https://www.hackthebox.com/machines/Busqueda

OS: Linux

10.129.187.196

Credentials:

UsernamePassword
codyjh1usoih2bkjaspwe92
svcjh1usoih2bkjaspwe92
administratoryuiu1hoiu4i5ho1uh

nmap results:

22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                       
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIzAFurw3qLK4OEzrjFarOhWslRrQ3K/MDVL2opfXQLI+zYXSwqofxsf8v2MEZuIGj6540YrzldnPf8CTFSW2rk=      
|   256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTtbUicaITwpKjAQWp8Dkq1glFodwroxhLwJo6hRBUK  
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/

Web Service Enum:

redirected to http://searcher.htb/search

subdomain enumerating and gobustering we got:

http://gitea.searcher.htb/administrator
http://gitea.searcher.htb/user/login

Attack + Enum Vectors: (Ports, etc.)

  • TCP 80: HTTP Apache httpd 2.4.52
  • TCP 22: SSH OpenSSH 8.9p1

Initial Access

Searching google for exploits lands us this: https://github.com/twisted007/Searchor_2.4.0_RCE_Python/blob/main/searchor-2_4_0_RCE.py

which we use to get initial access


Priv Esc

sudo -l

reveals:

sudo /usr/bin/python3 /opt/scripts/system-checkup.py

After getting some hints by watching ippsec: the above pass seem to work like a docker command? therefore after seeing him analyzes docker content with json i start trying by myself

Now after analyzing with --help we see there are three different scripts we can run: docker-ps: shows the information about current running dockers, docker-inspect: inspects data of the current dockers, and full-checkup: a .sh scripts

and looking in /opt/scripts we can run the scripts but not edit them. So after researching online about the scripts: seems like they are similar to the commands:

https://docs.docker.com/reference/cli/docker/inspect/

and using docker-ps we note down the id and name of the dockers

https://docs.docker.com/engine/cli/formatting/https://www.hackthebox.com/machines/Box

then we try running inspect: one of the options from above link has some ways that can view data: we tried the {{json .Mounts}} first but seemed useless info: at the bottom of the page tho says '{{json .}}' shows all content as json

and also online says that we can use pump output into jq for prettier output

then we grep -i pass and found a password; and we tried it on gitea.searcher.htb: we get to log on as admin

then logging on we cannot edit the script files: I tried to edit the configurations on the website but doesn’t seem to work; watching ippsec: the ./full-cleanup.sh or which means it is executing it at the directory when we use sudo and the command; therefore we created a bash script for reverse shell at tmp or some directory we can edit, however:

It didn’t work for some reason; I realized I needed to add chmod +x to the script too doesn’t matter it is executed through sudo, also i need to add #!/bin/bash at begging of the script then we get root

Conclusion & Remediation

This lab was also done before I started blogging my write-up. Honestly, this is pretty messy writing. However, I did learn a lot including to use jq to make the output of .json files prettier and nicer to read, improving my researching skills on things I haven’t encountered before to adapt accordingly.

To remediate for such attacks: system administrators need not just to hide their web application on a subdomain, but also update them to patch from critical exploits like the ones appeared. In addition, the misconfigured sudo scripts needs to be removed to follow the principle of least privileges.