In this course, we solve a vulnerable virtual machine called FristiLeaks in order to explore pentesting and privilege escalation techniques.
Hi, within this lecture, we're going to see if we can become root using the admin user that we currently switched. And we're going to see what we can do to become root. So far, we know that we are admin right now. And over here we are the user Apache. So, now I have two shells, right? So, I can use this shell in order to gain more privilege in this server. So, let me run LS -LA. We are in the home admin user and see what we can do over here. So, as you can see we have some binaries like cat, chmod, and also we have cronjob.py, cryptedpass.txt, cryptpass.py. So, let me cat this out and see what we can do with those. So, cronjob.py: it opens the tmp/cronresults and it writes some string into it, and it actually runs the... it opens the run this and execute that. So, this was our cronjob that we actually took leverage of in the previous lecture. So, here you go. We have a cryptedpass.txt. Let's see what it does. So, let me come over here crypedpass.txt. So, we have a kind of password or some kind of a hash over here. So, I'm just going to copy and take a note of that. So that, maybe, we will decrypt it later on. Maybe we won't, I don't know but I'm just going to take some notes. So, I'm going to nano into my 'notes.txt' and paste it over here, right? So, let me just space it and just come back to our shell. So, this was the cryptedpas.txt. We also have a cryptpass.py over here. Okay? So, I believe this is the thing that crypted that cryptedpass.txt We're going to see. Let me just cat 'whoisyourgodnow.txt'. As you can see there is another txt file over here. So, this seems like another password. So, I'm just going to come over here and paste this into my notes as well. So, far so good. We are getting a lot of hashes, so I'm just going to save those and cat them out to see it anytime I want. Let me come back. So here, okay? So, I have two hashes and I also have one cryptpass.py. So, we suspect that this is the thing that crypts this hashes over here. So, we're going to see how it works. So, I'm going to say cat 'cryptpass.py' Okay? cryptpass.py. And here we go, we have a basic Python code over here. And it actually uses some kind of base64 encryption, and some other encryptions like rot13 as well. So, I'm just going to copy this. So, if this is the thing that copies actually that encrypts all these hashes, we can reverse engineer it and we can decrypt the file by writing our own Python code, right? So, it's very easy. Let me just show you how it's done. I'm going to go into my Fristileaks folder one more time and I'm going to open a crypt.py file over here with nano, and I'm going to paste this in. So, here we go. This is our algorithm over here. So, what it does? It imports to base64 codecs and sys. So far so good. So, we have these libraries over here and that we have a function. So, it's called encodeString, okay? And it takes in a string and it uses some kind of encryption algorithms over here. So, it first uses... let me just see base64, and then it returns the rot version of this. And finally it returns cryptoResult, and it prints out the cryptoResults actually, not returns it. So, this is the thing that we should reverse engineer. So, again this takes in a string and it converts that string into the base64 encoding thing, and it returns this. It actually reverses that string, okay? This does that. base64String [::-1] means reverse it, and then it uses codecs library to encode it with rot13. So, algorithm is simple. First, convert it into base64, then reverse it and actually encrypt it one more time with rot13, and then print it out. So, what we should do over here decrypt it with rot13, reverse it, and then decrypt it with base64 one more time, okay? So, we have to just write exact opposite of this algorithm. So, I'm going to just try this, okay? I'm going to say "python crypt.py atil." So, we have this encryption. So, this is the string atil's representation of the encryption algorithm. Later on when we write our own decrypt algorithm, we're going to see if we can get the atil back from that result. So, I'm going to write 'cat crypt.py' to see this because I'm going to copy this. And I'm going to create an infile called 'decrypt.py' over here and paste the thing in because we're going to change this a little bit, right? So, I'm going to still import those libraries but I'm going to change this to decodeString. It will take some string as an input one more time. So, I'm not changing this. So, rather than this... First of all, I'm going to delete this, okay? Because we shouldn't start with base64 decryption, we start with the latest one with the rot13 decryption, then we will return the base64 decryption, okay? So, I'm going to delete everything over here including return. I'm just going to leave this, okay? I'm going to create a new variable called decodedString and this will become 'codecs.decode' this time rather than code and it will just take in the string that we have supplied over here and reverse it and decrypt it with rot13. Then I'm going to leave exact same spaces as here and say, "return base64". And I believe we have to say '.b64decode'. Yep, it goes like this: base64.b64decode. And we need to give the decoded string over here and over there. So, crypto results will be now decodeString. So, this is the thing that we're looking for and we're going to print that result back. So that's it. That's all we need to do. We managed to turn it into decrypted state, I believe. We're going to try and see, because we did exactly this opposite of the encryption algorithm. So, this should work. We turned down the rot13 and then we decoded the base64 as well using the same algorithm, same logic, okay? So, of course, in order to understand this you should know a little bit Python but I believe this is easy and you know that much. So, I'm going to try 'python decrypt.py', and I'm going to try and decrypt this one to see if this works. If this works, it should give me atils back. And here you go. I have my own name over here. So, I encrypted this before. Now I can use the same decrypt.py file in order to decrypt all these passwords over here. So, I don't know if they are passwords but there are some kind of lead, at least. So, it says that 'thisisalsopw123', I don't know. So, let me just decrypt this one and see what we get over here. Let me copy this and here you go. Let me just paste it one more time and hit 'Enter'. Let there be Fristi, okay. So, we know this to exist right now. Most probably they are passwords of the other users that we're going to try but we don't know yet, but we managed to decrypt this. We managed to break a cryptology over here which is good, which is great. So far so good. We're going to stop here and continue within the next one.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.