🔦BoardLight
Preparation
As always I am going to prepare my workspace for the following assessment by exporting environment variables, creating new directories and changing my present working directory to the correct one.
export TARGET_NAME=
export TARGET=
mkdir -p ~/machines/htb/${TARGET_NAME}/nmap
cd ~/machines/htb/${TARGET_NAME}
mkdir exfil
Next, we need to ensure that we are connected to the HackTheBox lab VPN. In a separate terminal window:
sudo openvpn ~/lab_Rizz0.ovpn
Now we should be able to progress with this lab.
Enumeration - Host
Nmap
Port Scan - TCP
Firstly we will perform a quick scan so we can further enumerate the returned results while the full scan runs in the background.
sudo nmap -sC -sV -Pn -A -oA ~/machines/htb/${TARGET_NAME}/nmap/${TARGET_NAME}_quick ${TARGET} -F -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=6/10%OT=22%CT=7%CU=35319%PV=Y%DS=2%DC=T%G=Y%TM=6666
OS:AA50%P=aarch64-unknown-linux-gnu)SEQ(SP=F9%GCD=1%ISR=106%TI=Z%CI=Z%II=I%
OS:TS=A)SEQ(SP=F9%GCD=2%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M
OS:53AST11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN
OS:(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF
OS:0%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(
OS:R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 41.928 days (since Mon Apr 29 19:08:09 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=249 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 23.50 ms 10.10.16.1
2 12.25 ms 10.10.11.11
The quick scan provides us with some information about what is running on the host. Of note, we know that we have an SSH service and a web server running.
To run the nmap scan against all 65,535 ports we will remove the fast scan flag -F and explicitly tell nmap to scan all ports with -p-
sudo nmap -sC -sV -Pn -A -oA ~/machines/htb/${TARGET_NAME}/nmap/${TARGET_NAME}_full ${TARGET} -p- -v
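The -oA flag above writes the scan to three files, including a grepable .gnmap file that is convenient to diff between the quick and full runs. The following parser is an added example and not part of the original writeup: it reads .gnmap output, lists open services, and reports ports the full scan found that the quick one did not. The sample input is constructed to mirror the two services shown above; the 8080/tcp entry in the full-scan sample is invented solely to exercise the diff and is not a finding from this box.

```python
import re
from dataclasses import dataclass

# Grepable (.gnmap) output is what the -oA flag writes beside the .nmap and .xml
# files. Each host line is tab-separated: "Host: <ip> (<name>)", then fields such
# as "Ports: ..." where every port is "port/state/proto/owner/service/rpc/version/".
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text):
    """Return one PortRecord per port entry found in grepable nmap output."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment lines and anything else
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if m is None:
            continue
        host = m.group(1)
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # nmap escapes any '/' inside a field, so a plain split is safe
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                records.append(PortRecord(host, int(port), proto, state, service, version))
    return records


def open_services(records):
    return [r for r in records if r.state == "open"]


def new_open_ports(quick_records, full_records):
    """(port, proto) pairs open in the full scan that the quick scan did not report."""
    seen = {(r.port, r.proto) for r in open_services(quick_records)}
    return sorted((r.port, r.proto) for r in open_services(full_records)
                  if (r.port, r.proto) not in seen)


# Constructed sample input, shaped like the .gnmap file the quick scan above would
# write for the two services it found (22/ssh and 80/http).
QUICK_GNMAP = (
    "# Nmap 7.94SVN scan initiated as: nmap -sC -sV -Pn -A -oA quick 10.10.11.11 -F -v\n"
    "Host: 10.10.11.11 ()\tStatus: Up\n"
    "Host: 10.10.11.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 "
    "(Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/"
    "\tIgnored State: closed (98)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Constructed sample for the full (-p-) scan. The extra 8080/tcp entry is invented
# purely to exercise new_open_ports(); it is not a finding from this box.
FULL_GNMAP = QUICK_GNMAP.replace(
    "Apache httpd 2.4.41 ((Ubuntu))/",
    "Apache httpd 2.4.41 ((Ubuntu))/, 8080/open/tcp//http-proxy//constructed-example/",
)

if __name__ == "__main__":
    quick = parse_gnmap(QUICK_GNMAP)
    full = parse_gnmap(FULL_GNMAP)
    for r in open_services(quick):
        print(f"{r.host}:{r.port}/{r.proto} {r.service} {r.version}")
    print("new in full scan:", new_open_ports(quick, full))
```

Pointing parse_gnmap at the real files written under ~/machines/htb/${TARGET_NAME}/nmap/ gives the same objects, so the diff between the _quick and _full runs is one call rather than a visual comparison of two terminals.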
Port Scan - UDP
Vulnerability Scan
Enumeration - Service
SSH
From our nmap scans we know that the target is potentially running an SSH service. Manually checking for vulnerabilities against this OpenSSH version using the searchsploit and ExploitDB services returned no results.
HTTP - board.htb
Firstly we will browse to the website and see what it's all about. It looks to be a corporate website. None of the links function; the only interesting page is the contact page, which has data entry forms to request a call back. Analysing the functionality of this page in Burp shows it is also just boilerplate code.
This means we will have to continue to look for a way in.
It was observed within the HTML code of each of the pages that there is a link to portfolio.php; capturing the response and uncommenting the link <a> tag, we find ourselves with a 404 error.

It was observed during the HTML code review that the domain http://html.design was referenced and is potentially in-scope for this assessment. html.design was added to the /etc/hosts file for later enumeration.
sudo vi /etc/hosts
#Edit the 10.10.11.11 line to read as follows:
10.10.11.11 board.htb html.design
Knowing that we have PHP running on the back end, I tried to enumerate more *.php files using ffuf.
ffuf
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://board.htb/FUZZ.php
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
# on at least 1 host [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 62ms]
# Priority-ordered case-sensitive list, where entries were found [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 61ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 59ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 61ms]
# [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 74ms]
# Copyright 2007 James Fisher [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 75ms]
about [Status: 200, Size: 9100, Words: 3084, Lines: 281, Duration: 75ms]
# [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 75ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 77ms]
# [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
# directory-list-2.3-big.txt [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
# [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 90ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 92ms]
contact [Status: 200, Size: 9426, Words: 3295, Lines: 295, Duration: 114ms]
index [Status: 200, Size: 15949, Words: 6243, Lines: 518, Duration: 101ms]
do [Status: 200, Size: 9209, Words: 3173, Lines: 295, Duration: 89ms]
:: Progress: [1273833/1273833] :: Job [1/1] :: 1162 req/sec :: Duration: [0:31:49] :: Errors: 0 ::
On completion this gave us no new *.php files beyond the ones we already knew about.
Next we will perform subdirectory enumeration with gobuster.
gobuster dir --url http://10.10.11.11:80/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.11.11:80/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 311] [--> http://10.10.11.11/images/]
/css (Status: 301) [Size: 308] [--> http://10.10.11.11/css/]
/js (Status: 301) [Size: 307] [--> http://10.10.11.11/js/]
/server-status (Status: 403) [Size: 276]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
The /server-status page seems to exist but we do not have access.
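Seen from the web server side, a gobuster run like the one above is a burst of requests from a single client that mostly end in 404 and, unless changed, carry the tool's default User-Agent (gobuster/3.6 in the output above). The script below is an added example written for the defender and is not code from the original writeup: it parses Apache combined-format access log lines and flags clients by their 404 ratio and by scanner User-Agent strings. The log lines, addresses, paths and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat (the Ubuntu default for access.log):
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent substrings that identify common content-discovery tools when they
# are left at their defaults (gobuster announces itself as "gobuster/<version>").
SCANNER_UA_TOKENS = ("gobuster", "ffuf", "dirbuster", "nikto")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, min_requests=20, not_found_ratio=0.8):
    """Map client IP -> list of reasons it looks like a content-discovery scan."""
    per_client = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "uas": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        s = per_client[rec["client"]]
        s["requests"] += 1
        if rec["status"] == "404":
            s["not_found"] += 1
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])

    findings = {}
    for client, s in per_client.items():
        reasons = []
        ratio = s["not_found"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= not_found_ratio:
            reasons.append(
                f"{s['not_found']}/{s['requests']} responses were 404 "
                f"across {len(s['paths'])} distinct paths"
            )
        for ua in sorted(s["uas"]):
            if any(tok in ua.lower() for tok in SCANNER_UA_TOKENS):
                reasons.append(f"scanner User-Agent {ua!r}")
        if reasons:
            findings[client] = reasons
    return findings


def constructed_sample_log():
    """Constructed access.log lines (RFC 5737 addresses), not a capture from this box."""
    scanner = ('198.51.100.7 - - [10/Jun/2024:12:00:{i:02d} +0000] "GET {path} HTTP/1.1" '
               '{status} {size} "-" "gobuster/3.6"')
    guesses = ["admin", "backup", "test", "old", "dev", "api", "login", "uploads", "tmp",
               "config", "private", "data", "files", "static", "assets", "cgi-bin",
               "portal", "secure", "logs", "db", "install", "setup"]
    lines = [scanner.format(i=i, path=f"/{g}", status=404, size=276) for i, g in enumerate(guesses)]
    lines.append(scanner.format(i=22, path="/images", status=301, size=311))
    lines.append(scanner.format(i=23, path="/server-status", status=403, size=276))
    browser = ('203.0.113.4 - - [10/Jun/2024:12:01:{i:02d} +0000] "GET {path} HTTP/1.1" '
               '200 {size} "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"')
    lines += [browser.format(i=i, path=p, size=s) for i, (p, s) in
              enumerate([("/", 15949), ("/about.php", 9100), ("/contact.php", 9426)])]
    # one honest typo from a third client: a single 404 must not trip the rule
    lines.append('203.0.113.9 - - [10/Jun/2024:12:02:00 +0000] "GET /abuot.php HTTP/1.1" '
                 '404 276 "-" "curl/8.5.0"')
    return lines


if __name__ == "__main__":
    for client, reasons in triage(constructed_sample_log()).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The 404-ratio rule is the one to rely on; the User-Agent match only catches tools left at their defaults, and a legitimate crawler following stale links can look similar, so the thresholds want tuning against the site's own baseline before alerting on them.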

Next, DNS enumeration was performed. I first created an entry in /etc/hosts and named the domain board.htb. I then used gobuster again, this time in DNS mode, to enumerate subdomains. I used the seclists dns-jhaddix list to attempt to enumerate over 2 million domains.
gobuster dns --domain board.htb --wordlist /usr/share/seclists/Discovery/DNS/dns-jhaddix.txt
gobuster vhost --domain board.htb --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --append-directory --exclude-length 301

crm.board.light has to be added to the /etc/hosts file so that it can be accessed. Once it has been added to the hosts file we are presented with a web application, Dolibarr.
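Both here and earlier for html.design the new name is added to the existing 10.10.11.11 line in /etc/hosts by hand. The helper below is an added example and not from the writeup: it merges names onto the existing line for an IP without duplicating them, keeps any trailing comment, and appends a new line if the IP is absent, so re-running it is harmless. The CONSTRUCTED_HOSTS content is made up for the demonstration and update_hosts_file is a hypothetical wrapper name.

```python
from pathlib import Path


def add_hosts_entries(hosts_text, ip, names):
    """Return hosts_text with `names` merged onto the line for `ip`.

    Existing names on that line are kept, duplicates are not added, trailing
    comments survive, and a missing line for the IP is appended at the end.
    Calling it twice with the same arguments is a no-op the second time.
    """
    out = []
    merged = False
    for line in hosts_text.splitlines():
        body, hash_sign, comment = line.partition("#")
        fields = body.split()
        if not merged and fields and fields[0] == ip:
            for name in names:
                if name not in fields[1:]:
                    fields.append(name)
            line = " ".join(fields)
            if hash_sign:
                line += " #" + comment
            merged = True
        out.append(line)
    if not merged:
        out.append(" ".join([ip, *names]))
    return "\n".join(out) + "\n"


def update_hosts_file(ip, names, path="/etc/hosts"):
    """Rewrite the hosts file in place (needs root, hence the sudo in the writeup)."""
    p = Path(path)
    p.write_text(add_hosts_entries(p.read_text(), ip, names))


# Constructed hosts file content for the demonstration.
CONSTRUCTED_HOSTS = (
    "127.0.0.1 localhost\n"
    "10.10.11.11 board.htb  # added after the nmap scan\n"
)

if __name__ == "__main__":
    print(add_hosts_entries(CONSTRUCTED_HOSTS, "10.10.11.11", ["html.design"]), end="")
```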

Noting that we have an accessible version number, we should search to see if this web application is vulnerable to any publicly known exploits.
searchsploit Dolibarr 17

Googling for Dolibarr reveals that version 17.0.0 is vulnerable to a PHP code injection exploit, CVE-2023-30253 (https://www.swascan.com/security-advisory-dolibarr-17-0-0/#:~:text=%2Dof%2Dconcept.-,Description,injection%20bypassing%20the%20application%20restrictions.)
HTTP - html.design
Since we found the html.design virtual host we need to enumerate it in the same fashion as we did board.htb to try and find an initial foothold on the box.
Subdomain Enumeration
gobuster dns --domain html.design --wordlist /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Enumeration of html.design revealed three potential subdomains for further enumeration:
www.html.design
download.html.design
cdn.html.design
Navigating to each of the subdomains we are greeted with the following:
www - results in being redirected to the original BoardLight page over https
download - brings up an interesting text message: Shh... no cheating...

cdn - reveals a cloudways WAF security banner.

Subdirectory Enumeration - www.html.design
gobuster dir -u http://www.html.design -w /usr/share/wordlists/seclists/Discovery/Web-Content
Subdirectory Enumeration - download.html.design
ffuf -u http://download.html.design/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 301,302,307,401,403,405,500

Subdirectory Enumeration - cdn.html.design
Exploitation
Exfiltration - user
Privilege Escalation
Exfiltration - root
Culmination