checkup script
However, if I use cody's password to log in to the svc account over SSH, there is a command that svc can run as root using sudo.

After playing around with it, I realised that this script is used to check the Docker containers.

Using the docker-ps argument, I can see all the running containers.

So I tried docker-inspect to see if there is any useful information, but the command only returned a usage message.
After reading the docker inspect documentation, I used {{json .}} as the format. However, it returns a very hard to read JSON blob.

Piping the output to jq, however, returns it in a much nicer format.
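What to look for in that output is the part jq does not do for you. The following is an added example, not the page's or the box's own output: a small triage script over constructed docker inspect JSON shaped like what `{{json .}}` prints for a Gitea container and its database container. Container names, image tags, the bind-mount path and every secret value are placeholders; the env variable names follow the usual Gitea (`GITEA__section__KEY`) and MySQL image conventions. It flags secret-bearing environment variables, host paths bind-mounted into containers, and any secret value shared by more than one variable.

```python
# Added example (not the page's own output): triaging `docker inspect` JSON
# for credentials. SAMPLE_INSPECT is constructed; all secret values and paths
# are placeholders, not the real ones from the box.
import json
import re

SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0123456789abcdef",
        "Name": "/gitea",
        "Config": {
            "Image": "gitea/gitea:latest",
            "Env": [
                "USER_UID=115",
                "USER_GID=121",
                "GITEA__database__DB_TYPE=mysql",
                "GITEA__database__HOST=db:3306",
                "GITEA__database__NAME=gitea",
                "GITEA__database__USER=gitea",
                "GITEA__database__PASSWD=placeholder-gitea-db-password",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            ],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/opt/gitea-data", "Destination": "/data"},
        ],
    },
    {
        "Id": "fedcba9876543210",
        "Name": "/mysql_db",
        "Config": {
            "Image": "mysql:8",
            "Env": [
                "MYSQL_ROOT_PASSWORD=placeholder-mysql-root-password",
                "MYSQL_USER=gitea",
                "MYSQL_PASSWORD=placeholder-gitea-db-password",
                "MYSQL_DATABASE=gitea",
            ],
        },
        "Mounts": [],
    },
])

# Variable names that usually carry a credential. Deliberately broad: a false
# positive costs a glance, a miss costs the foothold.
SECRET_KEY = re.compile(r"(PASS|PASSWD|PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE)", re.I)


def _containers(inspect_json: str) -> list:
    """Accept both the array form (plain `docker inspect`) and the single
    object that `--format '{{json .}}'` prints for one container."""
    data = json.loads(inspect_json)
    return [data] if isinstance(data, dict) else data


def find_secrets(inspect_json: str) -> list:
    """Return (container, key, value) for env vars whose names look secret-bearing."""
    hits = []
    for c in _containers(inspect_json):
        name = c.get("Name", "").lstrip("/")
        for entry in c.get("Config", {}).get("Env", []):
            key, _, value = entry.partition("=")
            if SECRET_KEY.search(key):
                hits.append((name, key, value))
    return hits


def host_bind_mounts(inspect_json: str) -> list:
    """Return (container, host_path, container_path) for bind mounts: host
    directories a container can read or write, often including config files."""
    return [
        (c.get("Name", "").lstrip("/"), m["Source"], m["Destination"])
        for c in _containers(inspect_json)
        for m in c.get("Mounts", [])
        if m.get("Type") == "bind"
    ]


def reused_secrets(inspect_json: str) -> dict:
    """Map each secret value used by more than one variable to those variables.

    Reuse across services is the lead to chase next: a database password that
    also works for a web login is exactly the kind of reuse this box has.
    """
    by_value = {}
    for container, key, value in find_secrets(inspect_json):
        by_value.setdefault(value, []).append(f"{container}:{key}")
    return {v: names for v, names in by_value.items() if len(names) > 1}


if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_INSPECT):
        print("secret:", hit)
    for mount in host_bind_mounts(SAMPLE_INSPECT):
        print("bind mount:", mount)
    print("reused:", reused_secrets(SAMPLE_INSPECT))
```

Bind mounts matter as much as the env block: a container that mounts a host directory can often read configuration files the unprivileged shell cannot.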

It contains credentials for the Gitea MySQL database.

I tried that password for the administrator user and managed to get into the administrator account on Gitea.


Relative Path Vulnerability to Gain Root
Looking at the scripts repo in the administrator account, I checked whether system-checkup.py has any further issues, since it is the only file I can run as root.

It runs full-checkup.sh using a relative path, so the helper is resolved against the current working directory of whoever invokes the script. That means I can write a malicious full-checkup.sh in a directory I control, run the script from there, and get a reverse shell as root.
So I created a malicious full-checkup.sh.

After executing the script with sudo from that directory, it returns a reverse shell as root.
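The pattern and its fix, as an added example that is not the box's system-checkup.py: a privileged script that invokes a helper by a path relative to the caller's working directory, beside a version that anchors the helper to the script's own directory and checks ownership and permissions before executing it. The directory layout, helper contents and the `demo()` staging are constructed for the demonstration; `trusted_uid` defaults to the effective uid, which is root when the script runs under sudo.

```python
# Added example (not the box's system-checkup.py): the relative-path mistake
# beside a hardened version. Paths, helper names and contents are constructed
# for the demo; only the pattern (a privileged script invoking a helper by a
# path relative to the caller's cwd) is what the writeup describes.
import os
import stat
import subprocess
import tempfile
from pathlib import Path

HELPER = "full-checkup.sh"


def vulnerable_full_checkup(cwd: str) -> str:
    """Vulnerable: './full-checkup.sh' resolves against the caller's cwd.

    Under sudo the cwd is inherited from the unprivileged user, so whatever
    full-checkup.sh they placed in that directory runs as root.
    """
    result = subprocess.run(["./" + HELPER], cwd=cwd,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def hardened_full_checkup(script_dir: str, cwd: str, trusted_uid: int = -1) -> str:
    """Hardened: absolute path anchored to the script's own directory
    (Path(__file__).resolve().parent in a real script), checked before use.

    The helper must be a regular file (no symlink), owned by trusted_uid
    (default: the effective uid, i.e. root under sudo) and writable by
    nobody else. The caller's cwd no longer influences what gets executed.
    """
    if trusted_uid < 0:
        trusted_uid = os.geteuid()
    helper = Path(script_dir).resolve() / HELPER
    st = os.lstat(helper)  # lstat so a symlink is seen as a symlink
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{helper} is not a regular file")
    if st.st_uid != trusted_uid:
        raise PermissionError(f"{helper} is not owned by uid {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{helper} is group- or world-writable")
    result = subprocess.run([str(helper)], cwd=cwd,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def _write_helper(directory: Path, message: str, mode: int = 0o755) -> Path:
    """Constructed helper script that just echoes a marker."""
    path = directory / HELPER
    path.write_text(f"#!/bin/sh\necho {message}\n")
    path.chmod(mode)
    return path


def demo() -> dict:
    """Stage a trusted helper, an attacker-controlled cwd with its own
    full-checkup.sh, and a world-writable copy of the trusted helper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        trusted, attacker, loose = root / "scripts", root / "attacker", root / "loose"
        for d in (trusted, attacker, loose):
            d.mkdir()
        _write_helper(trusted, "legit-check")
        _write_helper(attacker, "attacker-code")
        _write_helper(loose, "legit-check", mode=0o777)

        out = {}
        # Same call, attacker's cwd: the relative path picks up their script.
        out["vulnerable_from_attacker_cwd"] = vulnerable_full_checkup(str(attacker))
        # Hardened version ignores cwd and runs the trusted helper.
        out["hardened_from_attacker_cwd"] = hardened_full_checkup(str(trusted), str(attacker))
        # A writable helper is refused even when it lives in the right place.
        try:
            hardened_full_checkup(str(loose), str(attacker))
            out["writable_helper_rejected"] = False
        except PermissionError:
            out["writable_helper_rejected"] = True
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same reasoning applies to every other external command a sudo-able script runs: use absolute paths, or pin PATH inside the script, since sudo's `secure_path` only protects the initial lookup, not anything resolved relative to the working directory.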
