1
00:00:01,030 --> 00:00:08,320
Hi, within this lecture, we're going to see if we can log into this admin portal, so before trying

2
00:00:08,320 --> 00:00:14,290
brute forcing our kind of sequel injection over here, I'm going to take a look at the page source and

3
00:00:14,290 --> 00:00:17,100
see if we can have a tip or hint.

4
00:00:17,470 --> 00:00:18,190
And here you go.

5
00:00:18,200 --> 00:00:20,310
We have a lot of things going on over here.

6
00:00:20,320 --> 00:00:23,240
Let me zoom in and see what we can get over there.

7
00:00:23,710 --> 00:00:34,000
So we have the middle name description over here and the content is lead password login test page views,

8
00:00:34,000 --> 00:00:37,450
base 64 encoding for images.

9
00:00:37,720 --> 00:00:44,480
So they are in line in the HTML and yep, it says that I read somewhere on the web.

10
00:00:44,500 --> 00:00:46,210
This is a good way to do this.

11
00:00:46,510 --> 00:00:47,890
I don't know about that.

12
00:00:47,890 --> 00:00:50,290
But we have another comment over here.

13
00:00:50,560 --> 00:00:54,220
OK, so this is the comment syntax, as you might remember.

14
00:00:54,610 --> 00:01:02,460
And in the comment we have to see to do, we need to clean this up for production.

15
00:01:02,470 --> 00:01:05,970
I left some junk in here to make testing easier.

16
00:01:06,640 --> 00:01:13,080
So we have this note and it's obviously a hint for us.

17
00:01:13,480 --> 00:01:17,770
And the note is written by easy peasy over here.

18
00:01:17,770 --> 00:01:19,800
So easy peasy.

19
00:01:20,170 --> 00:01:24,030
So this may be our Edmands may be our user.

20
00:01:24,340 --> 00:01:28,060
We're, of course, definitely going to try to login with this.

21
00:01:28,060 --> 00:01:28,540
Right.

22
00:01:28,780 --> 00:01:30,070
Because that's what we do.

23
00:01:30,070 --> 00:01:34,500
We follow the breadcrumbs and try to see what we can do with it.

24
00:01:35,080 --> 00:01:41,870
And over here, we actually have the image source encoded with base64, I believe.

25
00:01:42,220 --> 00:01:44,980
So let me see if this is the same image.

26
00:01:45,190 --> 00:01:49,480
Let's say copy, image, address over here and paste it.

27
00:01:50,020 --> 00:01:50,990
And here you go.

28
00:01:51,010 --> 00:01:53,660
They actually named the image like this.

29
00:01:53,670 --> 00:01:59,050
So I don't know who does that, but supposedly it works.

30
00:01:59,350 --> 00:02:03,610
If I click enter, it will download the file for us.

31
00:02:04,130 --> 00:02:05,680
Of course, we don't need that.

32
00:02:05,890 --> 00:02:08,340
But again, so this is the case.

33
00:02:08,350 --> 00:02:14,050
It says that we use base64 encoding and I don't know how it's going to do us any help.

34
00:02:14,560 --> 00:02:22,060
But if we scroll down a little bit, we can see there is another comment over here, OK, which is the

35
00:02:22,090 --> 00:02:24,750
basics to encryption one more time.

36
00:02:25,390 --> 00:02:33,460
So what I'm going to do, I'm going to copy this one and try to decrypt it and see what we can actually

37
00:02:33,460 --> 00:02:34,380
get out of this.

38
00:02:34,390 --> 00:02:36,250
Well, maybe this is the password.

39
00:02:36,700 --> 00:02:40,350
So as you can see after that, there comes the form.

40
00:02:40,690 --> 00:02:47,560
So it's going to do a post over here if we give the user name and password.

41
00:02:47,980 --> 00:02:49,920
So, again, there's nothing funny over there.

42
00:02:49,930 --> 00:02:51,760
So this is the form.

43
00:02:52,240 --> 00:02:55,990
But maybe username is easy peasy.

44
00:02:56,200 --> 00:02:58,390
We assume that we found the user name.

45
00:02:58,870 --> 00:03:02,280
Maybe this is the password as well, but we're going to try and see.

46
00:03:02,650 --> 00:03:10,030
So I'm going to copy this and go to Web and search for base64, decrypt online, something like that,

47
00:03:10,030 --> 00:03:11,290
decode decryption.

48
00:03:11,830 --> 00:03:17,860
And I believe we worked with this before base64 decoded ARG and it doesn't work.

49
00:03:17,860 --> 00:03:19,660
We can always try other things.

50
00:03:19,900 --> 00:03:23,860
So I'm going to paste is over here and just see.

51
00:03:23,860 --> 00:03:26,530
Yeah, it says that malformed inputs.

52
00:03:27,640 --> 00:03:28,800
So let's see.

53
00:03:28,810 --> 00:03:31,270
Maybe we have copied the wrong thing.

54
00:03:31,270 --> 00:03:39,640
You let me just do this one more time over here and just say copy and come over there and just delete

55
00:03:39,640 --> 00:03:42,180
the whole thing and paste one more time.

56
00:03:42,820 --> 00:03:43,480
Here you go.

57
00:03:43,480 --> 00:03:50,110
It again says that malformed input so it isn't good.

58
00:03:50,110 --> 00:03:58,210
Let me copy this one and come to my terminal over here and let me go to my folder and create a new thing

59
00:03:58,210 --> 00:04:02,680
called Password that Steve OK, and pasted over there.

60
00:04:03,130 --> 00:04:06,280
So I'm going to try and decrypt this in my color Linux.

61
00:04:06,580 --> 00:04:14,440
I'm going to save this control or enter and control X, and I'm going to use base64 in order to decrypt

62
00:04:14,440 --> 00:04:14,830
this.

63
00:04:15,400 --> 00:04:23,620
And I'm going to say Base64 Dashty and you can just give the file as an input like password data exceed

64
00:04:24,340 --> 00:04:25,840
and here you go.

65
00:04:25,840 --> 00:04:29,560
It kind of decrypts it but it's all gibberish.

66
00:04:29,560 --> 00:04:33,010
OK, and we see the PMG over here.

67
00:04:33,310 --> 00:04:42,310
So I probably this is not a string, this is not a regular text file, but they decrypt, they encrypted

68
00:04:42,310 --> 00:04:43,990
and PMG file.

69
00:04:44,320 --> 00:04:51,520
So I'm going to decrypt this and give the output as a file like decrypt that Panji, something like

70
00:04:51,520 --> 00:04:56,200
that, and see if we actually get a valid back.

71
00:04:56,650 --> 00:05:00,430
So if we get this, that means that we're going to see a picture.

72
00:05:00,640 --> 00:05:04,970
Right, so here you go, we have the decrypts that PNG over there.

73
00:05:04,990 --> 00:05:11,220
So let me just open that and try to see if we have a valid PNG file over there.

74
00:05:11,230 --> 00:05:15,640
So let me come over here and here you go.

75
00:05:16,060 --> 00:05:19,370
So this is supposedly our password.

76
00:05:19,390 --> 00:05:25,020
Of course, we're going to try and see maybe this is the user and E.S.P is the password.

77
00:05:25,030 --> 00:05:25,590
I don't know.

78
00:05:26,200 --> 00:05:32,710
So I'm going to open my notes one more time because we're going to have to just take a note of those

79
00:05:32,710 --> 00:05:33,190
things.

80
00:05:33,850 --> 00:05:37,450
So, first of all, let me just take this from here.

81
00:05:37,480 --> 00:05:47,410
So this is uppercase, lowercase, OK, PKK, e, something like that.

82
00:05:47,680 --> 00:05:49,220
It's going to take some time.

83
00:05:49,660 --> 00:05:53,970
So if you know how to do this automatically, then it's great.

84
00:05:54,550 --> 00:05:57,670
I believe there are some services to do that online.

85
00:05:58,090 --> 00:06:04,000
But since this is a short, fairly short amount, shorter amount, I'm just going to do this manually

86
00:06:04,000 --> 00:06:10,380
and copy this, OK, and let me see if I copied the right thing.

87
00:06:10,390 --> 00:06:11,250
Here you go.

88
00:06:12,070 --> 00:06:15,040
Yeah, I believe yeah, I believe I did the right thing.

89
00:06:15,040 --> 00:06:16,810
But let's do that one more time.

90
00:06:17,170 --> 00:06:24,580
So I'm going to copy this and save this as well and come back here to our log in.

91
00:06:24,580 --> 00:06:30,940
Purtill I'm going to paste is under the password and for the username we're going to give the easy peasy.

92
00:06:30,940 --> 00:06:32,930
Let's see how it's spelled.

93
00:06:33,250 --> 00:06:35,460
Let me come back over here.

94
00:06:35,740 --> 00:06:36,010
Yeah.

95
00:06:36,010 --> 00:06:37,270
So it's like that.

96
00:06:37,270 --> 00:06:38,440
Easy peasy.

97
00:06:38,440 --> 00:06:43,360
So I'm going to copy that as well in order not to make a mistake.

98
00:06:43,990 --> 00:06:47,740
And I'm going to say log in and here you go.

99
00:06:47,740 --> 00:06:48,310
Log in.

100
00:06:48,310 --> 00:06:52,570
Successful and yeah, easy peasy.

101
00:06:52,570 --> 00:06:55,660
Should have been our user should have been our admin user.

102
00:06:55,660 --> 00:06:56,590
I don't know yet.

103
00:06:57,130 --> 00:06:58,600
And this is the password.

104
00:06:59,230 --> 00:07:01,060
So great.

105
00:07:01,060 --> 00:07:03,660
And this is supposably the admin portal.

106
00:07:03,730 --> 00:07:05,350
As you can see, we don't get much.

107
00:07:06,010 --> 00:07:12,220
We only have something to upload over here and it says that upload image.

108
00:07:12,520 --> 00:07:19,510
But of course, as usual, we're going to try and upload some reverse over there.

109
00:07:19,840 --> 00:07:21,220
I hope it works.

110
00:07:21,370 --> 00:07:26,290
So let me come over here and try to find something to upload.

111
00:07:27,040 --> 00:07:33,100
So we have done this before and this is the similarity between the Mr. Robot and this one.

112
00:07:33,610 --> 00:07:37,690
So I'm going to come over here and just search for the reversal.

113
00:07:38,290 --> 00:07:44,140
And of course, I'm going to go into the panties monkey by saying ignore the risk.

114
00:07:44,650 --> 00:07:45,970
So we have done this before.

115
00:07:45,970 --> 00:07:47,200
So I'm going to do this quick.

116
00:07:47,440 --> 00:07:51,850
I'm going to come over here to B and download the previous show.

117
00:07:52,330 --> 00:07:53,770
So we have done this before.

118
00:07:53,770 --> 00:08:03,340
If you remember, once we download this, it will get downloaded and the colonics will complain to say

119
00:08:03,340 --> 00:08:05,140
that, yeah, this is malware.

120
00:08:05,560 --> 00:08:11,110
We're going to open this, OK, so that it will allow us to edit this file.

121
00:08:11,560 --> 00:08:20,560
And I'm just going to come over here to my folder and just unzip this thing over there.

122
00:08:20,980 --> 00:08:30,370
And if I come over here and open this reversal with any kind of editor, then I get to edit the actual

123
00:08:30,400 --> 00:08:32,470
Allport and I'll host over here.

124
00:08:32,470 --> 00:08:32,820
Right.

125
00:08:33,010 --> 00:08:36,700
So remember, we have to open this with any kind of editor I'm using.

126
00:08:36,700 --> 00:08:39,790
Genie, if you're using something else, this is fine.

127
00:08:40,490 --> 00:08:47,800
Just I changed his IP address to your own IP address, which is ten down to four for me, I believe.

128
00:08:48,340 --> 00:08:51,100
And you can leave the port as it is.

129
00:08:51,430 --> 00:08:56,890
So I'm going to save this and close this one down and this one as well.

130
00:08:57,460 --> 00:09:04,750
So make sure you put your own IP address rather than channel to four and try to just I'm going to try

131
00:09:04,750 --> 00:09:08,230
and upload this thing over here.

132
00:09:08,230 --> 00:09:14,550
So let me find THP Perico and let's see if we can do that.

133
00:09:14,770 --> 00:09:15,400
Here you go.

134
00:09:15,400 --> 00:09:20,230
It says that this is not ever that file only allowed our PNG jpg.

135
00:09:20,980 --> 00:09:24,640
So again, we're going to have to try something else.

136
00:09:25,000 --> 00:09:29,290
So I'm going to rename this, OK, I'm going to change this too.

137
00:09:29,290 --> 00:09:30,670
Shall not be.

138
00:09:30,970 --> 00:09:35,190
And we can try that PMG like we have done before.

139
00:09:35,650 --> 00:09:38,230
Let me try and see if this works or not.

140
00:09:38,680 --> 00:09:41,230
I'm going to come over here and upload this one.

141
00:09:41,410 --> 00:09:42,220
Here you go.

142
00:09:42,220 --> 00:09:45,400
It says That file has been uploaded to uploads.

143
00:09:45,730 --> 00:09:46,420
Great.

144
00:09:46,420 --> 00:09:53,110
So let's go over here and see if we can actually make this work, because it doesn't mean that it's

145
00:09:53,110 --> 00:09:54,160
working right now.

146
00:09:54,790 --> 00:09:57,520
We only got to upload it.

147
00:09:57,550 --> 00:09:59,590
OK, so if you.

148
00:09:59,680 --> 00:10:06,760
Come over here to upload it, say no and let's say images, it says no.

149
00:10:07,420 --> 00:10:08,650
Here you go.

150
00:10:08,650 --> 00:10:15,820
Images, yeah, we can't see the images, but it's not uploaded over here and we cannot seem to go to

151
00:10:15,820 --> 00:10:16,620
uploads.

152
00:10:16,870 --> 00:10:18,610
Let me try that one more time.

153
00:10:18,650 --> 00:10:23,850
I, I actually wasn't able to see the whole thing over here.

154
00:10:24,160 --> 00:10:31,810
I'm going to just go for a movie LP on two one, two, three, four to start listening, OK, by the

155
00:10:31,810 --> 00:10:32,190
way.

156
00:10:32,860 --> 00:10:37,300
So, yeah, it's supposed to be.

157
00:10:38,530 --> 00:10:40,570
Let me come over here.

158
00:10:40,570 --> 00:10:42,740
It's supposed to be uploads.

159
00:10:42,790 --> 00:10:52,930
OK, so maybe we can just try to reach the upload slash and the filename over here, but we cannot go

160
00:10:52,930 --> 00:10:53,850
to uploads.

161
00:10:53,860 --> 00:10:54,340
Right.

162
00:10:54,340 --> 00:10:55,600
We cannot go there.

163
00:10:55,960 --> 00:11:03,730
So you can just try to directly go to the shelter that PMG and here you go.

164
00:11:03,730 --> 00:11:08,140
It seems to be working and we got the show right now.

165
00:11:08,140 --> 00:11:10,180
We got the show back from here.

166
00:11:10,180 --> 00:11:13,240
So maybe you can make a note of this URL as well.

167
00:11:13,250 --> 00:11:18,940
So if you lose your shadow over here, you can come back anytime you want.

168
00:11:19,480 --> 00:11:26,410
And as you can see, we are in the Apache user, which is great, but not great, actually, which is

169
00:11:26,410 --> 00:11:28,630
good, but not great because we are not rude.

170
00:11:29,020 --> 00:11:32,410
So we need to escalate our privileges a little bit.

171
00:11:32,950 --> 00:11:39,730
OK, so again, make sure to copy this one and try to run it.

172
00:11:40,930 --> 00:11:48,040
If you lose your show, if you lose your session later on, I'm going to go into my folder over here

173
00:11:48,040 --> 00:11:56,560
to Nannerl in my notes that Texte and I'm going to pace the thing over there so that we can actually

174
00:11:56,560 --> 00:11:58,080
reach it whenever we want.

175
00:11:58,900 --> 00:12:02,110
OK, now we are in the server.

176
00:12:02,110 --> 00:12:03,370
We managed to hack it.

177
00:12:03,550 --> 00:12:05,680
Now we're going to see what we can do with it.

178
00:12:05,800 --> 00:12:08,860
But we're going to do that within the next lecture together.