Searchor 240

Synopsis: # On the host Busqueda a vulnerable web app was running, by exploiting the web app’s query parameter the attacker gained RCE & the initial foothold. The attacker then enumerated the system and compromised the password for the cody user, which was reused for the user svc account. The attacker also discovered a new virtual host (VHOST) where a self-hosted Git service was running. Using the sudo privileges of the svc user, the attacker was able to dump the configuration files of running Docker containers, which led to the compromise of a few additional user passwords. The attacker then logged into the administrator’s Git account and found a number of scripts. One of these scripts, named full-checkup.sh, did not have its full path specified. The attacker abused this oversight by creating a file named full-checkup.sh in the /tmp directory that contained a reverse shell. This allowed the attacker to gain complete control of the host.