Hacking the Server
1h 1m

In this course, we solve a vulnerable virtual machine called FristiLeaks in order to explore pentesting and privilege escalation techniques.


Hi, within this lecture, we're going to see if we can log into this admin portal. So, before trying brute forcing or SQL injection over here, I'm going to take a look at the page source and see if we can have a tip or hint. And here we go, we have a lot of things going on over here, let me zoom in and see what we can get over there. So, we have the meta name description over here and the content is leet password login test page. We use base64 encoding for images, so they are inline in the HTML. And yeah, it says that I read somewhere on the web, this is a good way to do this. I don't know about that, but we have another comment over here. So, this is the comment syntax, as you might remember. And in the comment we see a TODO: We need to clean this up for production, I left some junk in here to make testing easier. So, we have this note, and it's obviously a hint for us and the note is written by eezeepz over here, so eezeepz. So, this may be our admin, this may be our user, we're definitely going to try to log in with this. Because that's what we do, we follow the breadcrumbs and try to see what we can do with it. And over here, we actually have the image source encoded with base64, I believe. So, let me see if this is the same image, let's say copy image address over here and paste it, and here we go. They actually named the image like this, so I don't know who does that, but supposedly it works. If I click 'Enter' it will download the file for us. Of course, we don't need that, but again, this is the case, it says that we use base64 encoding and I don't know how it's going to do us any help. But if we scroll down a little bit we can see there is another comment over here, which is the base64 encoding one more time. So, what I'm going to do, I'm going to copy this one and try to decrypt it and see what we can actually get out of this one, maybe this is the password.
So, as you can see, after that there comes the form, so it's going to do a POST over here if we give the username and password. So again, there's nothing funny over there, so this is the form. But, maybe the username is eezeepz, we assume that we found the username. Maybe this is the password as well, but we're going to try and see. So, I'm going to copy this and go to the web and search for base64 decrypt online, something like that, decode, decryption. And I believe we worked with these ones before, and if it doesn't work we can always try other things. So, I'm going to paste this over here, and it says malformed input. So, let's see if maybe we have copied the wrong thingy. Let me just do this one more time over here and just say copy, and come over there and just delete the whole thing and paste one more time. Here you go, it again says malformed input. So, it isn't good, let me copy this one and come to my terminal over here. And let me go to my folder and create a new thing called password.txt and paste it over there. So, I'm going to try and decrypt this in my Kali Linux, I'm going to save this with Control O, Enter and Control X. And I'm going to use base64 in order to decrypt this, and I'm going to say base64 -d, and you can just give the file as an input like password.txt. And here we go, it decrypted it, but it's all gibberish. And we see the PNG over here, so probably this is not a string, this is not a regular text file, but they decrypted, they encrypted a PNG file. So, I'm going to decrypt this and give the output as a PNG file like decrypt.png, something like that, and see if we actually get a valid PNG back. So, if we get this, then it means that we're going to see a picture. So, here you go, we have the decrypt.png over there, so let me just open that and try to see if we have a valid PNG file over there. So, let me come over here, and here you go.
So, this is supposedly our password, of course, we're going to try and see, maybe this is the user and eezeepz is the password, I don't know. So, I'm going to open my notes one more time because we're going to have to just take a note of those things. So, first of all, let me just take this from here. So, this is upper case, lower case. K, K, E, K, K, E, something like that. It's going to take some time, so if you know how to do this automatically, then it's great. I believe there are some services to do that online, but since this is a fairly short amount, I'm just going to do this manually and copy this. And let me see if I copied the right thing, here you go. Yeah, I believe I did the right thing, but let's do that one more time. So, I'm going to copy this and save this as well, and come back here to our login portal. I'm going to paste this under the password and for the username we're going to give eezeepz, let's see how it's spelled. Let me come back over here. Yeah, so it's like that, eezeepz. So, I'm going to copy that as well in order not to make a mistake, and I'm going to say login. And here you go, login successful, and eezeepz should have been our user or should have been our admin user, I don't know yet. And this is the password, so great. And this is supposedly the admin portal, and as you can see we don't get much. We only have something to upload over here, and it says upload image, but of course, as usual, we're going to try and upload some reverse shells over there. I hope it works. So, let me come over here and try to find something to upload. So, we have done this before and this is the similarity between the Mr Robot and this one. So, I'm going to come over here and just search for the reverse shell, and of course I'm going to go into the pentestmonkey by saying ignore the risk. So, we have done this before, so I'm going to do this quick. I'm going to come over here to PHP and download the php-reverse-shell.
So, we have done this before, if you remember, once we download this it will get downloaded and the Kali Linux will complain and say that this is malware. We're going to open this, so that it will allow us to edit this file. I'm just going to come over here to my folder and just unzip this thing over there. And if I come over here and open this php-reverse-shell with any editor, then I get to edit the actual l-port and l-host over here. So, remember we have to open this with any editor, I'm using Geany, if you're using something else, this is fine. Just change this IP address to your own IP address, which is 10024 for me, I believe. And you can leave the port as it is, so I'm going to save this and close this one down and this one as well. So, make sure you put your own IP address rather than 10024, I'm going to try and upload this thing over here. So, let me find PHP app, here we go, and let's see if we can do that. Here we go, it says that this is not a valid file, only allowed are PNG, JPG. So again, we're going to have to try something else. So, I'm going to rename this. I'm going to change this to shell.php, and we can try php.png like we have done before. Let me try and see if this works or not. I'm going to come over here and upload this one, here you go. It says that the file has been uploaded to uploads. Great, so let's go over here and see if we can actually make this work, because it doesn't mean that it's working right now. We only got to upload it. So, if you come over here to upload, it says no, and let's say images, it says no, here we go. Images, yeah, we can see the images, it's not uploaded over here, and we cannot seem to go to uploads, let me try that one more time, I actually wasn't able to see the whole thing over here. I'm going to just go for -nvlp on 1234 to start listening, by the way. Let me come over here, it's supposed to be uploads.
So, maybe we can just try to reach the upload/ and the file name over here, but we cannot go to uploads, we cannot go there. So, you can just try to directly go to the shell.php.png, and here we go, it seems to be working and we got a shell, great. Now, we got the shell back from here, so maybe you can make a note of this URL as well so if you lose your shell over here, you can come back anytime you want. And as you can see we are the Apache user, which is great, but not great actually, which is good but not great because we are not root. So, we need to escalate our privileges a little bit. So, again make sure to copy this one and try to run it if you lose your shell, if you lose your session later on. I'm going to go into my folder over here to nano in my notes.txt, and I'm going to paste the thing over there, so that we can actually reach it whenever we want. Now, we are in the server, we managed to hack it, now we're going to see what we can do with it, but we're going to do that within the next lecture together.
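
The upload form in the lecture refused shell.php but accepted the same file renamed to shell.php.png, and requesting that file then ran it. As an added example (not from the course or from the target VM), here is a server-side upload check in Python that refuses that case; the function name, the allowed-type table and the sample bytes are assumptions constructed for illustration.

```python
import os
import secrets

# Magic-byte signatures for the image types the portal says it allows.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# Constructed sample inputs (not taken from the lecture).
PHP_SAMPLE = b"<?php echo 'constructed sample'; ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason, stored_name) for an uploaded file (hypothetical helper)."""
    # Drop any client-supplied directory part, whichever separator was used.
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one extension: "shell.php.png" has two and is refused, so no
    # inner segment such as ".php" can ever reach the web server.
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with a single extension", None
    ext = parts[1]
    if ext not in SIGNATURES:
        return False, "extension not allowed", None
    # The content must start with the signature of the claimed type.
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match extension", None
    # Never reuse the client's name on disk; store under a random one.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return True, "ok", stored


if __name__ == "__main__":
    for name, body in [("shell.php.png", PHP_SAMPLE),
                       ("shell.png", PHP_SAMPLE),
                       ("photo.png", PNG_SAMPLE)]:
        print(name, validate_upload(name, body))
```

A signature check alone can be satisfied by a file that starts with image bytes and carries script text after them, so the single-extension rule and the random stored name do the real work here. The uploads directory should also be served with script execution disabled.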


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.