Setup
mkdir -p ~/ctf/HackTheBox/boardlight/scans; cd ~/ctf/HackTheBox/boardlight
IP Address: 10.10.11.11
echo "10.10.11.11 boardlight.htb" | sudo tee -a /etc/hosts
10.10.11.11 boardlight.htb
Enumeration
nmap -sC -sV -Pn -p- boardlight.htb -oN scans/nmap -vv
nmap -sC -sV -p- -T5 --min-rate 2500 -oN scans/nmap_2 boardlight.htb
boardlight.htb didnt have any directory or subdomain so found this on home page :
board.htb
Homepage:
Version was mentioned found a cve and exploit CVE-2023-30253
using hit and trial admin:admin worked
got reverse shell
using find . -name conf*
after logging in larissa account and running linpeas we found
quick google search returned a cve CVE-2022-37706 running this script in machine gave us root
user flag
Location: /home/larissa | Flag: ad4c##################################
after logging in larissa account and running linpeas we found quick google search returned a cve CVE-2022-37706
running this script in machine gave us root
root flag
Location: /root | Flag: a87##################################