Here we go again…
Welcome once again to my exploits of delving into the world of hacking with the hope of one day gaining a job within this booming industry. I had been reading this article, which showed growth was even better than I had originally anticipated. I would be an idiot to turn my nose up at an opportunity like this, so armed with my pentesting course from Udemy, I was ready to resume my continuing journey into hoodies, pizza and Red Bull…and computers (I suppose). After having hacked my first website by creating a php shell, I was now well on the way to making some serious money. I wanted my future divorce settlement to hit the headlines. Jeff Bezos? Ha! Watch as clu3l3ss gets taken to the cleaners.
Let’s hit the books
My next module was all about intercepting requests, which first of all meant learning what the different types of requests are. These included the GET and POST requests, which I sort of understood; their significance, however, went completely over my head. The interesting thing here was that these requests could be intercepted and modified by something called a proxy. The last time I used something called a proxy was when my parents were abroad and gave me their proxy votes. They asked me to vote Liberal on their behalf, but my local UKIP party got two extra votes instead. Go Brexit! I somehow had the feeling that this proxy was going to be something a bit different.
Next I would be firing up an essential tool in the pentester’s world, something with huge capabilities and many different uses. It was called Burp! Really? Is that the best name they could come up with? It makes me realise that this world is dominated by young juveniles who clearly haven’t hit puberty yet. One look at all the phallic imagery that adorned my workbooks back at school would clearly show that I was on a higher maturity level and could have come up with a far more sophisticated name. Too late though, Burp it is and we would have to learn to get along.
Help me Udemy!
After following the video instructions and setting up my proxy, I was ready to go. By doing this I was inserting another element into the process of communication between client and server. My request was going to the proxy first, and it turns out there was a lot I could do with that request before forwarding it on to the server.
So what was I able to do? For this exercise I would be revisiting my php shell created in weevely. In my last blog I commented on how easy it was to hack a web app. Well, it turns out I had the security turned on low; this was the equivalent of having, well er…me looking after the security.
The moment I turned up the security settings to medium (that’s right, I went there), there were filters in place which stopped my php file from being uploaded. This is where Burp comes in. First things first: I changed the file extension on my file from .php to a harmless .jpeg. This was great because it meant that the filters would allow the file through; however, as a .jpeg file it was useless and would not run my shell. Enter Burp! I proxied the request, which got intercepted by Burp and showed me all the details of the POST request I had sent through, including my file upload. This gave me the opportunity to change the file extension back to .php before forwarding it on. There was only client-side filtering, which we had already bypassed, and now my php file could be uploaded.
I then used weevely to connect to my shell and bingo! I was in once again. This plan surpassed the cunning of the most cunning fox what used to be Professor of Cunning at Oxford University but has moved on and is now working for the U.N. at the High Commission of International Cunning Planning (that’s my quote, who says it isn’t?).
After this storming success I then tried turning up the security settings to 11. Yes, it was time to turn the security to high. I tried the same trick of changing the file type, but this time the file didn’t upload. Apparently it didn’t like the fact that my extension was a .php. So now it was time to change the extension type. In my proxied request I changed the file extension to .php.jpeg, and this meant that the guardians of the Internet were happy with my extension because it was a .jpeg, and the php file was able to execute because it had the .php extension. Load up weevely and bam…I’m in again. I was now breaking top security levels!
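The same three upload checks seen from the server side, as an added example that is not code from the post or from the training app it uses: a check that trusts the declared Content-Type (the one a proxy can rewrite), a check that only looks at the trailing suffix (the one a .php.jpeg name slips past), and a hardened check that relies on neither. The function names, the allow-list and the sample bytes are all constructed for this example.

```python
"""Server-side upload validation: two weak checks beside a hardened one."""
import os
import re
import secrets

ALLOWED = {"jpg", "jpeg", "png"}
# Leading bytes (magic numbers) of the image formats we allow.
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}


def weak_content_type_check(filename: str, content_type: str, data: bytes) -> bool:
    """Trusts the Content-Type the client declared; the browser sets it from the
    local extension, and anything in the request can be edited in transit."""
    return content_type in ("image/jpeg", "image/png")


def weak_suffix_check(filename: str, content_type: str, data: bytes) -> bool:
    """Accepts anything that merely ends in an image suffix, so a name with a
    second extension tucked in front of .jpeg still passes."""
    return filename.lower().endswith((".jpg", ".jpeg", ".png"))


def hardened_check(filename: str, content_type: str, data: bytes):
    """Ignores the declared Content-Type and never stores the client's name.

    Returns a server-chosen filename on success, None on rejection.
    """
    base = os.path.basename(filename)            # drop any path the client sent
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:           # exactly one extension, non-empty stem
        return None
    stem, ext = parts
    if ext not in ALLOWED or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return None
    # Sniff the real format from the bytes and require it to match the extension.
    sniffed = next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)
    expected = "jpeg" if ext in ("jpg", "jpeg") else ext
    if sniffed is None or sniffed != expected:
        return None
    # Random name with the sniffed extension: the client's name never touches disk.
    return f"{secrets.token_hex(16)}.{sniffed}"
```

Run against the post's three uploads, the weak checks accept the renamed and double-extension files while the hardened check rejects both and accepts only a genuine image under a fresh name.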
I quickly checked my emails to see if Elon Musk had offered me a job yet or whether the Extinction Rebellion wanted me to help them bring down the government (dream on you tree huggers; I love sitting in my gas guzzler, chomping on freshly chlorinated chicken whilst clubbing a baby seal); however, there were no such offers. I couldn’t understand it. What was I doing wrong? The only option I had was to keep trawling through the videos; I had only been at it for a few weeks and I’d probably spent more time on researching memes and writing these blogs than I had on actually hacking. Back to the drawing board and time to start learning. Hack the planet!!!