Difficulty: easy

Kali: 192.168.56.104

Target: 192.168.56.174

Port scan

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.174 -sV -A -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-15 17:47 CST
Nmap scan report for 192.168.56.174
Host is up (0.0022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.56.104
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx    2 0        0            4096 Jun 09  2022 reminder [NSE: writeable]
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ce:ac:1c:04:d6:f6:64:d6:d9:9d:88:c9:0d:66:a9:45 (RSA)
|   256 4f:f1:7b:69:5c:47:b2:91:b8:d2:2f:82:73:b7:fc:03 (ECDSA)
|_  256 65:6b:3b:8c:89:81:4d:f3:98:98:5a:ed:57:cf:58:c9 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: NightCity Web Server
|_http-server-header: Apache/2.4.29 (Ubuntu)
MAC Address: 08:00:27:EA:9B:0B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8, Linux 5.0 - 5.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   2.24 ms 192.168.56.174

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.89 seconds

Three ports are open: 21, 22 and 80. The FTP service on port 21 allows anonymous access.

Anonymous FTP access

┌──(root㉿kali2)-[~/Desktop]
└─# ftp 192.168.56.174             
Connected to 192.168.56.174.
220 Welcome to the NightCity Server!!
Name (192.168.56.174:root): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||18504|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Jun 09  2022 reminder
226 Directory send OK.
ftp> ls -al
229 Entering Extended Passive Mode (|||27877|)
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Jun 09  2022 .
drwxr-xr-x    3 0        0            4096 Jun 09  2022 ..
drwxrwxrwx    2 0        0            4096 Jun 09  2022 reminder
226 Directory send OK.
ftp> cd reminder
250 Directory successfully changed.
ftp> ls -alk
229 Entering Extended Passive Mode (|||25685|)
150 Here comes the directory listing.
drwxrwxrwx    2 0        0            4096 Jun 09  2022 .
drwxr-xr-x    3 0        0            4096 Jun 09  2022 ..
-rwxr-xr-x    1 0        0              33 Jun 09  2022 reminder.txt
226 Directory send OK.
ftp> get reminder.txt
local: reminder.txt remote: reminder.txt
229 Entering Extended Passive Mode (|||29822|)
150 Opening BINARY mode data connection for reminder.txt (33 bytes).
100% |******************************************************************************************************************************************************************************************************************|    33        0.37 KiB/s    00:00 ETA226 Transfer complete.
33 bytes received in 00:00 (0.37 KiB/s)
ftp> quit
221 Goodbye.

┌──(root㉿kali2)-[~/Desktop]
└─# cat reminder.txt 
Local user is in the coordinates

"Local user is in the coordinates": I don't know what this is for yet, so I'll hold on to it for now.

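Web information gathering

Directory scan

I read through the page source and found no domain names, and clicking through the site's features turned up nothing either, so I went straight to a directory scan.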

┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.174 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.174
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,html,txt,php,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 8407]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.174/images/]
/contact.html         (Status: 200) [Size: 6349]
/about.html           (Status: 200) [Size: 7744]
/gallery.html         (Status: 200) [Size: 8768]
/js                   (Status: 301) [Size: 313] [--> http://192.168.56.174/js/]
/robots.txt           (Status: 200) [Size: 136]
/secret               (Status: 301) [Size: 317] [--> http://192.168.56.174/secret/]
/robin                (Status: 200) [Size: 1873]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 676813 / 1323366 (51.14%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 676904 / 1323366 (51.15%)
===============================================================
Finished
===============================================================

First, robots.txt:

#Good Job

To continue, you need a workmate. Our lastest news is that Robin is close to
NightCity. Try to find him, Robin has the key!

In other words, find Robin.

Next, the /robin page:

ATMAN Y ROBIN VOL. 01. PARTE I.

Hay un nuevo Dúo Dinámico en la ciudad. Tras la desaparición de Bruce Wayne, y concluida La Batalla por la Capucha, el Hombre Murciélago es ahora Dick Grayson. Pero tendrá que llevar a cabo su misión como justiciero junto a un acompañante imprevisto: Damian Wayne, hijo de Bruce y Talia al Ghul, ha asumido el papel de Robin... después de que Tim Drake, el anterior titular, haya adoptado otra identidad y emprendido una difícil búsqueda destinada a arrojar increíbles resultados sobre el verdadero destino del mentor de todos ellos. Sin embargo, mientras tanto, Dick y Damian deberán afrontar una Gotham que parece más enloquecida que nunca: a villanos cada vez más insólitos, entre ellos el Profesor Pyg y los demás miembros de su Circo de lo Extraño, se une el regreso de otro excompañero de Batman. Jason Todd, alias Capucha Roja, no solo cuenta con alguien muy sorprendente para ayudarle... ¡también está decidido a poner fin al reinado de los nuevos Batman y Robin antes incluso de que empiece!

Grant Morrison y Frank Quitely, un tándem con obras tan reconocidas como All-Star Superman y New X-Men, toma las riendas de la primera colección del Caballero Oscuro y el Chico Maravilla que lleva sus nombres en el título... aunque los integrantes de este equipo no sean los habituales ni por asomo. Junto a Philip Tan (Batman del Futuro: La ciudad de japon), los dos aclamados autores escoceses abren una etapa repleta de innovadores conceptos y situaciones sin parangón que no dejarán indiferente a ningún lector. Lo demuestran a la perfección los dos arcos argumentales iniciales de la serie, Batman renacido y La venganza de Capucha Roja, que se incluyen íntegramente en este tomo de Batman Saga 
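Batman and Robin, Vol. 01, Part I.
There is a new Dynamic Duo in town. After the disappearance of Bruce Wayne, and with the Battle for the Cowl concluded, the Batman is now Dick Grayson. But he will have to carry out his mission as a vigilante alongside an unexpected partner: Damian Wayne, son of Bruce and Talia al Ghul, has taken on the role of Robin... after Tim Drake, the previous holder, adopted another identity and set out on a difficult search destined to yield incredible results about the true fate of the mentor of them all. Meanwhile, however, Dick and Damian must face a Gotham that seems crazier than ever: increasingly unusual villains, among them Professor Pyg and the other members of his Circus of Strange, are joined by the return of another former partner of Batman. Jason Todd, alias Red Hood, not only has someone very surprising to help him... he is also determined to put an end to the reign of the new Batman and Robin before it even begins!
Grant Morrison and Frank Quitely, a team with works as renowned as All-Star Superman and New X-Men, take the reins of the first series of the Dark Knight and the Boy Wonder to carry their names in the title... although the members of this team are nothing like the usual ones. Together with Philip Tan (Batman of the Future: The City of Japan), the two acclaimed Scottish creators open a run full of innovative concepts and unparalleled situations that will leave no reader indifferent. This is shown perfectly by the series' first two story arcs, Batman Reborn and Revenge of the Red Hood, which are included in full in this volume of Batman Saga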

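It's not that my English is bad; they just didn't give me any English to read.

Gotham, I'm home (not really).
Next, the /secret directory.
Three images. After opening them, my gut feeling was steganography, so I pulled them over to Kali for analysis.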

┌──(root㉿kali2)-[~/Desktop]
└─# curl http://192.168.56.174/secret/most-wanted.jpg > most_wanted.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  127k  100  127k    0     0  39.8M      0 --:--:-- --:--:-- --:--:-- 41.6M

┌──(root㉿kali2)-[~/Desktop]
└─# curl http://192.168.56.174/secret/some-light.jpg >some-light.jpg   
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  213k  100  213k    0     0  26.5M      0 --:--:-- --:--:-- --:--:-- 29.8M

┌──(root㉿kali2)-[~/Desktop]
└─# curl http://192.168.56.174/secret/veryImportant.jpg > veryImportant.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  185k  100  185k    0     0  21.8M      0 --:--:-- --:--:-- --:--:-- 22.6M

┌──(root㉿kali2)-[~/Desktop]
└─# stegseek most_wanted.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "japon"
[i] Original filename: "pass.txt".
[i] Extracting to "most_wanted.jpg.out".

┌──(root㉿kali2)-[~/Desktop]
└─# cat most_wanted.jpg.out                                                
VGhpc0lzVGhlUmVhbFBhc3N3MHJkIQ==

┌──(root㉿kali2)-[~/Desktop]
└─# cat most_wanted.jpg.out | base64 -d
ThisIsTheRealPassw0rd!
┌──(root㉿kali2)-[~/Desktop]
└─# stegseek some-light.jpg            
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 98.91% (132.0 MB)           
[!] error: Could not find a valid passphrase.

┌──(root㉿kali2)-[~/Desktop]
└─# stegseek veryImportant.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 98.89% (132.0 MB)           
[!] error: Could not find a valid passphrase.

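That yields a password, ThisIsTheRealPassw0rd!. It did not get me into robin's SSH account, but when I tried batman it logged straight in. I basically turned into Batman on the spot; normally you would have to brute-force the username with a wordlist.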

┌──(root㉿kali2)-[~/Desktop]
└─# ssh robin@192.168.56.174  
The authenticity of host '192.168.56.174 (192.168.56.174)' can't be established.
ED25519 key fingerprint is SHA256:b5bJxI3fDeAAZm5bTrbGo9f1KEpEBR0FiU/HV8nzM3M.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ye
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.56.174' (ED25519) to the list of known hosts.
robin@192.168.56.174's password: 
Permission denied, please try again.
robin@192.168.56.174's password: 

┌──(root㉿kali2)-[~/Desktop]
└─# ssh batman@192.168.56.174
batman@192.168.56.174's password: 

 _   _ _       _     _    ____ _ _         
| \ | (_) __ _| |__ | |_ / ___(_) |_ _   _ 
|  \| | |/ _` | '_ \| __| |   | | __| | | |
| |\  | | (_| | | | | |_| |___| | |_| |_| |
|_| \_|_|\__, |_| |_|\__|\____|_|\__|\__, |
         |___/                       |___/ 

***  NightCityCTF © 2022 by Waidroc & Cillo31 is licensed under CC BY-NC-SA 4.0.  ***
              ***  https://www.github.com/Waidroc/NightCityCTF ***                   

Welcome to Ubuntu 18.04.6 LTS (5.4.0-84-generic).

System information as of: Wed May 15 12:14:49 CEST 2024

System Load:    0.00    IP Address:
Memory Usage:   8.1%    System Uptime:  36 min
Usage On /:     50%     Swap Usage:     0.0%
Local Users:    0       Processes:      125

*** System restart required ***
38 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Last login: Wed Jun 15 19:15:17 2022 from 10.0.2.8
batman@NightCity:~$
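
A defender's view of the robin-then-batman login above, as an added example that is not part of the original writeup: the code below scans sshd auth-log lines for a source address that fails password authentication as one user and then succeeds as a different user shortly afterwards. The log lines are constructed in the usual OpenSSH syslog format; the function name, the 10-minute window and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (OpenSSH syslog format); PIDs, ports and times are made up.
SAMPLE_LOG = """\
May 15 12:13:58 NightCity sshd[1421]: Failed password for robin from 192.168.56.104 port 40112 ssh2
May 15 12:14:05 NightCity sshd[1421]: Failed password for robin from 192.168.56.104 port 40112 ssh2
May 15 12:14:49 NightCity sshd[1430]: Accepted password for batman from 192.168.56.104 port 40120 ssh2
May 15 12:20:10 NightCity sshd[1502]: Failed password for invalid user admin from 10.0.2.8 port 51000 ssh2
May 15 13:40:00 NightCity sshd[1611]: Failed password for joker from 10.0.2.9 port 52000 ssh2
May 15 13:40:20 NightCity sshd[1611]: Accepted password for joker from 10.0.2.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_cross_user_logins(log_text, window=timedelta(minutes=10), year=2024):
    """Return one alert per successful login that follows failures for a
    different username from the same source IP within `window`.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    failures = defaultdict(list)  # source ip -> [(time, username), ...]
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth result line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append((when, user))
            continue
        # Successful login: collect recent failures for *other* usernames.
        # A failure followed by success for the same user is treated as a
        # typo and is not reported.
        others = sorted({
            u for t, u in failures[ip]
            if u != user and timedelta(0) <= when - t <= window
        })
        if others:
            alerts.append({
                "ip": ip,
                "logged_in_as": user,
                "failed_as": others,
                "time": when.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cross_user_logins(SAMPLE_LOG):
        print(alert)
```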

Privilege escalation to root

batman@NightCity:~$ ls -al
total 308
drwxr-xr-x 5 batman        batman          4096 jun 15  2022 .
drwxr-xr-x 6 root          root            4096 jun  9  2022 ..
-rw------- 1 batman        batman           972 jun 15  2022 .bash_history
-rw-r--r-- 1 batman        batman           220 jun  8  2022 .bash_logout
-rw-r--r-- 1 batman        batman          3771 jun  8  2022 .bashrc
drwx------ 2 batman        batman          4096 jun  9  2022 .cache
-rw-r--r-- 1 root          root              66 jun  9  2022 flag.txt
drwx------ 3 batman        batman          4096 jun  9  2022 .gnupg
-rw-rw-r-- 1 administrator administrator 272105 jun  9  2022 iknowyou.jpg
drwxrwxr-x 3 batman        batman          4096 jun 15  2022 .local
-rw-r--r-- 1 batman        batman           807 jun  8  2022 .profile
batman@NightCity:~$ cat flag.txt 
Nice try! but, this is not the flag. You have to keep working >:)

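The batman user's password is the user flag, so this flag.txt is useless. There is an image, iknowyou.jpg, in the current directory. Surely it isn't steganography again?
Start a Python HTTP server and transfer the image to Kali.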

┌──(root㉿kali2)-[~/Desktop]
└─# stegseek iknowyou.jpg       
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Progress: 99.25% (132.4 MB)           
[!] error: Could not find a valid passphrase.

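stegseek found nothing.

Time to analyze it by hand; apparently I'm doing MISC challenges again.
Flipping through it in stegsolve, there seems to be something on the pillar, but even with my 5.0 eyesight I still can't make it out.
I learned about a new steganalysis tool, stegoveritas.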

$ pip3 install stegoveritas
$ stegoveritas_install_deps
┌──(root㉿kali2)-[~/Desktop]
└─# stegoveritas iknowyou.jpg 
Running Module: SVImage
+------------------+------+
|   Image Format   | Mode |
+------------------+------+
| JPEG (ISO 10918) | RGB  |
+------------------+------+
+---------+------------------+-------------------------------------------------------------------------------------------------------+-----------+
| Offset  | Carved/Extracted | Description                                                                                           | File Name |
+---------+------------------+-------------------------------------------------------------------------------------------------------+-----------+
| 0x2d411 | Carved           | LZMA compressed data, properties: 0xC0, dictionary size: 16777216 bytes, uncompressed size: 132 bytes | 2D411.7z  |
| 0x2d411 | Extracted        | LZMA compressed data, properties: 0xC0, dictionary size: 16777216 bytes, uncompressed size: 132 bytes | 2D411     |
+---------+------------------+-------------------------------------------------------------------------------------------------------+-----------+
+---------+------------------+-------------------------------------------------------------------------------------------------+-----------+
| Offset  | Carved/Extracted | Description                                                                                     | File Name |
+---------+------------------+-------------------------------------------------------------------------------------------------+-----------+
| 0x30fd2 | Carved           | LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 6144 bytes | 30FD2.7z  |
| 0x30fd2 | Extracted        | LZMA compressed data, properties: 0xC0, dictionary size: 0 bytes, uncompressed size: 6144 bytes | 30FD2     |
+---------+------------------+-------------------------------------------------------------------------------------------------+-----------+
+--------+------------------+-----------------------------------------------------------------------------------------------+-----------+
| Offset | Carved/Extracted | Description                                                                                   | File Name |
+--------+------------------+-----------------------------------------------------------------------------------------------+-----------+
| 0x4d11 | Carved           | LZMA compressed data, properties: 0x92, dictionary size: 0 bytes, uncompressed size: 32 bytes | 4D11.7z   |
| 0x4d11 | Extracted        | LZMA compressed data, properties: 0x92, dictionary size: 0 bytes, uncompressed size: 32 bytes | 4D11      |
| 0x81c4 | Carved           | LZMA compressed data, properties: 0x90, dictionary size: 0 bytes, uncompressed size: 32 bytes | 81C4.7z   |
| 0x81c4 | Extracted        | LZMA compressed data, properties: 0x90, dictionary size: 0 bytes, uncompressed size: 32 bytes | 81C4      |
+--------+------------------+-----------------------------------------------------------------------------------------------+-----------+
Running Module: MultiHandler

Found something worth keeping!
JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=0], baseline, precision 8, 1200x454, components 3
Exif
====
+---------------------+-----------------------------------------+
| key                 | value                                   |
+---------------------+-----------------------------------------+
| SourceFile          | /root/Desktop/iknowyou.jpg              |
| ExifToolVersion     | 12.76                                   |
| FileName            | iknowyou.jpg                            |
| Directory           | /root/Desktop                           |
| FileSize            | 272 kB                                  |
| FileModifyDate      | 2022:06:10 01:55:43+08:00               |
| FileAccessDate      | 2024:05:15 18:33:57+08:00               |
| FileInodeChangeDate | 2024:05:15 18:33:57+08:00               |
| FilePermissions     | -rw-r--r--                              |
| FileType            | JPEG                                    |
| FileTypeExtension   | jpg                                     |
| MIMEType            | image/jpeg                              |
| ExifByteOrder       | Big-endian (Motorola, MM)               |
| DCTEncodeVersion    | 100                                     |
| APP14Flags0         | [14], Encoded with Blend=1 downsampling |
| APP14Flags1         | (none)                                  |
| ColorTransform      | YCbCr                                   |
| ImageWidth          | 1200                                    |
| ImageHeight         | 454                                     |
| EncodingProcess     | Baseline DCT, Huffman coding            |
| BitsPerSample       | 8                                       |
| ColorComponents     | 3                                       |
| YCbCrSubSampling    | YCbCr4:4:4 (1 1)                        |
| ImageSize           | 1200x454                                |
| Megapixels          | 0.545                                   |
+---------------------+-----------------------------------------+

In the result output there is one very clear image; the pillar reads ThatMadeMeL4ugh!
Trying to log in as the other users under /home, it turns out joker works.

batman@NightCity:/home$ ls -al
total 24
drwxr-xr-x  6 root          root          4096 jun  9  2022 .
drwxr-xr-x 24 root          root          4096 may 15 12:03 ..
drwxrwx--- 15 administrator administrator 4096 jun  9  2022 administrator
drwxr-xr-x  3 root          root          4096 jun  9  2022 anonymous
drwxr-xr-x  5 batman        batman        4096 jun 15  2022 batman
drwxrwx---  2 joker         joker         4096 jun 13  2022 .joker
batman@NightCity:/home$ su administrator 
Contraseña: 
su: Fallo de autenticación
batman@NightCity:/home$ su joker
Contraseña: 
joker@NightCity:/home$ id
uid=1001(joker) gid=1001(joker) grupos=1001(joker)
joker@NightCity:/home$ 
joker@NightCity:/home/.joker$ cat flag.txt 
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣴⣤⣶⡶⠛⠉⠉⠀⣀⣀⣀⣤⣤⣤⣶⣶⣒⣛⣉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣴⣿⣿⣿⡿⠋⢀⣠⣴⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣶⢤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⢀⡴⣿⣿⣿⣿⣿⣿⣷⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⣟⡽⣟⣫⣭⣶⣶⣿⣿⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⢠⠏⠀⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠿⠋⠙⠉⠁⠀⢿⣿⣿⣿⣿⡿⠿⠿⣿⡿⣶⣦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡄⠀
⠀⠀⠀⠀⠀⠀⣴⠃⠀⠀⠈⠻⠿⠿⠿⠿⠟⠛⠉⠁⠙⠿⠿⠛⠋⠉⠀⠀⠀⢀⣠⣴⣶⣾⣿⣿⣿⣿⣷⣶⣦⣙⠻⢿⣿⣿⣿⣶⣶⣶⣦⣤⣤⣴⢶⣾⠟⠀⠀
⠀⠀⠀⠀⠀⠰⡏⣴⣄⠀⠀⠀⠀⠀⢀⣠⣴⣤⣄⣀⠀⠀⠀⠀⠀⠀⢀⣴⣶⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣦⡉⠙⠛⠛⠛⠛⠛⠉⣉⡴⢟⣡⣴⠏⠀
⠀⠀⠀⠀⠀⠀⠳⣿⣿⣷⣦⣀⠀⢠⣿⣿⣿⣿⣿⣿⣿⣶⡄⠀⣀⣶⣿⣿⡿⠿⠟⠛⠛⠛⠛⠛⠛⠛⠿⣿⣿⣿⣿⣿⣿⣶⠀⠀⠀⠀⣰⣾⣷⣾⣿⡿⠃⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠈⠛⠿⣿⣿⣷⣿⣿⣿⣿⣿⣿⣿⣿⣿⣣⢞⣭⠿⠋⠁⠀⠀⠀⠀⠀⠀⠠⣤⣤⣶⣾⣿⣿⣿⣯⣭⣿⣿⣶⣶⣿⣿⣿⣿⣿⣿⡟⠁⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠉⠛⢿⡿⣿⣿⣿⣿⣿⣿⣿⡵⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢻⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠏⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠀⠀⠉⠉⠛⠿⠿⠏⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⣻⣿⣿⣿⣿⣿⣿⣿⣿⠿⠿⢿⣿⣿⠟⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡶⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠿⣿⣿⣿⣿⣿⠟⠁⠀⣠⣶⣿⠇⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⠀⠀⠀⠀⠀⠈⠳⣄⠀⠀⠀⣾⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⠀⠈⠻⣿⣿⡏⠀⣰⠊⠱⠛⡆⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡟⠀⠀⠀⠀⠀⠀⠀⠈⠳⣄⠈⠁⠀⠀⠀⠀⣀⣀⣠⠤⠶⠶⠿⣫⠟⠁⠀⠀⠀⠈⠻⣁⣼⠗⣿⠀⢠⡇⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡇⠀⠀⠀⠀⠀⣀⣀⣀⣀⣈⣷⠦⠤⠶⠖⠿⣭⣁⣀⣀⣠⣶⡾⠋⠀⠀⠀⠀⠀⠀⠀⠋⠁⢠⡇⠀⣼⠁⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⠿⠶⣶⣾⣯⣍⣉⠉⠙⠛⣿⠁⠀⠀⠀⠀⠀⠀⠉⠛⠿⠿⠛⠀⠀⠀⠀⣤⣀⣀⠀⠀⢸⡄⠀⣠⡜⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢈⡏⠉⠻⢷⣶⣿⡏⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⠤⠤⠤⢤⣄⣀⡀⠀⠀⠀⠀⠀⢿⠉⠁⠙⢦⡀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡾⠀⠀⢀⣀⣈⣼⠀⠀⠀⠀⠀⣀⣀⡴⠂⠉⠀⠀⠀⣠⢾⠁⠀⣽⠲⡄⠀⠀⠀⢸⡆⠀⠀⠀⠉⠳⢄⡀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢰⡇⠀⣴⣏⣁⠀⢻⠀⠀⢀⡴⣺⠝⠀⠀⠀⢀⣀⢶⠛⠁⠸⡄⠀⣿⠀⠹⠄⠀⠀⠈⡇⠀⠀⠀⠀⠀⠀⢙⠲⢄⡀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣷⢸⡇⠈⠻⣷⣾⠀⠀⣨⠟⣁⣀⣤⣴⠶⠋⠁⢸⠀⠀⠀⣷⠀⣿⠀⠀⠀⠀⠀⢠⡇⠀⠀⠀⢀⡟⠀⢸⠀⠀⠉⠒⠄
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢷⡳⠀⠀⠙⢿⣀⡶⠉⣿⠉⠉⠉⣧⠀⠀⠀⢸⠀⠀⠀⣿⣠⣿⠀⠀⠀⠀⢀⣾⠇⠀⠀⠀⡼⠁⠀⡟⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠳⣄⠀⠀⠸⠿⣷⡀⠸⡀⠀⠀⠹⡄⠀⠀⠸⢀⣀⡴⠟⣿⠇⠀⠀⠀⠀⣾⡏⠀⠀⠀⣸⠃⠀⢰⡇⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣄⠀⠀⠀⠻⣧⣠⢧⡤⠤⠤⠿⣆⠀⠚⠉⣧⠀⢰⡿⠀⠀⠀⢀⣾⡟⠀⠀⠀⢠⠇⠀⠀⣸⠀⠀⠀⠀⠀⠀
⠀⠀⠀⣀⣀⢀⣤⡦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢧⠀⠀⣾⠉⠀⠀⣷⠀⠀⠀⢻⡀⠀⠀⢻⠀⣿⠁⠀⠀⢠⣾⡿⠀⠀⠀⢠⡞⠀⠀⢠⡇⠀⠀⠀⠀⠀⠀
⠀⢰⣾⣿⠷⣿⣿⠵⠖⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⠳⡀⠘⣆⠀⠀⣿⠀⠀⠀⠀⣧⠀⠀⣸⣾⠃⠀⠀⣠⣿⠟⠀⠀⠀⢀⡞⠀⠀⠀⣸⠁⠀⠀⠀⠀⠀⠀
⠀⠈⡻⠉⠋⠉⢁⣤⣼⡏⢠⣆⡾⠃⠀⠀⠀⠀⠀⠀⠀⠀⠹⣄⣿⣶⣤⣼⣤⣀⣀⣀⡽⠶⣚⡿⠁⠀⢀⣾⣿⠋⠀⠀⠀⠀⡼⠁⠀⠀⢠⡇⠀⠀⠀⠀⠀⠀⠀
⢰⣶⢟⡴⢾⢇⣏⣤⡿⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⣦⠉⠉⠉⠉⠙⠛⠛⠋⠉⠉⠀⠀⣠⣿⣟⠁⠐⠒⠒⠶⡾⠁⠀⠀⠀⡼⠀⠀⠀⠀⠀⠀⠀⠀
⣸⣃⣽⣣⠜⠿⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⢷⡀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⠟⠁⠈⠳⡄⠀⠀⡼⠁⠀⠀⠀⢰⡇⠀⠀⠀⠀⠀⠀⠀⠀
⠿⠉⠀⠀⠀⠀⠀⠀⣀⠀⠀⠀⠀⠀⠀⣶⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣳⡀⠀⠀⠀⠀⠀⢀⣴⠟⠧⣄⠀⠀⠀⠙⣦⡞⠁⠀⠀⠀⣀⣺⠴⠶⢲⡆⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⢀⣸⡏⠀⠀⠀⠀⣀⣴⡏⠀⠀⠀⠀⠀⠀⠀⢀⡠⠞⠉⠹⣄⠀⠀⠀⣠⠟⠁⠀⠀⠈⠓⣦⣀⣠⢟⠀⣠⠴⠞⠉⠁⠀⠀⠀⢀⡇⠀⠀⠀⠀⠀
⠀⠀⠀⠀⢠⣶⠏⢻⣶⡶⣾⣿⣟⡯⠞⠃⠀⠀⠀⠀⠀⢀⡴⠋⠀⠀⠀⠀⠹⣄⣠⣞⠉⠉⠉⠉⠉⠓⠲⢶⠾⠶⢿⠋⠁⠀⠀⠀⠀⠀⠀⠀⢰⡇⠀⠀⠀⠀⠀
⠀⠀⠈⠀⠉⠉⣉⣻⠉⠉⠈⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠀⠀⠀⠀⠀⠉⠉⠹⣆⠀⠀⠀⠀⠀⠀⠘⣦⠀⠘⡇⠀⠀⠀⠀⠀⠀⠀⠀⢸⡇⠀⠀⠀⠀⠀
⠀⠀⢀⣠⣶⠋⡽⠃⠀⢀⣀⡴⠞⠀⠀⠀⠀⠀⣀⣠⠀⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⣄⠀⠀⠀⠀⠀⠀⠈⣳⢶⣿⣀⠀⠀⠀⠀⠀⠀⠀⢸⠁⠀⠀⠀⠀⠀
⠀⠀⠎⠀⣼⠋⠀⠰⢊⣯⡟⠀⢀⣀⡤⠶⠒⠉⠉⠁⠀⢻⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⡄⠀⠀⠀⠀⢀⣾⠁⣸⠇⢹⠳⣄⠀⠀⠀⠀⠀⡜⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⣯⢉⡶⡆⣸⡉⠓⠉⠉⠀⠀⠀⠀⠀⠀⠀⠀⠘⡆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣇⠹⡀⠀⠀⣰⠏⡾⠀⣿⠀⢸⠀⠈⣿⢦⡀⠀⢰⡇⠀⠀⠀⠀⠀⠀
⠀⠀⠀⢀⡿⠋⠁⠁⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⢻⣀⡜⠁⢠⠇⠀⣧⠀⢸⠀⠀⡇⠀⠙⠲⡽⠁⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠘⣆⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⠀⠀⠉⠀⠀⣿⠀⠀⣿⠀⢸⠀⢸⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⡀⠀⠀⠀⠀⠀⠀⠀⠀⢻⠀⠀⠀⠀⠀⠉⠉⠛⢿⡆⢸⡇⢸⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⡀⠀⠀⠀⠀⠀⠀⠀⠸⡄⠀⠀⠀⠀⠀⠀⠀⠘⣧⡾⠃⡜⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⣄⠀⠀⠀⠀⠀⠀⠀⣧⠀⠀⠀⠀⠀⠀⠀⠀⠉⠀⠀⡇⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠀⠀⠀⠀⠀⠀⠀⠿⠂⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠟⠀⠀⠀⠀

           Good job!! You just discovered the criminal!



The joker user can read flag.txt, and that's the end! I was expecting to keep escalating to root, but that's all there is.