<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Git on appl3b0y</title>
    <link>https://appl3b0y.com/tags/git/</link>
    <description>Recent content in Git on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 02 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/git/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Busqueda</title>
      <link>https://appl3b0y.com/writeups/busqueda/</link>
      <pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/busqueda/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Busqueda&lt;/strong&gt; is an easy Linux box that plays out like a small, realistic engagement: one web bug for the foothold, then a chain of information leaks and a &lt;code&gt;sudo&lt;/code&gt; misconfiguration for root. No memory corruption, just reading things carefully.&lt;/p&gt;&#xA;&lt;p&gt;The foothold is an &lt;strong&gt;&lt;code&gt;eval()&lt;/code&gt; injection&lt;/strong&gt; in &lt;strong&gt;Searchor 2.4.0&lt;/strong&gt;, the library powering the search site. That gives a shell as &lt;code&gt;svc&lt;/code&gt;. From there the box is about looting: a leftover &lt;code&gt;.git/config&lt;/code&gt; exposes a Gitea instance and a set of credentials, and a &lt;code&gt;sudo&lt;/code&gt;-runnable &amp;ldquo;system checkup&amp;rdquo; script lets us inspect Docker containers, one of which leaks a database password. That password is &lt;strong&gt;reused&lt;/strong&gt; for the Gitea admin, which lets us read the source of the very script we can run as root. The script calls a helper by a &lt;strong&gt;relative path&lt;/strong&gt;, so we drop our own version in the working directory and run it as root.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
