Introduction to Boardlight:
In this write-up, we will explore the “Boardlight” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Boardlight” machine from Hack The Box by achieving the following objectives:
User Flag:
- Initial Access via Dolibarr CMS
Gaining entry to the Boardlight machine was straightforward: the Dolibarr CRM on the crm.board.htb virtual host accepted default credentials. With an authenticated account, a known flaw in the website module (CVE-2023-30253) allowed raw PHP code to be injected into a page, giving arbitrary code execution and a foothold on the system.
- Credential Reuse to the First User
Once inside, the Dolibarr configuration file exposed the database credentials. The same password was reused by the only local user, larissa, which gave a login as that user and the user flag.
Root Flag:
- Manual Exploitation of the Enlightenment Window Manager CVE
I plan to exploit a known CVE in the Enlightenment window manager. Instead of using available proof-of-concept (PoC) scripts, I’ll perform the attack manually to understand the process better.
By working through the steps manually, I can see how the vulnerability functions in detail, giving me better control and insight into the exploit’s mechanics. This hands-on approach will help me fully comprehend how to abuse the flaw.
Enumerating the Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.11
Nmap Output:
┌─[darknite@parrot]─[~/Documents/htb/boardlight]
└──╼ $nmap -sC -sV 10.10.11.11 -oA initial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-26 23:27 EDT
Nmap scan report for 10.10.11.11
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.98 seconds
Analysis:
- Port 22 (SSH): OpenSSH 8.2p1 (Ubuntu 4ubuntu0.11), the package shipped with Ubuntu 20.04; the host offers RSA, ECDSA and ED25519 host keys. Nothing to attack here without credentials, but it is the obvious place to try any we recover later.
- Port 80 (HTTP): Apache 2.4.41 on Ubuntu, serving a page with no title. The web application is the attack surface, so enumeration focuses there.
Web Enumeration:
The site is served under the hostname board.htb, so map it to 10.10.11.11 in /etc/hosts and then brute-force directories and files to find anything exploitable.
gobuster dir -u http://board.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
Gobuster Output:
┌─[darknite@parrot]─[~/Documents/htb/boardlight]
└──╼ $gobuster dir -u http://board.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://board.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 303] [--> http://board.htb/js/]
/images (Status: 301) [Size: 307] [--> http://board.htb/images/]
/css (Status: 301) [Size: 304] [--> http://board.htb/css/]
/server-status (Status: 403) [Size: 274]
Progress: 20116 / 20117 (100.00%)
===============================================================
Finished
===============================================================
Analysis:
- /js, /images and /css: static asset directories (301 redirects to their trailing-slash form); nothing interactive.
- /server-status: 403, the stock Apache mod_status endpoint, which by default only allows local access.
- No application paths turned up on the default virtual host, so the interesting content must live elsewhere, most likely on a separate virtual host.
Exploitation
Web Application Exploration:
We accessed the main page of board.htb, but there isn’t anything noteworthy to exploit there.
Let’s enumerate virtual hosts instead. Fuzzing the Host header against board.htb reveals crm.board.htb; add it to /etc/hosts alongside board.htb and browse to it.
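The virtual-host discovery step above is usually done with ffuf or gobuster vhost mode; the following added Python example (not part of the original write-up) shows the logic those tools implement: send the same request with different Host headers and keep every name whose response differs from a baseline for a name that should not exist. To run offline it starts a constructed stand-in server that answers differently for crm.board.htb; that server, its responses and the wordlist are all made up for the demonstration.

```python
import http.server
import socketserver
import threading
import urllib.request


# Constructed stand-in for the target: a name-based virtual host setup that
# serves a different application when the Host header names the CRM vhost.
# Not the real board.htb; it only exists so the fuzzer below runs offline.
class _DemoVhostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == "crm.board.htb":
            body = b"<html><head><title>Login @ 17.0.0</title></head><body>Dolibarr</body></html>"
        else:
            body = b"<html><head></head><body>default site</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the constructed vhost server on a free loopback port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _DemoVhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# Ignore any http_proxy in the environment so requests really reach the target.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, host):
    """GET url with an explicit Host header; return (status, body length)."""
    req = urllib.request.Request(url, headers={"Host": host})
    with _opener.open(req, timeout=5) as resp:
        return resp.status, len(resp.read())


def fuzz_vhosts(url, domain, words):
    """Host-header fuzzing: report every candidate whose (status, size) pair
    differs from the baseline response for a name that should not exist.
    This is the same filtering ffuf applies with -fs <baseline size>."""
    baseline = probe(url, f"definitely-not-a-vhost.{domain}")
    hits = []
    for word in words:
        candidate = f"{word}.{domain}"
        result = probe(url, candidate)
        if result != baseline:
            hits.append((candidate, *result))
    return hits


if __name__ == "__main__":
    srv = start_demo_server()
    target = f"http://127.0.0.1:{srv.server_address[1]}/"
    for hit in fuzz_vhosts(target, "board.htb", ["www", "dev", "crm", "mail"]):
        print("vhost found:", hit)
    srv.shutdown()
```

Against a real target, point `fuzz_vhosts` at `http://10.10.11.11/` with a subdomain wordlist; comparing on status and size rather than on status alone is what separates a real vhost from a catch-all default site that answers 200 for every name.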
Exploiting Remote Code Execution in Dolibarr (CVE-2023-30253)
Dolibarr is an open-source platform for enterprise resource planning (ERP) and customer relationship management (CRM), and its source code is available on GitHub. The login page on crm.board.htb shows version 17.0.0 in its HTML, just above the form div.
Dolibarr versions before 17.0.1 permit remote code execution by an authenticated user through uppercase manipulation: writing <?PHP instead of <?php in the injected page content. The website module blocks PHP code in page content, but the check only matched the lowercase open tag, while PHP’s own lexer accepts the open tag in any letter case; <?PHP therefore slips past the filter and is executed when the page is rendered. For more information, refer to the published advisory for CVE-2023-30253.
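To make the bypass concrete, here is an added Python model (not Dolibarr’s PHP source and not from the write-up’s author) of a case-sensitive content check beside a filter that matches the way PHP’s lexer does. The page-content strings are constructed for the demonstration; the point is that a filter and the interpreter it protects must agree on what counts as a PHP open tag.

```python
import re

# Constructed page content an authenticated user might submit through the
# website module's HTML source editor. Payloads are illustrative only.
LOWERCASE_PAYLOAD = '<h1>Hi</h1><?php echo shell_exec($_GET["cmd"]); ?>'
UPPERCASE_PAYLOAD = '<h1>Hi</h1><?PHP echo shell_exec($_GET["cmd"]); ?>'
SHORT_ECHO_PAYLOAD = '<p><?= shell_exec($_GET["cmd"]) ?></p>'

# How the interpreter decides that PHP code starts: the long open tag '<?php'
# followed by whitespace, compared case-insensitively, or the short echo tag
# '<?=', which is always enabled.
PHP_OPEN_TAG = re.compile(r"<\?php\s|<\?=", re.IGNORECASE)


def vulnerable_contains_php(page_html: str) -> bool:
    """Model of the pre-17.0.1 behaviour: a case-sensitive substring search for
    the lowercase tag, so '<?PHP' is not recognised as PHP at all."""
    return "<?php" in page_html or "<?=" in page_html


def php_lexer_opens_code(page_html: str) -> bool:
    """Whether PHP would actually start executing code somewhere in this page."""
    return PHP_OPEN_TAG.search(page_html) is not None


def hardened_contains_php(page_html: str) -> bool:
    """The fix: the filter's notion of 'contains PHP' is made identical to the
    lexer's rule, so every variant the interpreter would run is caught."""
    return PHP_OPEN_TAG.search(page_html) is not None


def classify(page_html: str) -> dict:
    """Side-by-side view of what each check says about one submission."""
    return {
        "vulnerable_filter_blocks": vulnerable_contains_php(page_html),
        "php_executes": php_lexer_opens_code(page_html),
        "hardened_filter_blocks": hardened_contains_php(page_html),
    }


def bypass_tags(page_html: str):
    """Open tags that PHP would execute but the vulnerable filter lets through."""
    if vulnerable_contains_php(page_html):
        return []
    return [m.group(0).strip() for m in PHP_OPEN_TAG.finditer(page_html)]


if __name__ == "__main__":
    for name, payload in [("lowercase", LOWERCASE_PAYLOAD),
                          ("uppercase", UPPERCASE_PAYLOAD),
                          ("short echo", SHORT_ECHO_PAYLOAD)]:
        print(name, classify(payload), bypass_tags(payload))
```

The uppercase submission is the interesting row: the vulnerable filter reports no PHP, the lexer would execute it, and the hardened filter blocks it. Any deny-list that inspects syntax for a different parser has to be at least as permissive in what it matches as that parser is in what it accepts.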
The screenshot above displays the login response as captured in Burp Suite.
We attempted to log in with the default credentials admin:admin, expecting the usual failure message. This time it worked.
Now click on “Website”, then the “+” icon to create a site. Next, choose “Import website template”, load any template, and then edit the page.
Let’s create a new website from the dashboard, as demonstrated in the screenshot above.
We encountered an error stating “URL VirtualHost must start with HTTP:// or HTTPS://”.
Therefore, let’s prepend “HTTP://” to the VirtualHost URL.
From what I understand, we need to import a template into the website before its pages can be edited.
Manipulating the website template to insert the shell command.
Finally, we have successfully loaded the template.
This fits our goal, since we are targeting RCE, but the attack needs an account that can read and create or modify website content. By clicking the user icon in the top right corner of the dashboard and opening the user card, we can view our user details; under the Permissions tab, it’s clear that our user holds the permissions needed to carry out this attack.
Following the steps outlined in the article, I first created a website and then added a page to it. After that, I inserted my reverse shell in the “Edit HTML Source” section.
The page appears to hang while loading, which is expected: the injected code is executing and waiting on the reverse shell connection.
We have successfully established the connection, as shown above.
After a look around the machine, the application’s configuration deserved closer investigation.
Our first goal was the user flag. /home contained a single user, larissa. The web root held the Dolibarr source tree; I looked through some of the files but found nothing useful there, just application code.
Next, I checked where Dolibarr 17.0 stores its configuration: htdocs/conf/conf.php holds the database host, name, user and password.
I connected to MySQL from the shell with those credentials and got into the Dolibarr database. It has many tables, and I spent quite some time exploring them. Then it occurred to me that, since there was only one local user, the database password might also be larissa’s login password. It was.
We can read the user flag with cat user.txt.
Escalate to Root Privileges on the Boardlight machine
Privilege Escalation:
Moving on to privilege escalation, I first checked the basics: whether the current user has any sudo privileges, and which files carry the SUID bit.
Running find / -perm -4000 -ls 2>/dev/null lists the setuid binaries, and one of them is not part of a stock install: enlightenment_sys.
Checking its version shows Enlightenment 0.23.1.
Searching for vulnerabilities affecting this version turns up CVE-2022-37706, described as follows:
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
In other words, the setuid helper validates the device argument only by checking that it starts with /dev/, then assembles a command line and hands it to system(), which runs it through /bin/sh. A device path that begins with /dev/.. passes the prefix check while escaping the /dev tree, and a ; inside it ends the mount command and starts a second one that the shell executes as root.
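To see why the CVE description above is enough to exploit, here is an added Python model (not Enlightenment’s C source and not from the write-up’s author) of the two ingredients: a prefix-only path check and a command string built for system(). It tokenises the resulting string the way /bin/sh would instead of running it, so it is safe to execute offline, and sets a canonicalising check and an argv-based invocation beside the flawed version. The device string /dev/../tmp/;/tmp/exploit and the mount options are constructed to match the pattern the CVE describes.

```python
import os
import shlex

DEV_PREFIX = "/dev/"


def vulnerable_device_ok(device: str) -> bool:
    """Prefix-only check, modelled on the flawed validation: the argument must
    begin with '/dev/' and nothing else about it is examined."""
    return device.startswith(DEV_PREFIX)


def vulnerable_mount_cmdline(device: str, mountpoint: str, options: str) -> str:
    """The helper assembled one command string and passed it to system(), i.e.
    to /bin/sh -c, so every byte of `device` is interpreted as shell syntax."""
    return f"/bin/mount -o {options} {device} {mountpoint}"


def shell_words(cmdline: str):
    """Tokenise as /bin/sh would, keeping ';' as its own token so an injected
    command boundary becomes visible without executing anything."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(cmdline: str):
    """Every command after the first ';' is something the shell would run in
    addition to mount, with the helper's root privileges."""
    commands, current = [], []
    for word in shell_words(cmdline):
        if word == ";":
            commands.append(current)
            current = []
        else:
            current.append(word)
    commands.append(current)
    return commands[1:]


def hardened_device_ok(device: str) -> bool:
    """Canonicalise first, then compare: '/dev/../tmp/x' normalises to '/tmp/x'
    and fails the prefix test, and any non-canonical spelling is rejected too.
    On a live system use os.path.realpath so symlinks are resolved as well;
    normpath is used here so the check runs offline on made-up paths."""
    canonical = os.path.normpath(device)
    return canonical.startswith(DEV_PREFIX) and canonical == device


def safe_mount_argv(device: str, mountpoint: str, options: str):
    """Build an argv list for an execve-style call (subprocess.run without
    shell=True). No shell parses it, so ';' would just be a character in a
    filename, and the canonical-path check rejects the traversal anyway.
    Returns None when the device argument is refused."""
    if not hardened_device_ok(device):
        return None
    return ["/bin/mount", "-o", options, device, mountpoint]


if __name__ == "__main__":
    evil = "/dev/../tmp/;/tmp/exploit"
    cmd = vulnerable_mount_cmdline(evil, "/tmp///net", "noexec,nosuid,nodev")
    print("prefix check passes:", vulnerable_device_ok(evil))
    print("shell would also run:", injected_commands(cmd))
    print("hardened check passes:", hardened_device_ok(evil))
    print("safe argv:", safe_mount_argv("/dev/sdb1", "/mnt/usb", "noexec,nosuid,nodev"))
```

Two independent fixes each close the hole on their own: canonicalising before the prefix comparison defeats the /dev/.. escape, and replacing system() with an argv-based exec removes the shell that gives ; its meaning. A setuid helper should do both.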
A public proof-of-concept exists for this vulnerability. I used wget to transfer the exploit from my machine to the target.
Upon running it, the privilege escalation was successful.
We can view the root flag with cat root.txt.