Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 80
  • Foothold/shell
  • Priv Esc
  1. Linux

HTB | BoardLight

PreviousHTB | QuerierNextTHM | CMess

Last updated 7 months ago

This is a Linux box. You can find it here.

Skill Learned

  • Enumerating CMS (Dolibar) (CVE-2023-30253)

  • Exploiting Enlightenment (CVE-2022-37706)

NMAP

IP:10.10.11.11

Port 80

nothing interesting was there for directory fuzing let's try for the subdomain before that add 10.10.11.11 board.htb in /etc/hosts

wfuzz -c -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400 --hw 1053

Found crm.broad.htb

add crm.broad.htb to hosts file

on trying admin: admin I was in the CRM

Foothold/shell

found this exploit

transfer linpeas.sh and run

we found the SQL port open internally

on looking found /var/www/html/crm.board.htb/htdocs/conf/conf.php

found the SQL cred

Let's reuse the password for Larissa, and we are in

found user.txt

Priv Esc

we don't have permission for sudo -l

let's try find / -perm /4000 -print 2>/dev/null

we saw enlightenment, let's look more into it enlightenment is a window manager

On looking we found this exploit

and we are root, found root.txt

nmap scan
port 80
crm subdoamin
crm.board.htb
running exploit
getting shell
user.txt
find / -perm /4000 -print 2>/dev/null
root.txt