Boardlight


boardlight

User

nmap

WEB

FFuF was doing this

ffuf error

So I added -c -fs 15949

ffuf success

ffuf -u http://board.htb -H "Host:FUZZ.board.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -c -fs 15949

login

Found a PoC for an authenticated rev shell, so had to get in

Googled default creds, which were admin/admin, and it worked

Made a test page with a rev and ran it

foothold

Got foothold, now onto priv esc

larissa

conf

db name = dolibarr
db username = dolibarrowner
db password = serverfun2$2023!!

larissa password = serverfun2$2023!!

larissa user.txt

Root

linpeas suid
I ran linpeas and found an unknown SUID binary called Enlightenment

exploit db
I googled and found an exploit

root.txt
I ran the exploit and got a shell as root
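
From the defender's side, an unknown SUID binary like the one linpeas surfaced here is what a baseline audit is meant to catch before anyone else finds it. The script below is an added example, not part of the original post; the function name `unexpected_suid` and the one-path-per-line allowlist format are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on a reviewed
# allowlist. The function name and allowlist format are hypothetical.

# unexpected_suid ROOT ALLOWLIST
#   ROOT       directory tree to scan (does not cross filesystem boundaries)
#   ALLOWLIST  text file with one approved absolute path per line
# Prints each SUID/SGID regular file under ROOT that is missing from
# ALLOWLIST. Returns 0 when everything found is approved, 1 otherwise.
# Assumption: paths do not contain newlines.
unexpected_suid() {
    root=$1
    allowlist=$2

    # -perm -4000 matches setuid, -perm -2000 matches setgid.
    # grep -F (fixed strings) -x (whole line) -v (invert) -f (patterns from
    # file) drops every path that appears verbatim in the allowlist.
    unexpected=$(
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
            sort |
            grep -Fxv -f "$allowlist"
    ) || true   # grep exits 1 when nothing is left over; that is the good case

    if [ -z "$unexpected" ]; then
        return 0
    fi
    printf '%s\n' "$unexpected"
    return 1
}

# Typical use (run as root so unreadable directories are not skipped):
#   unexpected_suid / /etc/suid-allowlist.txt || echo "review the paths above"
```

Build the allowlist from a freshly installed, trusted image and re-run the check after every package install, so a newly added SUID binary is reviewed when it arrives.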

Pwnd

And that's Pwnd.

Thanks for reading