00:00:01,030 --> 00:01:34,500
Hi, within this lecture, we're going to see if we can log into this admin portal. So before trying brute forcing or any kind of SQL injection over here, I'm going to take a look at the page source and see if we can have a tip or hint. And here you go. We have a lot of things going on over here. Let me zoom in and see what we can get over there. So we have the meta name description over here, and the content is "lead password login test page views, base64 encoding for images". So they are inline in the HTML and, yep, it says that "I read somewhere on the web this is a good way to do this." I don't know about that. But we have another comment over here. OK, so this is the comment syntax, as you might remember. And in the comment we have a TODO: "we need to clean this up for production. I left some junk in here to make testing easier." So we have this note and it's obviously a hint for us. And the note is written by easy peasy over here. So, easy peasy. So this may be our admin, may be our user. We're, of course, definitely going to try to log in with this. Right. Because that's what we do. We follow the breadcrumbs and try to see what we can do with it.
00:01:35,080 --> 00:03:02,280
And over here, we actually have the image source encoded with base64, I believe. So let me see if this is the same image. Let's say copy image address over here and paste it. And here you go. They actually named the image like this. So I don't know who does that, but supposedly it works. If I click Enter, it will download the file for us. Of course, we don't need that. But again, so this is the case: it says that we use base64 encoding and I don't know how it's going to do us any help. But if we scroll down a little bit, we can see there is another comment over here, OK, which is the base64 encryption one more time. So what I'm going to do, I'm going to copy this one and try to decrypt it and see what we can actually get out of this. Well, maybe this is the password. So as you can see, after that there comes the form. So it's going to do a POST over here if we give the username and password. So, again, there's nothing funny over there. So this is the form. But maybe the username is easy peasy. We assume that we found the username. Maybe this is the password as well, but we're going to try and see.
00:03:02,650 --> 00:04:43,990
So I'm going to copy this and go to the web and search for "base64 decrypt online", something like that, decode, decryption. And I believe we worked with this before, base64decode.org, and if it doesn't work we can always try other things. So I'm going to paste this over here and just see. Yeah, it says malformed input. So let's see. Maybe we have copied the wrong thing. Let me just do this one more time over here and just say copy and come over there and just delete the whole thing and paste one more time. Here you go. It again says malformed input, so it isn't good. Let me copy this one and come to my terminal over here, and let me go to my folder and create a new thing called password.txt, OK, and paste it over there. So I'm going to try and decrypt this in my Kali Linux. I'm going to save this, Ctrl+O, Enter and Ctrl+X, and I'm going to use base64 in order to decrypt this. And I'm going to say base64 -d and you can just give the file as an input, like password.txt, and here you go. It kind of decrypts it, but it's all gibberish. OK, and we see the PNG over here. So probably this is not a string, this is not a regular text file; they encrypted a PNG file.
00:04:44,320 --> 00:06:24,580
So I'm going to decrypt this and give the output as a file, like decrypt.png, something like that, and see if we actually get a valid PNG back. So if we get this, that means that we're going to see a picture. Right, so here you go, we have the decrypt.png over there. So let me just open that and try to see if we have a valid PNG file over there. So let me come over here and here you go. So this is supposedly our password. Of course, we're going to try and see; maybe this is the user and E.S.P is the password. I don't know. So I'm going to open my notes one more time because we're going to have to just take a note of those things. So, first of all, let me just take this from here. So this is uppercase, lowercase, OK, P, K, K, e, something like that. It's going to take some time. So if you know how to do this automatically, then it's great. I believe there are some services to do that online. But since this is a fairly short amount, I'm just going to do this manually and copy this, OK, and let me see if I copied the right thing. Here you go. Yeah, I believe I did the right thing. But let's do that one more time. So I'm going to copy this and save this as well and come back here to our login
00:06:24,580 --> 00:07:47,200
portal. I'm going to paste this under the password, and for the username we're going to give the easy peasy. Let's see how it's spelled. Let me come back over here. Yeah. So it's like that. Easy peasy. So I'm going to copy that as well in order not to make a mistake. And I'm going to say log in and here you go. Login successful, and yeah, easy peasy should have been our user, should have been our admin user. I don't know yet. And this is the password. So, great. And this is supposedly the admin portal. As you can see, we don't get much. We only have something to upload over here and it says "upload image". But of course, as usual, we're going to try and upload some reverse shell over there. I hope it works. So let me come over here and try to find something to upload. So we have done this before, and this is the similarity between the Mr. Robot one and this one. So I'm going to come over here and just search for the reverse shell. And of course, I'm going to go into the pentestmonkey one by saying ignore the risk. So we have done this before. So I'm going to do this quick.
00:07:47,440 --> 00:09:29,290
I'm going to come over here and download the reverse shell. So we have done this before. If you remember, once we download this, it will get downloaded and Kali Linux will complain to say that, yeah, this is malware. We're going to open this, OK, so that it will allow us to edit this file. And I'm just going to come over here to my folder and just unzip this thing over there. And if I come over here and open this reverse shell with any kind of editor, then I get to edit the actual LPORT and LHOST over here. Right. So remember, we have to open this with any kind of editor; I'm using Genie, if you're using something else, this is fine. Just change this IP address to your own IP address, which is ten down to four for me, I believe. And you can leave the port as it is. So I'm going to save this and close this one down and this one as well. So make sure you put your own IP address rather than channel to four and try to... I'm going to try and upload this thing over here. So let me find php-reverse-shell and let's see if we can do that. Here you go. It says that this is not a valid file; only allowed are PNG, JPG. So again, we're going to have to try something else. So I'm going to rename this, OK, I'm going to change this to
00:09:29,290 --> 00:11:03,730
shell.php. And we can try .png like we have done before. Let me try and see if this works or not. I'm going to come over here and upload this one. Here you go. It says that the file has been uploaded to uploads. Great. So let's go over here and see if we can actually make this work, because it doesn't mean that it's working right now. We only got to upload it. OK, so if you come over here to uploads, it says no, and let's say images, it says no. Here you go. Images, yeah, we can't see the images, but it's not uploaded over here and we cannot seem to go to uploads. Let me try that one more time. I actually wasn't able to see the whole thing over here. I'm going to just go for nc -nvlp 1234 to start listening, OK, by the way. So, yeah, it's supposed to be... Let me come over here. It's supposed to be uploads. OK, so maybe we can just try to reach the uploads slash and the filename over here, but we cannot go to uploads. Right. We cannot go there. So you can just try to directly go to the shell.php.png and here you go.
00:11:03,730 --> 00:12:08,860
It seems to be working and we got the shell right now. We got the shell back from here. So maybe you can make a note of this URL as well. So if you lose your shell over here, you can come back anytime you want. And as you can see, we are the Apache user, which is great, but not great, actually; which is good, but not great, because we are not root. So we need to escalate our privileges a little bit. OK, so again, make sure to copy this one and try to run it if you lose your shell, if you lose your session later on. I'm going to go into my folder over here, to nano my notes.txt, and I'm going to paste the thing over there so that we can actually reach it whenever we want. OK, now we are in the server. We managed to hack it. Now we're going to see what we can do with it. But we're going to do that within the next lecture together.