daily pastebin goal
35%
SHARE
TWEET

Untitled

a guest Apr 25th, 2017 5,711 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1.             ______ __     ______ _  __  ____ ____   ____ ______
  2.            / ____// /    / ____/| |/ / /  _// __ \ /  _// ____/
  3.           / /_   / /    / __/   |   /  / / / / / / / / / __/  
  4.          / __/  / /___ / /___  /   | _/ / / /_/ /_/ / / /___  
  5.         /_/    /_____//_____/ /_/|_|/___//_____//___//_____/  
  6.                                                        
  7.                          brought to you by
  8.            __                                 __  ___                          
  9.           / /  ___  ___   ___  ___ _ ____ ___/ / / _ ) ___  __ __              
  10.          / /__/ -_)/ _ \ / _ \/ _ `// __// _  / / _  |/ _ \/ // /              
  11.         /____/\__/ \___// .__/\_,_//_/   \_,_/ /____/ \___/\_, /              
  12.                        /_/                                /___/      
  13.                                        __
  14.                         ___ _ ___  ___/ /                                              
  15.                        / _ `// _ \/ _  /                                              
  16.                        \_,_//_//_/\_,_/                                                
  17.                                                                        
  18.   __   __         ___                       __   _                    
  19.  / /_ / /  ___   / _ \ ___  ____ ___  ___  / /_ (_)____ ___   ___   ___
  20. / __// _ \/ -_) / // // -_)/ __// -_)/ _ \/ __// // __// _ \ / _ \ (_-<
  21. \__//_//_/\__/ /____/ \__/ \__/ \__// .__/\__//_/ \__/ \___//_//_//___/
  22. Brazil's numero uno hacking group  /_/  A familia! A movimento!
  23. BTC GO HERE: 13XWdkW5sff2tUHauoEU4dKiigiMScEr7q
  24. Twitter:@fleximinx (for now)
  25.  
  26. ==========================================================================
  27. --[1: Introduction]-------------------------------------------------------
  28.  
  29. Hello, all!
  30.  
  31. Since FlexiSpy burnt their entire network driving us out, we think it's
  32. time for us to release our HowTo guide for aspiring hackers, about what we
  33. did, and how you can do it, too.
  34.  
  35. This is going out there to help people learn how to hack and how to defend
  36. themselves, as is traditional after these types of hacks.
  37.  
  38. There are lots of articles out there written by other talented
  39. hackers that would serve as excellent introductions, but we'd be remiss
  40. if we didn't include Phineas Fisher's articles, which are fantastic
  41. introductions [1][2][3]. They cover things like how to stay safe and many
  42. of the basics, including many techniques we used to compromise
  43. FlexiSpy/Vervata/etc. So read them and soak them up.
  44.  
  45. [1] http://pastebin.com/raw/cRYvK4jb
  46. [2] http://pastebin.com/raw/GPSHF04A
  47. [3] http://pastebin.com/raw/0SNSvyjJ (the previous link, translated into
  48. Gringo)
  49.  
  50. --[2: Recon]--------------------------------------------------------------
  51.  
  52. Just like Phineas, our initial tactic was to run fierce against both
  53. vervata.com and flexispy.com, then do some whois lookups to enumerate the
  54. entire IP space.
  55.  
  56. You can see the output of fierce (post-hack, sadly depleted after we stole
  57. their DNS) below:
  58.  
  59. 192.168.2.231   portal.vervata.com
  60. 58.137.119.230  www.vervata.com
  61.  
  62. 180.150.144.84  api.flexispy.com
  63. 180.150.144.84  admin.flexispy.com
  64. 180.150.144.83  affiliate.flexispy.com
  65. 180.150.144.83  affiliates.flexispy.com
  66. 180.150.144.83  blog.flexispy.com
  67. 180.150.156.197 client.flexispy.com
  68. 180.150.144.82  community.flexispy.com
  69. 58.137.119.229  crm.flexispy.com
  70. 54.246.87.5     d.flexispy.com
  71. 216.166.17.139  demo.flexispy.com
  72. 180.150.144.86  direct.flexispy.com
  73. 180.150.144.85  ecom.flexispy.com
  74. 54.169.162.58   log.flexispy.com
  75. 180.150.147.111 login.flexispy.com
  76. 68.169.52.82    mail.flexispy.com
  77. 68.169.52.82    mailer.flexispy.com
  78. 180.150.144.86  mobile.flexispy.com
  79. 180.150.156.197 monitor.flexispy.com
  80. 180.150.144.87  portal.flexispy.com
  81. 68.169.52.82    smtp.flexispy.com
  82. 180.150.146.32  support.flexispy.com
  83. 75.101.157.123  test.flexispy.com
  84. 180.150.144.83  www.flexispy.com
  85.  
  86.  
  87. They had several servers situated behind Cloudflare, which was a problem.
  88. Cloudflare unfortunately has a pretty effective WAF that, while nowhere
  89. near guaranteed to put an end to any fun, does almost guarantee that it'll
  90. be a lot more difficult and require a lot of configuring any automated
  91. tools to avoid setting it off. We had time, though, and looking at that
  92. list, what hostname seems immediately interesting?
  93.  
  94. Yes, that's right. It's admin.flexispy.com. Probably an admin panel.
  95.  
  96. --[3: Level 1]------------------------------------------------------------
  97.  
  98. Now that we had a target, it was time to go to work.
  99.  
  100. We tried some SQL injection on the login page [1]. We didn't get anywhere,
  101. but this wasn't very surprising. It's not 2010 any more; SQL injection is a
  102. widely-known attack, and most tutorials now teach people how to not end up
  103. introducing simple vulnerabilities into software.
  104. It still happens. You just can't rely on it.
  105.  
  106. So, out of boredom, we tried some common default credentials. admin:admin,
  107. administrator:administrator, the usual culprits. Imagine our surprise when
  108. test:test are valid.
  109.  
  110. We log in and look around. It's one user, tied to a gmail address. They
  111. have one license, which seems like a dead test device.
  112. There's some functionality there that throws you into what appears to be
  113. the customer interface over at mobilebackup.biz using some
  114. oauth/single-sign-on functionality. There's also functionality for viewing
  115. user details, looking at license details, and editing user details like
  116. username, password, and so on.
  117.  
  118. The URL looks like this:
  119. https://admin.flexispy.com/secure/employee/editEmployee?employeeId=1
  120.  
  121. Of course, because we're not dealing with people concerned about security,
  122. you can just change the Id=1 to Id=2. And that'll show you another user's
  123. details. And let you reset their password on the customer interface.
  124.  
  125. We played around with that for a couple of hours, and then we wrote a very
  126. simple script that just used curl to request every single ID up to
  127. 99999, which was the upper limit. We repackaged this into a nice text file
  128. and did some grepping to see if there were interesting customers (there
  129. were several), before getting bored and moving on. There's only so much you
  130. can do with customer lists, and that probably wasn't going to be enough to
  131. kill FlexiSpy.
  132.  
  133. [1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
  134.  
  135. --[4: Level 2]------------------------------------------------------------
  136.  
  137. Next, we decided to use nmap to scan their office ranges. We'd found these
  138. through our earlier fierce scan, and you can see them below.
  139.  
  140. 58.137.119.224 -  58.137.119.239
  141. 202.183.213.64 -  202.183.213.79
  142.  
  143. There were a few SSH servers running, a Microsoft Exchange server, and some
  144. RDP, along with a few websites which mostly seemed to be hosting WildFly
  145. default pages, and one CRM instance.
  146.  
  147. Those were interesting, because it indicated there was both Linux and
  148. Windows on their internal network, which gave us options once we got
  149. inside. For now, though, we didn't have access, so we looked to see what
  150. else there was. On one server, port 8081, there appeared to be a Sonatype
  151. Nexus repository with some jar files sitting in it, which appeared to be
  152. for the command-and-control web applications. We assume that FlexiSpy put
  153. them there deliberately for resellers to take and install on their servers.
  154.  
  155. What's a group of shadowy, amorphous internet vigilantes to do but sit and
  156. spend a little bit of time reversing them? We pulled out our copies of
  157. procyon, a fantastic decompiler for Java [1] and got to work.
  158.  
  159. We pulled our several interesting utilities; the first would be their
  160. Mailchimp API key. This was fun, and let us see them sending out emails to
  161. new customers (with nice, fresh, default passwords they encouraged the
  162. customers to change). We had a look for vulnerabilities that might let us
  163. do some SQL injection (again) or exploit the API somehow, but the code
  164. didn't easily hand over any 0days to us.
  165.  
  166. What it did hand over, though, was a password, fairly simple, that looked
  167. like it might be a shared, default password: tcpip123.
  168. We sprayed this around against the SSH servers and the WildFly servers,
  169. but didn't have much luck.
  170.  
  171. Finally, we decided to try the CRM. Amazingly, we were able to compromise
  172. an administrator account using the password we found. From there, we were
  173. able to manipulate certain module installation functionalities into,
  174. eventually, letting us get remote code execution, and uploaded our shell.
  175.  
  176. [1] https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
  177.  
  178. --[5: Level 3]------------------------------------------------------------
  179.  
  180. So, there we were, sitting on a server inside FlexiSpy's internal network.
  181. We weren't root, and the kernel was relatively new. We could have tried
  182. using DirtyCow [1], but many of the publicly available exploits had a high
  183. risk of frying the server, and the more reliable methods would require
  184. creating a development VM identical to the CRM server, which would take
  185. time which we were not sure we had.
  186.  
  187. We dropped a simple tool that allowed us to proxy onto the internal
  188. network, and we also placed a port scanner and an automated
  189. credential-checking tool onto the server, and started scanning quietly for
  190. port 22, 3389, and 23.
  191.  
  192. Once we had a list of these, the first thing we did was deploy our SSH
  193. scanner against them to test for the simple combination of root:tcpip123,
  194. admin:tcpip123, and Administrator:tcpip123.
  195.  
  196. We were in luck. We had managed to compromise three of their NAS servers.
  197. These were all Linux x86-64 machines, too, which meant we could deploy our
  198. tools on them with relative ease. We backdoored the NAS servers using some
  199. code of our own devising, which we left running in-memory hidden as one
  200. of the existing services to avoid bringing any unwarranted attention down
  201. on our heads.
  202.  
  203. From there, we spent several days scouring the systems. On one, we found
  204. source code backups, on another, we found backups of home directories, HR
  205. documents, corporate files, some SSH keys, password backups, internal
  206. network diagrams, you pretty much name it, we had it. Many of these files
  207. were quite out of date, but we were able to glean the password/username
  208. combination to several servers (services:tcpip123 and services:**tcpip!23)
  209. which also had sudo privileges.
  210.  
  211. We stole SSH keys from a number of them, and tasked the Jenkins server
  212. to start pulling down all of their repositories, and send them off to a
  213. server on the internet we controlled afterwards.
  214.  
  215. We also noticed we had access to the Domain Controller for all of the
  216. Windows domains, so we dropped some malware on that, and started slowly
  217. infecting devices and pulling credentials from memory. One of those sets of
  218. credentials belonged to a member of staff in charge of IT, which gave us
  219. access to the internal SharePoint server, which is always a house of fun.
  220.  
  221. By this point, we realised that FlexiSpy didn't give a crap about security,
  222. and in order to give us as many different points of access as possible, we
  223. deployed Tor across the Linux infrastructure, setting up each server's SSHd
  224. as a Hidden Service. We siphoned out as much as we could, stopping for a
  225. few weeks to attempt to transfer the EDB files from the Exchange Server,
  226. which were over 100GB in size. Eventually, we gave up, after trying several
  227. times to exfiltrate them, because we felt if we kept going, we'd eventually
  228. cause an alert loud enough that even FlexiSpy would notice.
  229.  
  230. Once that was done, we contacted Motherboard, gave them the interesting
  231. files, and sat back with some popcorn.
  232.  
  233. [1] https://dirtycow.ninja
  234.  
  235. --[6: BONUS LEVEL]--------------------------------------------------------
  236.  
  237. Wiping their servers was mostly a case of dding /dev/urandom all over all
  238. their drives, but we did have to do that across several RAID devices on
  239. their ESXi servers, which was one of the most frustrating things we've
  240. attempted.
  241.  
  242. Not even several hackers, armed with years of knowledge of
  243. UNIX, could enjoy trying to use ESXi. Eventually, after entering several
  244. long and arcane enchantments, we were able to reformat and dd over the
  245. RAID devices. The rest was fairly simple.
  246.  
  247. We used the stolen credentials from the SharePoint, NAS devices, and other
  248. places to log into Cloudflare, drop their account, then log into Rackspace,
  249. and destroy their servers there, and log into their multiple Amazon
  250. accounts, deleting as many S3 buckets of backups as we could find, before
  251. killing all of those.
  252.  
  253. Finally, we redirected their domains to Privacy International, and went on
  254. our merry way, pausing only to hijack a few twitter accounts and laugh at
  255. FlexiSpy.
  256.  
  257. --[7: Hack Back!]---------------------------------------------------------
  258.  
  259. Firstly, we'd like to dedicate this to everyone who has ever been a victim
  260. of Gamma, or FlexiSpy, or other surveillance tools.
  261.  
  262. We've stolen every a great deal of source code, going back years. We are
  263. hoping that signatures are going to be distributed, tools written to
  264. identify and remove infections, and we also hope that people will see that
  265. this industry is really out there, is worth money, and that it's terribly,
  266. terribly evil.
  267.  
  268. We're just, like, this group of guys, you know? We can hack these people,
  269. and we can expose their secrets, but it's up to everyone to make a
  270. difference.
  271.  
  272. If you have reverse-engineering skills, please, put them to use here. And
  273. not just with FlexiSpy. Take apart other malware samples, from other
  274. vendors of the same scumware.
  275.  
  276. If you have contacts in the antivirus or threat intelligence industry,
  277. push your colleagues to spend a little more time on these things.
  278.  
  279. If you're a hacker, hack back.
  280.  
  281. If you're an ordinary person, stay safe. Watch how things progress, and see
  282. what people are saying about how to detect FlexiSpy and protect yourselves.
  283. Several researchers, such as Hacker Fantastic [1], Tek [2], and Ben [3] are
  284. doing really good work.
  285.  
  286. If you're a spouseware vendor, we're coming for you. Stop, rethink your
  287. life, kill your company, and be a better person.
  288.  
  289. Otherwise, you'll be seeing us soon.
  290.  
  291. [1] https://twitter.com/hackerfantastic
  292. [2] https://twitter.com/tenacioustek
  293. [3] https://twitter.com/Ben_RA
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top