{"id":203,"date":"2025-06-29T18:47:00","date_gmt":"2025-06-29T18:47:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=203"},"modified":"2025-12-28T19:50:55","modified_gmt":"2025-12-28T19:50:55","slug":"busqueda-hackthebox-lab-2","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=203","title":{"rendered":"Busqueda- Hackthebox lab"},"content":{"rendered":"\n

I started this one with an nmap scan for both TCP and UDP ports.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

With the Nmap results, I started enumerating port 80.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With this error, I am able to enumerate the website domain name and input that information into my \/etc\/hosts file so my local machine and resolve the hostname.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the name resolution set up, I can get to the website. It is a website that is designed to send searches to multiple search engines and other sites.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I use the Wappalyzer web browser extension to enumerate the tech stack and versions, I also see the Searcher 4.4.0 version in the bottom of the main page.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I run Nikto and Gobuster to enumerate the site more and do some directory discovery.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I did not see much from these results, I decided to check into the versions to see if I can identify any vulnerabilities or exploits. The exploits below looked promising.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I decided to try the first result.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I ran the exploit and got a reverse shell!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

While searching the system, I found the git config below with a password.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used this password to ssh into the box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I ran a check to see if the user has any sudo privileges.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I found out that the system-checkup.py script looks for the full-checkup.sh script when running the full-checkup command.<\/p>\n\n\n\n

I moved to the \/tmp directory and created a new system-checkup.sh file and made it executable, I put a reverse shell in this bash script pointing back at my machine.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I ran the system-checkup.py script from the \/tmp directory and it used the full-checkup.py file that I created.<\/p>\n\n\n\n

The reverse shell came back as root!<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This concludes the Busqueta machine from Hackthebox. This one shows the importance of keeping software up to date and protecting it against public exploits.<\/p>\n","protected":false},"excerpt":{"rendered":"

I started this one with an nmap scan for both TCP and UDP ports. With the Nmap results, I started enumerating port 80. With this error, I am able to enumerate the website domain name and input that information into my \/etc\/hosts file so my local machine and resolve the […]<\/p>\n","protected":false},"author":1,"featured_media":204,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=203"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/203\/revisions"}],"predecessor-version":[{"id":520,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/203\/revisions\/520"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/204"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}