Read my writeup to Busqueda macine on:
TL;DR
User: While monitoring port 80, we discovered that it was utilizing version 2.4.0 of Searchor. After examining the source code on Github, we identified a command injection vulnerability within the eval function. Leveraging this vulnerability, we were able to obtain a reverse shell as svc. We subsequently located the svc password within the .git directory’s config file.
Root: Upon running sudo -l, we determined that we could execute the /opt/scripts/system-checkup.py script as root. We then utilized the Python script to run the docker-inspect command, allowing us to inspect the currently running containers. Through this process, we discovered the credentials for Gitea. By creating a tunnel to Gitea, we were able to access the source code for system-checkup.py.
After thoroughly analyzing the source code, we determined that we could create our own script and utilize the system-checkup.py argument to execute it with root privileges.