Enumeration

Nmap

Initial Nmap scan revealed SSH and HTTP ports open.

000 - nmap output

Hosts Update

The HTTP requests were forwarded to searcher.htb, so I added it to the /etc/hosts file.

001 - etc host

Exploitation

Searchor Version

The Searchor version in use was vulnerable to remote code execution. I used the exploit from this GitHub link.

002 - version

003 - exploit

004 - exploit sh

005 - got the shell

Got The User

The user was compromised.

006 - got the user

Privilege Escalation

I tried several privilege escalation methods and some known exploits against this version, but none of them worked. Then I ran linpeas and checked its output, which revealed a new subdomain, gitea.

007 - linpeas output gitea

Then, inside the web root, I found a .git directory with a config file inside it. It included the clear-text password of a user named cody. There was no cody user on the Linux system, so I tested the password against the current svc user and got an SSH shell.

008 - config file

sudo -l

Inside the SSH shell I ran sudo -l and found out that I could run python3 with a specific script.

009 - sudo -l

The script offered three options. I used one of them to check the configuration for gitea.

010 - command

011 - gitea

Gitea

The output included the gitea user and password. I used this password with the administrator user to log in to the Gitea page.

012 - login

Now I had access to the administrator's repositories. The scripts repo included the file I could run with sudo. At first I tried to update the file, but that was disallowed. Then I checked the file and found that the full-checkup option of the script runs ./full-checkup.sh; this can be exploited because it does not use the full path, so the helper is resolved relative to whatever directory the caller runs the script from.

013 - update

I created a full-checkup.sh script that spawns a reverse shell.

014 - full checkup

Then, running the full-checkup option with sudo, I got a netcat shell.

015 - root
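For comparison, here is the unsafe pattern behind this escalation next to a hardened version. This is an added, constructed illustration, not the script from the box: the `unsafe_full_checkup`, `is_trusted_path`, `resolve_helper` and `safe_full_checkup` names, and the assumption that the helper lives beside the sudo-run script in a root-owned directory, are mine.

```python
import os
import stat
import subprocess

# Assumed layout (constructed, not the machine's real script): the sudo-run
# script sits in a root-owned directory and expects full-checkup.sh beside it.
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))


def unsafe_full_checkup():
    """Unsafe pattern: a relative path is resolved against the caller's current
    working directory, so whoever invokes the script via sudo decides which
    full-checkup.sh runs as root."""
    return subprocess.run(["./full-checkup.sh"], check=False)


def is_trusted_path(path, owner_uid=0):
    """Accept the helper only if it is a regular file owned by owner_uid
    (root by default) and not writable by group or others, so an
    unprivileged user cannot swap in their own copy."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != owner_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def resolve_helper(name, base_dir=SCRIPT_DIR, owner_uid=0):
    """Anchor the helper to the script's own directory (never the caller's cwd)
    and return its absolute path, or None if it fails the trust check."""
    path = os.path.join(base_dir, name)
    return path if is_trusted_path(path, owner_uid) else None


def safe_full_checkup(base_dir=SCRIPT_DIR):
    """Hardened pattern: absolute, verified path and a fixed PATH, so neither
    the caller's working directory nor their environment picks the binary."""
    path = resolve_helper("full-checkup.sh", base_dir)
    if path is None:
        raise PermissionError("refusing to run untrusted full-checkup.sh")
    return subprocess.run([path], check=False, env={"PATH": "/usr/bin:/bin"})
```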

Pwned

The machine was fully pwned.

016 - pwned
