{"id":1819,"date":"2022-02-16T16:36:43","date_gmt":"2022-02-16T16:36:43","guid":{"rendered":"https:\/\/berenkudaygorun.com\/blog\/?p=1819"},"modified":"2022-02-16T16:36:43","modified_gmt":"2022-02-16T16:36:43","slug":"bountyhunter","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/02\/16\/bountyhunter\/","title":{"rendered":"BountyHunter"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Level<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.com\/machines\/359\" title=\"BountyHunter\">BountyHunter<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.com\/storage\/avatars\/a24c032885e56a17a6c74cc58b63e8f4.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an nmap scan.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/1-nmap-1.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After that, I started examining port 80.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/2-gobuster.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Okay. Once we get in, we will look at the db.php file. Or we will somehow look at it now. But I am going to read that file. 
After that, I started browsing around the page.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/3-post.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>When we submit a request on the page above, the HTTP request we get is as follows.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/4-post-istegi.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After URL-decoding and then base64-decoding the request, I came across an XML document. Now the pieces have fallen into place.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/5-xml.png\" alt=\"\"  width=\"100%\" height=\"auto\" \/><\/p>\n<p>First, I tried to read the \/etc\/passwd file. The steps are given below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/6-etcpasswd.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>I built my payload. Then I sent it with Repeater.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/7-etcpasswd2.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After decoding the response as well, the job is done.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/8-etcpasswd3.png\" alt=\"\"  width=\"100%\" height=\"auto\" \/><\/p>\n<p>Great! 
I read the db.php file the same way as well.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/9-db.png\" alt=\"\"  width=\"100%\" height=\"auto\" \/><\/p>\n<p>With the credential found here, I got the user flag.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/10-userflag.png\" alt=\"\"  width=\"100%\" height=\"auto\" \/><\/p>\n<p>When I ran <code>sudo -l<\/code>, there was a Python file I could run; unfortunately, I forgot to take a screenshot of it. However, you can find the Python code here.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/sudo.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>A little Python knowledge is needed here. Istihza came to mind. eval is an evil function! Anyway, let's continue. I created a file as shown below, and when I ran it, I got root.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2022\/02\/Ekran-Resmi-2022-02-13-19.42.01.png\" alt=\"\"  width=\"100%\" height=\"auto\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Level OS Logo BountyHunter &#8211; HTB Easy Linux Walkthrough Let's start with an nmap scan. After that, I started examining port 80. Okay. 
Once we get in, db.php&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2022\/02\/16\/bountyhunter\/\">Read more<span class=\"screen-reader-text\">BountyHunter<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1819","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1819"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1819\/revisions"}],"predecessor-version":[{"id":1832,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1819\/revisions\/1832"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}