OSCP PREP BOX 6: HtB BoardLight
Key Takeaways:
Always test with multiple wordlists. Don't become dependent on one and assume that because it found nothing, there was nothing to find.
Onto box #6, moving right along. As always, let’s run our default nmap scan.
We see that we have only two ports open, an Apache web server and SSH.
We can go ahead and add the website name to our hosts file with: sudo sh -c 'echo "<ip> boardlight.htb" >> /etc/hosts'
Upon navigating to the webpage, we come across a pretty standard site. Looking at the URLs, it is running JavaScript and PHP. We also have a contact page, which seems to be our only real user input field.
I started by running some directory bruteforcing in the background while I went to test the contact page.
Okay, let's take a look at this contact form. I popped open Burp Suite and we see that it's not sending a POST request to the backend; instead it just sends a GET request, effectively refreshing the page.
I then took to poking around the page source. Interestingly, I found a line in the page source that references a page "portfolio.php", which had been commented out of the header section. However, attempts to navigate to it just show a dead link.
Going back to my ffufs we see we get a result for a subdomain!
A quick note on my ffuf setup: in the HackTheBox pentester course, in the ffuf section, they talk about fuzzing vhosts (virtual hosts). We need to set ffuf up this way when we want to fuzz subdomains that don't have a public DNS record, because the server picks the vhost from the Host header rather than from the URL we typed. So our formatting is a little different:
Okay, so let's check out this subdomain. In order to do this, we have to add the subdomain to our hosts file, since the DNS is not public and our machine won't otherwise know how to resolve the domain name.
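To show why the Host header (and therefore the hosts-file entry) is what makes a name-based vhost reachable, here is an added example that is not part of the original writeup: a tiny local web server that answers differently per Host header, plus a client that compares each candidate name against a baseline response, which is the same idea ffuf's size filter relies on. The vhost names and page bodies are constructed for the demo, not taken from the box.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Constructed vhost table for the demo (not the real server config).
VHOSTS = {
    "board.htb": (200, b"public marketing site"),
    "crm.board.htb": (200, b"Dolibarr login portal"),
}
# Apache-style behaviour: an unknown Host falls back to the default vhost.
DEFAULT = VHOSTS["board.htb"]


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The Host header alone decides which site is served; the IP is shared.
        host = self.headers.get("Host", "").split(":")[0]
        status, body = VHOSTS.get(host, DEFAULT)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral port on localhost and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header):
    """GET / from the shared IP, overriding only the Host header."""
    req = Request(f"http://127.0.0.1:{port}/", headers={"Host": host_header})
    with urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def compare_hosts(port, candidates):
    """Return {name: body} for names whose response differs from the default.
    Names that return the default page are filtered out, like ffuf -fs does."""
    baseline = fetch(port, "nonexistent.invalid")
    found = {}
    for name in candidates:
        resp = fetch(port, name)
        if resp != baseline:
            found[name] = resp[1]
    return found
```

Run `start_server()` and call `compare_hosts()` with a few names; only the name that the server actually treats as a separate vhost comes back, which is exactly why the entry has to be in your hosts file before a browser can reach it.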
When we navigate there, we're confronted with a login portal for an app called Dolibarr 17.0.0.
I Googled for default credentials and located admin:admin. I gave that a try and it worked!
Now we don't get much to work with once we're inside, but when I was Googling the default credentials, one of the top Google results was for a Dolibarr 17.0.0 exploit. I'll take that as a clue.
I navigated to a GitHub PoC, downloaded the exploit, and used the default credentials to exploit it.
I also launched my netcat listener on port 9001.
Just a quick aside: be mindful to put the URL as http://crm.board.htb and don't add a / at the end of it. As you can see from the screenshot, I was getting error messages because of the formatting.
Now that we have a shell as www-data, I ran my usual grep and started looking for passwords (I tried going to the /home/ directory first and saw we had a user named larissa, whose home directory we don't have permission to access).
Now begins the local enumeration process. I started by using some targeted grep searches within the www directory to see if we could find any config files containing credentials. To my luck, I found a config file located in ~/html/crm.board.htb/htdocs/conf/
To find this file I had used: grep -nr --color=always "db_user"
Okay, so let's try logging in to the MySQL database using the creds we found:
We're in! Time to poke around.
I selected the dolibarr database and then checked the contents of the llx_user table, where we get the user dolibarr along with that user's password hash.
The hash is a bcrypt hash so we can use john or hashcat to crack this one.
Sadly, I wasted about 30 minutes trying to crack it to no avail. So up to this point we only have the MySQL db password and the basic default credential. It's worth trying password reuse. We know we have a user larissa, so let's try the database password for that account.
Success!
From here we can navigate to larissa’s home directory and get our user flag.
Now time for priv esc. I started with general enumeration of the system, and this took quite some time poking around.. a lot of time.. probably too much time.. but I began manual enumeration of the software installed on the system, which I listed with:
# list installed packages as "name version", dropping the "1:" epoch prefix from versions
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
And I noticed a package called enlightenment (honestly this one stuck out to me because of the word "light"). I checked the version and saw it was vulnerable to a known exploit. I used a PoC exploit.sh I found on GitHub and the rest is history.
All in all.. this would have been so much easier if I had used LinPEAS or another automation tool, but I want to practice manual enumeration over relying on tools. So this was definitely a huge day waster lol. Onto the next one.