{"id":2109,"date":"2023-06-28T17:29:31","date_gmt":"2023-06-28T17:29:31","guid":{"rendered":"https:\/\/berenkudaygorun.com\/blog\/?p=2109"},"modified":"2023-06-28T17:34:27","modified_gmt":"2023-06-28T17:34:27","slug":"stocker","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2023\/06\/28\/stocker\/","title":{"rendered":"Stocker"},"content":{"rendered":"<blockquote>\n<p>We will surely test you with something of fear and hunger, and a loss of wealth, lives and crops. Give good tidings to the patient...<br \/>\nBakara 177<\/p>\n<\/blockquote>\n<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.com\/machines\/Stocker\" title=\"Stocker\">Stocker<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.com\/storage\/avatars\/da052d0b0efd6dad222ba4a73d987c16.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>The nmap scan output is shown below. Looking at it, my gut says an SSH credential is going to turn up somewhere inside the box, but habit should never be allowed to become prejudice.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-1.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>I added stocker.htb together with the machine's IP address to <strong>\/etc\/hosts<\/strong>, then started directory and file discovery with ffuf. I do not know whether it has turned into some kind of cult lately, but every machine I have solved recently has made me hunt for a subdomain. 
Directory and file fuzzing with ffuf gave me nothing, but a virtual-host (subdomain) scan revealed a subdomain named dev.<\/p>\n<pre><code class=\"language-sh\"># Virtual-host discovery: FUZZ goes into the Host header; -fs 178 drops responses of the baseline size\nffuf -u http:\/\/stocker.htb\/ -w \/usr\/share\/wordlists\/dirb\/big.txt -H &#039;HOST: FUZZ.stocker.htb&#039; -t 50 -fs 178<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-2.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>I updated my <strong>hosts<\/strong> file again. Visiting dev.stocker.htb brought me to a login page. I tried sqlmap against it without success, so I moved on to NoSQL injection. First I rewrote the request body from form encoding to JSON and checked whether the application still accepted it; it did. That is what makes operator injection possible: a JSON body lets the client send objects such as {&quot;$ne&quot;: null} where the application expects plain strings.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-5.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-4.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Our NoSQL injection payload is shown below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-6.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After this I was able to log in and landed on the page below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>After looking around the page, I came across a PDF generator. 
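The NoSQL login bypass above, as an added example that is not code from the original post or from the Stocker application. It uses an in-memory stand-in for the MongoDB lookup behind a login form, shows why switching the body to JSON lets operator objects such as `{"$ne": null}` pass the check, and gives two ways to close the hole. The user records, field names and the `recoverPassword` oracle are constructed for the demo; the real collection, its field names and the application's handler are assumptions.

```javascript
// Added example, not code from the original post: an in-memory stand-in for
// the MongoDB lookup behind a login form. The user records are constructed.

const users = [
  { username: "admin", password: "hunter2-placeholder" },
  { username: "angoose", password: "not-the-real-one" },
];

// Subset of MongoDB field matching: a scalar is an equality test, an object
// is a set of operators applied to the stored value. An empty object is an
// equality test against {} and therefore matches no string field.
function fieldMatches(stored, cond) {
  if (cond === null || typeof cond !== "object") return stored === cond;
  const ops = Object.entries(cond);
  if (ops.length === 0) return false;
  return ops.every(([op, arg]) => {
    switch (op) {
      case "$ne": return stored !== arg;
      case "$gt": return stored > arg;
      case "$regex": return new RegExp(arg).test(String(stored));
      default: throw new Error("unsupported operator " + op);
    }
  });
}

// users.findOne(query) as the login route would call it.
function findOne(query) {
  return users.find(u => Object.keys(query).every(k => fieldMatches(u[k], query[k]))) || null;
}

// Vulnerable handler: the parsed JSON body goes straight into the query.
function loginVulnerable(body) {
  return findOne({ username: body.username, password: body.password });
}

// Fix 1: credentials must be strings; objects never reach the database.
function loginStrict(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") return null;
  return findOne({ username: body.username, password: body.password });
}

// Fix 2 (what middleware such as express-mongo-sanitize does by default):
// drop every key that starts with "$" or contains "." from the parsed body.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value && typeof value === "object") {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith("$") && !k.includes(".")) clean[k] = sanitize(v);
    }
    return clean;
  }
  return value;
}

// The classic bypass: "username is not null AND password is not null"
// matches the first document in the collection, usually an admin.
const payload = { username: { $ne: null }, password: { $ne: null } };

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// One step beyond the post (assumed generalisation): the same hole leaks a
// password one character at a time, because $regex turns the login into a
// yes/no oracle. Returns the recovered password for the given username.
function recoverPassword(username, alphabet, maxLen = 64) {
  let prefix = "";
  while (prefix.length < maxLen) {
    const next = Array.from(alphabet).find(ch =>
      loginVulnerable({ username, password: { $regex: "^" + escapeRegex(prefix + ch) } }) !== null
    );
    if (next === undefined) break;
    prefix += next;
  }
  return prefix;
}
```

`loginVulnerable(payload)` returns the first user, `loginStrict(payload)` returns nothing, and `sanitize(payload)` leaves only empty objects behind, which match no document. The type check is the cheaper fix; the sanitizer is the belt-and-braces one for code bases where request objects are spread into queries in many places.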
Here I first tried SSTI payloads, without success. Then I came across a technique called Server Side XSS and continued along that route. I explained what Server Side XSS is in my previous post, so here I will only give the payloads.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-8.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>Burp is on the left; when we submit the data, the server generates an id, which is really the id of the PDF. The plan is to embed HTML tags in the submitted data so that, while the PDF is generated, the server-side HTML renderer interprets them: a frame that points at a local file path is fetched with the server's own privileges and its contents end up in the PDF, which gives me file reads on the target machine.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-7.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>My first attempt succeeded. Building on that, I tried to pull data out of the box. 
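The PDF-generator injection described above, as an added example that is not code from the original post or from the Stocker application. It shows the kind of interpolation that lets an order field reach the HTML-to-PDF renderer unescaped, the escaping that fixes it, and a small input check that flags renderer abuse. The order object, the invoice template and the field names are constructed; the `file:///etc/passwd` iframe is the general technique, not a reproduction of the post's own payload, which only appears in its screenshots.

```javascript
// Added example, not code from the original post. The order and template
// below are constructed; the real Stocker template is not reproduced.

// What an attacker submits once they control a field that ends up in the
// PDF: the renderer fetches file:// URLs with the server's privileges, so
// the frame's contents are rasterised into the PDF they download.
const hostileOrder = {
  id: "demo-order-1",
  items: [
    { title: '<iframe src="file:///etc/passwd" width="100%" height="800px"></iframe>', price: 1, amount: 1 },
  ],
};

// Vulnerable: untrusted strings interpolated straight into the markup.
function renderInvoiceVulnerable(order) {
  const rows = order.items
    .map(i => `<tr><td>${i.title}</td><td>${i.price}</td><td>${i.amount}</td></tr>`)
    .join("");
  return `<h1>Order ${order.id}</h1><table>${rows}</table>`;
}

// Fix: escape every untrusted value before it touches the template, so the
// renderer sees text, never tags.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

function renderInvoiceSafe(order) {
  const rows = order.items
    .map(i => `<tr><td>${escapeHtml(i.title)}</td><td>${escapeHtml(i.price)}</td><td>${escapeHtml(i.amount)}</td></tr>`)
    .join("");
  return `<h1>Order ${escapeHtml(order.id)}</h1><table>${rows}</table>`;
}

// Defence in depth: run this over the raw input fields (not the escaped
// output) to log or reject markup that has no business in an order title.
const DANGEROUS = [
  /<\s*(iframe|object|embed|script|link|meta|base)\b/gi,
  /\bfile:\/\//gi,
];
function findRendererAbuse(text) {
  const hits = new Set();
  for (const re of DANGEROUS) {
    for (const m of text.matchAll(re)) hits.add(m[0].toLowerCase().replace(/\s+/g, ""));
  }
  return [...hits].sort();
}
```

Escaping is the actual fix; the `findRendererAbuse` check is for alerting, because a renderer that can open `file://` URLs will also happily fetch internal HTTP services. Running the HTML-to-PDF step in a sandbox with no file-system access closes the remaining gap regardless of what reaches the template.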
At this point I got help from ChatGPT while tuning my payload.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-9.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-10.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-11.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-13.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>While reading the application source, I found the MongoDB connection string with the password hardcoded in it, right next to a TODO admitting it should have come from dotenv:<\/p>\n<pre><code>\/\/ TODO: Configure loading from dotenv for production\nconst dbURI = &quot;mongodb:\/\/dev:IHeardPassphrasesArePrettySecure@localhost\/dev?authSource=admin&amp;w=1&quot;;<\/code><\/pre>\n<p>The nmap output had shown SSH. 
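The hardcoded connection string above is the kind of finding a secrets scan should catch before a box like this ships. The following is an added example, not code from the original post or from the Stocker application: a small scanner for URIs that carry credentials in their userinfo, run over the line quoted from the post plus two constructed lines, a redaction helper for reports, and the environment-based loader the TODO asks for. The extra sample lines, the `MONGO_URI` variable name and the placeholder-password list are assumptions.

```javascript
// Added example, not code from the original post. The dbURI line is quoted
// from the post; the other source lines are constructed for the demo.

const sampleSource = [
  '// TODO: Configure loading from dotenv for production',
  'const dbURI = "mongodb://dev:IHeardPassphrasesArePrettySecure@localhost/dev?authSource=admin&w=1";',
  'const cache = "redis://localhost:6379";',                               // constructed: no credentials
  'const pg = `postgres://app:${process.env.PG_PASSWORD}@db:5432/app`;',   // constructed: secret from env
].join("\n");

// scheme://user:password@host  (the URL userinfo component carries the secret)
const CRED_URI = /\b([a-z][a-z0-9+.-]*):\/\/([^\s:@\/"'`]+):([^\s@"'`]+)@([^\s\/"'`?]+)/gi;

// One finding per hardcoded credential, never the secret itself: a scanner
// that prints passwords just moves the leak into the CI log.
function findEmbeddedCredentials(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const m of line.matchAll(CRED_URI)) {
      const [, scheme, user, password, host] = m;
      // A template placeholder such as ${process.env.X} is not a literal secret.
      if (password.startsWith("${")) continue;
      findings.push({ line: idx + 1, scheme: scheme.toLowerCase(), user, host, passwordLength: password.length });
    }
  });
  return findings;
}

// Redact every userinfo password so the file can be attached to a report.
function redactCredentials(source) {
  return source.replace(CRED_URI, (m, scheme, user, _pw, host) => `${scheme}://${user}:***@${host}`);
}

// What the TODO asked for: take the URI from the environment and refuse to
// start on a missing or obviously placeholder value. The env object is a
// parameter so the function can be exercised without touching process.env.
function loadDbUri(env) {
  const uri = env.MONGO_URI;
  if (!uri) throw new Error("MONGO_URI is not set");
  if (/:\/\/[^:\/]+:(changeme|password|secret)@/i.test(uri)) {
    throw new Error("MONGO_URI uses a placeholder password");
  }
  return uri;
}
```

Moving the password out of the source file only helps if the same value is not reused elsewhere; on this box the database password also opened SSH, which is the reuse a scanner cannot see but a credential audit can.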
By looking at <strong>\/etc\/passwd<\/strong> I identified the users on the box.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-14.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>From here it was easy: trying the database password over SSH gave me a shell straight away.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-15.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>I dropped tools like linpeas onto the box and went through their output, but there was a far simpler route: when I checked sudo -l, it was practically shouting that root was right there.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-17.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>I immediately wrote a script under \/tmp, with ChatGPT's help.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-18.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/berenkudaygorun.com\/blog\/wp-content\/uploads\/2023\/06\/Pasted-Graphic-19.png\" alt=\"\" width=\"100%\" height=\"auto\" \/><\/p>\n<p>My script first ran ls and then the id command. I changed it and read the flag under the root directory.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We will surely test you with something of fear and hunger, and a loss of wealth, lives and crops. 
Give good tidings to the patient&#8230; Bakara 177 Machine Name Difficulty OS&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2023\/06\/28\/stocker\/\">Read more<span class=\"screen-reader-text\">Stocker<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[688],"class_list":["post-2109","post","type-post","status-publish","format-standard","hentry","category-walkthrough","tag-server-side-xss","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/2109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=2109"}],"version-history":[{"count":3,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/2109\/revisions"}],"predecessor-version":[{"id":2130,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/2109\/revisions\/2130"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=2109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=2109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=2109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}