{"id":1798,"date":"2022-02-16T15:51:42","date_gmt":"2022-02-16T15:51:42","guid":{"rendered":"https:\/\/berenkudaygorun.com\/blog\/?p=1798"},"modified":"2022-02-16T15:51:42","modified_gmt":"2022-02-16T15:51:42","slug":"delivery","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/02\/16\/delivery\/","title":{"rendered":"Delivery"},"content":{"rendered":"\n\n\n\n\n
Makine Ad\u0131<\/th>\nSeviye<\/th>\nOS<\/th>\nLogo<\/th>\n<\/tr>\n<\/thead>\n
Delivery<\/a> - HTB<\/td>\nEasy<\/td>\nLinux<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Walkthrough<\/h2>\n

nmap \u00e7\u0131kt\u0131s\u0131 a\u015fa\u011f\u0131daki gibidir. 80 ve 8065'te 2 adet web sitesi bulunmaktad\u0131r. Ayr\u0131ca sayfalar\u0131n kaynak kodlar\u0131n\u0131 kontrol etti\u011fimde bir subdomainde buldum. gobuster ile kontroller yapt\u0131m ancak bir dikkat \u00e7ekici bir sonu\u00e7 elde edemedim. Bunun \u00fczerine internette exploitler arad\u0131m ancak yine bir \u015fey bulamad\u0131m. <\/p>\n

helpdesk.delivery.htb adresinde bir ticket a\u00e7ma sistemi bulunmaktayd\u0131. Sisteme \u00fcye olmadan da ticket a\u00e7man\u0131za izin veriyordu ve bu i\u015flemi yapt\u0131\u011f\u0131n\u0131zda ticket id'nize g\u00f6re bir mail hesab\u0131 olu\u015fturuyor. Bu ilgin\u00e7.<\/p>\n

\"\"<\/p>\n

8065'te \u00e7al\u0131\u015fan uygulamaya kay\u0131t a\u00e7abilmek i\u00e7in \u00fcye olmam\u0131z laz\u0131m ancak eposta onay linki g\u00f6nderiyor ve bunu tabikide d\u0131\u015far\u0131ya yapm\u0131yordu. Bunun \u00fczerine iki uygulamay\u0131 birle\u015ftirme karar\u0131 ald\u0131m. bir ticket a\u00e7t\u0131m. oradan elde etti\u011fim epostay\u0131 8065'te kulland\u0131m. Ve olanlar oldu.<\/p>\n

\"\"<\/p>\n

Daha \u00f6ncesinde bu sayfada \u00e7e\u015fitli file upload zafiyetleri denedim ancak ba\u015far\u0131l\u0131 olamam\u0131\u015ft\u0131m. Neyse epostam\u0131z\u0131 onaylad\u0131ktan sonra 8065'in dashboard'\u0131na ba\u011flanabildim.<\/p>\n

\"\"<\/p>\n

Burada okadar \u00e7ok bilgi varki. \u0130lk credential'\u0131m\u0131z\u0131 elde etmi\u015f olduk. Daha sonras\u0131nda ise ba\u015fka hesaplar i\u00e7in kullan\u0131lan bir paroladan bahsediyor. Hashcat rule'lar\u0131n\u0131 kullanmam\u0131z gerekti\u011fi bilgisini veriyor ve baz\u0131 hashler bulmam\u0131z gerekti\u011fini s\u00f6yl\u00fcyor... Biz user flagini okuyarak ba\u015flayal\u0131m.<\/p>\n

\"\"<\/p>\n

Bu noktadan sonra \u00e7e\u015fitli auto scriptleri \u00e7al\u0131\u015ft\u0131rd\u0131m ve akl\u0131ma tabikide kullan\u0131lan web uygulamalar\u0131n\u0131n config dosyalar\u0131n\u0131 okumak geldi. \u0130lk elde etti\u011fim credential ticket sisteminin mysql credentiallar\u0131yd\u0131 ancak bir i\u015fime yaramad\u0131. Daha sonra ise 8065'te \u00e7al\u0131\u015fan uygulaman\u0131n config dosyas\u0131n\u0131 buldum. San\u0131r\u0131m \/opt'nin alt\u0131ndayd\u0131. Write-up'u sonradan yazd\u0131\u011f\u0131m i\u00e7in hat\u0131rlam\u0131yorum...<\/p>\n

\"\"<\/p>\n

Bu bilgilerle mysql'e ba\u011fland\u0131\u011f\u0131mda hashleri ele ge\u00e7irdim.<\/p>\n

\"\"<\/p>\n

Evet \u015fimdi hashcat rule kullanal\u0131m ve bir deneyelim. Hashlerin bcrypt oldu\u011funu anlayabiliriz. Kendi olu\u015fturdu\u011fum hesaplada bunu do\u011frulad\u0131m.<\/p>\n

\"\"<\/p>\n

\u015eimdi wordlist'imizi olu\u015ftural\u0131m.<\/p>\n

\"\"<\/p>\n

Art\u0131k k\u0131rmaya haz\u0131r\u0131z.<\/p>\n

\"\"<\/p>\n

root flag:<\/p>\n

\"\"<\/p>\n","protected":false},"excerpt":{"rendered":"

Makine Ad\u0131 Seviye OS Logo Delivery – HTB Easy Linux Walkthrough nmap \u00e7\u0131kt\u0131s\u0131 a\u015fa\u011f\u0131daki gibidir. 80 ve 8065’te 2 adet web sitesi bulunmaktad\u0131r. Ayr\u0131ca sayfalar\u0131n…<\/p>\n

Devam\u0131n\u0131 okuDelivery<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1798","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1798","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1798"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1798\/revisions"}],"predecessor-version":[{"id":1809,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1798\/revisions\/1809"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1798"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}