HackTheBox : BoardLight
BoardLight is a great Linux box with a focus on public exploits and misconfigurations. To get an initial access on this machine, we will exploit an outdated and vulnerable web application called Dollibar which is an open source ERP & CRM for business. Once we get in, we will enumerate the target system and find an old php configuration file that contains cleartext password. We will then use that password to move laterally by logging into another user account via SSH. Finally, we will exploit a binary with the SUID bit set to root the box.
Reconnaissance
Nmap
We have two tcp open ports : 22 and 80. Let’s start our enumeration with HTTP.
HTTP — TCP/80
Before enumerating anything, let’s first take a quick look at the main web page :
At the bottom, you can see that there is an email address. That’s an interesting piece of information as the email contains the domain name : board.htb. This could be used later to search for possible virtual hosts.
That said, let’s note this information somewhere and keep on with our enumeration. Shall we ?
As you can notice, we have an Apache web server with version 2.4.41.
To get more information regarding the technologies used by the web server, we can use whatweb :
Well, let’s try to find out the web server’s type as well as the backend programming language using the following techniques :
1/ Enumerate the web server type and version by requesting a non-existent web page that triggers a 404 error :
2/ Enumerate the backend programming language being used by the web server by performing an extension fuzzing :
As you can see, the server uses PHP as a backend programming language.
This can be confirmed by browsing the /index.php webpage :
Note : I generally use the extension fuzzing technique when whatweb fails to provide me with the right back end programming language being used by the server.
Let’s check if the Apache version is vulnerable :
As you can see, there is nothing really interesting.
Directory/File Enumeration
In this section, we will enumerate other files and directories. One thing, I generally do prior conducting a directory/file enumeration is to check whether or not there is a robots.txt file. Indeed, this gives me a quick view of what the web admin doesn’t want me to see.
Unfortunately, I found nothing but that’s it. Let’s keep on with our enumeration with feroxbuster :
Let’s take a look at the webpages with a 200 status code :
/do.php
/contact.php
Here, I tried to fill the form, then send it to the server but noticed that my data was not really sent. It was just a rabbit hole. Nevertheless, it’s not over, let’s try to perform a virtual hosts enumeration and see if we can find something.
Vhost Fuzzing
If you remember, we found an email (info@board.htb) earlier during our enumeration. From that email, we retrieved a domain name : board.htb. Please make sure to save the following input in your hosts file before starting the attack : echo 10.10.11.11 board.htb >> /etc/hosts
Once done, let’s try to perform a vhost fuzzing using ffuf :
Here is a break down of the options used above :
-ac : use to automatically calibrate filtering options
-c : use to colorize the output
-ic : use to ignore comments in a wordlist
As you can see, we found a virtual host : crm.board.htb. Let’s add it to our hosts file : echo 10.10.11.11 crm.board.htb >> /etc/hosts
Now, let’s access the virtual host using our web browser :
Interesting ! As you can see we have a login page and at the very top, we have a text that highlights : Dolibarr 17.0.0.
Let’s check if the ERP/CRM is not using default credentials or if its version is not vulnerable to some known exploits.
Initial Access
A quick and easy way to get a foothold is to check whether or not default credentials were used. For that, we can use this great tool :
You might not believe it but the default credentials have not been changed :
With that in mind, let’s also check if the version being used is not vulnerable to some public exploits :
The XSS vulnerability will not be handy in our scenario as we’re looking for a way to get a remote command execution.
Let’s use our friend : Google :)
Awesome ! Seems that there is this PoC on GitHub that could allow us obtain a reverse shell. Let’s give it a try. Shall we ?
Note : Make sure to execute the following script in a python virtual environment. To do that, you will first need to create the virtual environment using this command : python -m venv .venv . After that, you can run this command source .venv/bin/activate to activate the virtual environment.
Before executing the exploit, consider installing the following packages : requests and bs4. For that, you can use the pip command :
Once done, let’s first launch Villain then execute the exploit to get our reverse shell. Simply put, Villain is a python C2 framework that can handle multiple reverse TCP connections.
Note : By default, Villain listens on port 4443 for reverse TCP connections.
That said, let’s now execute our exploit.
As you can see on the image below, we will need to specify the Dolibarr’s credentials as well as the attacker ip address and port number to get the reverse shell :
Wonderful ! We got a reverse shell \0/
Now that we have our initial foothold, we need to find a way to move laterally or escalate our privileges. To do that, we will need to enumerate the compromised system. This can be done manually or automatically. As far as I’m concerned, I generally use LinPEAS to enumerate the system though it’s primarily designed for privilege escalation.
Excellent ! LinPEAS returned a file called conf.php.old which seems to be a configuration file.
Note : I should have taken a look at the web server’s configuration files prior executing LinPEAS. This is important as sometimes we can fall across plaintext credentials as it was the case in our scenario.
With that said, let’s take a look at the config file :
Wonderful ! The configuration file contains a cleartext database password. A question you might ask yourself is what we can do with that ?
Well, we have already enumerated the list of users with a console above. We found 02 users : root and larissa. We also know that the SSH port is open on the target machine. Therefore we can check if the password we found earlier was reused for those users. Nevertheless, let’s first make sure that SSH allows password authentication :
Great ! Without further ado, let’s try to authenticate to the following user accounts :
- root
- larissa
Hoorah, we got a shell :)
We can then proceed with retrieving the user flag :
Fantastic ! Now we will need to escalate our privileges.
Privilege Escalation
In this section, I decided to look for privilege escalation vectors manually at a first hand instead of using directly LinPEAS though it could have shown me much more information with a colorized output. However, sometimes basic enumeration like I did can help us find out quick wins to escalate our privileges :
We had a lot of binaries and it can be challenging to differ the default binaries with SUID/SGID bit set from the custom ones. To solve that, we will use a great tool called SUID3NUM :
As you can see, SUID3NUM returns 3 piece of information :
- All SUID binaries
- Default SUID binaries
- Custom SUID binaries
We will be focused on the custom SUID binaries. Here, we can see a binary called enlightenment_sys. Let’s google for privilege escalation exploit :
Amazing ! It seems that there is a public LPE (Local Privilege Escalation) exploit from GitHub that can we can use to escalate our privileges.
As usual, we will execute this exploit in a virtual environment to avoid any unwanted actions on our system :
As you can see, we rooted the box after successfully executing the LPE exploit.
Key Techniques Used
Here are the key techniques, we used to root this box :
- Virtual hosts fuzzing with ffuf
- Login attempt using default credentials
- Research of public exploits
- Management of TCP reverse shells with Villain
- System enumeration with LinPEAS
- Enumerate the web server configuration files for sensitive information such as plaintext credentials
- Enumeration of SUID binaries with SUID3NUM
Lessons Learned
1/ Usage of default credentials and outdated and vulnerable software
To get our initial access, we used default credentials on Dolibarr’s login page then found an exploit that allowed us to get a reverse shell. To mitigate that, we recommend to change default credentials and update your software to the latest version. Refer here to download Dolibarr latest version.
2/ Insecure storage of credentials in configuration file
To move laterally, we found a plaintext password stored in a php configuration file. Unfortunately this password was reused by another account which then gave us access to their account. We recommend not sotring sensitive information such as credentials in configuration files in addition to avoid password reuse.
3/ Vulnerable root binary with SUID set
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root. Knowing that, we cloned a public LPE exploit from GitHub that allowed us to escalate our privileges to root. To fix that, we recommend to remove the SUID bit or update the enlightenment_sys binary to its latest version. For that, refer here
Wrap Up
That’s it guys. Congrats on making it this far 👏
I hope you enjoyed the writeup. If so, do not forget to hit the little clap icon below and subscribe to my newsletter to keep up with my latest articles !
