So, readers if you already know me (@n0x00) personally  you know what too expect, if you don”t, you might have a hard time with my writing skills (I mean lack of) … I”m quite terrible at it, but the information is accurate. if it frustrates you, maybe best you don”t scroll down

Looking at some of the feedback from the infosec community I”d say what I was dealing with was a variant of randsomware similar to cryptolocker. when I wrote the post below I had the assumption it was cryptolocker – so apologies for the in-adverted link-baiting.

A friend of mine had recently been stung by cryptolocker so I thought I”d have a look at it. Cryptolocker basically encrypts certain file types you have access too (your files) and say’s “You Pay me Bro if you want to see them files again… soon’  … it has your files and there is a timer on how long you have to decide to pay or lose those files . Not cool.

The way the bad guys want paying is usually via Bitcoin via the TOR Network, they explain in there graphic how to download the vidalia TOR bundle so you can reach the .onion website (websites hosted on the TOR network do not resolve over common DNS and always end in .onion,  What”s cool for us is that the graphic presented on my pals machine is static, so the address that is presented always has to be that address, they have to keep the box online *cough-its-still-there-cough* , anyway I took the address 4sfxctgp53imlvzk.onion To get myself in a comfortable position to have a good old poke around I hooked up Burp Suite Pro  and Firefox  and TOR the settings where use SOCKS Proxy, host and 9050 or the port, and DNS Lookups over socks proxy is ticked too, cool.


Luckily for me Steve Lord was hanging out with me this night, we just had some grub and where drinking whiskey and watching Super Jail, politely chipping away, some not very useful stuff. on an apptest I would report but for my goals … I need to get in …not to improve posture SO … a while back Dec 20th 2013 I noticed an issue with some randsome-ware echoing out it”s localhost connection details when requesting favicon from it”s server following up on this tweet

Screen Shot 2014-11-09 at 23.48.29


I thought i”d see if the same issue worked here (why not, I have whiskey, cartoons and a Steve Lord) Didn”t quite work …but this did…

<pre escaped=”true” lang=”php” line=”1″>GET /index.php%3C HTTP/1.1\r\nHost: 4sfxctgp53imlvzk.onion\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=7ms6io53cb73k3u47n4jivr4c5\r\nConnection: keep-alive</pre>
Returned this
<pre escaped=”true” lang=”php” line=”1″>HTTP/1.1 200 OK\r\nServer: nginx/1.2.1\r\nDate: Sun, 16 Feb 2014 02:07:25 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 12931\r\nLast-Modified: Sun, 16 Feb 2014 00:17:41 GMT\r\nConnection: keep-alive\r\nAccept-Ranges: bytes\r\n\r\n&lt;?php\r\nsession_start();\r\ndefine(”DBHOST”, ”localhost”);\r\ndefine(”DBUSER”, ”<strong>site</strong>”);\r\ndefine(”DBPASS”, ”<strong>Be6mybCWhpFpgG4u</strong>”);//Dostep do sql za miana!!! <strong>&lt;– polish </strong>\r\ndefine(”DBNAME”, ”site”);\r\nmysql_connect(DBHOST, DBUSER, DBPASS);\r\nmysql_select_db(DBNAME);\r\n$errors = $success = “”;\r\nif(isset($_GET[”captcha”]) &amp;&amp; $_GET[”captcha”] == 1){\r\ninclude(”kcaptcha6791/kcaptcha.php”);\r\n$captcha = new KCAPTCHA();\r\nif($_REQUEST[session_name()]){\r\n$_SESSION[”captcha_keystring”] = $captcha-&gt;getKeyString();\r\n}\r\nexit(); blah blah blah…</pre>

Sweet, that might come in handy later… any way picked away at it for a good 90 minutes looking at known vulns on webserver (DoS) and seeing what the value was of the issues found so far (little XSS, possible DoS and some lesser crap) not very meaningful to the goal and if it”s DoSsed then other people may miss out on recovery (if they are willing to pay) .

Got pissed with Steve and passed out.

Next Day, I see Steve off and drag my arse down to my local greasy spoon cafe, but before I do, I hook up DIRBuster and set a 2nd burp listener to push it through, I push it through burp so it resolves via Burp”s TOR configuration and I set up a 2nd listener to separate tools – 8080 does browser, 8088 does DIRBuster so on and so fourth using burps filter by port feature (nice) … Off I go, later on in the afternoon I have one of those “Oh shit yeah, I was hacking something”  thoughts and get back to my box nope, nope, nope nope… nop nopnoponponpno nothing exiting BUT WAIT


What is this ? 301 Redirect to /mysql/ I don”t  have the screen shot of the login at hand but if I find it I”ll modify this bit. I”m greeted with a web interface of some software called Adminer ver 3.7.1 and the information it requires is a username, a password and a database, because this is on the box I can use the details from yesterday ! – sweet.

  • Can I read from the hard drive
  • Can I Dump the database
  • Can I Expose it’s IP Address/FWDN/Hostname

No.Not really Partial hostname is DS791732 (if that means anything to anyone speak up) I have the database, it’s a small one, has some bitcoin shit in it (or did have) a few more hours after I got into this area, they where on to me and can no longer reach the /mysql interface :( but the link is still there taking money… I think they flush it now and then I only saw 12 entries some paid some probes   I took a dump of the database and a few screenshots I thought you lot might like this as a read. .. be interested to see if anyone else can cause these little shits a headache… I imagine there is more to come.


I could as a limited user view a bit of the database


anyway … ripping good laugh.

Here is how we configure burp up to hit the Tor network on a Mac



Add Your Comments

Your email is never published nor shared.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <ol> <ul> <li> <strong>