1
00:00:00,840 --> 00:00:07,470
Hi, within this lecture, we're going to see if we can become root using the admin user that we

2
00:00:07,470 --> 00:00:12,340
currently switched to, and we're going to see what we can do to become root.

3
00:00:12,750 --> 00:00:15,920
So far, we know that we are admin right now.

4
00:00:16,290 --> 00:00:20,130
And over here we are the user apache.

5
00:00:20,130 --> 00:00:28,900
So now I have two shells, right, so I can use this shell in order to gain more privilege on this server.

6
00:00:29,280 --> 00:00:30,960
So let me run ls -la.

7
00:00:31,020 --> 00:00:34,960
We are in the admin user's home, and see what we can do over here.

8
00:00:35,400 --> 00:00:43,400
So as you can see, we have some binaries like cat, chmod, and also we have cronjob.py, cryptedpass.txt

9
00:00:43,410 --> 00:00:47,420
and the cryptpass.py.

10
00:00:48,120 --> 00:00:52,170
So let me cat these out and see what we can do with those.

11
00:00:52,440 --> 00:00:59,310
So cronjob.py, it opens the /tmp/cronresult and it writes

12
00:00:59,310 --> 00:01:07,210
some string into it, and it actually runs the, it opens the runthis and executes that.

13
00:01:07,230 --> 00:01:12,420
So this was our cron job that we actually took leverage of in the previous lecture.

14
00:01:13,020 --> 00:01:14,430
So here you go.

15
00:01:14,430 --> 00:01:16,720
We have a cryptedpass.txt, you see.

16
00:01:17,070 --> 00:01:18,300
Let's see what it does.

17
00:01:18,330 --> 00:01:25,350
So let me come over here, cat cryptpass, the cryptedpass.txt.

18
00:01:25,950 --> 00:01:30,420
So we have a kind of password or some kind of a hash over here.

19
00:01:30,660 --> 00:01:36,900
So I'm just going to copy and take a note of that so that maybe we will decrypt it later on.

20
00:01:36,900 --> 00:01:37,770
Maybe we won't.

21
00:01:37,770 --> 00:01:40,530
I don't know, but I'm just going to take some notes.

22
00:01:40,950 --> 00:01:45,180
So I'm going to go into my notes.txt and paste it over here.

23
00:01:45,480 --> 00:01:45,910
Right.

24
00:01:45,930 --> 00:01:52,120
So let me just paste it and just come back to our shell.

25
00:01:52,560 --> 00:01:55,200
So this was the cryptedpass.txt.

26
00:01:55,320 --> 00:01:59,300
We also have a cryptpass.py file over here.

27
00:01:59,880 --> 00:02:09,130
OK, so I believe this is the thing that crypted that cryptedpass.txt, we're going to see.

28
00:02:09,570 --> 00:02:16,700
Let me just cat whoisyourgodnow.txt. As you can see, there is another text file over here.

29
00:02:17,070 --> 00:02:19,500
So this seems like another password.

30
00:02:19,890 --> 00:02:23,370
So I'm just going to come over here and paste this into my notes as well.

31
00:02:24,030 --> 00:02:25,230
So far, so good.

32
00:02:25,230 --> 00:02:31,560
We are getting a lot of hashes, so I'm just going to save those and cat them out to see them anytime

33
00:02:31,560 --> 00:02:32,130
I want.

34
00:02:32,580 --> 00:02:33,810
Let me come back.

35
00:02:34,440 --> 00:02:35,670
So here.

36
00:02:35,700 --> 00:02:36,150
OK.

37
00:02:36,960 --> 00:02:45,270
So I have two hashes and I also have one cryptpass.py, so we suspect that this is the thing that crypts

38
00:02:45,570 --> 00:02:47,460
these hashes over here.

39
00:02:47,700 --> 00:02:49,170
So we get to see how it works.

40
00:02:49,180 --> 00:02:53,210
So I'm going to say cat cryptpass.py.

41
00:02:53,790 --> 00:02:55,320
OK, great.

42
00:02:55,320 --> 00:02:55,840
cryptpass.py.

43
00:02:56,790 --> 00:02:57,690
And here you go.

44
00:02:57,700 --> 00:03:00,270
We have a basic Python over here.

45
00:03:00,270 --> 00:03:08,780
Python code over here, and it actually uses some kind of base64 encryption and some other encryptions

46
00:03:08,970 --> 00:03:10,600
like rot13 as well.

47
00:03:10,950 --> 00:03:12,410
So I'm just going to copy this.

48
00:03:12,930 --> 00:03:21,390
So if this is the thing that crypts and actually encrypts all these hashes, we can reverse engineer

49
00:03:21,390 --> 00:03:26,490
it and we can decrypt the file by writing our own Python code.

50
00:03:26,490 --> 00:03:26,870
Right.

51
00:03:27,090 --> 00:03:28,200
So it's very easy.

52
00:03:28,530 --> 00:03:30,140
Let me just show you how it's done.

53
00:03:30,150 --> 00:03:37,320
I'm going to go into my Fristileaks folder one more time and I'm going to open a cryptpass.py file over

54
00:03:37,320 --> 00:03:39,920
here with nano and I'm going to paste this in.

55
00:03:40,620 --> 00:03:41,540
So here you go.

56
00:03:41,550 --> 00:03:43,660
This is our algorithm over here.

57
00:03:44,010 --> 00:03:47,670
So what it does, it imports base64, codecs, sys.

58
00:03:48,930 --> 00:03:50,330
So far, so good.

59
00:03:50,340 --> 00:03:55,650
So we have these libraries over here and then we have a function.

60
00:03:55,660 --> 00:03:59,150
So it's called encodeString, OK?

61
00:03:59,490 --> 00:04:05,750
And it takes in a string and it uses some kind of encryption algorithms over here.

62
00:04:05,760 --> 00:04:15,030
So it first uses, let me just see, base64 and then it returns the rot version of this and finally it

63
00:04:15,050 --> 00:04:21,760
returns cryptoResult and it prints out the cryptoResult, actually, it does not return it.

64
00:04:22,290 --> 00:04:25,470
So this is the thing that we should reverse engineer.

65
00:04:25,920 --> 00:04:38,010
So again, this takes in a string and it converts that string into the base64 encoding thingy and it returns

66
00:04:38,340 --> 00:04:41,560
this, it actually reverses that string.

67
00:04:41,620 --> 00:04:51,570
OK, this does that base64 string and open bracket, colon, colon, minus one means reverse it and

68
00:04:51,570 --> 00:04:56,220
then it uses the codecs library to encode it with rot13.

69
00:04:57,390 --> 00:04:59,400
So the algorithm is simple.

70
00:04:59,730 --> 00:05:07,230
First convert it into base64, then reverse it and actually encrypt it one more time

71
00:05:07,230 --> 00:05:10,200
with rot13, and then print that.

72
00:05:10,830 --> 00:05:19,180
So what we should do over here: decrypt it with rot13, reverse it and then decrypt it with base64 one more time.

73
00:05:19,750 --> 00:05:24,810
OK, so we have to just write the exact opposite of this algorithm.

74
00:05:25,410 --> 00:05:28,470
So I'm going to just try this, OK?

75
00:05:28,470 --> 00:05:31,500
I'm going to say python cryptpass.py atil.

76
00:05:31,830 --> 00:05:33,510
So we have this encryption.

77
00:05:33,520 --> 00:05:39,000
So this is the string atil's representation after the encryption algorithm.

78
00:05:39,540 --> 00:05:45,630
Later on, when we write our own decrypt algorithm, we are going to see if we can get the atil back

79
00:05:45,630 --> 00:05:46,730
from that result.

80
00:05:47,310 --> 00:05:57,240
So I'm going to write cat cryptpass.py to see this, because I'm going to copy this and I'm going to create

81
00:05:57,240 --> 00:06:03,630
a new file called decrypt.py over here and paste the thing in, because we are going to change this

82
00:06:03,630 --> 00:06:04,220
a little bit.

83
00:06:04,230 --> 00:06:04,580
Right.

84
00:06:05,280 --> 00:06:11,070
So I'm going to still import those libraries, but I'm going to change this to decodeString.

85
00:06:11,280 --> 00:06:14,490
It will take some string as an input one more time.

86
00:06:14,700 --> 00:06:16,470
So I'm not changing this.

87
00:06:16,980 --> 00:06:23,250
So rather than this, first of all, I'm going to delete this, OK?

88
00:06:23,250 --> 00:06:26,970
Because we should start with base64 decryption.

89
00:06:27,120 --> 00:06:31,050
We start with the latest one, with the rot13 decryption.

90
00:06:31,200 --> 00:06:34,740
Then we will return the base64 decryption.

91
00:06:35,220 --> 00:06:40,230
OK, so I'm going to delete everything over here, including return.

92
00:06:40,440 --> 00:06:42,690
I'm just going to leave this, OK?

93
00:06:42,990 --> 00:06:50,370
I'm going to create a new variable called decodedString and this will become codecs.decode this

94
00:06:50,370 --> 00:06:51,660
time rather than encode.

95
00:06:52,080 --> 00:06:59,940
And it will just take in the string that we have supplied over here and reverse it and decrypt that

96
00:06:59,940 --> 00:07:00,990
with rot13.

97
00:07:01,620 --> 00:07:08,070
Then I'm going to leave the exact same spaces as here and say return base64.

98
00:07:08,430 --> 00:07:18,810
And I believe we have to say b64decode, yep, it goes like this: base64.b64decode,

99
00:07:19,170 --> 00:07:24,530
and we need to give the decodedString over here and over there.

100
00:07:24,540 --> 00:07:29,400
So cryptoResult will now be decodeString.

101
00:07:29,410 --> 00:07:34,740
So this is the thing that we are looking for and we're going to print that result back.

102
00:07:35,040 --> 00:07:36,030
So that's it.

103
00:07:36,530 --> 00:07:37,890
That's all we need to do.

104
00:07:38,240 --> 00:07:48,110
We managed to turn it into a decrypting state, I believe, we're going to try and see, because we did exactly

105
00:07:48,110 --> 00:07:51,110
the opposite of the encryption algorithm.

106
00:07:51,120 --> 00:07:52,310
So this should work.

107
00:07:53,120 --> 00:08:02,630
We turned around the rot13 and then we decoded the base64 as well, using the same algorithm, same

108
00:08:02,870 --> 00:08:03,830
logic.

109
00:08:04,220 --> 00:08:10,070
OK, so of course, in order to understand this, you should know a little bit of Python.

110
00:08:10,250 --> 00:08:13,160
But I believe this is easy and you know that much.

111
00:08:13,550 --> 00:08:19,970
So I'm going to try python decrypt.py and I'm going to try and decrypt this one to see if this works.

112
00:08:19,970 --> 00:08:22,370
If this works, it should give me atil back.

113
00:08:22,550 --> 00:08:23,540
And here you go.

114
00:08:23,720 --> 00:08:27,880
I have my own name over here, so I encrypted this before.

115
00:08:28,250 --> 00:08:35,480
Now I can use the same decrypt.py file in order to decrypt all these passwords over here.

116
00:08:35,480 --> 00:08:40,600
So I don't know if they're passwords, but they are some kind of lead at least.

117
00:08:40,940 --> 00:08:43,580
So it says that this is all.

118
00:08:43,580 --> 00:08:46,120
So we want to try.

119
00:08:46,130 --> 00:08:46,710
I don't know.

120
00:08:47,330 --> 00:08:51,620
So let me just decrypt this one and see what we get over here.

121
00:08:52,010 --> 00:08:53,390
Let me copy this.

122
00:08:53,390 --> 00:08:55,310
And here you go.

123
00:08:55,970 --> 00:09:00,320
Let me just paste it one more time and hit enter.

124
00:09:00,500 --> 00:09:01,940
Let there be fristi.

125
00:09:02,090 --> 00:09:07,070
OK, so we know fristi exists right now.

126
00:09:07,070 --> 00:09:13,910
Maybe these are the passwords of the other users that we are going to try, but we don't know yet.

127
00:09:14,060 --> 00:09:15,800
But we managed to decrypt this.

128
00:09:15,800 --> 00:09:19,520
We managed to break its cryptology over here, which is good, which is great.

129
00:09:19,520 --> 00:09:21,050
So far, so good.

130
00:09:21,520 --> 00:09:24,470
We're going to stop here and continue within the next one.
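The scheme the lecture walks through (base64, reverse the text, rot13) and its inverse, written out as an added example that is not the lecture's cryptpass.py or decrypt.py. The function names, the command-line usage and the sample inputs are this example's own; it also goes slightly beyond the lecture by adding a check that tells whether a stored value is consistent with the scheme at all, which is useful when auditing a host for credentials "protected" this way.

```python
import base64
import codecs
import sys

# Added example reconstructing the three-step transform described in the
# lecture: base64-encode, reverse, rot13. No key is involved anywhere, so
# anyone holding the script (or just knowing the steps) can invert it.
# Names here (encode_string, decode_string, ...) are this example's own.


def encode_string(plaintext: str) -> str:
    """Forward direction: base64-encode, reverse the text, then apply rot13."""
    b64 = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")
    return codecs.encode(b64[::-1], "rot13")


def decode_string(encoded: str) -> str:
    """Inverse: undo each step in the opposite order (rot13, reverse, base64-decode)."""
    unrotated = codecs.decode(encoded, "rot13")  # rot13 is its own inverse
    b64 = unrotated[::-1]
    # validate=True rejects characters outside the base64 alphabet instead of skipping them
    return base64.b64decode(b64.encode("ascii"), validate=True).decode("utf-8")


def round_trips(plaintext: str) -> bool:
    """True when decode(encode(x)) == x: the transform is fully reversible without any secret."""
    return decode_string(encode_string(plaintext)) == plaintext


def looks_like_this_scheme(blob: str) -> bool:
    """Audit helper: does a stored value invert cleanly under this scheme?

    A value produced by encode_string always turns into valid base64 of valid
    UTF-8 after rot13 + reverse; random text or a real password hash will not.
    """
    try:
        decode_string(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Usage (constructed):  python3 example.py encode <text>
    #                       python3 example.py decode <blob>
    mode, value = sys.argv[1], sys.argv[2]
    print(encode_string(value) if mode == "encode" else decode_string(value))
```

Because every step is a fixed, keyless permutation, a file "encrypted" like this is equivalent to plaintext for anyone who can read it; from a hardening point of view such files should be treated as exposed credentials, and stored passwords belong behind a real password hash (bcrypt, scrypt, Argon2) rather than a reversible encoding.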