HTB Linux Easy: Busqueda

Busqueda is an Easy rated Linux machine on HTB.

Nmap


Initial Foothold

Enumerating HTTP (Port 80)

Add the searcher.htb domain to the hosts file so that the name resolves.

On the main web page we find that the site uses Flask and Searchor, with Searchor at version 2.4.0.

Establish shell

We can establish a shell using the Searchor 2.4.0 vulnerability.

Our nc listener should now have received a shell.

File exploration

Looking through the files in the app folder, we find a hidden .git folder that contains a config file. In this file we find credentials and a new subdomain: cody:jh1usoih2bkjaspwe92

Edit the hosts file and add the newly found subdomain: gitea.searcher.htb.

Priv Esc

The Cody user doesn’t exist in /etc/passwd. Instead, we can use the password to run sudo -l as the svc user.

Running the command brings up a help menu.

The full-checkup script only seems to work when we are in the /opt/scripts directory.

Since we can run this script with sudo, we can create a full-checkup file containing a reverse shell payload, which will then be executed as root.

We obtained a shell as the root user.
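
The fact that full-checkup only works from /opt/scripts suggests the sudo-allowed wrapper looks the helper up relative to the caller's working directory. The following is an added example, not code from the box or from this write-up, showing that weak lookup beside a hardened one; the function names, SAFE_ENV and the trusted_uid parameter are hypothetical, and the relative lookup itself is an assumption drawn from the behaviour above.

```python
import os
import stat
import subprocess

# Assumption: the helper lives beside the wrapper in /opt/scripts (path from the write-up).
SCRIPT_DIR = "/opt/scripts"
SAFE_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}


def unsafe_helper_path(name):
    """Weak form: './name' is resolved against whatever directory the caller is in."""
    return os.path.join(".", name)


def safe_helper_path(name, base_dir=SCRIPT_DIR, trusted_uid=0):
    """Hardened form: pin the helper to base_dir and reject anything others could alter."""
    if not name or name in (".", "..") or os.path.basename(name) != name:
        raise ValueError(f"helper must be a bare file name, got {name!r}")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:  # a symlink pointing out of base_dir lands here
        raise PermissionError(f"{name} resolves outside {base}")
    for target in (base, path):
        st = os.stat(target)
        if st.st_uid != trusted_uid:
            raise PermissionError(f"{target} is not owned by uid {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{target} is writable by group or others")
    return path


def run_helper(name):
    """Run the vetted helper by absolute path with a fixed, minimal environment."""
    path = safe_helper_path(name)
    return subprocess.run([path], env=SAFE_ENV, check=False).returncode


if __name__ == "__main__":
    print("unsafe:", os.path.realpath(unsafe_helper_path("full-checkup")))
    try:
        print("safe:  ", safe_helper_path("full-checkup"))
    except (OSError, ValueError) as exc:
        print("refused:", exc)
```

With the hardened lookup, the directory the sudo caller happens to be in no longer decides which file runs as root.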

User.txt


Root.txt


You have PWNED


Sources

This post is licensed under CC BY 4.0 by the author.