HackTheBox | BoardLight

In this walkthrough, I demonstrate how I obtained complete ownership of BoardLight on HackTheBox.

Initial Foothold Hint

  • This box has only two ports open — SSH and HTTP
    • You may already know that SSH is almost never your first way in
    • So, you're left with your web enumeration skills
  • Sometimes, web servers can be known by alternative names
    • Without giving too much away, how would you enumerate these alternate names?
    • Once you find the server running on the other hostname, you should see a software version number
    • Have you found the CVE for this version of the software?

Privilege Escalation Hint

  • You'll need to pivot laterally before you can become root
  • You need to have a solid post-compromise enumeration process; look at everything on the system — ports, files, etc.
  • Once you find the information for the local service, you might see if you can reuse the information you've found elsewhere
  • To escalate to root — again — solid enumeration strategies are needed; find the interesting file / application and associated CVE

Nmap Results

sudo nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt $target
# Nmap 7.94SVN scan initiated Tue May 28 16:37:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt
Nmap scan report for
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 16:38:20 2024 -- 1 IP address (1 host up) scanned in 42.58 seconds

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.
