In this post, I would like to share a walkthrough of the Busqueda machine from Hack the Box.
This machine is rated Easy on Hack the Box.

What will you gain from the Busqueda machine?
For the user flag, you will need to exploit an application that relies on an outdated software component vulnerable to an RCE attack. Enumerating the target’s configuration file then reveals hardcoded credentials.
As for the root flag, you only need to exploit the SUID binary that presents us with the Docker environment on the machine. We can craft a basic bash script that executes as root.
Information Gathering on Busqueda Machine
Once we have started the VPN connection, which requires a download from Hack the Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/Busqueda]
└──╼ $nmap -sC -sV 10.10.11.208 -oA inital
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-09 22:15 EDT
Nmap scan report for 10.10.11.208
Host is up (0.30s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 269.68 seconds
Let’s access the website interface.

The top of the website doesn’t give us any information.

However, we have spotted the function.

Therefore, let’s inspect the packet via Burp Suite.
There are a few methods that we can use to retrieve a shell on the machine.
Exploitation using two methods
First Method

We can directly insert the reverse shell into the Burp Suite request and forward the request.

Finally, we managed to retrieve the reverse shell connection.
Second Method

Firstly, we need to create a file that contains a reverse shell command, which looks something like the above.

Next, let’s call the file by running the curl command.

We are required to start a Python server on our attacker’s machine.

At last, the file is transferred to the machine.

Boom! We have successfully retrieved the reverse shell connection back to us.

We managed to see the app.py file on the screen.

Sadly, nothing useful is found inside the file.


However, to our surprise, we have got the username and password.

Therefore, let’s start our proxy connection with the credential that we found earlier.

We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access

As usual, we can run “sudo -l” to see any useful file or binary that we can abuse.



The commands that we see above are all related to the Docker environment.
Gitea Enumeration


We managed to obtain a password that we might be able to use in the Gitea application.

We are presented with the Gitea main page.

A login page has appeared, and we have several credentials that we can use to access it.


There are a few files that we can investigate even further.

I notice that there’s an arg_list that points to ./full-checkup.sh.

We can create a file that contains a reverse shell command.

We can execute system-checkup.py with the file that we created earlier.

Boom! I managed to obtain the root reverse shell connection.

We can read the root flag by typing the “cat root.txt” command.
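Why the relative ./full-checkup.sh reference noted above matters, as an added example (this is not the machine's system-checkup.py, which this post does not reproduce): a "./" path resolves against whatever directory the sudo user runs from, while the hardened form resolves against a fixed install directory and rejects a helper with the wrong owner or loose permissions. The function names, directory names and the owner_uid parameter are assumptions made for illustration.

```python
import os
import stat
import tempfile

def naive_helper_path(name):
    # Pattern described in the walkthrough: "./name" resolves against the
    # current working directory, which the invoking (sudo) user chooses.
    return os.path.realpath(os.path.join(".", name))

def trusted_helper_path(install_dir, name, owner_uid=0):
    # Hardened form (hypothetical helper): resolve against a fixed install
    # directory and refuse files a non-privileged user could have replaced.
    base = os.path.realpath(install_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise PermissionError(f"{name!r} resolves outside {base}")
    st = os.stat(path)
    if st.st_uid != owner_uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} has an untrusted owner or mode")
    return path

def demo():
    # Constructed layout: a trusted install dir and a user-controlled cwd,
    # each holding a file named full-checkup.sh.
    uid = os.getuid()  # stands in for root (uid 0) so the demo runs unprivileged
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        install = os.path.join(root, "install")
        userdir = os.path.join(root, "user_cwd")
        for d in (install, userdir):
            os.mkdir(d)
            helper = os.path.join(d, "full-checkup.sh")
            with open(helper, "w") as fh:
                fh.write("#!/bin/bash\necho checkup\n")
            os.chmod(helper, 0o755)
        old = os.getcwd()
        os.chdir(userdir)
        try:
            naive = naive_helper_path("full-checkup.sh")
            safe = trusted_helper_path(install, "full-checkup.sh", owner_uid=uid)
            os.chmod(safe, 0o777)  # simulate a helper that anyone can overwrite
            try:
                trusted_helper_path(install, "full-checkup.sh", owner_uid=uid)
                rejected = False
            except PermissionError:
                rejected = True
        finally:
            os.chdir(old)
        return os.path.relpath(naive, root), os.path.relpath(safe, root), rejected
```

In a real deployment owner_uid stays at its default of 0, and the sudoers entry should not let the caller pick the working directory or the script arguments freely.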
Another way to obtain root flag
#!/bin/bash
chmod u+s /bin/bash
We can also use the easier way to get root by giving /bin/bash the SUID permission.

As shown in the screenshot above, we confirm that /bin/bash does not have the SUID permission yet.


Just as in our previous run, we get a message saying “[+] Done!“



We can read the root flag by typing the “cat root.txt” command.
Extra Information on Busqueda machine
