
Election1 Walkthrough

Platform: Offsec | PG Play
Difficulty: Intermediate
OS: Linux
Author: Pawan Kumar (Vulntricks)


Scanning

Performing a quick scan with rustscan and passing the open ports to nmap for service and script detection:

└─$ rustscan -a $IP -- -sV -sC -Pn -oN scan_tcp.txt
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoqt4FP0lhkJ0tTiMEUrVqRIcNKgQK22LJCOIVa1yoZf+bgOqsR4mIDjgpaJm/SDrAzRhVlD1dL6apkv7T7iceuo5QDXYvRLWS+PfsEaGwGpEVtpTCl/BjDVVtohdzgErXS69pJhgo9a1yNgVrH/W2SUE1b36ODSNqVb690+aP6jjJdyh2wi8GBlNMXBy6V5hR/qmFC55u7F/z5oG1tZxeZpDHbgdM94KRO9dR0WfKDIBQGa026GGcXtN10wtui2UHo65/6WgIG1LxgjppvOQUBMzj1SHuYqnKQLZyQ18E8oxLZTjc6OC898TeYMtyyKW0viUzeaqFxXPDwdI6G91J
| 256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO9gF8Fv+Uox9ftsvK/DNkPNObtE4BiuaXjwksbOizwtXBepSbhUTyL5We/fWe7x62XW0CMFJWcuQsBNS7IyjsE=
| 256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfCRDfwNshxW7uRiu76SMZx2hg865qS6TApHhvwKSH5
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
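The scan above is the raw nmap normal output (-oN, with the REASON column that rustscan's `--reason`-style pass-through produces). As an added example that is not part of the original walkthrough, here is a small Python parser that turns that text into structured port records, attaches each NSE script's output to its port, and pulls out the defender-side observations a reviewer would ticket (default web page still served, exact product versions in banners). The sample input is a trimmed copy of the scan shown above; the column layout assumed by `PORT_RE` is the one with the REASON column present.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the port table and NSE output from the scan
# above, with the long host-key lines shortened to their fingerprints.
SAMPLE_SCAN = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| 256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_ 256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Port line as printed when nmap shows the REASON column ("syn-ack ttl 61").
# Without --reason the columns shift and this pattern would need adjusting.
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)(?:\s+ttl\s+\d+)?\s*(?P<version>.*)$"
)
# NSE script header: "| name:" or "|_name: value"; continuation lines lack the name.
SCRIPT_HEADER_RE = re.compile(r"^\|_?\s*(?P<name>[a-z][a-z0-9-]*):\s*(?P<rest>.*)$")
SERVICE_INFO_RE = re.compile(r"^Service Info:\s*(?P<info>.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    reason: str
    version: str
    scripts: Dict[str, List[str]] = field(default_factory=dict)


def parse_nmap_normal(text: str) -> Tuple[List[Port], Optional[str]]:
    """Parse the port table of nmap -oN output into Port records.

    Script output ('|' lines) is attached to the most recent port, keyed by
    script name; the trailing 'Service Info:' line is returned separately.
    """
    ports: List[Port] = []
    service_info: Optional[str] = None
    current_script: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m["port"]), m["proto"], m["state"], m["service"],
                              m["reason"], m["version"].strip()))
            current_script = None
            continue
        if line.startswith("|") and ports:
            h = SCRIPT_HEADER_RE.match(line)
            if h:
                current_script = h["name"]
                ports[-1].scripts[current_script] = [h["rest"]] if h["rest"] else []
            elif current_script is not None:
                ports[-1].scripts[current_script].append(line.lstrip("|_ ").strip())
            continue
        s = SERVICE_INFO_RE.match(line)
        if s:
            service_info = s["info"]
    return ports, service_info


def exposed_services(ports: List[Port]) -> List[str]:
    """One 'port/proto service version' line per open port, for an asset inventory."""
    return [f"{p.number}/{p.proto} {p.service} {p.version}".rstrip()
            for p in ports if p.state == "open"]


def review_notes(ports: List[Port]) -> List[str]:
    """Defender-side observations: default pages left in place and banners or
    Server headers that reveal an exact product version."""
    notes = []
    for p in ports:
        title = " ".join(p.scripts.get("http-title", []))
        if "Default Page" in title:
            notes.append(f"{p.number}/{p.proto}: web server still serves its default page")
        header = " ".join(p.scripts.get("http-server-header", []))
        if re.search(r"\d+\.\d+", header):
            notes.append(f"{p.number}/{p.proto}: Server header exposes version '{header}'")
        if re.search(r"\d+\.\d+", p.version):
            notes.append(f"{p.number}/{p.proto}: banner exposes version '{p.version}'")
    return notes


if __name__ == "__main__":
    found, info = parse_nmap_normal(SAMPLE_SCAN)
    for entry in exposed_services(found):
        print(entry)
    for note in review_notes(found):
        print("NOTE:", note)
    print("Service Info:", info)
```

Pointing `parse_nmap_normal` at the contents of `scan_tcp.txt` from the command above gives the same records; the version strings it extracts are what you would check against the distribution's advisories, and the `review_notes` output is the short list of hardening items (remove the default page, set `ServerTokens Prod`) that the scan alone already justifies.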

Enumeration

So basically we have 1 port to look at --> port 80.

On a quick directory enumeration I found an endpoint:

└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200                          
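A gobuster run at 200 threads fires thousands of requests that mostly end in 404s, which is exactly what the target's Apache access log records. As an added example that is not part of the original walkthrough, here is a small Python detector that parses combined-format log lines and flags any client that accumulates many 404/403 responses inside a sliding time window, then lists which of that client's guesses actually existed. The log lines are constructed for the example; the addresses, the `/phpmyadmin` path and the `gobuster/3.6` User-Agent are sample values, not taken from this machine's logs, and the rate-based rule does not depend on the User-Agent at all.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List

# Apache "combined" log format, assumed layout:
#   ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log() -> List[str]:
    """Constructed sample: one normal visitor (10.0.0.5) and one client
    (10.0.0.9) walking a wordlist at high speed. Addresses, paths and the
    User-Agent are made up for the example."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def stamp(t: datetime) -> str:
        return t.strftime(TS_FMT)

    lines = [f'10.0.0.5 - - [{stamp(base)}] "GET / HTTP/1.1" 200 10918 "-" "Mozilla/5.0"']
    words = ["images", "admin", "phpmyadmin", "backup", "test", "css",
             "js", "old", "private", "uploads", "dev", "tmp"]
    for i, word in enumerate(words):
        # only one guessed directory exists: Apache answers 301 for it, 404 for the rest
        status, size = ("301", "312") if word == "phpmyadmin" else ("404", "275")
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f'10.0.0.9 - - [{stamp(t)}] "GET /{word} HTTP/1.1" '
                     f'{status} {size} "-" "gobuster/3.6"')
    # a single browser 404 (missing favicon) from the normal visitor
    lines.append(f'10.0.0.5 - - [{stamp(base + timedelta(seconds=30))}] '
                 f'"GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"')
    return lines


def detect_dir_bruteforce(lines: List[str], window: timedelta = timedelta(seconds=10),
                          threshold: int = 8) -> Dict[str, dict]:
    """Return {client_ip: details} for every client that produced at least
    `threshold` 404/403 responses inside any `window`-long sliding interval."""
    misses: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("404", "403"):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = misses[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop misses that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = {
                "first_miss": q[0].isoformat(),
                "misses_in_window": len(q),
                "user_agent": m["ua"],
                "triggering_path": m["path"],
            }
    return alerts


def hits_from_client(lines: List[str], ip: str) -> List[str]:
    """Paths for which the client got a 2xx/3xx: the guesses that really
    exist, which is what incident triage most wants to know."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["ip"] == ip and m["status"][0] in "23":
            found.append(m["path"])
    return found


if __name__ == "__main__":
    log = build_sample_log()
    for ip, info in detect_dir_bruteforce(log).items():
        print(f"ALERT {ip}: {info}")
        print(f"  existing paths guessed: {hits_from_client(log, ip)}")
```

The threshold and window are deliberately loose defaults; on a real server tune them against a day of normal traffic so that crawlers and broken links stay below the line, and feed `hits_from_client` the same log to see what an attacker learned, since those paths (here the phpMyAdmin directory) are the ones to lock down first.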


Enumerating further


Found a phpMyAdmin page, and the default login root:toor worked.


Further enumeration

Found this user and password in the DB.

And cracked it.

Tried the login portal with the user ID I had found:

However, the raw password failed, so it needed to be decrypted, but that failed as well.

So I went back to the links discovered by gobuster and found the password there.



Initial access

I was able to SSH in as the user love with the discovered password.


Post Enum

After some digging I found this binary, which looked interesting:

/usr/local/Serv-U/Serv-U

Looking it up in searchsploit showed that it is vulnerable.

Tried the exploit and was able to get a root shell :)