search

HTB | BoardLight

This is a Linux box. You can find it herearrow-up-right.

hashtag
Skill Learned

  • Enumerating CMS (Dolibar) (CVE-2023-30253)

  • Exploiting Enlightenment (CVE-2022-37706)

hashtag
NMAP

IP:10.10.11.11

nmap scan

hashtag
Port 80

port 80

nothing interesting was there for directory fuzing let's try for the subdomain before that add 10.10.11.11 board.htb in /etc/hosts

Found crm.broad.htb

crm subdoamin

add crm.broad.htb to hosts file

crm.board.htb

on trying admin: admin I was in the CRM

hashtag
Foothold/shell

found this exploitarrow-up-right

running exploit
getting shell

transfer linpeas.sh and run

we found the SQL port open internally

on looking found /var/www/html/crm.board.htb/htdocs/conf/conf.php

found the SQL cred

Let's reuse the password for Larissa, and we are in

found user.txt

user.txt

hashtag
Priv Esc

we don't have permission for sudo -l

let's try find / -perm /4000 -print 2>/dev/null

find / -perm /4000 -print 2>/dev/null

we saw enlightenment, let's look more into it enlightenment is a window managerarrow-up-right

On looking we found this exploitarrow-up-right

and we are root, found root.txt

root.txt
PreviousHTB | AtlasNextTHM | CMess

Last updated