Enumeration

Nmap

The initial Nmap scan revealed that the HTTP, SSH and MySQL ports were open.


WEB Enumeration

The website was a SuiteCRM site.

01 - website suite crm

I did directory bruteforcing with versioning-metafiles and found Readme.md, which revealed the version was 7.12.3.

02 - suite crm 7 12 3

Then I tried the default login admin:admin and it worked.

03 - admin:admin creds worked

Exploitation

CVE-2022-23940

SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a crafted request, they can create a malicious report, containing a PHP-deserialization payload in the email_recipients field. Once someone accesses this report, the backend will deserialize the content of the email_recipients field and the payload gets executed. Project dependencies include a number of interesting PHP deserialization gadgets (e.g., Monolog/RCE1 from phpggc) that can be used for Code Execution.
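As an added illustration of the bug class described above (this is not SuiteCRM's code, and the function names are hypothetical), the vulnerable pattern beside two hardened handlers for a stored recipients field, plus a simple check for serialized objects already sitting in the database:

```php
<?php
// Added example (not SuiteCRM's code): a stored recipients field used as a
// PHP deserialization sink, beside two safer ways to handle the same data.
// All function names here are hypothetical.

// Vulnerable pattern: the stored field goes straight into unserialize(),
// so any autoloadable class can be instantiated and its magic methods
// (__wakeup, __destruct, __toString, ...) run when the report is opened.
function loadRecipientsUnsafe(string $stored): array
{
    $value = unserialize($stored); // the sink
    return is_array($value) ? $value : [];
}

// Hardened 1: never instantiate objects. Objects become
// __PHP_Incomplete_Class placeholders, which the is_string filter drops.
function loadRecipientsNoObjects(string $stored): array
{
    $value = unserialize($stored, ['allowed_classes' => false]);
    return is_array($value) ? array_values(array_filter($value, 'is_string')) : [];
}

// Hardened 2: plain data does not need PHP serialization at all. Store JSON
// and validate every entry as an e-mail address on the way out.
function encodeRecipients(array $emails): string
{
    return json_encode(array_values($emails), JSON_THROW_ON_ERROR);
}

function loadRecipientsJson(string $stored): array
{
    $value = json_decode($stored, true);
    if (!is_array($value)) {
        return [];
    }
    return array_values(array_filter($value, fn ($e) =>
        is_string($e) && filter_var($e, FILTER_VALIDATE_EMAIL) !== false));
}

// Detection hint for rows already in the database: a recipient list should
// only ever contain a:/i:/s: tokens; an O: or C: token means an object.
function looksLikeSerializedObject(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// Constructed sample rows; stdClass stands in for a real gadget class.
$legit = serialize(['alice@example.com', 'bob@example.com']);
$suspect = 'a:1:{i:0;O:8:"stdClass":0:{}}';
var_dump(loadRecipientsNoObjects($legit), loadRecipientsNoObjects($suspect));
var_dump(looksLikeSerializedObject($legit), looksLikeSerializedObject($suspect));
var_dump(loadRecipientsJson(encodeRecipients(['carol@example.com', 'not-an-email'])));
```

Run it with the php CLI; the second handler drops the object placeholder, the checker flags only the constructed suspect row, and the JSON path keeps only the valid address.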

04 - exploit

I simply got a reverse shell.

05 - shell

Privilege Escalation

sudo /usr/bin/service

I ran sudo -l and found that we could run service via sudo.

06 - sudo -l

I simply applied the steps from GTFOBins, which were sudo service ../../../bin/bash, and got the root flag.

07 - root flag

I also got the user flag after checking the /var/www folder.

08 - user flag
