Hi all, this was a really easy box, let’s pwn it!
You can find the machine here: eLection
Let’s start, as always, with nmap.
When we visit the webpage, we can see the Apache2 default page. I always check
robots.txt first, and we see these directories:
/election is working and it runs some kind of webapp (?):
Let’s run gobuster on it.
Shell as love
/card.php contains binary data, let’s decode it.
We get 1234:Zxc123!@# and can log in with them under
/admin. Under settings we can now download some logs:
These logs contain this:
We can use them with SSH.
love -> root - Exploiting Serv-U
Perfect, now privesc is pretty easy. Let’s search for
Serv-U seems interesting, let’s search for possible local privilege escalation exploits.
linux/local/47009.c seems perfect, let’s mirror it and compile it.
Let’s wget it now and run it.
Bingo! :D Let’s read the flags: