I legally defaced this website.

Captions
You've invested countless hours to develop your own website, and you're just afraid that some hacker on the internet would just deface it. In this video I'm going to show you how hackers find vulnerabilities inside your website, exploit them and then deface your website. But why do I bother doing that? Well, I myself had this background voice whenever I was developing something, that some hacker somehow would be able to attack it, and that was like the motivation for me to start learning how to write secure code. Throughout this video you're going to witness some hacking techniques. Don't test them on websites that you don't have permission to attack.

Imagine this is your website. You're so happy about it, you've published it. I'm going to show you exactly how I would go about finding vulnerabilities here, exploiting them and defacing this website. So what hackers generally do when they first start hacking a website is just use it normally. They would visit every link, every page and every feature that your website or web application offers. So here we can see we have About, Experience, Education, we have the interests of this web developer: he is an avid skier, a novice ice climber, he does a lot of outdoor activities. I would say he is a healthy developer, and he has a bunch of awards. So we're up against, I would say, a senior developer here, and he has a bunch of social media links which point to nothing from his website. OK.

I'm also going to look for the source code behind it. It's not the server-side code, but just the HTML code that powers this web page. And as you can see here we have a bunch of links that we didn't see in the manual enumeration part. For example, we can see that we have the profile image, which is hosted under the img folder. So if I go here to the same path, I get the profile picture of the developer. Now what happens if I remove this part right here? Would I potentially access other files? Let's see. Oh, we have what we call a directory listing, which means that we have a list of files under this directory, and fortunately for this developer he only had one picture image under this folder.

So let's go back to the source and continue our enumeration. I don't see anything interesting here, just a bunch of classes and IDs and HTML tags. Yeah, he is a senior developer. By the way, we have a bunch of libraries like jQuery and Bootstrap which are hosted under the vendor folder, so I wonder if I could go directly to that, and yes, I can. Fortunately for the developer these are just JavaScript libraries, so the best thing that we could achieve here is just a cross-site scripting. I'm not really interested in that; I just want to deface the website, and to do that I would need something on the server side. So the first thing you notice is that if you have directory listing configured on your website, just go ahead and disable it, otherwise hackers might gain access to other files if they're hosted under that directory.

I don't see any attack surface here, so I want to discover more. This is generally what hackers do, and how do they do that? Brute force. So I'm going to brute force this part here to see if there are any folders which are not available as links. These could be hidden portals, upload folders, etc. So I'm going to use wfuzz for that, and I'm interested in fuzzing this part right here under the hostname, so this would be this part right here. All right, we've already found the css, images and js folders, but we have something new: development. That's an interesting folder which might contain other interesting features, probably vulnerable to something. But as you can see here the response code is 401, which means that it's unauthorized. So if I go to development, as you can see, I'm prompted with a login, username and a password. I don't have them. Maybe I can try something like admin/admin or admin/password. If you're a developer and you have a portal with such a username and password, just go ahead, pause the video and change them right now. So let's cancel for now and let's see if we have anything more interesting.

While this is running I'm also going to build a custom word list which I'm going to use to brute force the login and password for the development portal. There's a handy tool that's called CeWL, so I'm going to target my website, I'm going to extract any words that have four characters minimum, hit enter, and just like that we have 246 words. Take a look at this file: as you can see we have words like development, words, media. And to brute force it we can use a tool called Hydra. Let's use the username admin... you know what, let's go ahead and create a list of logins. Let's try admin, let's try Frank, dev, and that would be it. So we're targeting the development folder, and capital P for the list of passwords, and cross our fingers. So we're trying all these passwords with the usernames admin, Frank and dev, but we don't have a hit. So let's continue. As an attacker, when I hit a roadblock I do more enumeration. This website is hosted on a server, and part of the things an attacker always does is port scanning. So I'm going to target this website with nmap and see if I can find any open ports that I can exploit. And right away we see that we have three ports: 21 for FTP, 80 for HTTP (this is the website that we've been testing so far), and we have SSH on port 22.

So I'm going to start with 21 and see if I find anything interesting. So I'm going to use FTP, and one misconfiguration I see developers do is open FTP for guests: the username is anonymous and the password could be whatever you want. Oh, I can indeed log in. All right, let's see what we have. It doesn't seem to have anything in it. Can I list something from the root directory? No. So the developer hasn't put anything interesting in this server. So let's go back to our port scanning. We have SSH, so let's try with SSH, maybe use the username Frank, and yes, let's accept the fingerprint, and it's asking us for a password. Let's type Frank, or admin, or password, but none of them work. But nonetheless we have the possibility to authenticate as Frank using a password. This is not a good configuration to have on your SSH server; always use a public key to prevent any password brute force, which we're going to do just now. So just like the brute force that we've done using Hydra on the development portal, I'm going to do the same thing, but this time using SSH. So I'm going to use SSH and target the website, I'm going to use those words, and for the usernames I'm going to try admin, Frank and dev, yeah, why not. Hit enter, and we don't have any hits, unfortunately, or fortunately for the developer.

Oh, we have another port, 8011, which also hosts a website here that was fingerprinted as Apache. So let's visit that website. Oh, a development server. OK, what do we have in the HTML code? Nothing. Hmm, OK, let's once more use brute force. OK, we have api. So while wfuzz is running let's go to that /api and see what we have. I think this is hosted on index.html, yeah, so index.html. Enter. api hosts this web page which tells us that there are some files under api. Let's try them: web_api, oh, not found. OK, records_api, cross our fingers, and not found. OK, what about files_api? Oh, we have something here: "no parameter called file passed to me. Note: this API doesn't use JSON, so send the file name in raw format." This is generally what we see in a development website: verbose messages, and yeah, you know, the website is not configured for production, and so we have a lot of hints.

Let's go to Burp and play with this request and see if we can get something from it. Let's pass in this file parameter like this, hit send, and we can see that the message has changed: "hacker detected". What about POST? "Hacker detected", same thing. Instead of sending it in the GET parameter let's send it here, file=, hit send. OK, the message has changed, and it seems that it doesn't recognize the file parameter that we've sent here, and that's generally because, I guess, we haven't provided it with the right content type. A hacker always loves to tinker with those requests. The content type would be URL-encoded, and let's send it. OK, we have no errors now. Let's see index.html, for example. If I render the page, as you can see, this is the web page. OK, but can I load files that are not under the web root? This is what attackers do: they use the feature as it is, try to make it work, and then try to bypass restrictions and access unauthorized files. Oh, OK, we have a list of users here from /etc/passwd, which is outside the web root. This is known as a local file inclusion vulnerability.

So now that we have this, what can we do? Well, if we take a wild guess and say that the main website is hosted under /var/www/html, let's try with index.html. Oh, we have nothing. Maybe an older version; remove the html part. Oh, OK, we have the content of the main website, as you can see here. I'll render it for you: the experience, different parts of the website. So this means that the main website is hosted under /var/www. This goes to say that the development portal is under development. Right now, if we send this we get nothing, because we need a file under development. So if we try index.html, let's see... oh, we have something here: "My development tools. OK, here's my unfinished tools list: the uploader tool." So we've essentially bypassed the authentication and accessed the index.html file. Perfect.

So it seems that we need to brute force this part right here to see if we can gain access to additional features. Hackers are always looking for additional features that they can abuse. So let's send this to the Intruder, and I'm going to add a placeholder right here, and since the application is developed in PHP I'm going to take a wild guess and search for only PHP files. Let's go ahead and define our payloads and let's give it a try. So we have pretty much the same length here for results which don't have a valid page behind them, but hopefully we would have a bigger response here if we hit a file that exists under the development portal. And it seems we have nothing. Let's go back to our local file inclusion. There is a cool PHP wrapper, expect, like this, and then the command. In this case I'm going to run the command id. If everything goes well, if we were lucky, we should get the result. Let's send. Nothing. OK, maybe we can try to sleep for five seconds, and we have a response right away, which means that we can't really use this to run arbitrary code. OK, we still had another file called database_api, and, oh, bummer, it doesn't return anything. OK, it seems that we hit once again a roadblock, and when we hit a roadblock we use enumeration. But before I do that I'm just going to see if I have something under development called .htpasswd; this holds the hash for the user to access the development portal. And we have nothing. So let's go back to the beginning. So instead of targeting the files and folders, I'm going to target extensions this time. So I'm going to use index, and I'm going to use the word list small extensions, hit enter. So we already have .html, oh, we also have .html.bak. Cool, let's use curl and target index.html.bak. What the hell, there's a comment here that says "I will use Frank and this hash as the .htpasswd file to protect the development path". Oh, OK, so it seems that this is the hash I was talking about, freely delivered to us in a backup file. So developers, you should never leave behind things like that. Never use those extensions to save your old code; always use version control.

So with that said, we can go ahead and crack this hash right here. So I'm going to copy it to my hashcat folder, and it seems that it was cracked. Look at this: the password is Frank with three exclamation marks. Developers, you should never ever use guessable and predictable passwords. So we're going to use Frank as the username and Frank with three exclamation marks, and we land on the same page that we had before: "here is my unfinished tools list, the uploader tool", blah blah blah. But this time we can go ahead and brute force the paths here and hope that we find something interesting. So I'm going to grab this header right here; I'm going to use it in wfuzz. So as you can see, these are just step-by-step simple tasks that attackers follow in a methodical approach in order to find weak points on your website and exploit them. So we have index, OK, oh, we have another one: uploader. I think that's the uploader tool that the developer was talking about. Not a platter, uploader. Oh, we land on a file upload feature. OK, so I'm just curious to know if I can access the same page here from the local file inclusion vulnerability I had before, and no, I don't get access to it. Let's see if we have index.html here; we would see it. Ah, all right, I needed to add index.html at the end to brute force directories, so that's why I couldn't get it using the local file inclusion. Perfect.

All right, let's test this file upload feature and see if we can abuse it. I'm going to try directly uploading a PHP file and see what we get: "upload image: file is not an image, sorry, only JPG, JPEG, PNG or GIF are allowed. OK, the file was not uploaded." This is a classic protection that we will attempt to bypass, and see if we are lucky that the developer did not properly code this feature. So I'm going to go back and upload another file, which would be just a test JPEG image. Upload it: "file is a JPEG". OK, it detected it as a JPEG file and it has been uploaded to "my uploads path". OK, but it doesn't say which upload path. Here's what: is the upload path... it might be under uploads? Nope, there is no folder called uploads. Maybe just upload? Nope, we don't have anything. Um, OK, let's go back to our Burp and play with the requests. The first step here is just to upload something malicious, and then we will find how we can locate it on the server. So this is my request, I guess, yep. Send this to the Repeater. So the first thing I can do is copy this content type right here, in this position, and put it in my previous request. This is to see if the developer checks only for the MIME type and the extension. If we send this: "file is not an image". OK, so it really goes ahead and inspects the content of the file. Well, we can just take that PHP from here, so copy it and paste it just after the image, right here. If we send it, what do we have here? "File is an image", uh, yeah, "file already exists". OK, it tests if the file already exists; in this case we already have uploaded test.jpg. So I'm going to maybe use zero, let's use .jpg like this, and send it, and it was uploaded.

Now the question is: where is this file? Because if we can find the location of the file we can leverage the previous vulnerability, the local file inclusion, to point right to it, because the server is evaluating our file as PHP code. Then it will go through that and see, "oh, I have PHP code here, I'm going to run it", and we would get the response here. But let's not get ahead of ourselves and try to find where this upload folder might be. The developer just loves patterns, so why don't we play the game and guess his pattern? So let's say maybe it's frank and then upload. Nope. OK, well, just to be 100% sure that we find the right file, we know that the file has been uploaded, right, and the file is called 0.jpg, so I'm going to take that and put it right here, just to make sure that we have indeed our file back if we find the right folder. So frank/upload doesn't work. What about frank/uploads? No. OK, maybe _uploads or -uploads, maybe -upload, or maybe _upload. Nope. OK, let's do something more automated. I'm going to send this to the Intruder, I'm going to target this part right here, add it to my first list. I'm going to take that custom word list right here, I'm going to paste it right here, and maybe add a payload processing, and I'm going to modify the case. First of all, let's use the lowercase, OK, that way we only have lowercased versions, and for the second payload I'm going to use, like, frank... sorry, upload. We will also try with uploads and maybe uploader. OK, let's start the attack and see if we have our JPEG file back. Going to sort by length, and all of them return 404. OK, let's change the case this time for our first word list, and instead of using lowercase let's try uppercase. OK, start the attack. We have something right here: Frank uploads. Oh, OK, and for the response we have indeed our image, which has phpinfo at the end. OK, perfect.

Let's go ahead quickly and test if we can, you know, run this phpinfo code. Go back to our old beloved request right here, and so we would do /var/www/development/uploader and then, it was Frank upload... Frank uploads, I guess, and then 0.jpg. Drum rolls, send, and if we render... holy cow, we have the content of phpinfo, the command executed. You know, this means that we've essentially gained remote code execution on the server. So what can we do with it? Well, I can learn more about the server from an inside perspective, and as you can see we have a list of the files, but they are owned by the user Frank. What are we? We are... oh, we are www-data. That's the bummer. We need to escalate our privileges to Frank if we want to target that file and change the index.html to a defaced version. Well, the fastest thing I can think of is uname -a for the version of the kernel. We have a version of 2.6. That's a really old kernel. Let's cat the /etc release file to see the exact version of our distribution here: it's an Ubuntu 10 Maverick. That's a really old box. I think system administration is not this developer's strong suit, so we're going to exploit just that. There's a known exploit that's targeting this exact version of Linux, so I'm going to go to /tmp and I'm going to paste in the base64-encoded exploit. This exploit right here will give me root access, so let's build it. First of all I'm going to decode it, I'm going to put it into an exploit.c file, and then I'm going to build it and run exploit, and voilà, we are root. Now I have full power on that web server: I can control development, I can control the index.html, I also see the .bak here. Let's run a comfortable shell using Python. Perfect.

So with that said, I would look for a scary web page. Let's see, let's take this one, copy image address. Now there are many ways I can deface this website; the simplest one is to replace this file right here. I don't want to be evil, I just want to play with the developer, so I'm going to rename this index.html to index.html... let's say original.html, and this should be enough to scare our developer. Now if I go... moment of truth, refresh this page, and it has been defaced. If you have been a victim of a hack before, how did it go? What are the different things that you think would secure this website even more? Let me know in the comments.
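As an added example (not code from the video or from the application it targets), here is what the two server-side checks the walkthrough shows failing look like when written defensively: the file API that let "../../etc/passwd" through, and the image uploader that accepted a JPEG with PHP appended. The web root, the extension list and all function names are assumptions.

```python
import os
import secrets

WEB_ROOT = "/var/www"  # assumption: the path the video inferred by trial and error

# Extension allow-list paired with the magic bytes each type must start with
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def resolve_under_root(requested, root=WEB_ROOT):
    """Return the canonical path for `requested` only if it stays inside `root`.

    Anything that could escape is refused: stream wrappers such as php:// or
    expect://, absolute paths, and '..' traversal (caught by canonicalising
    and then comparing the common prefix, not by string matching).
    """
    if not requested or "://" in requested or requested.startswith(("/", "\\")):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath also rejects the sibling-directory trap ('/var/www-old')
    # that a naive startswith('/var/www') check would let through.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def extension_of(filename):
    """Lower-cased last extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def validate_upload(filename, data):
    """Accept only when the extension is on the allow-list AND the content
    starts with that type's magic bytes.  A PHP open tag anywhere in the body
    is rejected too: a valid JPEG header followed by <?php ...> is exactly the
    bypass shown in the video."""
    magic = IMAGE_MAGIC.get(extension_of(filename))
    if magic is None or not data.startswith(magic):
        return False
    # Defence in depth only; the decisive control is stored_name() plus an
    # upload directory outside the web root with script execution disabled.
    if b"<?php" in data or b"<?=" in data:
        return False
    return True


def stored_name(filename):
    """Server-chosen file name: random token plus the validated extension, so a
    client cannot choose '0.jpg' and then hunt for it through the file API."""
    return f"{secrets.token_hex(16)}.{extension_of(filename)}"
```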
Info
Channel: thehackerish
Views: 506,012
Keywords: infosec, cybersecurity, bug bounty, appsec, ethical hacking, pentest, penetration testing, learn ethical hacking, red team lab, Certifications, active directory, hacking lab, free lab, free training, password, privesc, rce, file upload, owasp
Id: FvpZkEHpF8g
Length: 25min 48sec (1548 seconds)
Published: Tue Sep 05 2023