
eLection Walkthrough – Offsec Proving Grounds Play Machine

eLection is an Intermediate-difficulty machine on Offsec's PG Play, well rated by the community. In this walkthrough I share how I compromised it, starting from an Nmap scan to identify its open ports.

Port 80: HTTP

Browsing to http://$ip shows the default Apache2 Ubuntu landing page, so the box runs Apache on Ubuntu. http://$ip/phpmyadmin serves a phpMyAdmin login form, which puts both the web application and the database administration interface on the list of attack surfaces. The robots.txt file (http://192.168.189.211/robots.txt) lists /admin, /wordpress, /user and /election, which narrows the enumeration:

admin (Not found)
wordpress (Not found)
user (Not found)
election (Website)

Visiting /election reveals "Tripath Projects: Web Based Election System", a custom web application for electronic voting. Poking around the site, I noticed an existing vote cast by the user admin1 and added that name to my username wordlist for later brute-forcing. The application exposes several functions worth a closer look.


Before digging in, I researched Tripath Projects' election system and found public write-ups of an authenticated Remote Code Execution (RCE) and an authenticated SQL Injection (SQLi). Both need valid admin credentials, so finding some became the first job. Navigating to http://192.168.189.211/election/admin/, typing admin1 and pressing Next produced an error message. /user and /wordpress gave nothing useful, and I left AutoRecon running in the background to look for more attack surface.


The authenticated SQLi write-up pointed at the AJAX endpoints under http://192.168.189.211/election/admin/ajax/. Without a session these mostly answer "Request Denied"; one instead complained about the missing authentication, confirming that credentials are needed before any of them become useful. Directory brute-forcing with DirBuster then turned up an interesting page: http://192.168.189.211/election/card.php.

card.php contains a block of binary (0/1) text. Decoding it to ASCII yields a second binary string, and decoding that yields the credential pair 1234:Zxc123!@#. These worked at http://192.168.189.211/election/admin/index.php and gave me the administration dashboard of version 2.0 (released March 6, 2019). The public material for this version leans on sqlmap, but I chose to work manually to understand the flaw, using Burp Suite's Repeater to confirm the SQL injection by hand.
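The double decode described above, as an added example that is not part of the original post: a small Python helper that keeps peeling binary-text layers until the result is no longer made of 0/1 characters, then splits the credential on its first colon. The sample blob is constructed here by encoding the recovered credential twice; it is not the actual content of card.php.

```python
"""Decode nested binary text (as served by card.php) until it becomes readable.

Added example, not the author's script. SAMPLE_BLOB is constructed by
encoding the credential from the walkthrough twice; it is not page content.
"""
import re

# A layer counts as "still binary" when it holds only 0, 1 and whitespace.
BINARY_TEXT = re.compile(r"^[01\s]+$")


def to_binary(text: str) -> str:
    """Encode text as space-separated 8-bit groups (only used to build the sample)."""
    return " ".join(f"{b:08b}" for b in text.encode())


def decode_once(blob: str) -> str:
    """Turn one layer of 0/1 characters (whitespace ignored) back into text."""
    bits = re.sub(r"\s+", "", blob)
    if not bits or len(bits) % 8:
        raise ValueError("bit string is empty or not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("latin-1")


def decode_nested(blob: str, max_layers: int = 8):
    """Peel binary layers until the result is no longer binary text.

    Returns (text, layers_removed). Stops early on a malformed layer, and
    max_layers guards against short all-0/1 results that would loop forever.
    """
    current, layers = blob, 0
    while layers < max_layers and current.strip() and BINARY_TEXT.match(current):
        try:
            current = decode_once(current)
        except ValueError:
            break
        layers += 1
    return current, layers


def split_credential(text: str):
    """Split 'user:password' on the first colon so passwords containing ':' survive."""
    user, sep, password = text.strip().partition(":")
    if not sep:
        raise ValueError("no ':' separator in decoded text")
    return user, password


# Constructed sample: the walkthrough's credential encoded to binary twice.
SAMPLE_BLOB = to_binary(to_binary("1234:Zxc123!@#"))

if __name__ == "__main__":
    text, layers = decode_nested(SAMPLE_BLOB)
    print(f"{layers} layer(s) removed -> {text!r}")
    print(split_credential(text))
```

Paste the raw page text in place of SAMPLE_BLOB; whitespace and newlines between the bit groups are ignored, and the loop stops on its own once the output stops looking like binary.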

Port 22: SSH

The election application's system logs, viewable once logged into the admin dashboard, contained a plaintext password assigned to the user love: P@$$w0rd@123. Later entries show logins and a candidate addition by this user, so the account is in active use:

[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
[2024-05-31 20:01:47] Love has been logged in from Unknown IP on Firefox (Linux).

Foothold

Logging in over SSH as love:P@$$w0rd@123 gave me a shell straight away, so I never had to weaponise the SQLi. Password reuse between the web application and the OS account was the real foothold, and a much more comfortable one than blind injection.


Grabbed local.txt

Privilege Escalation

With a shell, I ran linpeas.sh to enumerate privilege escalation vectors. It flagged /var/spool/cron/crontabs as group-writable and /home/love/.local/share/gvfs-metadata/root-7bedd492.log as a writable log, hinting at a cron or logrotate (logrotten) path. Both findings deserve a second look before chasing them: on Ubuntu the crontabs spool is group-writable by the crontab group by design (the setgid crontab binary writes there) and user crontabs run as that user, not root; and a writable log only helps logrotten if logrotate actually rotates it as root, which a file under the user's own home normally is not.

GROUP writable files
	/var/spool/cron/crontabs

	╔══════════╣ Writable log files (logrotten) (limit 50)
	╚ <https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation>
	logrotate 3.15.1
	
	    Default mail command:       /bin/mail
	    Default compress command:   /bin/gzip
	    Default uncompress command: /bin/gunzip
	    Default compress extension: .gz
	    Default state file path:    /var/lib/logrotate.status
	    ACL support:                no
	    SELinux support:            no
	./linpeas.sh: 5503: [: ImPOsSiBleeElastWlogFolder: unexpected operator
	./linpeas.sh: 5503: [: ImPOsSiBleeElastWlogFolder: unexpected operator
	Writable: /home/love/.local/share/gvfs-metadata/root-7bedd492.log

pkexec policy
	AdminIdentities=unix-group:sudo;unix-group:admin

Logrotate (Logrotten)

The pkexec policy listing AdminIdentities as unix-group:sudo and unix-group:admin is the stock polkit configuration; it only says which groups may authorise admin actions and is not a vector on its own. I read up on the logrotate race described on HackTricks and tried the Logrotten tool against the writable log, but pspy never showed logrotate touching that file, so there was nothing to race.
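The check I would want before spending time on logrotten, as an added example that is not part of the original post or of the Logrotten tool: parse the logrotate configuration (the global defaults plus the per-log stanzas) and ask whether a given writable log is rotated at all, and whether the stanza uses create or compress, which the race depends on. The configuration text and the /var/log/election path are constructed for the example; the gvfs-metadata path is the one linpeas reported. Write access to the log's directory is the other precondition, so it is passed in explicitly.

```python
"""Triage a writable log for a logrotten-style race by reading the logrotate config.

Added example, not the author's tooling and not part of Logrotten. SAMPLE_CONF
is constructed to resemble logrotate.conf plus two logrotate.d fragments.
"""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Stanza:
    patterns: list                      # path globs listed before the '{'
    directives: dict = field(default_factory=dict)


def _strip_comments(text: str) -> str:
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _directives(body: str) -> dict:
    """'name arg arg' lines -> {name: [args]}; bare options map to []."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            name, *args = line.split()
            out[name] = args
    return out


def parse_logrotate(text: str):
    """Return (global defaults, [Stanza]) for one or more concatenated config files."""
    text = _strip_comments(text)
    defaults, stanzas, pos = {}, [], 0
    for m in re.finditer(r"\{(.*?)\}", text, re.S):
        head = [l for l in text[pos:m.start()].splitlines() if l.strip()]
        # The line right before '{' lists the paths; anything earlier is a global default.
        patterns = [p.strip('"') for p in head[-1].split()]
        defaults.update(_directives("\n".join(head[:-1])))
        stanzas.append(Stanza(patterns, _directives(m.group(1))))
        pos = m.end()
    defaults.update(_directives(text[pos:]))        # globals after the last stanza
    return defaults, stanzas


def rotation_for(path: str, defaults: dict, stanzas: list):
    """Effective directives for `path`, or None when no stanza covers it.

    fnmatch lets '*' cross '/', unlike the glob(3) logrotate uses; that is a
    slightly generous match, which is fine for triage.
    """
    for s in stanzas:
        if any(fnmatch.fnmatchcase(path, p) for p in s.patterns):
            merged = {**defaults, **s.directives}
            for opt in ("create", "compress"):      # nocreate/nocompress override globals
                if "no" + opt in s.directives:
                    merged.pop(opt, None)
            return merged
    return None


def assess(path: str, dir_writable: bool, defaults: dict, stanzas: list) -> dict:
    """Verdict on whether a logrotten attempt against `path` can work at all."""
    d = rotation_for(path, defaults, stanzas)
    if d is None:
        return {"rotated": False, "mode": None, "worth_trying": False,
                "reason": "no logrotate stanza covers this path; writability is irrelevant"}
    mode = "create" if "create" in d else ("compress" if "compress" in d else None)
    ok = dir_writable and mode is not None
    return {"rotated": True, "mode": mode, "worth_trying": ok,
            "reason": f"rotated with {mode}; directory writable" if ok
            else "needs a writable log directory and a create or compress stanza"}


SAMPLE_CONF = """
# constructed: logrotate.conf globals followed by two logrotate.d fragments
weekly
rotate 4
create

/var/log/apache2/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    create 640 root adm
}

/var/log/election/app.log {   # constructed path, not on the box
    missingok
    nocreate
}
"""

if __name__ == "__main__":
    defaults, stanzas = parse_logrotate(SAMPLE_CONF)
    for log in ("/home/love/.local/share/gvfs-metadata/root-7bedd492.log",
                "/var/log/apache2/access.log", "/var/log/election/app.log"):
        print(log, "->", assess(log, True, defaults, stanzas))
```

On a real target, feed it `cat /etc/logrotate.conf /etc/logrotate.d/*` and the output of `test -w "$(dirname "$LOG")"`; a path that no stanza matches, like the gvfs-metadata log here, can be dropped immediately, which is exactly what pspy later confirmed the hard way.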

[CVE-2021-4034] PwnKit

Shifting focus to setuid binaries, I compiled and ran a public exploit for CVE-2021-4034 (PwnKit), the local privilege escalation in polkit's pkexec, and got root. PwnKit is not a kernel bug: it abuses pkexec's handling of an empty argument list, and it works here only because the box's pkexec predates the January 2022 patch.

Other walkthroughs, and OffSec's own video for the box, escalate through the setuid Serv-U FTP binary instead, which was the intended path when the machine was built; PwnKit is a shortcut that only became available later. Either way, the box rewards checking more than one route.

eLection is a good reminder of how far methodical enumeration, credential harvesting and password reuse take you, with manual SQLi verification and a choice of privilege escalation techniques rounding out the exercise.

By sharing this walkthrough I hope to help fellow security engineers deepen their practical understanding of web application vulnerabilities, credential reuse over SSH and Linux privilege escalation. Stay curious, keep hacking, and keep sharing knowledge.
