October 5, 2017

Cracking UNIX Password Over SSH to View PHP-Hardcoded Credentials


This exercise gives students a chance to practice what they learned in the previous exercise (brute-forcing a UNIX password over SSH). In addition, they gain practice with the shell after logging in, motivated by the need to understand how the file system is organized, how it can be searched, and how files can be opened to view their contents.


  • A Kali Linux instance:
    • No extra programs beyond those provided by a clean install are needed to complete this exercise.
  • A Linux-based target VM running atop Kali Linux:
    • With static IP, reachable from Kali on a VirtualBox Host-Only network (if previous exercise was used, change the IP to make students search for it again).
    • With SSH running on some port (if previous exercise was used, change the port to make students search for it again).
    • With a UNIX user whose username can be provided to students for cracking, and with a password that matches one of those in one of Kali’s /usr/share/wordlists/*.txt (if previous exercise was used, change the password to make students crack it again).
    • With Nginx/Apache installed along with PHP support. In the root document directory, place an index.php file containing a login form and a PHP script at the top that verifies the username and password upon POST. The username and password should be hardcoded within this file and unobfuscated. Upon success, redirect the user to a static HTML page containing a mocked-up bank account balance page for someone famous.

Background Info to Provide Students

Have them start the VM and explain that there is a bank website running on this VM. Their job is to crack the UNIX password for the username that was set up, just as was done in the previous exercise.

Then, once they’ve gained access, they’re to explore the filesystem and find the web page that is served by the web server. They should use the username/password combination found within that file to login to the bank site.


  1. $ ifconfig
    • Shows the vboxnet0 interface as having an IP address range of i.e. 192.168.56.??? (depending on specific configuration in VirtualBox and assuming subnet of
  2. $ nmap -p1-65000
    • To find all hosts on the network with all open ports (-p is necessary if any ports are above 1000); this will turn up one IP with two open ports.
  3. Opening a web browser and entering the IP should return the bank website page.
  4. $ hydra -l <pre-provided_username> -P /usr/share/wordlists/<wordlist_file.txt> ssh://<open_ip>:<open_port>
    • To find the password of the pre-provided UNIX user.
  5. $ ssh -p <open_port> <pre-provided_username>@<open_ip>
    • To gain shell access to the VM.
  6. $ cd / to navigate to top of filesystem
  7. $ grep -r -i "<keyword(s) on bank page>"
    • If using slow hardware, this may take a long time; students can use --include \*.php --include \*.html to narrow search.
  8. Use vi, nano, or cat to open the file found in the search. Find the hard-coded username/password combination, then return to the web browser to enter the combination and gain access to the bank balance page.


Students did very well recalling how to crack the UNIX password over SSH. Once they had shell access though, they (understandably) needed some help with how to proceed. I first explained how the file system is organized as an upside down tree, and that they should first get to the top of the tree (which they correctly identified as /). Then I told them they should check a book on Linux for how to use the grep command to search through files.

I was impressed to see that the students were able to figure out on their own that they needed to use the -r flag with grep so as to search all subtrees. The machines they were using were basic laptops, so I encouraged them to use --include to narrow the search to certain files. After that, they were able to pick the bank’s index.php file out of the search results, open it with nano, and write down the username and password inside of it to gain entry to the bank website.