Turning Hacking Into Help: A Journey from Malice to Goodness
Chapter 1: A Pandemic's Strain
At the onset of the pandemic, the consequences were unexpected for many. A significant number of individuals lost their jobs, and financial strain led to the dissolution of numerous relationships. While I managed to keep my job, I faced struggles with my bills. Consequently, I sought assistance from my government.
In contrast to the U.S., where some individuals profited greatly, my country offered a mere one-time payment of £200 to £600, with the higher amount reserved for families.
How It All Began
Believing it was my right to receive assistance, I applied for the £200. Although it wasn’t a large sum, it was better than nothing. However, like most government aid, there was a catch. I submitted my application before the deadline they set.
As September rolled around, after numerous emails and calls, I was informed that support was limited to a select few and that, unfortunately, my application had been deemed too late. This was clearly a fabrication, as I had submitted it on time. The message was clear: I was on my own!
A Quest for Revenge
In the email explaining the denial of my request, they directed me to their site for further details. At that moment, I must confess, I was indifferent to their reasoning; my only thought was, "They will regret this."
Upon examining their website, I discovered an outdated WordPress login interface. Given the IT landscape of my country, it was unsurprising to see vulnerabilities present, ranging from Clickjacking to XSS and RCE.
The Process of Discovery
Here’s a summary of the vulnerabilities I encountered. While I identified more, I chose to highlight only the most significant.
Advanced Access Manager
Before version 5.9.9, this plugin allowed unauthorized access to files on the server. The flaw enabled me to download the wp-config.php file, which holds the database credentials; such databases are often exposed on various servers.
Using this command, I was able to download their wp-config.php, which provided deeper insights for more sophisticated attacks.
HTML Injection
HTML injection serves two main purposes: altering a site's appearance (defacement) or stealing user identities (session theft).
I exploited this by injecting code into their comment section, which triggered a popup displaying "Hello world!" on page load. Because injected HTML or JavaScript runs in every visitor's browser, the same flaw posed a risk of session hijacking.
Note: I earned $600 using this technique at Atlassian.
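One way to close the comment-section hole described above, as an added example that is not the agency's code: a small allowlist sanitizer in Python (standard-library html.parser) that escapes everything except a handful of formatting tags. The tag list and the rel="nofollow" handling are my choices, not anything from the post.

```python
# Allowlist sanitizer for a comment section (added example; not the agency's code).
# Echoing a comment verbatim lets <script>alert("Hello world!")</script> run on every
# page load; this keeps a few formatting tags, escapes the rest, and only lets <a>
# keep an http(s) href. Wire it in before the comment is stored or rendered.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "a"}

class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []       # allowed tags we emitted, so they get closed in order

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                # tag dropped; any text inside it is still escaped below
        attr_str = ""
        if tag == "a":            # href is the only attribute kept, and only for http(s)
            href = dict(attrs).get("href") or ""
            if urlparse(href).scheme in ("http", "https"):
                attr_str = ' href="%s" rel="nofollow"' % html.escape(href, quote=True)
        self.out.append("<%s%s>" % (tag, attr_str))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags: # close nested tags too, so the output stays well-formed
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))   # < > & " ' become entities

    def result(self):
        while self.open_tags:     # close anything the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)

def sanitize_comment(raw):
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()
```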
Google Maps API Key Exposure
An exposed API key can be misused by anyone who finds it. To cap overbilling, developers often set budget limits on the key, but that cap can turn into a denial of service: once someone else's requests exhaust the quota, the map features stop working for legitimate users.
How I Discovered It
I downloaded their Android APK to my MacBook and decompiled it using the following commands:
User@MB$ brew install apktool
User@MB$ cd path/to/
User@MB$ apktool d campo.apk
Upon decompilation, I found the Google Maps API keys in the strings.xml file. Given that this organization lacked a Bug Bounty program, they seemed unaware of how to manage such vulnerabilities.
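An added example, not from the original post: a Python pre-release check that walks an apktool output tree and reports any Google API key found in strings.xml, the manifest or source files. The key pattern (an AIza prefix plus 35 characters) is the documented shape of Google API keys; the sample tree and key are constructed.

```python
# Pre-release scan of an apktool output tree for embedded Google API keys (added example;
# not the agency's code). Google API keys start with "AIza" and are 39 characters long,
# so one regex over strings.xml, the manifest and smali/java sources finds them.
import os
import re
import tempfile
import xml.etree.ElementTree as ET

GOOGLE_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

def find_keys_in_text(text):
    return GOOGLE_API_KEY_RE.findall(text)

def scan_strings_xml(path):
    # Returns [(resource_name, key)] so the report names the resource, e.g. google_maps_key.
    hits = []
    for elem in ET.parse(path).getroot().iter("string"):
        for key in find_keys_in_text(elem.text or ""):
            hits.append((elem.get("name"), key))
    return hits

def scan_decompiled_dir(root):
    # Walks the tree; returns [(file_path, resource_name_or_None, key)].
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == "strings.xml":
                findings.extend((path, name, k) for name, k in scan_strings_xml(path))
            elif fn.endswith((".xml", ".smali", ".java", ".json")):
                with open(path, encoding="utf-8", errors="replace") as f:
                    findings.extend((path, None, k) for k in find_keys_in_text(f.read()))
    return findings

# Constructed sample tree with a placeholder of the right shape (not a real key).
SAMPLE_KEY = "AIza" + "X" * 35
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Campo</string>
    <string name="google_maps_key">%s</string>
</resources>
""" % SAMPLE_KEY

def build_sample_tree():
    root = tempfile.mkdtemp()
    values = os.path.join(root, "res", "values")
    os.makedirs(values)
    with open(os.path.join(values, "strings.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_STRINGS_XML)
    return root
```

Keys that have to ship inside an APK should additionally be restricted in the Google Cloud console to the app's package name and signing-certificate fingerprint, so a key extracted from the app is useless elsewhere.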
XML-RPC Vulnerabilities
XML-RPC lets remote clients and other systems talk to WordPress, but the endpoint is susceptible to brute force attacks because many of its methods take a username and password with each call.
xmlrpc.php
Opening xmlrpc.php in a browser sends a GET request, but the endpoint expects a POST with an XML body. Using Burp Suite, I crafted a POST request that yielded a response.
POST /xmlrpc.php HTTP/1.1
Host: campo.com
The response indicated available methods, such as system.listMethods and system.getCapabilities.
The Exploits
To make the server call back after listing the methods, I used the following method, the basis of the technique known as XSPA (Cross-Site Port Attack) because the server's outbound requests can be turned into a port scan:
"pingback.ping"
I used a URL from requestbin to receive the callbacks:
POST /xmlrpc.php HTTP/1.1
Host: campo.com
This allowed me to extract internal server information.
Brute Force Attack
By leveraging XML-RPC, I attempted to bypass request limits during a brute force attack against their WordPress site.
POST /xmlrpc.php HTTP/1.1
Host: campo.com
Content-Length: 235
wp.getUsersBlogs
{{username}}
{{password}}
From my research, I identified two usernames. However, this information wasn’t sufficient to access their admin panel.
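Detection logic for the two XML-RPC abuses in this section (the pingback callbacks above and the credential guessing just described), as an added example rather than anything from the post: a Python classifier that decodes request bodies with the standard-library xmlrpc.client, unpacks system.multicall, and alerts on pingback sources in internal address space and on repeated wp.getUsersBlogs guesses per client. The request bodies and client IPs are constructed samples, and the threshold of five guesses is an assumption.

```python
# Classify calls sent to xmlrpc.php and flag the two abuses described above: pingback.ping
# that makes the server fetch an internal address (XSPA/SSRF) and wp.getUsersBlogs used for
# credential guessing, even when packed into one system.multicall. Added example; stdlib only.
import ipaddress
import xmlrpc.client
from collections import Counter
from urllib.parse import urlparse

def decode_calls(body):
    # Yields (method, params) for one request body, unpacking system.multicall.
    params, method = xmlrpc.client.loads(body)
    if method == "system.multicall" and params and isinstance(params[0], list):
        for call in params[0]:                # each entry is a struct: methodName, params
            yield call.get("methodName", ""), list(call.get("params", []))
    else:
        yield method, list(params)

def is_internal(url):
    # True when the URL's host is loopback, private or link-local address space.
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False                          # a hostname; resolving it is out of scope here

def analyze(requests, threshold=5):
    # requests: iterable of (client_ip, body); returns a list of alert strings.
    alerts, guesses = [], Counter()
    for ip, body in requests:
        for method, params in decode_calls(body):
            if method == "pingback.ping" and params and is_internal(str(params[0])):
                alerts.append("%s: pingback.ping sourceURI %s is an internal address (XSPA/SSRF)" % (ip, params[0]))
            if method == "wp.getUsersBlogs":   # the call that carries a username and password
                guesses[ip] += 1
    for ip, n in guesses.items():
        if n >= threshold:
            alerts.append("%s: %d credential guesses via xmlrpc (brute force)" % (ip, n))
    return alerts

def build_call(method, *params):              # builds the constructed sample bodies below
    return xmlrpc.client.dumps(params, methodname=method)

# Constructed traffic: documentation-range client IPs and the host name used above.
SAMPLE_REQUESTS = [
    ("198.51.100.7", build_call("pingback.ping", "http://127.0.0.1:8080/", "http://campo.com/")),
    ("203.0.113.5", build_call("system.multicall", [{"methodName": "wp.getUsersBlogs",
                               "params": ["admin", "guess%d" % i]} for i in range(8)])),
    ("203.0.113.9", build_call("wp.getUsersBlogs", "editor", "one-try")),
]
```

Run over real traffic, the same function would consume the client address and POST body from the web server's access and request logs; the alert strings are what a SIEM rule would key on.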
Chapter 2: From Malicious Intent to Positive Action
The Transformation
Eventually, I felt a twinge of empathy for those whose private information could be compromised. I decided to reach out via email to inform the agency of my findings. Unsurprisingly, they did not respond.
Weeks later, I called them directly. The representative was unaware of my concerns but promised to connect me with the right personnel managing their website.
Four days after the call, their head of security contacted me. She inquired about my findings and my identity. After a detailed discussion, it became clear to her that this was a critical issue that needed immediate attention, particularly since their main site had faced a similar attack months prior.
Conclusion
Before concluding our call, she expressed gratitude for my diligence in reporting these vulnerabilities. She mentioned that I might receive further inquiries for additional details regarding the bugs I discovered. Ultimately, after a couple of weeks, I received the initial £200 along with a bonus for my contributions.
This experience taught me that even when we find ourselves in a position to cause harm, we can redirect our actions toward positive change.