Operation LeakedSource

1337ings Oct 10th, 2016
    _  _    ____  _____
  _| || |_ / __ \|  __ \
 |_  __  _| |  | | |__) |
  _| || |_| |  | |  ___/
 |_  __  _| |__| | |
   |_||_|  \____/|_|        _            _  _____
  _| || |_| |              | |          | |/ ____|
 |_  __  _| |     ___  __ _| | _____  __| | (___   ___  _   _ _ __ ___ ___
  _| || |_| |    / _ \/ _| | |/ / _ \/ _| |\___ \ / _ \| | | | |__/ __/ _ \
 |_  __  _| |___|  __/ (_| |   <  __/ (_| |____) | (_) | |_| | | | (_|  __/
   |_||_| |______\___|\__|_|_|\_\___|\__|_|_____/ \___/ \__|_|_|  \___\___|


I'm sure you've heard of LeakedSource, yes? No? Maybe? Well, search it up; you can find some background on it.

It's basically a web server used for grepping through databases via an API on their server. Their database count
is insane.

They claim two million databases, but who's to know? They could have 2 million databases. I want to find
out for myself. We all do, LOL.


Note: the server's contents will not be publicized in this file; maybe they will be released in a zipped file ;3

Two minutes into attempt one I found an LFI:

http://leakedsource.com/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
justkiddingthisshitaintreal:x:86:86:Your-automated-scripts-are-annoying:/home/justkiddingthisshitaintreal:/sbin/nologin

The LFI could not be exploited; it must've been patched.


___________________________________________________


I started scanning for cross-site scripting within the web server & cPanel.
I found that they were using a version of cPanel that was vulnerable to a CSRF.

http://cpanel.leakedsource.com

It's currently offline due to revealing the hosting IP address.

Looking at a web cache of it I saw it was a vulnerable version, so I figured,
well shit, can't do anything with that.

But wait, there's more...


___________________________________________________


The IP of the cPanel was logged in the web cache.

Now I have my brute-forcing target, right?


root@ubuntu:~# nmap **.**.***.**

Starting Nmap 6.40 ( http://nmap.org ) at 2016-10-10 08:58 CEST
Nmap scan report for hosted-by.blazingfast.io (**.**.***.**)
Host is up (0.011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open HTTP
443/tcp open HTTP


Okay, we know you can log in via SSH & SMTP; should we try and brute-force it with a password list?
We should at least give it a shot.


___________________________________________________


After six hours of waiting and ten different password lists, it finally showed results.


___________________________________________________

Brute-forcing is over, let's cat the results...


root@ubuntu:~# cat ssh.txt

/!\ D I S C O V E R E D /!\

root@**.**.***.**:redrose64

Devi**.**.***.**:nigger420

admin@**.**.***.**:admin67


BING WAS HIS NAME-O FUCK BOY.

   ^^sorta lit
But anyways, this was really interesting.

If you use your brain, Mr/Ms 1337 hack0rs, maybe you could get results.
All in all, SSH brute-forcing is okay, but you'll need a TON of password lists & hours upon hours. I have several thousand I've collected for an upcoming rootkit I'm making.
Without using Tor nodes this brute force couldn't have been possible.


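The brute-force run described above (many password lists, thousands of Tor exit nodes, six hours) is also what the defender's side looks like in sshd's auth log. The following Python is an added example, not part of the original paste and not LeakedSource's own code: it parses constructed sshd log lines (the hostname, PIDs and addresses are made up) and flags the two signals such a campaign leaves behind: one account collecting failures from many distinct source addresses with only one or two tries each, so a per-IP lockout never fires, and a password login that finally succeeds for that account after the failures. The thresholds are assumptions to tune per host.

```python
import re
from collections import defaultdict

# Constructed sshd syslog sample (not from the original paste; host, PIDs and
# addresses are made up). It models a Tor-style distributed guess campaign
# against root: one or two tries per exit node, then a success from yet
# another node, with a legitimate key login for another user mixed in.
SAMPLE_LOG = """\
Oct 10 02:11:01 web sshd[4101]: Failed password for root from 185.220.101.5 port 40122 ssh2
Oct 10 02:11:04 web sshd[4102]: Failed password for root from 171.25.193.77 port 51234 ssh2
Oct 10 02:11:09 web sshd[4103]: Failed password for invalid user devin from 185.220.101.5 port 40188 ssh2
Oct 10 02:11:15 web sshd[4104]: Failed password for root from 199.87.154.255 port 43111 ssh2
Oct 10 02:11:21 web sshd[4105]: Failed password for root from 51.15.43.205 port 50201 ssh2
Oct 10 02:11:30 web sshd[4106]: Failed password for root from 109.70.100.24 port 39876 ssh2
Oct 10 02:11:44 web sshd[4107]: Failed password for admin from 109.70.100.24 port 39901 ssh2
Oct 10 02:12:02 web sshd[4108]: Failed password for root from 62.102.148.68 port 55100 ssh2
Oct 10 02:12:09 web sshd[4109]: Accepted password for root from 176.10.99.200 port 42001 ssh2
Oct 10 02:13:00 web sshd[4110]: Accepted publickey for azar from 10.0.0.5 port 52000 ssh2: ED25519 SHA256:c0ffee
"""

# Matches the OpenSSH login result lines; "invalid user" is emitted for
# accounts that do not exist and must be skipped to get the bare username.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_log(text):
    """Return a list of (result, method, user, ip) tuples, one per sshd login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_distributed_bruteforce(events, min_failures=5, min_sources=4, max_per_source=2):
    """
    Flag accounts whose failed password logins arrive from many distinct
    source addresses with only a few attempts each. A per-IP lockout
    (fail2ban-style) never fires on that pattern, which is exactly why a
    guesser rotates through Tor exits; aggregating per target account
    still exposes it. Thresholds are assumptions, tune them per host.
    Returns {user: {"failures": n, "sources": n, "max_per_source": n}}.
    """
    per_user = defaultdict(lambda: defaultdict(int))  # user -> ip -> failures
    for result, method, user, ip in events:
        if result == "Failed" and method == "password":
            per_user[user][ip] += 1
    findings = {}
    for user, by_ip in per_user.items():
        failures = sum(by_ip.values())
        worst = max(by_ip.values())
        if failures >= min_failures and len(by_ip) >= min_sources and worst <= max_per_source:
            findings[user] = {"failures": failures, "sources": len(by_ip), "max_per_source": worst}
    return findings


def detect_success_after_failures(events, min_prior_failures=3):
    """
    Flag a password login that succeeds for an account after that account
    already accumulated failures in this window. Records whether the winning
    address itself failed earlier; in a rotating campaign it usually did not.
    Returns a list of (user, ip, prior_failures, ip_seen_failing).
    """
    prior_failures = defaultdict(int)
    failing_ips = defaultdict(set)
    hits = []
    for result, method, user, ip in events:
        if method != "password":
            continue  # key logins are not part of a guessing campaign
        if result == "Failed":
            prior_failures[user] += 1
            failing_ips[user].add(ip)
        elif prior_failures[user] >= min_prior_failures:
            hits.append((user, ip, prior_failures[user], ip in failing_ips[user]))
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for user, stats in detect_distributed_bruteforce(evts).items():
        print(f"distributed guessing against {user}: {stats}")
    for user, ip, n, seen in detect_success_after_failures(evts):
        print(f"password success for {user} from {ip} after {n} failures (source failed before: {seen})")
```

On the constructed sample the per-account view shows root under fire from six addresses with one try each, and then a password success for root from a seventh address that never failed. Either finding alone is worth paging on; both together on a host that still allows root password logins is the event described in this paste.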
___________________________________________________


Well, I got lucky again, LOL. My heart was racing when I catted the SSH brute-forcer log.
After about six hours, 10 different password lists & about 2,000 Tor nodes I finally got something.

So I tried to SSH into the server:


login as: root

root@**.**.***.**'s password:


[root@hostname-leakedsource.com ~]# ls

blog             js
databases        css
mysql.conf       API.json
paypal-redirct   brokeapi.json
notify           register
purchase         sql-data
hacked_sites     tos
faq              contact
api              home


___________________________________________________


Yes, I backdoored a root user, don't worry. ;3


___________________________________________________

[root@hostname-leakedsource.com ~]# cat mysql.conf

<?xml version="1.0" encoding="utf-8" standalone='yes'?>
<db credentials>
    <db type>mysql</db type>
    <db name>leaked_source_a399</db name>
    <username>leaked_source_a339</username>
    <password>redrose64</password>
</db credentials>

___________________________________________________

Alright so, there's the MySQL conf for connecting to the SQL databases.


Login was successful on MySQL.


Yes, I've come across 300,000 lines of an SQL database that holds all users' emails, passwords, usernames, data_time, last_login, membership.


Will I release it in the zip file of all the databases? Maybe so ;3

___________________________________________________


Now what to do? Zip all database files.

[root@hostname-leakedsource.com ~]# cd databases

The system is going down for reboot NOW!


___________________________________________________


That's odd. Cd'ing into databases reboots the server? What is going on here -_-

After some research I discovered that cd'ing into the big directory of files will reboot the server.

Question is... now what can I do?

I can log in with WinSCP & extract to my desktop?

This will take a long time, but whatever is necessary...


___________________________________________________


12 hours into the extraction & it's only 9% done... maybe they do have two million databases?

Let's go to my desktop and see what databases it's extracted so far:

C:\Users\VM> ls
Pornhub.sql
SoicalBlade.sql
000WEBHOST.sql
Coupon.sql


___________________________________________________


Maybe this will take a while...

Let's go to work & see what it does when we get home ;3


___________________________________________________


[root@hostname-leakedsource.com ~]# cat etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
azar:x:1000:1000:Azar,,,:/home/azar:/bin/bash
colord:x:105:113:colord colour management daemon,,,:/var/lib/colord:/bin/false


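Both /etc/passwd listings above, together with the claim of a backdoored root user, are what a responder would audit first on a box like this. The following Python is an added example, not from the original paste: it parses a constructed passwd file modelled on the Ubuntu-style listing (the "sysupd" account and the shell on www-data are hypothetical additions standing in for what an intruder might leave) and flags a second uid-0 account, a shared uid, a system account with an interactive shell, a hash or empty string in the password field, and an empty shell field, which passwd(5) says login treats as /bin/sh.

```python
from collections import Counter

# Shells that deny interactive login; anything else on a system account is
# worth a look. Extend for your distribution (/usr/sbin/nologin vs /sbin/nologin).
NOLOGIN_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false",
    "/bin/sync", "/sbin/halt", "/sbin/shutdown",
}

# Constructed passwd sample modelled on the Ubuntu-style listing in the paste.
# Two hypothetical additions stand in for what an intruder might leave behind:
# a second uid-0 account ("sysupd") and a login shell on the web service user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
azar:x:1000:1000:Azar,,,:/home/azar:/bin/bash
sysupd:x:0:0:system update:/root:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(entries, uid_min=1000):
    """
    Return (account, finding) pairs for the things a responder checks first:
    extra uid-0 accounts, shared uids, system accounts (uid below uid_min)
    that can log in interactively, password material in passwd itself, and
    empty shell fields (passwd(5): login then uses /bin/sh).
    """
    findings = []
    for entry in entries:
        name, uid, shell = entry["name"], entry["uid"], entry["shell"]
        if uid == 0 and name != "root":
            findings.append((name, "extra uid 0 account"))
        if entry["pw"] == "":
            findings.append((name, "empty password field (no password required)"))
        elif entry["pw"] not in ("x", "*", "!"):
            findings.append((name, "password hash stored in passwd, not shadow"))
        if shell == "":
            findings.append((name, "empty shell field (passwd(5): login uses /bin/sh)"))
        elif 0 < uid < uid_min and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with interactive shell {shell}"))
    uid_count = Counter(entry["uid"] for entry in entries)
    for uid, n in sorted(uid_count.items()):
        if n > 1:
            names = ",".join(sorted(e["name"] for e in entries if e["uid"] == uid))
            findings.append((names, f"uid {uid} shared by {n} accounts"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{account}: {finding}")
```

Run against a live system with `parse_passwd(open("/etc/passwd").read())`; pair it with a diff against a known-good copy, because a backdoor account that reuses an existing service name and a nologin shell, but has its hash in /etc/shadow replaced, passes every check above. Note that the listing in the paste itself trips the empty-shell check on libuuid; that is the stock Ubuntu entry, which is the reason the check reports rather than blocks.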
___________________________________________________


Now what to do? Inspect the API system ^_^


After looking through several APIs I'm seeing all it does is silently grep through the 'databases' directory.

Also the payment system is fucked up: you could lose the cookie ID you need to make the payment with LeakedSource
because of script errors, but no biggie, they don't give a fuck.


Also they're keeping logs of searches that include:
search_details, search_time, username, password, salt, hash

What is this used for? What are you logging this for? The world will never know.

Maybe LeakedSource is the FBI? Maybe they're just logging for legal notice? The world will never know.


Also I rm -fr *'d the log directory because it was 3 million lines of logs from you guys.
I thought I'd done you a favor, but I hadn't: two minutes later I found that they are using a Google server
to send all SQL rows & logs to a directory on the Google server, so now I have to root their Google server.
Hopefully it's the same credentials.


___________________________________________________


login as: root

root@*.**.**.**'s password:

[root@localhost ~]# ls

sql.conf         logs.sql
database.sql     API2.json


___________________________________________________
Whoa, it worked, okay? Security?
Looking at API2.json, it is the API that allows users to log in with cookies, which right now looks
to be disabled for security reasons. Even though there's no security at all: for me to be able
to root their server because a password they used was in a list I've used, like, where's the security
in that?
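The complaint above, that root was reachable because one password happened to be in a list, comes down to a handful of sshd settings. The following Python is an added example, not from the original paste and not either server's real configuration: it evaluates two constructed sshd_config fragments (a weak one and a hardened one, both made up here) the way sshd resolves them, keyword names case-insensitive, first occurrence wins, global section only, and reports the settings a password-guessing campaign depends on, filling in the sshd_config(5) defaults for anything left unset.

```python
import re

# Constructed sshd_config fragments (not from the paste, not either server's
# real configuration). The weak one is what a password-guessing campaign needs:
# root login allowed, password authentication on, default retry budget, every
# local account a valid target. The hardened one closes each of those.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# this later line is dead configuration: sshd keeps the first value it reads
PermitRootLogin no
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers azar
Match User azar
    PasswordAuthentication no
"""

# sshd_config(5) defaults used when a keyword is absent. PermitRootLogin has
# defaulted to prohibit-password since OpenSSH 7.0; older releases used yes.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}


def effective_settings(text):
    """
    Return the effective global keyword values as sshd would resolve them:
    keywords are case-insensitive, the first occurrence of a keyword wins,
    and everything from the first Match line on is conditional, so it is
    left out of the global view (audit Match blocks separately).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return (keyword, effective value, why it matters) for the guessing-relevant settings."""
    eff = {**DEFAULTS, **effective_settings(text)}
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "root can be guessed directly; use no or prohibit-password"))
    if eff["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "wordlists work at all; use keys and set no"))
    if int(eff["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", eff["maxauthtries"],
                         "more guesses per connection than a key user needs"))
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append(("AllowUsers/AllowGroups", "unset",
                         "every local account, including service accounts, is a valid target"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or 'no findings'}")
```

Note the duplicate PermitRootLogin in the weak fragment: the later "no" changes nothing, because sshd keeps the first value it reads, which is a common way a hardening edit appended to the end of the file silently fails. Settings inside Match blocks apply only to matching connections and are skipped here; review them separately, since a Match block can turn PasswordAuthentication back on for a particular user or address. Run `sshd -T` on the host itself to see the fully resolved configuration rather than trusting the file.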

Now what to do? Oh yes, see how many databases were downloaded.


C:\Users\VM> ls

fucking froze
fuck ^$
^$^$^$^$
___________________________________________________

Well, the VM acted up when I ls'ed the directory, hmm? Too big?
Of course, 200,000+ files.

Well, what's my option now? Can I even transfer all these files to my main desktop & release them?

Maybe if I can zip the files up.

Let's try that while I go inspect the Google server's files.


___________________________________________________


After 30 minutes of searching I found that the server was used for stressers on:
http://networkstresser.com
https://exitus.to/
https://webstresser.co/


Want to know how & why? The SQL dumps of the stressers are still in MySQL.
Now remember, this is the second server I found from the first server.
This server I'm collecting this information from is a server for updating
the SQL dumps & maybe a coding server? This is the Google server that costs $150.00 USD
on their hosting website.
Now I can see why these stresser guys mooched off of the owner of LeakedSource.


___________________________________________________


Now that we've breached two of their servers, now what? I have all the files being zipped up at the moment; hopefully it won't crash...
But so far we're okay.


Now we should really add a backdoored root user on the Google server.


___________________________________________________


Yes, I've removed all history containing the commands I've run on the server ;3
Should I maybe leave an echo for the LeakedSource admin & developer to see? Nah, let's fuck with them
until they take notice of this PoC/Proof of Concept.


___________________________________________________


Why am I doing this? Well, just for knowledge reasons; everyone wondered what was behind all of this rupture that could or couldn't be an illegal service.
Could it be run by the FBI just to catch hackers? Well, that is a really stupid conspiracy, but I've seen some weird shit that the FBI does to catch hackers,
so nothing will surprise me.


   _____              _ _ _
  / ____|            | (_) |
 | |     _ __ ___  __| |_| |_ ___
 | |    | |__/ _ \/ _| | | __/ __|
 | |____| | |  __/ (_| | | |_\__ \
  \_____|_|  \___|\__|_|_|\__|___/

All credits go to Chris Poole | http://twitter.com/codingplanets

If you're reading, LeakedSource admins, I'd suggest you up your choices in life.
Just saying, LOL; friendly reminder, I could cause harm to your so-called "company" that's been
to court on multiple occasions. Also, to everyone who wonders whether PoodleCorp is in their database:
yes they are, full emails, passwords & login IPs of 2 members.
One used a personal email & personal password.

Any questions on this PoC? DM me via Twitter @codingplanets