szczygielka@hacks$ nmap -sVC -p- 10.129.215.144
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-20 07:13 EST
Nmap scan report for the searcher.htb (10.129.215.144)
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Searcher
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.1.2 Python/3.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.17 seconds
The Nmap scan result shows that 2 ports are open. SSH is running on port 22 and the Apache HTTP server is running on port 80. The HTTP response shows redirection to the domain http://searcher.htb/. Let's add the following line to the /etc/hosts file:
10.129.215.144 searcher.htb
Exploring website
Now open the domain http://searcher.htb/ via a web browser. The website seems to be a search engine. The webpage allows us to select a search engine and based on the entered phrase, it redirects us to the search result in a selected engine or returns the URL address of the query.
CVE-2023-43364
Search results for possible vulnerabilities for this library on the Internet indicate that the Searchor library up to version 2.4.1 seems to be vulnerable to Arbitrary Code Execution due to the use of an unsafe implementation of an eval method.
The information found shows that the version of the library found should also be vulnerable. This vulnerability can be exploited by using the following method, which should allow us to obtain a reverse shell:
To exploit the library we have to run the listener on our attacking machine and send the prepared payload as a value of the POST query parameter, which using Python will connect to our listener.
Let's prepare the nc listener:
nc -nvlp 443
Now prepare the payload with the proper IP and listening port:
The presence of a .gitconfig file in the home directory, responsible for the global Git configuration, may indicate the presence of Git repositories in the file system. The find command returns us 2 locations of 2 directories with Git repositories:
svc@busqueda:~$ find / -type d -name .git 2>/dev/null
/var/www/app/.git
/opt/scripts/.git
Let's move to the first .git directory and analyze its contents. In the config file, we find a URL that seems to contain the credentials of the user cody to the subdomain gitea.searcher.htb:
Add the found subdomain to the /etc/hosts file and go to this webpage using the web browser:
Let's try to log in as a user cody, entering the password we found:
We log in successfully as a cody. On the platform, we can see there is another user administrator:
On the website, we can find a repository called Searcher_site, containing the source code of the run Searcher web application:
After analyzing the repository, we do not find anything interesting in it. Trying to log in as the administrator with the cody's password also fails. Let's try to use the password we found to log in as the svc user via SSH:
szczygielka@hacks$ ssh svc@10.129.215.144
The authenticity of host '10.129.215.144 (10.129.215.144)' can't be established.
ED25519 key fingerprint is SHA256:LJb8mGFiqKYQw3uev+b/ScrLuI4Fw7jxHJAoaLVPJLA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.215.144' (ED25519) to the list of known hosts.
svc@10.129.215.144's password:
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-69-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Feb 20 01:14:57 PM UTC 2024
System load: 0.0
Usage of /: 80.2% of 8.26GB
Memory usage: 50%
Swap usage: 0%
Processes: 238
Users logged in: 0
IPv4 address for br-c954bf22b8b2: 172.20.0.1
IPv4 address for br-cbf2c5ce8e95: 172.19.0.1
IPv4 address for br-fba5a3e31476: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.215.144
IPv6 address for eth0: dead:beef::250:56ff:fe96:1a75
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Apr 4 17:02:09 2023 from 10.10.14.19
svc@busqueda:~$
SSH login is successful. Let's check if the svc user can execute any commands using sudo:
svc@busqueda:~$ sudo -l
[sudo] password for svc:
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
The output of the sudo -l command indicates that we can run the /opt/scripts/system-checkup.py script with sudo privileges using python3. Checking script permission we can see that user svc does not have the right to read that script:
svc@busqueda:~$ ls -la /opt/scripts/system-checkup.py
-rwx--x--x 1 root root 1903 Dec 24 2022 /opt/scripts/system-checkup.py
So let's try to run it:
svc@busqueda:~$ sudo python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup
After executing the command, we receive information that we can execute this command with three different arguments: docker-ps, docker-inspect and full-checkup. Let's run the script with each of the arguments:
svc@busqueda:~$ sudo python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 13 months ago Up 2 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 13 months ago Up 2 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db
svc@busqueda:~$ sudo python3 /opt/scripts/system-checkup.py docker-inspect
Usage: /opt/scripts/system-checkup.py docker-inspect <format> <container_name>
svc@busqueda:~$ sudo python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong
Calling the script with the docker-ps argument returned information about two running containers. However, to run the script with the docker-inspect argument, two additional arguments are necessary. The script executed with a full-checkup argument returns the error information Something went wrong.
--format='{{json .Config}}'
Let's first dump the configuration for the gitea container:
The code snippet indicates that the full-checkup.sh script is invoked from the user's current directory (i.e. the directory where the user is currently located) and runs the system-checkup.py script. This means that the full-checkup.sh script will be run from the path where we will execute the following command, in this case from the /home/svc directory:
We can therefore create our script with the same name with any content, and run it indirectly using the system-checkup.py script. Since the script full-checkup.sh will run with sudo privileges, we can try to escalate our privileges.
So let's create our script in the svc user's home directory called a full-checkup.sh, with the payload which should allow us to connect with our attacking machine and run listener.
Let's start the listener using nc:
szczygielka@hacks$ nc -lnvp 9000
Now create our script in the svc user's home directory called full-checkup.sh, with the following content:
szczygielka@hacks$ nc -lnvp 9000
listening on [any] 9000 ...
connect to [10.10.14.172] from (UNKNOWN) [10.129.215.144] 33844
root@busqueda:/home/svc#
Root flag
The previous steps lead us to the root user. The root flag can be obtained at/root/root.txt.
At the bottom of the website, we can see that the webpage uses Flask and Searchor 2.4.0. From the Searchordocumentation, we find out that this is the Python library used to simplify web scraping, obtaining information, and generating search query URLs. More information about this library can be found . Since we know what version of the Searchoris used on the website, let's check if this library has any vulnerabilities.
If the queryparameter is not sanitized, it may lead to remote code execution. In the version 2.4.2 of Searchor this vulnerability was patched as we can check .
From the documentation of Gitea, we find out that it is an all-in-one software development service, it includes Git hosting, code review, team collaboration, package registry, and CI/CD. More information about Gitea can be found .
So let's find out how to properly run the system-checkup.py script with the docker-inspect argument. The Docker inspect shows that to obtain the container image configuration in JSON, the format can be specified as follows:
