
eLection Walkthrough – Offsec Proving Grounds Play Machine

eLection is an Intermediate difficulty machine on Offsec’s PG Play, highly rated by the community. In this technical walkthrough, I share how I methodically compromised it, starting with a comprehensive Nmap scan to identify its open network ports.

Port 80: HTTP

Accessing http://$ip shows the default Apache2 Ubuntu landing page, indicating a web server running Apache. Further exploration reveals a phpMyAdmin interface at http://$ip/phpmyadmin. This page prompts for login credentials, suggesting potential attack vectors through the web application and the database admin interface. The robots.txt file (http://192.168.189.211/robots.txt) lists directories such as /admin, /wordpress, /user, and /election, some of them disallowed, which guided the enumeration effort.

admin (Not found)
wordpress (Not found)
user (Not found)
election (Website)

Visiting /election reveals “Tripath Projects: Web Based Election System,” a custom web app for electronic voting. Examining the site, I identified an existing vote from user admin1, which I added to my wordlist for brute-forcing attempts. The application includes several functionalities warranting further security assessment.

Tripath Projects: Web Based Election System
Poking around the site, I noticed an existing vote from user **admin1** (added to the wordlist).

Before deep-diving, I researched Tripath Projects and found documented vulnerabilities, including authenticated Remote Code Execution (RCE) and SQL Injection (SQLi). Navigating to http://192.168.189.211/election/admin/ and submitting admin1 triggered an error message, possibly indicating input handling flaws. Attempts to access the /user and /wordpress directories were unsuccessful, so I waited for the AutoRecon scans to finish in case they uncovered more attack surface.

Typed admin1 and pressed Next and got the following error:

Further investigation into authenticated SQLi referenced AJAX endpoints at http://192.168.189.211/election/admin/ajax/, mostly returning “Request Denied” errors except one mentioning lack of authentication. Directory brute-forcing with DirBuster flagged an interesting page: http://192.168.189.211/election/card.php.

Decoding the page content’s binary data twice revealed credentials, 1234:Zxc123!@#, which I successfully used to authenticate at http://192.168.189.211/election/admin/index.php as an admin user. This granted privileged access to the administration dashboard for version 2.0 (released March 6, 2019). Despite references to SQLi attacks and sqlmap, I chose to proceed manually to better understand the vulnerability mechanism, using Burp Suite’s Repeater to confirm the presence of SQL Injection.
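To show what the double decoding above amounts to, here is an added example (not code from the original post or from Tripath Projects) that peels off successive layers of 8-bit binary encoding until the payload no longer looks like binary. It assumes the card.php data was space-separated 8-bit groups; the sample input is constructed by encoding the recovered credential string twice.

```python
import re

BINARY_RE = re.compile(r"^[01\s]+$")


def encode_binary(text: str) -> str:
    """Encode text as space-separated 8-bit binary groups."""
    return " ".join(format(b, "08b") for b in text.encode())


def decode_binary(data: str) -> str:
    """Decode a string of 0/1 groups (spaces optional) back to text."""
    bits = re.sub(r"\s+", "", data)
    if len(bits) % 8 or not re.fullmatch(r"[01]+", bits):
        raise ValueError("not a clean 8-bit binary string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode()


def peel_binary(data: str, max_layers: int = 5) -> tuple:
    """Repeatedly decode while the payload still looks like binary.

    Returns (plaintext, number_of_layers_removed). The '0'/'1' presence check
    stops the loop from treating a short plaintext such as "1" as binary.
    """
    layers = 0
    while layers < max_layers and BINARY_RE.match(data) and "0" in data and "1" in data:
        data = decode_binary(data)
        layers += 1
    return data, layers


# Constructed sample standing in for the card.php content: the credential string
# from the walkthrough, binary-encoded twice (assumption: 8-bit, space-separated).
SAMPLE = encode_binary(encode_binary("1234:Zxc123!@#"))

if __name__ == "__main__":
    plaintext, layers = peel_binary(SAMPLE)
    print(f"{layers} layers removed -> {plaintext}")
```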

Port 22: SSH

System logs retrieved from the compromised machine contained a plaintext password assigned to user love: P@$$w0rd@123. Several log entries indicated successful logins and candidate additions by this user, confirming active use.

[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2024-05-31 20:01:47] Love has been logged in from Unknown IP on Firefox (Linux).
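The log above is a textbook case of an application writing a credential in clear text. As an added example (not part of the original post), the following detector scans log lines in this `[timestamp] message` format for password assignments and reports them with the secret redacted; the sample input is constructed from the four lines quoted above, and the patterns are my own assumptions about how such leaks are phrased.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the system.log lines quoted in the walkthrough.
SAMPLE_LOG = """\
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2024-05-31 20:01:47] Love has been logged in from Unknown IP on Firefox (Linux).
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")

# Phrasings that indicate a secret was written to the log in clear text (assumed patterns).
SECRET_PATTERNS = [
    re.compile(r"\b(?:assigned|reset|new|temporary)\s+password\s+for\s+(?:the\s+)?user\s+"
               r"(?P<user>\S+):\s*(?P<secret>\S+)", re.I),
    re.compile(r"\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(?P<secret>\S+)", re.I),
]


@dataclass
class Finding:
    timestamp: str
    user: Optional[str]
    redacted_line: str


def redact(secret: str) -> str:
    """Keep two leading characters for correlation, mask the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 4 else "*" * len(secret)


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per log line that leaks a credential, secret masked."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for pat in SECRET_PATTERNS:
            hit = pat.search(m["msg"])
            if hit:
                secret = hit["secret"]
                user = hit.groupdict().get("user")
                findings.append(Finding(m["ts"], user, line.replace(secret, redact(secret))))
                break
    return findings
```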

Foothold

Logging in over SSH with the credentials love:P@$$w0rd@123 provided initial shell access, eliminating the need for full SQLi exploitation and giving an ideal foothold for privilege escalation.

The creds let me in!! (Glad I didn’t have to deal with SQLi) 😛

Grabbed local.txt

Privilege Escalation

Upon gaining shell access, I ran linpeas.sh to enumerate potential privilege escalation vectors. It highlighted writable files and directories, including /var/spool/cron/crontabs and writable log files such as /home/love/.local/share/gvfs-metadata/root-7bedd492.log, signaling a possible cron or logrotate exploit opportunity.

GROUP writable files
	/var/spool/cron/crontabs

	╔══════════╣ Writable log files (logrotten) (limit 50)
	╚ <https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation>
	logrotate 3.15.1
	
	    Default mail command:       /bin/mail
	    Default compress command:   /bin/gzip
	    Default uncompress command: /bin/gunzip
	    Default compress extension: .gz
	    Default state file path:    /var/lib/logrotate.status
	    ACL support:                no
	    SELinux support:            no
	./linpeas.sh: 5503: [: ImPOsSiBleeElastWlogFolder: unexpected operator
	./linpeas.sh: 5503: [: ImPOsSiBleeElastWlogFolder: unexpected operator
	Writable: /home/love/.local/share/gvfs-metadata/root-7bedd492.log

pkexec policy
	AdminIdentities=unix-group:sudo;unix-group:admin

Logrotate (Logrotten)

The pkexec policy showed AdminIdentities set to unix-group:sudo and unix-group:admin, a common target for privilege escalation. I looked into the logrotate vulnerability (following the CVE references and exploitation techniques documented on HackTricks) and attempted it with the Logrotten tool, but pspy monitoring never showed logrotate being triggered.

[CVE-2021-4034] PwnKit

Shifting focus, I explored kernel-level vulnerabilities and successfully compiled and executed an exploit for CVE-2021-4034 (PwnKit), gaining root privileges on the system.

Additional research indicated many walkthroughs exploited the Serv-U SUID binary for elevation. Official OffSec videos also validated this method, underscoring the versatility of exploitation paths on this box.

This detailed hands-on experience with eLection highlights the importance of methodical enumeration, credential harvesting, manual SQLi verification, and varied privilege escalation techniques in cybersecurity penetration testing exercises.

By sharing this technical blog, I aim to help fellow cybersecurity engineers deepen practical understanding of real-world web application vulnerabilities, SSH exploitation, and Linux privilege escalation tactics for improved Red Team effectiveness. Stay curious, keep hacking, and keep sharing knowledge.
