BoardLight

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 10.10.11.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-31 04:28 EDT
Warning: 10.10.11.11 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.11
Host is up (0.096s latency).
Not shown: 43184 filtered tcp ports (no-response), 22349 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.16 seconds

Initial Access

Port 80

First, we will add the IP address to the hosts file.

Next, we visit the website.

However, after some enumeration, there is nothing much.

Directory enumeration

The next step is to check whether there are any hidden directories.

Feroxbuster

gobuster

Directory enumeration does not return any results that look interesting.

Subdomain Enumeration

After some enumeration, we can see that there is one subdomain whose response looks different from the rest.

Next, we will add it to the hosts file as well.

After visiting it, we will see this webpage.

We can also see that the application running on the website is version 17.0.0. We will search for any exploits that are available for this version.

CVE-2023-30253

After searching online for a while, we come across this exploit on this repo.

First, we will download the git repo to our local kali machine.

Next, we will see how to run this exploit.

So we need to log in before we can run this exploit. After some digging online, we found the default credentials for Dolibarr.

After trying those credentials, we are able to log in. So the next step is to execute the exploit.

Before we start the exploit, we will first start a listener for the reverse shell.

Then we will execute the exploit.

After a while, a reverse shell is returned.

Upgrading shell

We will use the method in Upgrading Shells.

Getting User

After getting into the machine, we will enumerate the machine.

First, we found a db_pass: serverfun2$2023!!

We also know that the username is larissa.

The next thing we will try is to see whether we can log in as that user with the same password. It turns out we are able to log in as the user.

Privilege Escalation

DirtyPipe LPE

After some enumeration, we will notice that this OS version is vulnerable to this exploit:

So we can upload the exploit file and run it to get root access.
