OSCP Prep Box 51 – Crane- Proving Grounds Practice

Posted on

Hi everyone

Today we are going to look for a Box called Crane which is rated as intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.

Box Type: Linux

Recon & Enumeration

Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.

First, we will check whether target is reachable or not with ping command:

ping Target_IP

With ping command output we found that the target is reachable.

Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:

nmap -sC -sV -O -oA nmap/initial 192.168.149.146

nmap -sC -sV -O -p- -oA nmap/full 192.168.149.146 -T4

I discovered these ports are open:

  • 22/tcp – SSH Service running OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
  • 80/tcp – HTTP Service running Apache httpd 2.4.38 ((Debian))
  • 3306/tcp – MySQL Service running MySQL (unauthorized)
  • 33060/tcp – MySQL Service running MySQL X protocol listener
  • OS: Linux

Then I went ahead and checked the IP in the web browser and I found a CRM running and tried admin admin as creds and it worked:

I found the version of the suite CRM

Exploitation

I found an exploit for the same and used it in order to get the initial foothold:

Exploit Link

I got the shell and the local.txt flag:

I found the local.txt flag

Privilege Escalation

Now it was a time for escalating the privileges.

sudo -l revealed a misconfiguration where the www-data user could execute /usr/sbin/service as root without a password: (ALL) NOPASSWD: /usr/sbin/service. This indicated a potential privilege escalation path, as controlling system services with root privileges could allow the execution of a malicious service to gain root access.

The above image shows the proof.txt file.

Key Takeaways

  • Enumeration revealed exploitable web service leading to initial access.
  • Public exploit CVE-2022-23940 enabled remote code execution.
  • Post-exploitation enumeration with sudo -l exposed a sudo misconfiguration.
  • www-data could run /usr/sbin/service as root without a password.
  • Path traversal with service allowed execution of /bin/sh as root.
  • Misconfigured sudo permissions resulted in full privilege escalation.

If you enjoyed this post, share it with your friends and colleagues!

Leave a Reply

Your email address will not be published. Required fields are marked *