June 2, 2026
Proving Grounds Crane: Semi-Default
Predictable Credentials
Nicolas Garcia
2 min read
Different credentials. Same mistake.
Lesson: Predictability is a vulnerability.
Overview
Crane (PG Lab) is rated Intermediate and community-rated Easy. The community got it right: it is a short, straightforward lab. A changed default credential may send some people down the wrong path, but the reality is much simpler: weak credentials stay weak, even after they have been changed.
Initial Enumeration
Seeing the MySQL ports 3306 and 33060 (the X Protocol port) open may tempt us into unnecessary database enumeration, but the solution is much simpler. Start with the web application first.
The web application is SuiteCRM, so check its documented default credentials.
The documentation lists admin:password as the default, but that pair no longer works. This is where some pentesters may start searching for a more complicated route. A little patience and curiosity go a long way: trying another common default pair, admin:admin, was all it took.
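The login step above, written out as a small default-credential check. This is an added example and not part of the original walkthrough or the lab; the credential list is constructed, the SuiteCRM form field names and the "302 to the Home module on success" behaviour are assumptions about SuiteCRM 7.x, and the per-user failure cap exists so a target's login-lockout policy is not tripped by the check itself.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional, Tuple

# Constructed list of documented defaults and predictable variants; on Crane
# the documented default failed and the second pair worked.
DEFAULT_CREDENTIALS: list = [
    ("admin", "password"),
    ("admin", "admin"),
    ("admin", "admin123"),
    ("administrator", "password"),
]


def find_working_credentials(
    attempt: Callable[[str, str], bool],
    candidates: Iterable[Tuple[str, str]] = DEFAULT_CREDENTIALS,
    max_failures_per_user: int = 3,
) -> Optional[Tuple[str, str]]:
    """Try each pair in order and return the first one that logs in.

    max_failures_per_user caps attempts per account so a lockout policy on
    the target is not tripped; once a user hits the cap, the remaining pairs
    for that user are skipped rather than sent.
    """
    failures: dict = {}
    for user, password in candidates:
        if failures.get(user, 0) >= max_failures_per_user:
            continue
        if attempt(user, password):
            return (user, password)
        failures[user] = failures.get(user, 0) + 1
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 302 itself is observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def suitecrm_login_attempt(base_url: str, user: str, password: str, timeout: int = 10) -> bool:
    """Assumption (not verified against the lab): SuiteCRM 7.x posts these
    form fields to index.php, answers a good login with a 302 to the Home
    module, and re-renders the login page (200) on a bad one."""
    form = urllib.parse.urlencode({
        "module": "Users",
        "action": "Authenticate",
        "return_module": "Users",
        "return_action": "Login",
        "user_name": user,
        "username_password": password,
        "Login": "Log In",
    }).encode()
    request = urllib.request.Request(base_url.rstrip("/") + "/index.php", data=form)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        response = opener.open(request, timeout=timeout)
        code, location = response.getcode(), response.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        code, location = err.code, err.headers.get("Location", "")
    return code in (301, 302) and "module=Home" in location


if __name__ == "__main__":
    import sys

    # Placeholder target URL; pass the lab's address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://crane.example/"
    hit = find_working_credentials(lambda u, p: suitecrm_login_attempt(target, u, p))
    print("working pair:", hit)
```

The login callable is injected so the ordering and lockout logic can be exercised offline; against a real SuiteCRM instance confirm the success signal (redirect versus re-rendered login form) manually once before trusting the boolean, and keep the per-user cap below whatever lockout threshold the instance enforces.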
Initial Access
We are in. Clicking around the application, including the About page, revealed version 7.12.3 (Sugar Build 344).
Searching for SuiteCRM 7.12.3 Sugar Build 344 vulnerabilities quickly led to a known exploit for that version.
Manuelz120 published an exploit script on GitHub, with easy-to-follow instructions.
Clone the repository.
The instructions recommend pip3 install -r requirements.txt, but recent Kali releases mark the system Python as externally managed, so the dependencies had to be installed inside a virtual environment (venv).
Manuelz120 included a ready-to-use reverse shell payload, which makes the exploit easier to use.
The listener caught the connection, but the shell was a bare, non-interactive one: no job control, no tab completion, and interactive commands misbehave. To make it usable, upgrade it to a PTY with Python 3's pty module.
Privilege Escalation
The sudo -l output revealed that www-data could run /usr/sbin/service as root without a password. service runs the init script at /etc/init.d/<name> and does not sanitise the name, so instead of a real service name we pass ../../../../bin/bash. The path /etc/init.d/../../../../bin/bash resolves to /bin/bash, and because service is running as root under sudo, Bash inherits those privileges and drops us directly into a root shell.
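The path resolution behind that escalation, plus the allow-list check a hardened wrapper would apply, as an added example that is not part of the original walkthrough or of the service(8) script itself. It assumes the Debian-style /etc/init.d layout; the resolve function only reproduces the string concatenation service performs, it does not execute anything.

```python
import os
import re

# service(8) looks for init scripts here on Debian-based systems
# (assumption: the lab target uses this layout).
INIT_DIR = "/etc/init.d"
# A plain service name: no path separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.@-]*$")


def resolve_service_script(name: str, init_dir: str = INIT_DIR) -> str:
    """Build the path service(8) executes for `service <name> <action>`.

    The wrapper concatenates the init directory and the caller-supplied
    name without sanitisation, so the result is wherever that string leads.
    """
    return os.path.normpath(os.path.join(init_dir, name))


def escapes_init_dir(name: str, init_dir: str = INIT_DIR) -> bool:
    """True when the resolved script lies outside the init directory."""
    resolved = resolve_service_script(name, init_dir)
    return os.path.commonpath([resolved, init_dir]) != os.path.normpath(init_dir)


def is_safe_service_name(name: str) -> bool:
    """Allow-list a restricted wrapper would enforce before calling sudo
    service: a plain service name that cannot escape INIT_DIR."""
    return bool(SAFE_NAME.match(name)) and not escapes_init_dir(name)


def sudo_service_command(name: str, action: str) -> list:
    """Return the argv a restricted wrapper would hand to sudo, refusing
    anything that is not a plain service name and a known action."""
    if not is_safe_service_name(name):
        raise ValueError(f"refusing service name {name!r}")
    if action not in ("start", "stop", "restart", "status"):
        raise ValueError(f"refusing action {action!r}")
    return ["sudo", "/usr/sbin/service", name, action]


if __name__ == "__main__":
    for candidate in ("apache2", "../../../../bin/bash", "../../bin/bash"):
        print(f"{candidate!r:24} -> {resolve_service_script(candidate)}  "
              f"escapes={escapes_init_dir(candidate)}")
```

Note that ../../bin/bash already reaches /bin/bash; the extra ../ pairs in the walkthrough are harmless because path resolution stops at /. On the defensive side, the cleaner fix than a wrapper is in sudoers itself: pin the rule to the exact command line that is needed, for example /usr/sbin/service apache2 restart, rather than granting /usr/sbin/service with any arguments.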
Remedies
- Credential Management
  - Replace default and predictable credentials with strong, unique passwords.
  - Enforce a password policy that rejects weak combinations such as admin:admin.
- Patch Management
  - Update SuiteCRM to a version that is no longer vulnerable to the exploit.
  - Regularly review and apply vendor security updates.
- Privilege Management
  - Review sudo permissions and follow the principle of least privilege.
  - Do not let a web service account run service management utilities as root with unrestricted arguments; if a service must be restarted, pin the sudoers rule to that exact service name and action.