Dirtyfrag

Version numbers in page footers exist for a reason. Searchor 2.4.0 handed over the foothold; a kernel exploit closed it out. Machine info Name Busqueda Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap reveals a web app on port 80 - the page footer discloses “Powered by Flask and Searchor 2.4.0” Searchor 2.4.0 is vulnerable to arbitrary command injection; a public exploit delivers a reverse shell as svc Privilege escalation via DirtyFrag (universal Linux LPE): compile and run the PoC to get root Recon Add host to /etc/hosts ...

Sandboxes are only as strong as their implementation. Codify gives you a Node.js code editor to play with - and a vm2 version that plays right back. Machine info Name Codify Platform HackTheBox OS Linux Difficulty Easy TL;DR Web app runs Node.js snippets in a vm2 sandbox; child_process is blocked, but vm2’s context escaping lets you break out entirely Shell as svc, linpeas finds a SQLite database with a bcrypt hash for joshua - cracked with John + rockyou SSH as joshua, sudo -l shows /opt/scripts/mysql-backup.sh as root; the script uses unquoted [[ $DB_PASS == $USER_PASS ]] enabling glob-based password brute-forcing Alternatively, compile and run the dirtyfrag LPE directly as svc and skip joshua entirely Recon Nmap 1 nmap -sV -sC -Pn -A codify.htb ...