Crane Proving Grounds Write-Up
SUMMARY
This write-up covers the Crane machine from OffSec’s Proving Grounds, a Linux host where an outdated CRM application led to full system compromise.
Port 80 redirected to a SuiteCRM login panel that accepted the default administrator credentials. The About page revealed the version as 7.12.3, which is vulnerable to CVE-2022-23940, an authenticated remote code execution flaw in the Scheduled Reports feature (fixed in 7.12.6, and in 8.1.1 on the 8.x branch): an authenticated user can craft a report whose content is written out as PHP and executed by the server. Cloning the public exploit repository and running it against the panel returned a shell as www-data.
Privilege escalation was achieved via a sudo rule allowing www-data to execute the service binary as any user. Because service simply runs /etc/init.d/<name>, passing a relative path as the service name escapes that directory; this is the technique documented in the GTFOBins sudo entry for service, and it spawns a shell as root.
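As an added illustration (not part of the original write-up, nor GTFOBins' own text), the following POSIX shell snippet shows the mechanics behind the GTFOBins service entry and a quick check a practitioner can run over `sudo -l` output. The init-script directory, the function names and both `sudo -l` samples are assumptions constructed for the demo, not captured from the box.

```shell
#!/bin/sh
# Added triage helper (not from the write-up): shows why a sudo rule on the bare
# `service` binary is exploitable by relative path traversal, and flags such rules
# in `sudo -l` output. Paths and sample output below are constructed for the demo.

# Where the sysvinit `service` wrapper looks for init scripts (Debian/Ubuntu default).
SERVICE_DIR="/etc/init.d"

# Lexically collapse "." and ".." segments so we can see what ${SERVICE_DIR}/${SERVICE}
# resolves to without touching the filesystem.
normalize_path() {
  _out=""
  _oldifs=$IFS
  IFS=/
  for _seg in $1; do
    case "$_seg" in
      ""|".") ;;                       # skip empty and current-dir segments
      "..")   _out="${_out%/*}" ;;     # pop one path component
      *)      _out="$_out/$_seg" ;;    # push a normal component
    esac
  done
  IFS=$_oldifs
  printf '%s\n' "${_out:-/}"
}

# The wrapper effectively executes ${SERVICE_DIR}/${SERVICE}; a SERVICE argument of
# ../../bin/sh therefore escapes /etc/init.d and runs /bin/sh as the sudo target user.
service_target() {
  normalize_path "${SERVICE_DIR}/$1"
}

# Flag sudoers rules that grant the bare service binary with no argument pinning.
# A rule that pins arguments, e.g. "(root) /usr/sbin/service apache2 restart",
# is not flagged, because the traversal needs control of the first argument.
flag_unrestricted_service_rule() {
  printf '%s\n' "$1" | grep -E \
    '^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?(/usr/sbin/|/sbin/)?service[[:space:]]*$'
}

# Constructed sample of `sudo -l` output modelled on the rule described in the text.
SUDO_L_SAMPLE='User www-data may run the following commands on target:
    (ALL) NOPASSWD: /usr/sbin/service'

# Constructed counter-example with pinned arguments; this one is not flagged.
SUDO_L_PINNED='User www-data may run the following commands on target:
    (root) /usr/sbin/service apache2 restart'

echo "service ../../bin/sh resolves to: $(service_target ../../bin/sh)"
if flag_unrestricted_service_rule "$SUDO_L_SAMPLE" >/dev/null; then
  echo "sample rule grants the bare service binary: GTFOBins traversal applies"
fi
if ! flag_unrestricted_service_rule "$SUDO_L_PINNED" >/dev/null; then
  echo "pinned rule is not flagged"
fi
```

When auditing sudoers, the fix is the inverse of the check: either drop the rule or pin the service name and action in the sudoers entry so the first argument is no longer attacker-controlled.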
PATH TO FOLLOW
- Reconnaissance & SuiteCRM Discovery on Port 80
- Default Credential Login & Version Identification
- CVE-2022-23940 Authenticated RCE
- Reverse Shell as www-data
- Sudo service Binary Abuse via Path Traversal
- Shell as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.