Changing Users
1h 21m

In this course, we explore brute-force attacks, hacking WordPress, changing users, and SUID privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.


Hi. So far, we have managed to hack into the server, and within this lecture, we're going to try and escalate our privileges. So, we have already used that, so I'm going to close this down. We don't need php-reverse-shell anymore. So, let me come back here. And, I believe, we don't need this and this one as well. So far, so good. Now, let me come back over here and just minimize this so that we can see the terminal in a better way. Clear doesn't work. So, let me try and see if we have $SHELL over here, and let me run 'whoami'. Yes, we are daemon. We can run 'ls'. But we cannot run... Of course, we cannot go into root. Okay, let me try to go into 'home'. And in home, we already see some kind of robot thing. And, I believe, we have a key-2 over here. Let me try to cat that and see if we can get this. No, we cannot get the second key; we cannot get the second flag. So, it's better. It's good that we cannot get this. So, I believe there is a user called robot, because that's where we have found it, right? We have a robot user under the home directory, and this key-2-of-3 should have been the robot user's file. So, we cannot read that. So, let me read this password over here and see if this is the password of the robot user. So, there's a hash over here, and it's an MD5 hash. And, I believe, we can just decrypt this so that we can try to see if we can log in as robot and use this password. So, if we can do that, then we can get the second flag. And, I believe, this is a good thing because we can be root. We are robot, apparently. I don't know that yet. So, I'm going to search for 'decrypt md5 online' over here. And, let's find something that works. So, I'm going to go here, ''. And just get this. Let me just get this over here. Okay, let me just copy this and paste it over there so that we can just try and decrypt it. If we do this, let's see if we can get this. No, "No result found in our database." So, this decryption works like a wordlist attack.

So, if they have the same thing in their database... Of course, it's not a wordlist attack, but the logic is that they're comparing it with previously computed hashes. So, I'm going to try a lot of websites over here. So, let's try this one, ''. No, this is not in their database either. So, let's try this one, ''. Let me try and just 'Submit' this. And here you go, it found something. I cannot see it properly, but I'm just going to copy this and paste it in my notes.txt over here so that we can take a note. I'm going to go over here and 'cd Documents/CTF/MrRobot'. And over here, we have to 'nano notes.txt', and under this PHP code... Here you go. This is 'abcdefg...' So, this is the whole alphabet, I believe. And the user must be robot. We are not certain yet, but the leads actually point in that direction. So, the robot user with this password. Let's try this. So, let me just copy and paste. Yes, it works. So, let me go back to our session and try to go into robot by running 'su robot'. It says that it "must be run from a terminal." We don't have a shell over here. I don't know what we are in right now. So, let's try to spawn a shell. I'm going to open my 'notes'. As I have shown you before, we can try to spawn a shell with Python. If we can run Python over here without any problem, that would be great. So, this is the first thing that I'm going to try. You can try with bash or sh, obviously. So, 'python -c 'import pty; pty.spawn("/bin/bash")''. We have seen that before. If you didn't take note of that, just pause the video and try to take note of it. I suggest that, really. So, here we go. Now, we've got a shell. So, we are daemon@linux. We cannot run clear right now, but we can run the other ones. So, let me try 'su robot' one more time. It will ask me for a password. Now, let me get that password. So, let me close this down and... where was it? So, we have to go to 'Documents', 'CTF', 'MrRobot'. And over here, 'notes.txt', and copy that alphabet over here.

So, let me copy this and come back to our session and paste it over there. And see, here we go. Now, we are robot. So, we managed to change the user. And apparently, we cannot clear this terminal at all. But, if we run 'whoami', then we are robot. If you run 'id', we are robot. If we cat this flag 2 right now, let's see if we can do that. 'key-2-of-3.txt', and here you go. Now, we've managed to get the second flag. Now, I'm going to make a copy of this one as well and just leave it there, so that if you actually need this later on, we can come back and get it. So, what am I going to do? Of course, I'm going to try and be root now, because there are three flags and we are in the second flag phase, and we need to be root in order to get the root flag. So, let me try and see if we can find the root directory over here, if we can cd into that. No, we cannot even cd into the root directory. Okay, so we're going to stop here. And within the next lecture, we're going to see how we can escalate our privileges to become root.
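The online "decrypt" sites the lecture tries do what the lecture describes: they hash candidate words ahead of time and compare, since MD5 cannot be inverted. The following Python script is an added example, not part of the course material, that does the same lookup offline. It parses a constructed `user:hash` file in the style of the password file cat'd from `/home/robot` and tries each word of a short, constructed wordlist. The digest in the sample is the RFC 1321 MD5 test vector for the lowercase alphabet, which is the password the lecture ends up using; a real run would read a wordlist such as rockyou.txt instead of the embedded list.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample in the "user:hash" layout of the file found in /home/robot.
# The digest is RFC 1321's MD5 test vector for "abcdefghijklmnopqrstuvwxyz".
SAMPLE_PASSWORD_FILE = "robot:c3fcd3d76192e4007dfb496cca67e13b\n"

# Constructed wordlist; a real run would stream /usr/share/wordlists/rockyou.txt.
SAMPLE_WORDLIST: List[str] = [
    "password", "123456", "robot", "mrrobot", "fsociety",
    "abcdefghijklmnopqrstuvwxyz", "letmein",
]

# Unsalted MD5 is 32 hex characters; anything else is a different hash type.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_password_file(text: str) -> Dict[str, str]:
    """Return {user: md5hex} for lines of the form 'user:hash'.

    Blank lines and lines without a colon are skipped; a digest that is not
    32 hex characters is rejected rather than silently hashed against.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, digest = line.split(":", 1)
        digest = digest.strip().lower()
        if not MD5_RE.match(digest):
            raise ValueError(f"not an unsalted MD5 hex digest: {digest!r}")
        entries[user.strip()] = digest
    return entries


def crack_md5(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash each candidate and compare with the target.

    This is the whole technique behind the online lookup sites: there is no
    inverse of MD5, only a table of (word, md5(word)) pairs to search.
    """
    target = target.lower()
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def crack_file(text: str, candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """Crack every entry of a 'user:hash' file; None means not in the wordlist."""
    words = list(candidates)  # materialise so it can be reused per user
    return {user: crack_md5(digest, words)
            for user, digest in parse_password_file(text).items()}


if __name__ == "__main__":
    for user, password in crack_file(SAMPLE_PASSWORD_FILE, SAMPLE_WORDLIST).items():
        shown = password if password is not None else "<not in wordlist>"
        print(f"{user}: {shown}")
```

Once the password is recovered, the rest of the lecture's procedure applies unchanged: spawn a pty with `python -c 'import pty; pty.spawn("/bin/bash")'` so that `su` has a terminal to prompt on, then `su robot` with the cracked password.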


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.