HTB | BoardLight

This is a Linux box. You can find it here.

Skill Learned

• Enumerating CMS (Dolibar) (CVE-2023-30253)

• Exploiting Enlightenment (CVE-2022-37706)

NMAP

IP:10.10.11.11

nmap scan

Port 80

port 80

nothing interesting was there for directory fuzing let's try for the subdomain before that add 10.10.11.11 board.htb in /etc/hosts

wfuzz -c -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400 --hw 1053

Found crm.broad.htb

crm subdoamin

add crm.broad.htb to hosts file

crm.board.htb

on trying admin: admin I was in the CRM

Foothold/shell

found this exploit

running exploit

getting shell

transfer linpeas.sh and run

we found the SQL port open internally

on looking found /var/www/html/crm.board.htb/htdocs/conf/conf.php

found the SQL cred

Let's reuse the password for Larissa, and we are in

found user.txt

user.txt

Priv Esc

we don't have permission for sudo -l

let's try find / -perm /4000 -print 2>/dev/null

find / -perm /4000 -print 2>/dev/null

we saw enlightenment, let's look more into it enlightenment is a window manager

On looking we found this exploit

and we are root, found root.txt

root.txt