BoardLight [HTB] — Writeup

I pwned the HTB machine BoardLight by discovering a hidden vhost (crm.board.htb), logging into Dolibarr with default creds, and exploiting CVE-2023-30253 to gain a user shell. After finding DB credentials in conf/conf.php and landing as larissa, I used a discovered Enlightenment RCE (CVE-2022-37706) to escalate to root and capture the root flag.