# Busqueda

## Gaining Access

Nmap scan:

```
$ nmap -sC -sV -Pn -oN nmap 10.10.11.208                                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 20:35 +08
Nmap scan report for 10.10.11.208
Host is up (0.0056s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.83 seconds
```

### Port 80

From the scan, I can see that the web server redirects to a domain name, `searcher.htb`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FjuzH0rGsAF5bbz5hZRAj%2Fimage.png?alt=media&#x26;token=8b8bbe4c-661d-4377-83ff-d8aae8480ece" alt=""><figcaption></figcaption></figure>

So I added `searcher.htb` to the hosts file.

The website has a search feature that forwards the query to whichever search engine the user selects.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FmTDLqLg7byF7bldTh7QR%2Fimage.png?alt=media&#x26;token=9e209d08-1b4b-437c-ab3e-d68e32f3f359" alt=""><figcaption></figcaption></figure>

If I scroll down a bit more, I can see this website is powered by `Flask` and `Searchor 2.4.0`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F9ixOqnvEibxdz6u8epPc%2Fimage.png?alt=media&#x26;token=1a9fd9e8-91be-4c24-a94c-182a04c818ca" alt=""><figcaption></figcaption></figure>

### Arbitrary CMD Injection for Searchor

Searching online for `Searchor 2.4.0` turns up an arbitrary command injection vulnerability:

{% embed url="https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection" %}
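Searchor 2.4.0's injection comes from building a Python expression out of the engine name and the query and handing it to `eval()`, so a quote character in the query ends the string literal and whatever follows is executed as code (this comes from the public advisory and fix for Searchor, not from this writeup). The block below is an added example, not Searchor's code or this page's: a minimal `Engine` enum stands in for the real one, `search_unsafe` models the vulnerable pattern, and `search_safe` shows the fix, an enum lookup by name plus URL-encoding of the query so it is only ever treated as data.

```python
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    """Minimal stand-in for Searchor's Engine enum (constructed, not the real library)."""
    Google = "https://www.google.com/search?q="
    DuckDuckGo = "https://duckduckgo.com/?q="

    def search(self, query: str) -> str:
        return self.value + quote_plus(query)


def search_unsafe(engine: str, query: str) -> str:
    """Pattern modelled on Searchor 2.4.0: user-controlled text is pasted into Python
    source and evaluated, so the query is interpreted as code, not data."""
    return eval(f"Engine.{engine}.search('{query}')")


def search_safe(engine: str, query: str) -> str:
    """Hardened form: select the engine by name with no code evaluation and let
    quote_plus() encode the query, quotes included, into the URL."""
    try:
        selected = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}")
    return selected.search(query)


def query_escapes_literal(query: str) -> bool:
    """True when the eval()-based path cannot even parse the source it generated for
    `query`: the input has broken out of the string literal, which is the symptom of
    data being treated as code."""
    try:
        search_unsafe("Google", query)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    print(search_safe("Google", "it's a test"))
    print("unsafe path treats a quoted query as code:", query_escapes_literal("it's a test"))
```

A plain query gives the same URL through both paths, which is why the bug survives casual testing; only a query containing a quote reveals that `search_unsafe` is parsing input as source text. The fix is not escaping the quote but removing `eval()` altogether.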

After running the exploit, I have managed to get a reverse shell.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FKz7XrhzKs9LAg0CiFvVP%2Fimage.png?alt=media&#x26;token=0df9a64c-2039-4c07-b490-0093425cf959" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FNjqev0oQn3XkvWBDoSt3%2Fimage.png?alt=media&#x26;token=aaec69b1-cdb7-4d95-a32e-781518114f5d" alt=""><figcaption></figcaption></figure>

After getting the reverse shell, I am running as the user `svc`.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FFG12Yh3t3WFUPiD0sgQV%2Fimage.png?alt=media&#x26;token=1255bd03-d92a-493f-93ca-51b8c29efd1c" alt=""><figcaption></figcaption></figure>

After searching through the machine, I found the user flag in the home folder.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FbLvh61ic013dafGz7vGG%2Fimage.png?alt=media&#x26;token=102826b3-fef8-491e-9fcf-f4360ef5633b" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Gitea in VirtualHost

After running `linpeas.sh`, I can see that there is another virtual host served on port 80.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fa2W5hutPQ0lbfezcD6s5%2Fimage.png?alt=media&#x26;token=02267747-4c01-42e4-98e0-e36c50f516ea" alt=""><figcaption></figcaption></figure>

After adding `gitea.searcher.htb` to the hosts file, I am able to access the site.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F1kgFikQ9udCVtldCcNbM%2Fimage.png?alt=media&#x26;token=2d0fece9-e5d2-4889-a6d5-fd4600a0d94a" alt=""><figcaption></figcaption></figure>

I can also see the Gitea version it is running.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FYdYeByRqrqHgpWfikG5Q%2Fimage.png?alt=media&#x26;token=4ae7f57a-e2b3-4708-ab52-db695907dbb2" alt=""><figcaption></figcaption></figure>

However, the known exploit for this version requires a username and password:

{% embed url="https://github.com/p0dalirius/CVE-2020-14144-GiTea-git-hooks-rce" %}

Enumerating the machine further, there is a config file in the `.git` folder inside the `app` folder.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FPN2UzbC0UK1ziaatLhZq%2Fimage.png?alt=media&#x26;token=ae230de0-7b4f-4b82-8b9c-6489bbf3f87b" alt=""><figcaption></figcaption></figure>

After logging in to Gitea with cody's credentials, this is what appears under the repositories in his account, but there is nothing special there.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FJg8nO7ahWmSXHiMVSpZv%2Fimage.png?alt=media&#x26;token=12987b61-eaed-4944-81c4-52aafe788a57" alt=""><figcaption></figcaption></figure>

### Able to use sudo on system-checkup script

However, logging in to the `svc` account over SSH with cody's password, there is one command that can be run as root using sudo.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F3FicoRTnIiW2Yt3LqA4a%2Fimage.png?alt=media&#x26;token=e1ecc280-4f1a-4b69-ae83-150c4f4e66dd" alt=""><figcaption></figcaption></figure>

After playing around with it, I realised that this script is used to check the Docker containers.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FYbkfoTYd0TeY1dWHVR3x%2Fimage.png?alt=media&#x26;token=b824472f-0ee0-4fc2-b855-272a0bd2b7d5" alt=""><figcaption></figcaption></figure>

By using the `docker-ps` argument, I am able to see all the running containers.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FH9JhiUqWeZnlUutzSHY6%2Fimage.png?alt=media&#x26;token=313e89ae-4e14-4011-b7af-2a937da607c5" alt=""><figcaption></figcaption></figure>

So I tried `docker-inspect` to see if there is any more information, but the command only returned a usage message.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FTSIFt0skzpyTA8lThXuk%2Fimage.png?alt=media&#x26;token=591a44f5-300d-49ff-95f4-a562c40c4092" alt=""><figcaption></figcaption></figure>

The Docker formatting docs use `{{json .}}` as the format string. However, this returns JSON that is very hard to read.

{% embed url="https://docs.docker.com/config/formatting/" %}

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FJR3A5trOp25kEyDWSn9G%2Fimage.png?alt=media&#x26;token=537da8af-2ca8-4da5-8c95-f74ee18aa64a" alt=""><figcaption></figcaption></figure>

However, piping the output to `jq` pretty-prints it.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FITqTbqDXMbaUZ53AebCd%2Fimage.png?alt=media&#x26;token=97748fee-0bf7-4bb4-8703-c051be72b504" alt=""><figcaption></figcaption></figure>

The inspect output contains the credentials for the Gitea MySQL database.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F7XkFtQvXMHSo3Liw3Ykp%2Fimage.png?alt=media&#x26;token=8d2e6a5c-77ae-4dc8-a8e5-7d1e971d33ce" alt=""><figcaption></figcaption></figure>
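Both credential finds in this box come from the same class of mistake: secrets stored where a low-privileged reader can get at them, a `.git/config` remote URL with `user:password@` embedded, and database passwords passed to containers as environment variables, which anyone who can run `docker inspect` (here, `svc` through the sudo-able script) can read. The block below is an added audit helper, not part of this writeup or of any tool it mentions; the sample inspect output and git config are constructed with placeholder values, and the regular expression of secret-looking variable names is my own assumption.

```python
import json
import re
from urllib.parse import urlsplit

# Environment variable names that conventionally carry secrets (constructed list).
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY", re.IGNORECASE)


def _load_inspect(text: str) -> list:
    """Accept either the JSON array `docker inspect` prints by default or the
    one-object-per-line stream produced by --format '{{json .}}'."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def secret_env_in_inspect(text: str) -> list:
    """List (container name, variable name) for every Env entry whose name looks
    secret-bearing. Values are deliberately not returned: the report says what is
    exposed, the reviewer decides who is allowed to see it."""
    found = []
    for container in _load_inspect(text):
        name = container.get("Name", "?").lstrip("/")
        for entry in container.get("Config", {}).get("Env", []):
            key, _, _value = entry.partition("=")
            if SECRET_NAME.search(key):
                found.append((name, key))
    return found


def credentials_in_git_config(text: str) -> list:
    """List (url with the password masked, username) for every `url =` line in a
    git config whose remote URL embeds a user:password@ pair."""
    found = []
    for match in re.finditer(r"^\s*url\s*=\s*(\S+)", text, re.MULTILINE):
        url = match.group(1)
        parts = urlsplit(url)
        if parts.password:
            found.append((url.replace(parts.password, "***", 1), parts.username))
    return found


# Constructed sample data: placeholder values, not the box's real secrets.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitea", "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "GITEA__database__DB_TYPE=mysql",
        "GITEA__database__USER=gitea",
        "GITEA__database__PASSWD=PLACEHOLDER_DB_PASSWORD",
    ]}},
    {"Name": "/mysql_db", "Config": {"Env": [
        "MYSQL_USER=gitea",
        "MYSQL_PASSWORD=PLACEHOLDER_DB_PASSWORD",
        "MYSQL_ROOT_PASSWORD=PLACEHOLDER_ROOT_PASSWORD",
    ]}},
])

SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = http://cody:PLACEHOLDER_PW@gitea.searcher.htb/cody/example-repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

if __name__ == "__main__":
    for hit in secret_env_in_inspect(SAMPLE_INSPECT):
        print("container env exposes a secret:", *hit)
    for hit in credentials_in_git_config(SAMPLE_GIT_CONFIG):
        print("git remote embeds credentials:", *hit)
```

Run it over `docker inspect` output and every `.git/config` on a host to get a list of exposures to fix. The remediations are the usual ones: mount database passwords from files or Docker secrets rather than `Env`, keep remote URLs credential-free and use a credential helper, and do not reuse a Gitea password as a system account password, which is what turns cody's leaked credential into an SSH login as `svc` on this box.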

I tried that password for the `administrator` user and was able to log into the administrator account on Gitea.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FFVtDoTvHyaKYrGZlAAFR%2Fimage.png?alt=media&#x26;token=e659593f-8c9b-47e2-b309-15d6c916facd" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FNza1MjHCtrB9p4pOvNaN%2Fimage.png?alt=media&#x26;token=79bb9429-d1a7-48ae-8155-31fecd1541b0" alt=""><figcaption></figcaption></figure>

### Relative Path Vulnerability to Gain Root

Looking at the `scripts` repo in the administrator account, I can check whether `system-checkup.py` has any more issues, since it is the only file I can run as root.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FhfWpZjNgSK7bquoR7fve%2Fimage.png?alt=media&#x26;token=073e28cd-8703-4318-abaf-89eee8be8ca4" alt=""><figcaption></figcaption></figure>

It runs `full-checkup.sh` via a relative path, which means I can write a malicious `full-checkup.sh` of my own and get a reverse shell as root.
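A relative path is resolved against the working directory of whoever invokes the wrapper, so a sudo-able script that calls `./full-checkup.sh` lets the caller decide which file root executes. The block below is an added example of how a privileged wrapper should vet its helper script before running it; it is not `system-checkup.py` from the box, and the `/opt/scripts/full-checkup.sh` path and the checks themselves are my assumptions. `demo_in_tempdir` builds constructed fixtures (a locked-down script, a world-writable one, a symlink, and a relative path) and reports the verdict for each.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def helper_script_problem(path: str, expected_uid: int = 0) -> Optional[str]:
    """Return None if a privileged wrapper may execute `path`, else a short reason.

    The checks target exactly what a relative-path call gets wrong: the path must not
    depend on the caller's cwd, must not be a symlink the caller planted, must be
    owned by the expected uid, and must not be replaceable by group or others.
    """
    p = Path(path)
    if not p.is_absolute():
        return "relative path"
    try:
        st = os.lstat(p)  # lstat: inspect the path itself, do not follow symlinks
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_uid != expected_uid:
        return "wrong owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group/others"
    parent = os.stat(p.parent)  # a writable parent lets the file be swapped out
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "parent directory writable by group/others"
    return None


def run_helper(path: str = "/opt/scripts/full-checkup.sh", expected_uid: int = 0):
    """Run the helper only after it passes the checks, with an explicit cwd and a
    minimal environment so nothing from the caller influences what executes."""
    problem = helper_script_problem(path, expected_uid)
    if problem:
        raise PermissionError(f"refusing to run {path}: {problem}")
    return subprocess.run([path], cwd="/", env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"},
                          check=True, capture_output=True, text=True)


def demo_in_tempdir() -> dict:
    """Constructed fixtures, checked against the current user as the expected owner."""
    d = Path(tempfile.mkdtemp())  # mkdtemp creates the directory with mode 0700
    me = os.getuid()
    good = d / "full-checkup.sh"
    good.write_text("#!/bin/sh\necho full checkup ok\n")
    good.chmod(0o755)
    loose = d / "loose-checkup.sh"
    loose.write_text("#!/bin/sh\necho anyone can edit me\n")
    loose.chmod(0o777)
    link = d / "link-checkup.sh"
    link.symlink_to(good)
    return {
        "locked_down": helper_script_problem(str(good), me),
        "world_writable": helper_script_problem(str(loose), me),
        "symlink": helper_script_problem(str(link), me),
        "relative": helper_script_problem("./full-checkup.sh", me),
    }


if __name__ == "__main__":
    for check, verdict in demo_in_tempdir().items():
        print(f"{check}: {verdict or 'ok'}")
```

The minimal fix for the box's script is the first check alone: reference the helper by absolute path. The ownership and writability checks close the follow-on hole where the absolute path is right but the file or its directory is writable by the same low-privileged user; only the immediate parent directory is checked here, so the helper should live under a root-owned tree such as `/opt` or `/usr/local`, not under a user's home.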

So I created a malicious `full-checkup.sh`:

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FyqUSAY2qNI9JUTozEn7l%2Fimage.png?alt=media&#x26;token=c3373c23-bcfd-404c-bba6-94997174f092" alt=""><figcaption></figcaption></figure>

After running the script with sudo, I get a reverse shell as root.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FT8W5tcCLM9O7zTGzRDXE%2Fimage.png?alt=media&#x26;token=56dbee3c-c2a2-4d02-bff2-1ee111ba39ca" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FVoBt4AWhHhCt3HExLSGM%2Fimage.png?alt=media&#x26;token=2e26c3db-e4a1-4b14-9be8-59af38c57f82" alt=""><figcaption></figcaption></figure>
