eLection

Source: Proving Grounds | OS: Linux | Community Rating: Intermediate

Enumeration & Reconnaissance

  • I started by running autorecon against the target, which revealed two open ports:

    • SSH (22)

    • HTTP (80)

  • Since I didn't have valid SSH credentials at first, I began my analysis with the HTTP service.

Service Analysis

HTTP Service

  • While the fuzzers were working in the background, I checked the robots.txt file.

[Image: robots.txt contents]
  • It revealed four paths:

    • admin

    • wordpress

    • user

    • election

  • Of these, only the election path was live. The election page exposed a single function that talked to the backend; SQL injection, code injection, and the other common techniques I tried against that endpoint produced nothing useful.

  • Further fuzzing of the website uncovered additional interesting targets such as phpmyadmin and phpinfo.

[Image: fuzzing findings]

Database Access

  • I tried several passwords against phpmyadmin before logging in with a well-known default pair:

    • Username: root

    • Password: toor

  • Inside the database, I discovered a table with a user whose password was stored as an MD5 hash.

[Image: database user and password hash]
  • I ran hash-identifier to confirm the type (a 32-character hex string, consistent with unsalted MD5) and then cracked it through hashes.com, which returned the password Zxc123!@#.

[Image: hash cracked on hashes.com]
  • Initially I tried this credential over SSH, but it didn't grant access. Trying it against the election/admin interface instead, I was able to log in.
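The cracking step above went through hashes.com. As an added example (not part of the original writeup), the script below does the same offline: it guesses the hash type from its shape, the way hash-identifier does, then runs a small dictionary attack with case and suffix mangling rules. The writeup does not reproduce the actual digest from the database, so SAMPLE_HASH and WORDLIST are constructed here; a real run would use rockyou.txt or similar.

```python
"""Offline hash identification and dictionary attack with simple mangling rules."""
import hashlib
import itertools
import re

# Constructed stand-in for the digest pulled from the phpmyadmin table (the
# writeup does not reproduce it), derived here from the recovered password.
SAMPLE_HASH = hashlib.md5(b"Zxc123!@#").hexdigest()

# Constructed mini wordlist; a real run would use a large list such as rockyou.txt.
WORDLIST = ["password", "admin", "election", "zxc123", "letmein", "qwerty"]

# Suffixes users commonly bolt onto a base word.
SUFFIXES = ["", "!", "123", "!@#", "@123", "1"]

# Unsalted hex digests by length. A length match is only a hint: MD5, MD4 and
# NTLM are all 32 hex characters, which is why hash-identifier lists several.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def identify(digest: str):
    """Guess the hash algorithm from a hex digest's length; None if not a hex digest."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return HASH_TYPES.get(len(digest))


def candidates(word: str):
    """Yield mangled variants of a base word: case changes combined with common suffixes."""
    bases = {word, word.lower(), word.upper(), word.capitalize()}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def crack(digest: str, wordlist):
    """Return the plaintext whose digest matches, or None once the wordlist is exhausted."""
    algo = identify(digest)
    if algo is None:
        raise ValueError(f"unrecognised hash format: {digest!r}")
    target = digest.strip().lower()
    for word in wordlist:
        for cand in candidates(word):
            if hashlib.new(algo, cand.encode()).hexdigest() == target:
                return cand
    return None


if __name__ == "__main__":
    print(identify(SAMPLE_HASH), crack(SAMPLE_HASH, WORDLIST))
```

The attack succeeds here because "zxc123" is in the list and the capitalize-plus-"!@#" rule reconstructs the real password; an unsalted, fast hash like MD5 is what makes this cheap, which is the application-side lesson.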

Gaining Initial Access

  • Within the admin panel, I found a Logging module that allowed the admin to view system logs.

[Image: eLection admin panel]
[Image: eLection admin logs]
  • Reviewing these logs revealed another password, for the user love: P@$$w0rd@123. The application was writing a plaintext credential into a log viewable from the admin panel. Using this newly discovered credential, I successfully accessed the system via SSH.
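The log step above was done by eye. As an added example (not part of the original writeup), the script below scans log lines for key/value style secrets and pairs each hit with the username on the same line, then shows the application-side fix of masking the value before it is written. The eLection log format is not reproduced in the writeup, so SAMPLE_LOG is constructed.

```python
"""Scan application log lines for leaked credentials and redact them."""
import re

# Constructed sample lines; the real eLection log format is not reproduced in
# the writeup, so these only illustrate the kinds of entries worth searching for.
SAMPLE_LOG = """\
2024-01-10 09:12:01 [INFO] election service started
2024-01-10 09:13:44 [INFO] user love logged in from 10.10.14.5
2024-01-10 09:14:02 [DEBUG] auth attempt user=love password=P@$$w0rd@123
2024-01-10 09:20:17 [INFO] admin opened logging module
"""

# Key/value secrets in the forms password=..., pwd: ..., token "..." and so on.
KV_SECRET = re.compile(
    r"\b(?P<key>pass(?:word|wd|phrase)?|pwd|secret|token|api[_-]?key)\b"
    r"\s*[=:]\s*\"?(?P<value>[^\s\"]+)",
    re.IGNORECASE,
)
# A username field on the same line, used to tie the secret to an account.
USER_FIELD = re.compile(r"\buser(?:name)?\s*[=:]\s*(?P<user>[^\s\"]+)", re.IGNORECASE)


def find_credentials(log_text: str):
    """Return (line_no, user_or_None, key, value) for every line that leaks a secret."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        for m in KV_SECRET.finditer(line):
            user = USER_FIELD.search(line)
            hits.append((no, user.group("user") if user else None,
                         m.group("key").lower(), m.group("value")))
    return hits


def redact(log_text: str) -> str:
    """Mask secret values in place; the lambda avoids re treating '$' in values as a backreference."""
    return KV_SECRET.sub(lambda m: f"{m.group('key')}=<redacted>", log_text)


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_LOG):
        print("leak:", hit)
    print(redact(SAMPLE_LOG))
```

On the sample input only the DEBUG line fires, which is typical: verbose auth logging left enabled in production is the usual source of this kind of leak.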

Privilege Escalation

  • After gaining SSH access, I ran linpeas.sh to enumerate the system further.

[Image: linPEAS files with interesting permissions]
  • Among the files with interesting permissions, linPEAS hinted at several exploitable CVEs. I focused on CVE-2021-4034 (PwnKit, the local privilege escalation in polkit's SUID pkexec), and it worked like a charm: it granted me root access.
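linPEAS reached that finding by listing SUID binaries. As an added example (not linPEAS code and not part of the original writeup), the script below does the equivalent of `find / -perm -4000` in Python, flags names worth a second look (pkexec being the CVE-2021-4034 target) and applies the vendor-published temporary mitigation of dropping pkexec's SUID bit. The WATCHLIST and the fixture built by build_sample_tree are constructed for the example.

```python
"""Enumerate SUID binaries the way linPEAS reports them, flag pkexec, show the mitigation."""
import os
import stat
import tempfile

# Constructed watchlist: pkexec is the CVE-2021-4034 (PwnKit) target; the others
# are binaries that commonly enable privilege escalation when SUID.
WATCHLIST = {"pkexec", "find", "vim", "bash", "python3", "env"}


def is_suid(path: str) -> bool:
    """True if path is a regular file carrying the set-user-ID bit (symlinks not followed)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(root: str):
    """Walk root and return the sorted paths of SUID files, like `find root -perm -4000`."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                found.append(path)
    return sorted(found)


def triage(paths):
    """Split SUID paths into watchlist hits and the rest."""
    flagged = [p for p in paths if os.path.basename(p) in WATCHLIST]
    other = [p for p in paths if p not in flagged]
    return flagged, other


def mitigate_pkexec(path: str) -> None:
    """Temporary PwnKit mitigation published by vendors: remove the SUID bit (chmod 0755).
    The real fix is the patched polkit package; this only closes the pkexec vector."""
    os.chmod(path, 0o755)


def build_sample_tree() -> str:
    """Constructed fixture: a temp dir holding a SUID 'pkexec' and a plain 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("pkexec", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    flagged, other = triage(find_suid("/usr/bin"))
    print("watchlist SUID hits:", flagged)
    print("other SUID files:", other)
```

Run against a real filesystem this walks from the root you pass it; the fixture exists only so the flag-and-mitigate flow can be exercised without touching the host's pkexec. Whether an installed pkexec is actually vulnerable depends on the distribution's patch level, so treat a SUID pkexec as a candidate to verify, not a confirmed hole.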

Lessons Learned

  • Hidden Endpoints: Always check common files like robots.txt, as they can reveal valuable paths.

  • Weak Credentials: Default or weak passwords on services such as phpmyadmin can be a gold mine.

  • Log Analysis: Don't overlook admin panels' log files, as they may expose additional credentials.

  • Exploitation Paths: Even when a credential doesn't work for one service, trying it in another context (like an admin portal) can succeed.
