1
00:00:00,840 --> 00:00:07,470
Hi, within this lecture, we're going to see if we can become real to using the admin user that we

2
00:00:07,470 --> 00:00:12,340
currently swished and we're going to see what we can do to become rude.

3
00:00:12,750 --> 00:00:15,920
So far, we know that we are edman right now.

4
00:00:16,290 --> 00:00:20,130
And over here we are the user Apache's.

5
00:00:20,130 --> 00:00:28,900
So now I have to shelfs right so I can use this shell in order to gain more privilege in this server.

6
00:00:29,280 --> 00:00:30,960
So let me run Al-Saleh.

7
00:00:31,020 --> 00:00:34,960
We are in the home admin user and see what we can do over here.

8
00:00:35,400 --> 00:00:43,400
So as you can see, we have some binaries like cats mod and also we have grown up that peahi cryptid

9
00:00:43,410 --> 00:00:47,420
pass that the encrypted pass that P y.

10
00:00:48,120 --> 00:00:52,170
So let me get this out and see what we can do with those.

11
00:00:52,440 --> 00:00:59,310
So chrome jpy it opens the top chrome results and it right.

12
00:00:59,310 --> 00:01:07,210
Some string into it and it actually runs the, it opens the run this and executes that.

13
00:01:07,230 --> 00:01:12,420
So this was our current job that we actually took leverage off in the previous lecture.

14
00:01:13,020 --> 00:01:14,430
So here you go.

15
00:01:14,430 --> 00:01:16,720
We have a cryptic pass that you see.

16
00:01:17,070 --> 00:01:18,300
Let's see what it does.

17
00:01:18,330 --> 00:01:25,350
So let me come over here, Krypto, pass the cryptid, pass that taxe.

18
00:01:25,950 --> 00:01:30,420
So we have a kind of password or some kind of a hash over here.

19
00:01:30,660 --> 00:01:36,900
So I'm just going to copy and take a note of that so that maybe we will decrypted later on.

20
00:01:36,900 --> 00:01:37,770
Maybe we won't.

21
00:01:37,770 --> 00:01:40,530
I don't know, but I'm just going to take some notes.

22
00:01:40,950 --> 00:01:45,180
So I'm going to go into my notes that TXI and pasted over here.

23
00:01:45,480 --> 00:01:45,910
Right.

24
00:01:45,930 --> 00:01:52,120
So let me just paste it and just come back to our shell.

25
00:01:52,560 --> 00:01:55,200
So this was the decrypted that passed out text.

26
00:01:55,320 --> 00:01:59,300
We also have a script passed that while over here.

27
00:01:59,880 --> 00:02:09,130
OK, so I believe this is the thing that cryptid that script to pass that text we're going to see.

28
00:02:09,570 --> 00:02:16,700
Let me just Kat, who is your gun now that as you can see, there is another text file over here.

29
00:02:17,070 --> 00:02:19,500
So this seems like another password.

30
00:02:19,890 --> 00:02:23,370
So I'm just going to come over here and paste this into my notes as well.

31
00:02:24,030 --> 00:02:25,230
So far, so good.

32
00:02:25,230 --> 00:02:31,560
We are getting a lot of hashes, so I'm just going to save those and cut them out to see it anytime

33
00:02:31,560 --> 00:02:32,130
I want.

34
00:02:32,580 --> 00:02:33,810
Let me come back.

35
00:02:34,440 --> 00:02:35,670
So here.

36
00:02:35,700 --> 00:02:36,150
OK.

37
00:02:36,960 --> 00:02:45,270
So I have to hashas and I also have one quick past IPY, so we suspect that this is the thing that crypts

38
00:02:45,570 --> 00:02:47,460
this hashes over here.

39
00:02:47,700 --> 00:02:49,170
So we get to see how it works.

40
00:02:49,180 --> 00:02:53,210
So I'm going to say Cat Creped, pass that p y.

41
00:02:53,790 --> 00:02:55,320
OK, great.

42
00:02:55,320 --> 00:02:55,840
Pass that.

43
00:02:56,790 --> 00:02:57,690
And here you go.

44
00:02:57,700 --> 00:03:00,270
We have a basic python over here.

45
00:03:00,270 --> 00:03:08,780
Python called over here and it actually uses some kind of base64 encryption and some other encryptions

46
00:03:08,970 --> 00:03:10,600
like row 13 as well.

47
00:03:10,950 --> 00:03:12,410
So I'm just going to copy this.

48
00:03:12,930 --> 00:03:21,390
So if this is the thing that copy is and actually that encrypts all this hashes, we can reverse engineer

49
00:03:21,390 --> 00:03:26,490
it and we can decrypt the file by writing our own python code.

50
00:03:26,490 --> 00:03:26,870
Right.

51
00:03:27,090 --> 00:03:28,200
So it's very easy.

52
00:03:28,530 --> 00:03:30,140
Let me just show you how it's done.

53
00:03:30,150 --> 00:03:37,320
I'm going to go into my free Salix folder one more time and I'm going to open a crypt up my file over

54
00:03:37,320 --> 00:03:39,920
here with Nano and I'm going to paste this in.

55
00:03:40,620 --> 00:03:41,540
So here you go.

56
00:03:41,550 --> 00:03:43,660
This is our algorithm over here.

57
00:03:44,010 --> 00:03:47,670
So what it does, it imparts the base64 cortex senses.

58
00:03:48,930 --> 00:03:50,330
So far, so good.

59
00:03:50,340 --> 00:03:55,650
So we have these libraries over here and then we have a function.

60
00:03:55,660 --> 00:03:59,150
So it's called encode string, OK?

61
00:03:59,490 --> 00:04:05,750
And it takes in a string and it uses some kind of encryption algorithms over here.

62
00:04:05,760 --> 00:04:15,030
So it first uses let me just see base64 and then it returns the rote version of this and finally it

63
00:04:15,050 --> 00:04:21,760
returns crypto results and it prints out the crypto results, actually, not the returns it.

64
00:04:22,290 --> 00:04:25,470
So this is the thing that we should reverse engineer.

65
00:04:25,920 --> 00:04:38,010
So again, this takes in string and it converts that string into the base64 encoding thingy and it returns

66
00:04:38,340 --> 00:04:41,560
this it actually reverses that string.

67
00:04:41,620 --> 00:04:51,570
OK, this does that base64 string and open parentheses, Colin, Colin minus one means reverse it and

68
00:04:51,570 --> 00:04:56,220
then it uses codecs library to encode it with 13.

69
00:04:57,390 --> 00:04:59,400
So algorithm is simple.

70
00:04:59,730 --> 00:05:07,230
First convert it into base64, then reverse it and actually encrypt it one more time.

71
00:05:07,230 --> 00:05:10,200
We throw thirteen and then princi that.

72
00:05:10,830 --> 00:05:19,180
So what we should do over here decrypted we 13 reverse it and then decrypted with base64 one more time.

73
00:05:19,750 --> 00:05:24,810
OK, so we have to just write the exact opposite of this algorithm.

74
00:05:25,410 --> 00:05:28,470
So I'm going to just try this, OK?

75
00:05:28,470 --> 00:05:31,500
I'm going to say python peahi atheel.

76
00:05:31,830 --> 00:05:33,510
So we have this encryption.

77
00:05:33,520 --> 00:05:39,000
So this is the string Attila's representation of the encryption algorithm.

78
00:05:39,540 --> 00:05:45,630
Later on, when we write our own decrypt algorithm, we are going to see if we can get the atheel back

79
00:05:45,630 --> 00:05:46,730
from that result.

80
00:05:47,310 --> 00:05:57,240
So I'm going to write Chat's Creped Pi to see this because I'm going to copy this and I'm going to create

81
00:05:57,240 --> 00:06:03,630
a new file called Decrypt that PBI over here and paste the thing in because we are going to change this

82
00:06:03,630 --> 00:06:04,220
a little bit.

83
00:06:04,230 --> 00:06:04,580
Right.

84
00:06:05,280 --> 00:06:11,070
So I'm going to still import those libraries, but I'm going to change this to decode string.

85
00:06:11,280 --> 00:06:14,490
It will take some string as an input one more time.

86
00:06:14,700 --> 00:06:16,470
So I'm not changing this.

87
00:06:16,980 --> 00:06:23,250
So rather than this first of all, I'm going to delete this, OK?

88
00:06:23,250 --> 00:06:26,970
Because we should start with base64 decryption.

89
00:06:27,120 --> 00:06:31,050
We start with the latest one with the 13 decryption.

90
00:06:31,200 --> 00:06:34,740
Then we will return the base64 decryption.

91
00:06:35,220 --> 00:06:40,230
OK, so I'm going to delete everything over here, including return.

92
00:06:40,440 --> 00:06:42,690
I'm just going to leave this, OK?

93
00:06:42,990 --> 00:06:50,370
I'm going to create a new variable called Decoded String and this will become codecs that decode this

94
00:06:50,370 --> 00:06:51,660
time rather than code.

95
00:06:52,080 --> 00:06:59,940
And it will just take in the string that we have supplied over here and reverse it and decrypt that.

96
00:06:59,940 --> 00:07:00,990
We dropped 13.

97
00:07:01,620 --> 00:07:08,070
Then I'm going to leave the exact same spaces as here and say return base64.

98
00:07:08,430 --> 00:07:18,810
And I believe we have to say that be 64 DeCota up it goes like this base64 that B seeks to for decode

99
00:07:19,170 --> 00:07:24,530
and we need to give the decoded string over here and over there.

100
00:07:24,540 --> 00:07:29,400
So crypto results will be now decode string.

101
00:07:29,410 --> 00:07:34,740
So this is the thing that we are looking for and we're going to print that result back.

102
00:07:35,040 --> 00:07:36,030
So that's it.

103
00:07:36,530 --> 00:07:37,890
That's all we need to do.

104
00:07:38,240 --> 00:07:48,110
We managed to turn it into decrypts states, I believe we're going to try and see because we did exactly

105
00:07:48,110 --> 00:07:51,110
the opposite of the encryption algorithm.

106
00:07:51,120 --> 00:07:52,310
So this should work.

107
00:07:53,120 --> 00:08:02,630
We turned down the road 13 and then we decoded the base64 as well, using the same algorithm, same

108
00:08:02,870 --> 00:08:03,830
logic.

109
00:08:04,220 --> 00:08:10,070
OK, so of course, in order to understand this, you should know a little bit python.

110
00:08:10,250 --> 00:08:13,160
But I believe this is easy and you know that much.

111
00:08:13,550 --> 00:08:19,970
So I'm going to try Python Decrypt IPY and I'm going to try and decrypt this one to see if this works.

112
00:08:19,970 --> 00:08:22,370
If this works, it should give me until as back.

113
00:08:22,550 --> 00:08:23,540
And here you go.

114
00:08:23,720 --> 00:08:27,880
I have my own name over here, so I encrypted this before.

115
00:08:28,250 --> 00:08:35,480
Now I can use the same decrypt API file in order to decrypt all this passwords over here.

116
00:08:35,480 --> 00:08:40,600
So I don't know if their passwords, but they are some kind of lead at least.

117
00:08:40,940 --> 00:08:43,580
So it says that this is all.

118
00:08:43,580 --> 00:08:46,120
So we want to try.

119
00:08:46,130 --> 00:08:46,710
I don't know.

120
00:08:47,330 --> 00:08:51,620
So let me just decrypt this one and see what we get over here.

121
00:08:52,010 --> 00:08:53,390
Let me copy this.

122
00:08:53,390 --> 00:08:55,310
And here you go.

123
00:08:55,970 --> 00:09:00,320
Let me just paste it one more time and hit enter.

124
00:09:00,500 --> 00:09:01,940
Let there be foresty.

125
00:09:02,090 --> 00:09:07,070
OK, so we know this to exist right now.

126
00:09:07,070 --> 00:09:13,910
Most people with their passwords of the other users that we are going to try, but we don't know yet.

127
00:09:14,060 --> 00:09:15,800
But we managed to decrypt this.

128
00:09:15,800 --> 00:09:19,520
We managed to break it cryptology over a year, which is good, which is great.

129
00:09:19,520 --> 00:09:21,050
So far, so good.

130
00:09:21,520 --> 00:09:24,470
Where are you going to stop here and continue within the next one?