{"id":1789,"date":"2022-02-11T16:58:35","date_gmt":"2022-02-11T16:58:35","guid":{"rendered":"https:\/\/berenkudaygorun.com\/blog\/?p=1789"},"modified":"2022-02-11T16:58:35","modified_gmt":"2022-02-11T16:58:35","slug":"return","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/02\/11\/return\/","title":{"rendered":"Return"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Level<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.com\/machines\/401\" title=\"Return\">Return<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Windows<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.com\/storage\/avatars\/defa149ea7e259a4709a03a5825e970d.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>The nmap output is shown below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/nmap.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>The machine is clearly Windows. There are services such as LDAP, WSMan and HTTP that we enumerate as soon as we see them. First I tried null sessions against LDAP, but that did not work. So I started browsing port 80. I found the page below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/http.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Here I thought I had caught the svc-printer user, and when I tested this with nmap I saw that such a user really does exist. Since it is a service account, ASREPRoast immediately came to mind. 
That is because this attack does not require a password, but again I was not successful. While thinking it over, I sent the page above to Burp and started examining it. The POST request contained a machine name: printer.return.local. When I replaced that name with 127.0.0.1, nothing changed. Then I supplied my own IP address and the page loaded slowly. This means the page really is doing something in the background. I listened on the LDAP port on my own machine with nc, and that did it.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/cred.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After that I got in with evil-winrm and read the user flag.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/user.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Now I am ready for privilege escalation. I ran the automated scripts; while winPEAS was running in the background, I started BloodHound. BloodHound did not turn up much, but the user I own is a member of many groups.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/blod.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Yes, bingo! With Server Operators we can modify services. I can change the binary path and then restart the service. For this I uploaded nc64.exe to the server, changed the binary path of the vss service, and started it. 
I used <a href=\"https:\/\/cube0x0.github.io\/Pocing-Beyond-DA\/\">https:\/\/cube0x0.github.io\/Pocing-Beyond-DA\/<\/a> as a reference for this step.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/root.png\" alt=\"\" width=\"100%\" height=\"auto\"  \/><\/p>\n<p>Great!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo Return &#8211; HTB Easy Windows Walkthrough The nmap output is shown below. The machine is clearly Windows. LDAP, WSMan, HTTP and the like, as soon as we see them&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/02\/11\/return\/\">Read more<span class=\"screen-reader-text\">Return<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269,89,498,468],"tags":[],"class_list":["post-1789","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-network-guvenligi","category-walkthrough","category-windows","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1789"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1789\/revisions"}],"predecessor-version":[{"id":1796,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/p
osts\/1789\/revisions\/1796"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}