eLection
Source: Proving Grounds
OS: Linux
Community Rating: Intermediate
Enumeration & Reconnaissance
I started by running autorecon against the target, which revealed two open ports:
SSH (22)
HTTP (80)
Since I didn't have valid SSH credentials at first, I began my analysis with the HTTP service.
Service Analysis
HTTP Service
While the fuzzers were working in the background, I checked the robots.txt file.

It revealed four paths:
admin
wordpress
user
election
Out of these, only the election path was active. The election page featured a single function interacting with the backend. Despite trying SQL injection, code injection, and other common techniques, nothing fruitful emerged from that endpoint.
Further fuzzing of the website uncovered additional interesting targets such as phpmyadmin and phpinfo.

Database Access
I experimented with several passwords on phpmyadmin until I managed to log in using:
Username: root
Password: toor
Inside the database, I discovered a table with a user whose password was stored as an MD5 hash.

I ran hash-identifier to confirm its type and then cracked it via hashes.com, which yielded the password: Zxc123!@#.

Initially, I attempted to use this credential via SSH, but it didn't grant access. Instead, I tried it through the election/admin interface and was able to log in.
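The hash in the user table was a bare, unsalted MD5 digest, which is exactly why an online lookup service returned the password instantly. The following Python is an added example, not code from the writeup or from the eLection application: it contrasts that legacy scheme with a salted, iterated PBKDF2-HMAC store, verifies in constant time, and includes an audit helper that flags accounts still carrying a legacy hash. The storage format, the iteration count and the sample rows are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value chosen for this example;
# raise it to whatever your login hardware can afford).
PBKDF2_ITERATIONS = 200_000
_LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the scheme found in the eLection user table.

    Identical passwords always map to the identical digest, so one
    precomputed lookup table recovers every matching account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing storage format (assumed):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy_hash(stored: str) -> bool:
    """Audit helper: a bare 32-hex-char field is an unsalted MD5 digest
    and should be rehashed with the user's password at their next login."""
    return bool(_LEGACY_MD5_RE.match(stored))


def audit_user_table(rows: List[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose stored hash is still legacy MD5."""
    return [user for user, stored in rows if is_legacy_hash(stored)]


if __name__ == "__main__":
    # Constructed sample rows for demonstration, not data from the target.
    rows = [
        ("admin", legacy_md5("example-legacy-pass")),
        ("love", hash_password("example-migrated-pass")),
    ]
    print("accounts still on MD5:", audit_user_table(rows))
```

Running `audit_user_table` over an export of the users table gives the list of accounts to migrate; the migration itself can be done transparently by verifying against the old digest on the next successful login and immediately overwriting it with `hash_password`.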
Gaining Initial Access
Within the admin panel, I found a Logging module that allowed the admin to view system logs.


Checking these logs revealed another password for the user love: P@$$w0rd@123. Using this newly discovered credential, I successfully accessed the system via SSH.
Privilege Escalation
After gaining SSH access, I ran linpeas.sh to enumerate the system further.

Among files with interesting permissions, there were hints pointing toward several exploitable CVEs. I focused on CVE-2021-4034, and it worked like a charm: it granted me root access.
Lessons Learned
Hidden Endpoints: Always check common files like robots.txt, as they can reveal valuable paths.
Weak Credentials: Default or weak passwords on services such as phpmyadmin can be a gold mine.
Log Analysis: Don't overlook admin panels' log files, as they might expose additional credentials.
Exploitation Paths: Even when the initial credential doesn't work for one service, trying it in another context (like an admin portal) can work.
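The Log Analysis lesson cuts both ways: the same log that handed me the SSH password is something a defender can scan for before an attacker does. Below is an added Python example, not code from the writeup or from the eLection application, that runs a small set of credential-leak patterns over log lines, reports each hit with the secret redacted, and wraps the same logic in a `logging.Filter` so a leak is scrubbed before it is ever written. The sample log lines are constructed for this example and the patterns are a starting point, not an exhaustive list.

```python
import logging
import re
from typing import Iterable, List, Tuple

# Patterns that commonly carry secrets into application logs. Each regex
# captures the secret in the named group "secret" so it can be redacted.
CREDENTIAL_PATTERNS: List[Tuple[str, "re.Pattern"]] = [
    ("key=value password", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*(?P<secret>\S+)")),
    ("HTTP Basic auth header", re.compile(
        r"(?i)authorization:\s*basic\s+(?P<secret>[A-Za-z0-9+/=]+)")),
    ("URL embedded credentials", re.compile(
        r"(?i)://[^/\s:@]+:(?P<secret>[^@\s]+)@")),
]

# Constructed sample log lines (not from the target machine).
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO  auth: login ok user=admin",
    "2024-01-01 10:00:07 DEBUG auth: creating user=love password=ExamplePass123",
    "2024-01-01 10:00:09 DEBUG http: Authorization: Basic dXNlcjpleGFtcGxl",
    "2024-01-01 10:00:12 INFO  db: connect mysql://root:example-db-pass@localhost/election",
    "2024-01-01 10:00:15 INFO  cron: backup completed",
]


def _redact_match(m: "re.Match") -> str:
    """Replace only the 'secret' group inside a whole-pattern match."""
    whole = m.group(0)
    start = m.start("secret") - m.start()
    end = m.end("secret") - m.start()
    return whole[:start] + "<REDACTED>" + whole[end:]


def redact(line: str) -> str:
    """Scrub every credential captured by CREDENTIAL_PATTERNS from a line."""
    for _, pattern in CREDENTIAL_PATTERNS:
        line = pattern.sub(_redact_match, line)
    return line


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, redacted_line) for every line that leaks
    a credential. The secret itself never appears in the result."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((number, label, redact(line)))
                break  # one finding per line is enough to trigger follow-up
    return findings


class RedactingFilter(logging.Filter):
    """Attach to a handler so secrets are scrubbed before they hit disk
    or a log-viewing admin panel."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    for number, label, redacted in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {label}: {redacted}")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("election-demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.debug("creating user=%s password=%s", "love", "example-only")
```

Run `scan_log_lines` over the files an admin panel exposes (and over anything a low-privileged account can read) as a periodic check; install `RedactingFilter` on the application's handlers so the leak is prevented rather than merely found.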