0. Preface

This is a very straightforward and, to be honest, very easy machine. It just requires some enumeration and sifting through the linpeas.sh output. Also, please update your Serv-U if it is still below 15.7.

In this box, we will be tackling:

  1. Web server enumeration.
  2. More web server enumeration.
  3. Translating from binary to text.
  4. Abusing Serv-U 15.6 with SUID bit set.

1. Preliminary NMAP Scan

sudo nmap -sC -sV -oN nmap.txt 192.168.32.11 -v

Only ports 22 and 80 are open. This box is running Ubuntu, and the web server is running on Apache.

2. Web Server Enumeration (Part 1)

Let’s see what’s on port 80.

Nothing much except the default page. We will run gobuster on this to brute-force directories.

gobuster dir -u http://192.168.32.11 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt

Let’s try accessing /election.

Looking at the page source, this seems to be running PHP. We will run another gobuster scan to look for PHP files.

gobuster dir -u http://192.168.32.11/election -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -o gobuster-election.txt

Let’s access /election/card.php.

We have what looks like binary. Let’s put it through CyberChef.

Converting it once gives us more binary, which we convert a second time to get our first set of creds: 1234:Zxc123!@#.

Let’s check out /election/admin next and try to log in with the credentials we got.

Awesome.

3. Web Server Enumeration (Part 2)

Let’s hop on over to the settings page.

At the bottom, there’s a system info box. Pretty useful to have system info. Let’s take a look at logging.

Now we have our second set of credentials: love:P@$$w0rd@123. We can try to SSH into the box with those.

Let’s grab the user flag from the desktop.

4. Exploiting Serv-U to Root

Let’s start off by uploading and running linpeas.sh to enumerate the machine.

We see that there is a binary, Serv-U, which has the SUID bit set. Let’s take a look in the /usr/local/Serv-U directory.

Taking a look at Serv-U-StartupLog.txt, we see that it is running version 15.1.6.25.

searchsploit Serv-U

Running searchsploit on that gives us two exploits. Let’s use the first one - 47009.c.

We will compile this with gcc locally.

gcc 47009.c -o exploit

Now, let’s upload the exploit to the remote server and run it.

And we have root.
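
The whole root step hinged on a setuid binary sitting under /usr/local/Serv-U, which is exactly what linpeas.sh flagged. As an added example (not part of the original write-up), this Python audit reports setuid files that live outside an expected set of directories; the function name, the Finding type and the directory baseline are assumptions to adapt to your own systems.

```python
import os
import stat
from typing import Iterable, List, NamedTuple

# Assumption: directories where distribution packages normally place
# setuid programs. Anything setuid outside of these gets reported.
DEFAULT_EXPECTED = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                    "/usr/lib", "/usr/libexec")


class Finding(NamedTuple):
    path: str       # resolved path of the setuid file
    owner_uid: int  # 0 means the program runs with root's privileges
    mode: str       # ls-style mode string, e.g. -rwsr-xr-x


def audit_setuid(root: str,
                 expected_dirs: Iterable[str] = DEFAULT_EXPECTED) -> List[Finding]:
    """Walk `root` and return setuid regular files outside expected_dirs."""
    expected = tuple(os.path.realpath(d) + os.sep for d in expected_dirs)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue             # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_ISUID:
                continue
            real = os.path.realpath(path)
            if real.startswith(expected):
                continue             # inside the expected baseline
            findings.append(Finding(real, st.st_uid, stat.filemode(st.st_mode)))
    return sorted(findings)


if __name__ == "__main__":
    # /usr/local is where the Serv-U install in this write-up lived.
    for f in audit_setuid("/usr/local"):
        flag = "ROOT-OWNED" if f.owner_uid == 0 else "uid=%d" % f.owner_uid
        print(f"{f.mode} {flag:>10} {f.path}")
```

Run it from a scheduled job and compare the output against the previous run, so that a newly installed third-party setuid binary shows up for review and patching.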