In this post, I would like to share a walkthrough of the Busqueda Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Busqueda machine?

For the user flag, you will need to exploit the application which relied on the outdated software component that is vulnerable to RCE attack. We should enumerate on the target’s configuration file, we managed to find hardcoded credentials.

As for the root flag, you only need to exploit the SUID binary to present us with the docker environment on the machine. We could craft a basic bash script that can execute as a root

Information Gathering on Busqueda Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- -PN

┌─[darknite@parrot]─[~/Document/htb/Busqueda]
└──╼ $nmap -sC -sV 10.10.11.208 -oA inital 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 22:15 EDT
Nmap scan report for 10.10.11.208
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 269.68 seconds

Let’s access the website interface

We didn’t get any information on top of the website

However, we have sighted the function

Therefore, let’s inspect the packet via burpsuite

There are a few methods that we can use to retrieve a shell on the machine

Exploitation using two methods

First Method

We can directly insert the reverse shell on the burpsuite request and forward the request

Finally, we managed to retrieve the reverse shell connection

Second Method

Firstly, we need to create a file that contains reverse shell command which looks something like above

As a result, let’s call the file by running the curl command

By default, we are required to start our Python server on our attacker’s machine

At last, the file managed to be transferred to the machine

Boom! We have successfully retrieved the reverse shell connection back to us

We managed to see the app.py file on the screen

Sadly, nothing useful is found inside the file.

However, we have surprisedly got the username and password

Therefore, let’s start our proxy connection with the credential that we found earlier.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

As usual, we can run the “sudo -l” to see any useful file or binary that we can abuse

The command that we see above is all related to the docker environment

Gitea Enumeration

We managed to obtain a password that we might be able to use in the Gitea application

We are presented with Gitea main page

A log in page has appeared and we have several credentials that we can use to access

There are a few files that we can investigate even further

I notice that there’s an arg_list that directed to ./full-checkup.sh

We can create a file that contains a reverse shell command

We can execute the system-checkup.py with the file that we create earlier.

Boom! I managed to obtain the root reverse shell connection

We can read the root flag by typing the “cat root.txt” command

Another way to obtain root flag

!#/bin/bash

chmod u+s /bin/bash 

We can also use the easier way to get root by giving the /bin/bash the SUID binary permission

As shown in the screenshot above, we managed to clarify that /bin/bash is not a SUID binary execution permission yet

As we have run previously, we have got a message saying “[+] Done!“

We can read the root flag by typing the “cat root.txt” command

Extra Information on Busqueda machine