# BoardLight

## Nmap Scan

```
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 10.10.11.11
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-31 04:28 EDT
Warning: 10.10.11.11 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.11
Host is up (0.096s latency).
Not shown: 43184 filtered tcp ports (no-response), 22349 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.16 seconds
```

## Initial Access

### Port 80

First, we add the IP address to the hosts file.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2Fi4TTzXYWtwuED828YpNf%2Fimage.png?alt=media&#x26;token=6922468e-3832-4a16-b86b-ce0d0e3657db" alt=""><figcaption></figcaption></figure>

Next, we visit the website.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FWBh637VGJ0pFqMcsTUrC%2Fimage.png?alt=media&#x26;token=949bf8e6-3999-418c-a028-c72cb74eb532" alt=""><figcaption></figcaption></figure>

However, after some enumeration of the site, there is not much of interest.

### Directory enumeration

The next step is to check whether there are any hidden directories.

#### Feroxbuster

```
$ feroxbuster -u http://board.htb -b 404 -x txt,php,pdf
                                                                                                                                                                                                                                            
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://board.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🤯  Header                │ Cookie: 
 🔎  Extract Links         │ true
 💲  Extensions            │ [txt, php, pdf]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        1l        3w       16c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      307c http://board.htb/images => http://board.htb/images/
301      GET        9l       28w      303c http://board.htb/js => http://board.htb/js/
301      GET        9l       28w      304c http://board.htb/css => http://board.htb/css/
200      GET        3l       10w      667c http://board.htb/images/telephone-white.png
200      GET        6l       52w     1968c http://board.htb/images/twitter.png
200      GET       11l       50w     2892c http://board.htb/images/d-1.png
200      GET        5l       55w     1797c http://board.htb/images/linkedin.png
200      GET      100l      178w     1904c http://board.htb/css/responsive.css
200      GET      280l      652w     9100c http://board.htb/about.php
200      GET        5l       48w     1493c http://board.htb/images/fb.png
200      GET        9l       24w     2405c http://board.htb/images/d-2.png
200      GET        6l       57w     1878c http://board.htb/images/youtube.png
200      GET        5l       14w     1227c http://board.htb/images/insta.png
200      GET        7l       48w     3995c http://board.htb/images/d-5.png
200      GET        5l       23w     1217c http://board.htb/images/location-white.png
200      GET        6l       12w      491c http://board.htb/images/user.png
200      GET        5l       12w      847c http://board.htb/images/envelope-white.png
200      GET      294l      635w     9426c http://board.htb/contact.php
200      GET      294l      633w     9209c http://board.htb/do.php
200      GET      714l     1381w    13685c http://board.htb/css/style.css
200      GET      517l     1053w    15949c http://board.htb/index.php
200      GET     4437l    10973w   131639c http://board.htb/js/bootstrap.js
200      GET        2l     1276w    88145c http://board.htb/js/jquery-3.4.1.min.js
200      GET      348l     2369w   178082c http://board.htb/images/map-img.png
200      GET      536l     2364w   201645c http://board.htb/images/who-img.jpg
200      GET    10038l    19587w   192348c http://board.htb/css/bootstrap.css
200      GET      517l     1053w    15949c http://board.htb/
[####################] - 6m    480144/480144  0s      found:27      errors:72153  
[####################] - 6m    120000/120000  357/s   http://board.htb/ 
[####################] - 6m    120000/120000  356/s   http://board.htb/images/ 
[####################] - 6m    120000/120000  356/s   http://board.htb/js/ 
[####################] - 6m    120000/120000  357/s   http://board.htb/css/ 
```

#### gobuster

```
$ gobuster dir -u http://board.htb/ -w /usr/share/wordlists/dirb/big.txt -k -b 404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://board.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 274]
/.htpasswd            (Status: 403) [Size: 274]
/css                  (Status: 301) [Size: 304] [--> http://board.htb/css/]
/images               (Status: 301) [Size: 307] [--> http://board.htb/images/]
/js                   (Status: 301) [Size: 303] [--> http://board.htb/js/]
/server-status        (Status: 403) [Size: 274]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
```

Directory enumeration does not return any results that look interesting.

### Subdomain Enumeration

After some enumeration, we can see that one subdomain's response looks different from the rest.

```
$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://board.htb -H "HOST:FUZZ.board.htb" > vhost-result.txt
$ cat vhost-result.txt
...
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 76ms]
...
```

Next, we add the subdomain to the hosts file as well.

```
$ echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
10.10.11.11 crm.board.htb
```

After visiting it, we will see this webpage.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FaJKLI5x35xuwdw86NCgZ%2Fimage.png?alt=media&#x26;token=e41086e1-bc2b-4ac4-aa4c-7ffbcfcc2d47" alt=""><figcaption></figcaption></figure>

We can see that the application running on the website is version `17.0.0`. We will search for any exploits available for this version.

### CVE-2023-30253

After searching online for a while, we come across this exploit in the following repo.

{% embed url="<https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253>" %}

First, we clone the git repo to our local Kali machine.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FxiLztdiD0LLhDJ0hwIXi%2Fimage.png?alt=media&#x26;token=4eaa5cda-9dbf-4ac1-a2a3-27e21ad5f013" alt=""><figcaption></figcaption></figure>

Next, we check how to run this exploit.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F4VW5NRuEyWEvE417ecwX%2Fimage.png?alt=media&#x26;token=f3776f72-2b6e-4b80-bb1b-1a2201155ae5" alt=""><figcaption></figcaption></figure>

So we need to log in in order to execute this exploit. After some digging online, we find the default credentials for Dolibarr.

{% embed url="<https://www.dolibarr.org/forum/t/login-after-installation/16088/4>" %}

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F3o8y8A5Js42MM61AavEv%2Fimage.png?alt=media&#x26;token=ed338328-a069-4806-ba3f-7831c76dec04" alt=""><figcaption></figcaption></figure>

After trying those credentials, we are able to log in. So the next step is to execute the exploit.

Before we run the exploit, we start a listener for the reverse shell.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F5vgHL99Ls8046nayv0OV%2Fimage.png?alt=media&#x26;token=0c0f8698-2bb4-44c2-b539-3da2680291e8" alt=""><figcaption></figcaption></figure>

Then we will execute the exploit.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FpEVeSarMYAGDjeG13k7R%2Fimage.png?alt=media&#x26;token=6a520822-94a6-41d4-89ab-2432124e0be9" alt=""><figcaption></figcaption></figure>

After a while, a reverse shell is returned.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FmFZo8Iu3SgQHwumygxhx%2Fimage.png?alt=media&#x26;token=f72c7e29-9a73-4c4a-a02c-e1c0e8274510" alt=""><figcaption></figcaption></figure>

### Upgrading shell

We will use the method in [upgrading-shells](https://jasons-organization-25.gitbook.io/security-stuff/boxes-methodology/reverse-shell-payloads/upgrading-shells "mention").

### Getting User

After getting into the machine, we enumerate it.

First, we find a `db_pass` value: `serverfun2$2023!!`

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FweiwIcvI5WQp5xZa02GU%2Fimage.png?alt=media&#x26;token=36f15000-fc91-4920-b46a-328dd014a05c" alt=""><figcaption></figcaption></figure>

We also know that the username is `larissa`.

The next thing to try is whether we can log in as that user with the same password. It turns out we are able to log in as the user.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2FHMWmYHgY7dPfpOYjrihG%2Fimage.png?alt=media&#x26;token=e0aa228e-bf51-4b09-9da6-9cf3bef93e94" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### DirtyPipe LPE

After some enumeration, we notice that this kernel version is vulnerable to the following exploit:

{% embed url="<https://www.exploit-db.com/exploits/50808>" %}

So we can upload the exploit file and run it to get root access.

<figure><img src="https://2790417739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIXulVMkW3AbpCXfmoP1H%2Fuploads%2F86BBk77zNHIECbFD4ZF2%2Fimage.png?alt=media&#x26;token=f5ba0758-89f2-492b-a1eb-580208784c9f" alt=""><figcaption></figcaption></figure>
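As an added defender-side check that is not part of the original writeup, the following POSIX shell script compares a kernel version string against the upstream Dirty Pipe window (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102), which is what the Exploit-DB entry above targets. The function names are my own, and the script assumes only that `uname -r` is available; because distribution kernels backport fixes without bumping the upstream version string, a match means "check the distro advisory", not a confirmed vulnerability.

```shell
#!/bin/sh
# Heuristic Dirty Pipe exposure check based on the upstream kernel version.
# Vulnerable window: 5.8 <= version < 5.16.11 / 5.15.25 / 5.10.102.
# Assumption: distro kernels (e.g. Ubuntu's 5.15.0-NN-generic) may already carry
# the backported fix, so a "vulnerable" verdict is a prompt to verify, not proof.

# Split "5.15.0-78-generic" into "major minor patch"; suffixes after "-" or "+" are dropped.
kver_parts() {
    v=${1%%-*}
    v=${v%%+*}
    maj=${v%%.*}; rest=${v#*.}
    if [ "$rest" = "$v" ]; then
        min=0; pat=0                      # bare "5" -> 5.0.0
    else
        min=${rest%%.*}; rest2=${rest#*.}
        if [ "$rest2" = "$rest" ]; then pat=0; else pat=${rest2%%.*}; fi
    fi
    echo "$maj $min $pat"
}

# Returns 0 (true) if the version lies inside the Dirty Pipe window, 1 otherwise.
dirtypipe_vulnerable() {
    set -- $(kver_parts "$1")
    maj=$1; min=$2; pat=$3
    [ "$maj" -eq 5 ] || return 1          # only 5.x kernels are affected
    [ "$min" -ge 8 ] || return 1          # bug introduced in 5.8
    case "$min" in
        10) [ "$pat" -lt 102 ] ;;         # fixed in 5.10.102 (LTS)
        15) [ "$pat" -lt 25 ] ;;          # fixed in 5.15.25 (LTS)
        16) [ "$pat" -lt 11 ] ;;          # fixed in 5.16.11
        *)  [ "$min" -lt 16 ] ;;          # 5.8-5.9, 5.11-5.14: no upstream fix; 5.17+: clean
    esac
}

# Stand-alone use: report on the running kernel.
kver=$(uname -r)
if dirtypipe_vulnerable "$kver"; then
    echo "$kver: inside the Dirty Pipe version window; confirm against your distro advisory"
else
    echo "$kver: outside the Dirty Pipe version window"
fi
```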
