CVE-2022-37706
Published: 2022-12-25
Priority P3 · 53 · high · 7.8 · CVSS 3.1
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.49% (91.8th percentile)
enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | e17 | < e17 0.25.4-1 (bookworm) | e17 0.25.4-1 (bookworm) |
| enlightenment | enlightenment | < 0.25.4 | 0.25.4 |
Detection & IOCs
command:
```console
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
```
sigma:
```eql
sequence by host.id, process.parent.entity_id with maxspan=5s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
    process.name == "enlightenment_sys" and process.args in ("/bin/mount/", "-o","noexec","nosuid","nodev","uid=*") ]
  [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"]
```
- Look for enlightenment_sys (setuid root binary) being invoked with mount arguments containing /dev/../tmp/ path patterns, which is the core exploit primitive — a path traversal via /dev/.. substring passed to the system() library call.
- Detect enlightenment_sys spawning with mount-related args (noexec, nosuid, nodev, uid=*) followed within 5 seconds by a uid_change event to uid 0 on the same host and parent process entity.
- Monitor for creation of directories /tmp/net and paths matching /dev/../tmp/;/tmp/exploit, and creation of a shell script at /tmp/exploit with execute permissions — these are staging artifacts of the exploit.
- Hunt for enlightenment_sys SUID binary using: find / -name enlightenment_sys -perm -4000. Presence of this binary on a system is a prerequisite for exploitation.
- The exploit injects a command via a semicolon in the mount path argument: the path /dev/../tmp/;/tmp/exploit causes enlightenment_sys to execute /tmp/exploit as root via the system() call.
- The vulnerability is fixed in Enlightenment 0.25.4; versions 0.25.3 and earlier are affected. Debian stable (bullseye) fix is in 0.24.2-8+deb11u1.
- Exploitation requires local access to a machine with Enlightenment installed and the enlightenment_sys binary present as a setuid-root SUID binary.
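The sequence logic described in the detection notes above, as an added Python example that is not taken from any of the listed sources. It goes slightly beyond the quoted rule by matching on the `/dev/../` prefix and the `;` in the path argument; the event field names (`ts`, `host`, `parent`, `action`, `name`, `args`, `uid`) and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(seconds=5)        # same window as the rule's maxspan=5s
T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed base timestamp

def suspicious_exec(e):
    """enlightenment_sys exec with /bin/mount and a /dev/../ or ';' path arg."""
    if e["action"] != "exec" or e.get("name") != "enlightenment_sys":
        return False
    args = e.get("args", [])
    return "/bin/mount" in args and any(
        a.startswith("/dev/../") or ";" in a for a in args)

def correlate(events):
    """Return (host, parent) keys where a suspicious exec is followed within
    MAXSPAN by a uid_change to uid 0 under the same host and parent entity."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["parent"])
        if suspicious_exec(e):
            pending[key] = e["ts"]
        elif e["action"] == "uid_change" and e.get("uid") == "0":
            started = pending.pop(key, None)
            if started is not None and e["ts"] - started <= MAXSPAN:
                hits.append(key)
    return hits

def ev(sec, host, parent, action, **extra):
    """Build one constructed event (simplified fields, not real telemetry)."""
    return {"ts": T0 + timedelta(seconds=sec), "host": host,
            "parent": parent, "action": action, **extra}

OPTS = "noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=1000,"
BAD = ["/bin/mount", "-o", OPTS, "/dev/../tmp/;/tmp/exploit", "/tmp///net"]
# Hypothetical ordinary mount request, used as the negative case.
OK = ["/bin/mount", "-o", "nosuid,nodev,uid=1000", "/dev/sdb1", "/media/usb"]

SAMPLE_EVENTS = [
    ev(0, "h1", "p1", "exec", name="enlightenment_sys", args=BAD),
    ev(1, "h1", "p1", "uid_change", uid="0"),    # within 5s: alert
    ev(0, "h2", "p2", "exec", name="enlightenment_sys", args=OK),
    ev(1, "h2", "p2", "uid_change", uid="0"),    # ordinary path: no alert
    ev(0, "h3", "p3", "exec", name="enlightenment_sys", args=BAD),
    ev(10, "h3", "p3", "uid_change", uid="0"),   # outside maxspan: no alert
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```
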
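CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 7.8 | HIGH | |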
OSV
ring vulnerabilities
osv·2023-10-09·CVSS 9.8
CVE-2021-37706 ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022
OSV
CVE-2022-37706: enlightenment_sys in Enlightenment before 0
osv·2022-12-25·CVSS 7.8
CVE-2022-37706 [HIGH] CVE-2022-37706: enlightenment_sys in Enlightenment before 0
GHSA
GHSA-j268-37pf-rvx9: enlightenment_sys in Enlightenment before 0
ghsa_unreviewed·2022-12-25
CVE-2022-37706 [HIGH] CWE-269 GHSA-j268-37pf-rvx9: enlightenment_sys in Enlightenment before 0
Debian
CVE-2022-37706: e17 - enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain priv...
vendor_debian·2022·CVSS 7.8
CVE-2022-37706 [HIGH] CVE-2022-37706: e17 - enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain priv...
Scope: local
bookworm: resolved (fixed in 0.25.4-1)
bullseye: resolved (fixed in 0.24.2-8+deb11u1)
forky: resolved (fixed in 0.25.4-1)
sid: resolved (fixed in 0.25.4-1)
trixie: resolved (fixed in 0.25.4-1)
Exploit-DB
Enlightenment v0.25.3 - Privilege escalation
exploitdb·2023-04-01·CVSS 7.8
CVE-2022-37706 [HIGH] Enlightenment v0.25.3 - Privilege escalation
---
## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706
## Description:
The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.
Enlightenment_sys in Enlightenment before 0.25.3 allows local users to
gain privileges because it is setuid root,
and the system library function mishandles pathnames that begin with a
/dev/.. substring
If the attacker has access locally to some machine on which the
machine is installed Enlightenment
he can use this vulnerability to do very dan
Metasploit
Ubuntu Enlightenment Mount Priv Esc
metasploit
This module exploits a command injection within Enlightenment's enlightenment_sys binary. This is done by calling the mount command and feeding it paths which meet all of the system requirements, but execute a specific path as well due to a semi-colon being used. This module was tested on Ubuntu 22.04.1 X64 Desktop with enlightenment 0.25.3-1 (current at module write time)
CTF
BoardLight / README
ctf_writeups·CVSS 7.8
CVE-2023-30253 [HIGH] BoardLight / README
# BoardLight - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `80`.
***User***: Discovered the virtual host `crm.board.htb` running `Dolibarr 17.0.0`, which is vulnerable to `CVE-2023-30253`. Exploit this CVE to obtain a reverse shell as `www-data`. Reuse the database password from `conf.php` for SSH login as `larissa`.
***Root***: Identified an SUID file at `lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys`. Use `CVE-2022-37706` to achieve Local Privilege Escalation.
## BoardLight Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/BoardLight]
└──╼ $ nmap -sV -sC -oA nmap/BoardLigh
```
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cae78cbb169f237862faef123e4abaf63a1f5064
- https://git.enlightenment.org/enlightenment/enlightenment/commit/cc7faeccf77fef8b0ae70e312a21e4cde087e141
- https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit