Election1 OffSec Walkthrough: Election1 is a medium-difficulty Linux machine on the Proving Grounds Play platform. This walkthrough provides a comprehensive guide to its penetration testing process, focusing on reconnaissance, gaining initial access, and privilege escalation. It is available on OffSec Play and VulnHub.
Reconnaissance:
Nmap: The initial step involved using Nmap to scan for open ports and running services.
Looking for open TCP ports
nmap -n -Pn -p- -sC -sV 192.168.209.211 --open
-n: No DNS resolution
-Pn: Treat all hosts as online (skip host discovery)
-p-: Scan all 65535 ports
-sC: Run default scripts
-sV: Probe to determine service versions
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
| 256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_ 256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.68 seconds
Looking for open UDP ports — the most common UDP ports you may see.
nmap -p 53,67,68,69,111,123,161,162,137,138,139,514,1900,5353,500,445 -sU $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-22 01:02 EDT
Nmap scan report for 192.168.209.211
Host is up (0.054s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
68/udp closed dhcpc
69/udp closed tftp
111/udp closed rpcbind
123/udp closed ntp
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp closed microsoft-ds
500/udp closed isakmp
514/udp closed syslog
1900/udp closed upnp
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds
These scans revealed open SSH (22/tcp) and HTTP (80/tcp) ports, indicating potential vectors for initial access.
Let’s quickly add the target IP to our hosts file before we begin dissecting the web server (writing to /etc/hosts requires root, hence sudo and tee):
echo "192.168.209.211 election1" | sudo tee -a /etc/hosts
Web Enumeration:
Let’s check out the landing page of the web server
election1/

With the web server reachable, we first checked the robots.txt file. This file contains directives for search engine crawlers, specifying which paths on the server should not be indexed, so it often points at paths the site owner would rather not advertise.

After going through the endpoints listed in robots.txt, the /election/ path emerged as particularly interesting. It led to a specialized platform called “Web Based Election System eLection,” hinting at intriguing prospects for further enumeration.

Some might say I’m a bit old-school for sticking with DirBuster for directory brute-forcing, but something about its folder structure layout clicks for me. Old is gold, as they say. Using this tried-and-true method, we stumbled upon a phpmyadmin directory that led us to a login page.


Gaining Initial Access:
Luck was on my side this time; after the usual root:password for phpMyAdmin got me nowhere, I struck gold with root:toor. It’s like they say in the Infosec world:
sometimes, all it takes to crack a system is to guess the right password!

After gaining access to phpMyAdmin, we explored the database tables and then utilized the SQL scripting tab for further system enumeration.


0.1.44-MariaDB-0ubuntu0.18.04.1
The server reports “0.1.44-MariaDB-0ubuntu0.18.04.1”. The version string identifies both the database and the underlying OS release (the 0ubuntu0.18.04.1 suffix is the Ubuntu 18.04 package build), which narrows later research, so we continued to look for more areas on the web server we could enumerate.


Since we don’t have the necessary credentials for the admin login portal yet, we’ll keep exploring other areas and follow up on this later.

We encountered a lengthy string of binary data at the “/election/card.php” endpoint. To decipher it, we copy the binary text into CyberChef to decode it from binary to ASCII format, hoping to reveal any hidden information or clues.

Having decoded the username and password, we can now try them against the admin portal we previously lacked access to.
We use the credentials 1234:Zxc123!@# to log into /election/admin/.




Logs
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2024-03-22 17:38:27] has been logged out from Unknown IP.
[2024-03-22 17:38:27] has been logged out from Unknown IP.
[2024-03-22 18:43:01] Love has been logged in from Unknown IP on Firefox (Linux).
Upon reviewing the logs, we discovered entries revealing credentials for the user love. Notably, there were records of login activities and logout events, hinting at active use of these credentials. Recalling our initial port scan that showed port 22 (SSH) open, we now have a promising avenue to attempt accessing the system using Love’s credentials.
ssh love@192.168.209.211
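As an added, defender-side example (not part of the original walkthrough): a small Python checker that scans application logs in the eLection format shown above for plaintext password disclosures and for session events missing a username, and produces a redacted copy that is safe to paste into a report. The sample log is constructed from the entries on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the eLection application log shown in the walkthrough.
SAMPLE_LOG = """\
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2024-03-22 17:38:27] has been logged out from Unknown IP.
[2024-03-22 17:38:27] has been logged out from Unknown IP.
[2024-03-22 18:43:01] Love has been logged in from Unknown IP on Firefox (Linux).
"""

# One entry per line: "[YYYY-MM-DD HH:MM:SS] message"
LINE_RE = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<msg>.*)$")
# The disclosure pattern seen on this page: the application writes the assigned password in clear.
PASSWORD_RE = re.compile(r"Assigned Password for the user (?P<user>[^\s:]+): (?P<secret>\S+)")
REDACTION = r"Assigned Password for the user \g<user>: [REDACTED]"


@dataclass
class Finding:
    timestamp: str
    user: str
    redacted_line: str


def scan_log(text):
    """Return (password disclosures, session events with no username) found in the log."""
    findings, anomalies = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log entry; ignore
        ts, msg = m.group("ts"), m.group("msg")
        pm = PASSWORD_RE.search(msg)
        if pm:
            findings.append(Finding(ts, pm.group("user"), f"[{ts}] {PASSWORD_RE.sub(REDACTION, msg)}"))
        elif msg.startswith("has been logged"):
            # Subject missing before "has been": the username field was empty when written.
            anomalies.append(f"[{ts}] {msg}")
    return findings, anomalies


def redact_log(text):
    """Return the log with every disclosed password replaced, for safe sharing in a report."""
    return PASSWORD_RE.sub(REDACTION, text)
```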

Privilege Escalation:
Once I successfully SSH’ed into the machine using the valid credentials, I explored the directories, looking for any unusual or suspicious folders. After a thorough initial inspection, I uploaded LinPEAS to the target machine. Running LinPEAS allowed me to comprehensively enumerate the system, specifically searching for potential footholds that could lead to privilege escalation opportunities.


The LinPEAS output provided strong indications of vulnerabilities in Serv-U, specifically hinting at the CVE-2019-12181 exploit. To delve deeper into this lead, I decided to search for relevant exploits using searchsploit and Google, focusing on keywords related to Serv-U and the CVE. This approach would help identify any publicly known exploits that could be leveraged against the system.
searchsploit Serv-U FTP local

We download the script to our current working directory using searchsploit’s -m (mirror) flag.
Serv-U FTP Server < 15.1.7 – Local Privilege Escalation (2). CVE-2019-12181 . local exploit for Multiple platform
searchsploit -m 47173.sh
Once you’ve downloaded the exploit script to your local machine, open it and copy its contents. Then, on the target machine, paste these contents into a new file with whatever name you prefer. Next, make the file executable with chmod +x <filename>. With that set up, you’re ready to execute the script and see what unfolds.

Key Takeaways:
Continuous Enumeration:
- Post-access, it’s crucial to re-enumerate the system for additional vectors and sensitive information, as demonstrated by finding the Serv-U vulnerability and brute-forcing directory/files on the webserver.
Importance of Patching:
- Regularly updating and patching services can significantly reduce the attack surface, as seen with the exploitable Serv-U FTP Server.
Practice Secure Configurations:
- Sensitive information should not be accessible via web directories, and default/weak credentials should never be used in production environments.
Conclusion:
This walkthrough highlights the importance of thorough reconnaissance, the exploitation of common vulnerabilities (like weak credentials and misconfigurations), and the effectiveness of using known exploits for privilege escalation. The success of penetration testing relies on thorough and quick enumeration techniques, continuous learning, and adapting to the environment.