Basic information

Port scan

22 and 80:

$ nmap -sC -sV 10.10.11.11
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-27 13:57 CST
Nmap scan report for 10.10.11.11
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
| 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.60 seconds

80

Visiting it directly shows a company website; the contact details at the bottom of the page give the domain:

Subdomain scan

After adding the hosts entry, a subdomain scan reveals a crm:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://board.htb/" -H 'Host: FUZZ.board.htb' -fs 0,15949

[Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 202ms]
* FUZZ: crm

crm

After adding a hosts entry for it as well, visiting it shows Dolibarr 17.0.0:

Dolibarr

Searching turns up a related vulnerability; it requires login, which is just the default credentials:

admin:admin

Following the steps in the article: create a new website, create a blank page, use uppercase to bypass the filter, and get www-data:
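As an added illustration (not code from this writeup or from Dolibarr), the Python below contrasts a case-sensitive `<?php` denylist, which is the kind of check an uppercase open tag slips past, with a check that rejects any PHP open tag; the sample page bodies and function names are constructed for this example.

```python
import re

# Constructed sample page bodies: (body, whether it contains PHP code).
# Not content taken from the box or from Dolibarr.
SAMPLES = {
    "lowercase":  ("<?php echo 1; ?>", True),
    "uppercase":  ("<?PHP echo 1; ?>", True),
    "mixed_case": ("<?Php echo 1; ?>", True),
    "short_echo": ("<?= 1 ?>", True),
    "plain_html": ("<p>Welcome to the company site</p>", False),
}


def weak_filter_blocks(content: str) -> bool:
    """Case-sensitive substring denylist. PHP treats <?php, <?PHP and
    <?Php identically, so every spelling but the lowercase one passes."""
    return "<?php" in content


def hardened_filter_blocks(content: str) -> bool:
    """Reject any PHP open tag. Matching the '<?' prefix covers every
    case variant of the long tag as well as the short echo tag <?=,
    so the check does not depend on case folding at all. Blocking on
    input is defence in depth only; the robust fix is to never feed
    user-editable page content to the PHP interpreter."""
    return re.search(r"<\?", content) is not None


def bypasses(filter_fn, samples=SAMPLES):
    """Names of samples that contain PHP code but that filter_fn lets through."""
    return sorted(
        name for name, (body, is_php) in samples.items()
        if is_php and not filter_fn(body)
    )


if __name__ == "__main__":
    print("weak filter misses:    ", bypasses(weak_filter_blocks))
    print("hardened filter misses:", bypasses(hardened_filter_blocks))
```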

conf

Then the database password is found in the configuration file:

$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

user flag

Checking the users reveals larissa, who reuses the database password obtained above, so SSH login works directly:

ssh larissa@10.10.11.11
serverfun2$2023!!

Privilege escalation information

Routine enumeration

/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys has the SUID bit set, and a related exploit can be found:

Privilege escalation & root flag

I made a simple modification to the exploit code, removing the file search and the subsequent cleanup, for one-click root:

shadow

root:$6$h9/xKUsFWX90kjQc$qcBeHXPiRHqbF0NgNxhPiZzYS1DiH4UnQc2kcshKtYEDPbjDe3E5qihEbapIJk8fAxRaj3T7EGReRQYiFIBHO1:19845:0:99999:7:::
larissa:$6$zNTCKunWYdACDiCg$m1Ci3x/AkPAUZM/YzNIXd7Ou89u/hMPPRAboFhbbevXu30s2PNtXcUvO3K1IwKIyxh.UKsonvBxKzDkedo7cw0:19860:0:99999:7:::

References