tohitsugu
diff --git a/‎.gitignore‎
Lines changed: 20 additions & 0 deletions b/‎.gitignore‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 41 additions & 0 deletions b/‎README.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎blog/2018-05-04-hackers.mdx‎
Lines changed: 120 additions & 0 deletions b/‎blog/2018-05-04-hackers.mdx‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎blog/2023-11-14-android-proxy.mdx‎
Lines changed: 175 additions & 0 deletions b/‎blog/2023-11-14-android-proxy.mdx‎
Lines changed: 175 additions & 0 deletions
@@ -0,0 +1,20 @@
+# Dependencies
+/node_modules
+
+# Production
+/build
+
+# Generated files
+.docusaurus
+.cache-loader
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
@@ -0,0 +1,41 @@
+# Website
+
+This website is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.
+
+## Installation
+
+```bash
+yarn
+```
+
+## Local Development
+
+```bash
+yarn start
+```
+
+This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+
+## Build
+
+```bash
+yarn build
+```
+
+This command generates static content into the `build` directory and can be served using any static contents hosting service.
+
+## Deployment
+
+Using SSH:
+
+```bash
+USE_SSH=true yarn deploy
+```
+
+Not using SSH:
+
+```bash
+GIT_USER=<Your GitHub username> yarn deploy
+```
+
+If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the `gh-pages` branch.
@@ -0,0 +1,120 @@
+---
+slug: turning-the-tables-on-some-hackers
+title: Turning the Tables on Hackers for Fun (But not Profit)
+authors: tohitsugu
+tags: [hacking, threat, sql injection, botnet, malware, zeus]
+image: ./img/hack/tracker.png
+---
+
+import Image from '@theme/IdealImage';
+
+
+## 0x01 Init
+
+:::tip Note 
+This is a repost of an old blog post I made on another site.
+:::
+
+
+Sometimes it's fun to turn the tables on the bad guys. A hobby of mine is hijacking botnets to see what all the fuss is about. The goal for today is to gain a shell on the malware host server.
+
+:::danger
+Don't actually do any of this. Someone once sent me threatening pictures of my children after I poked around the wrong botnet
+:::
+
+Anyway. C&C web panels are commonly included with malware, and act as a central dashboard providing statistics, command functionality, and access to stolen information such as passwords. As they are essentially the heart and brain of a malware campaign and can be used to control thousands of infected hosts they tend to be hidden on obscure domains, deep from the prying eyes of Google and other search indexers, making them difficult to discover. The panels themselves are usually secured with long and complicated passwords and sometimes require specific URL parameters to be present before access is granted.
+
+They also tend to be poorly coded and subject to exploitation, which we will leverage to our advantage 😁. 
+
+{/* truncate */}
+
+First, we need to find an admin panel for an active botnet. This can be difficult, depending on your standards, and often is time consuming. Options including reverse-engineering malware found in the wild, using a malware tracker, or social engineering someone on one of the underground forums. Because I'm lazy I chose the second option, **using a malware tracker**, which conveniently provides the C&C url directly. The downside is the link most likely will not last long now as it has been marked as a malware host. Most serious threat actors will migrate to a new domain at the first whiff of public detection.
+
+Here's an example of a malware tracker: 
+
+
+import tracker from './img/hack/tracker.png';
+
+<Image img={tracker} style={{width:800}} />
+
+
+
+## 0x02 Reconnaissance
+
+Looking at some recent URLs we see a domain hosting both KeyBase and Pony, making this ideal for reasons discussed shortly. Serious players almost never use a single host for multiple C&C panels, meaning the owner or owners are most likely new to the scene and inexperienced. This is good for us as it increases our chances at finding a bug or mistake to exploit.
+
+As detailed by Paolo Stagno at [VoidSec](https://voidsec.com/keybase-en/), the panel for KeyBase is rather poorly coded and has a couple of major vulnerabilities, *including* **SQL injection**.  Here's the vulnerable bit of code, located in file `post.php`
+
+![post.php](./img/hack/post.png)
+
+![sqli](./img/hack/sqli.png)
+
+
+Notice the utter lack of input validation - escaping the query and appending our own code at` $machinename` in is what allows us to hijack this server.
+
+Using `sqlmap` we can view the databases available to the mysql user. We also learn that the backend is Windows, and that we have db-admin privileges. We also can tell from the table names of the current db that a **Zeus** or **Citadel** panel is lurking somewhere on the server.
+
+According to VoldSec the KeyBase application also has a file upload vulnerability. Unfortunately I was unable to get this to work, leaving us to find another way to access the backend system.
+
+Now, due to design flaw or some other unknown reason, the creators of the **Pony** malware loader store the login credentials for the panel to the database itself...in plain text. Let's take a look:
+
+![spiritc](./img/hack/spiritc.png)
+
+Now we have the admin credentials for one of the panels present on the server: `dmjcode/NAS12345`
+
+The panel itself is pretty bare of activity. Looking at the stats we learn that only a handful of machines have been infected by the malware:
+
+![pony-bots](./img/hack/pony.png)
+
+Nothing interesting here. Going back to `sqlmap` for inspiration I found that I overlooked something previously - the presence of a **phpmyadmin** installation. We know the current mysql user from our earlier sqlmap. Maybe they reuse passwords?
+
+![phpmyadmin](./img/hack/phpmyadmin.png)
+
+
+Back to sqlmap yet again. Because we are running on Windows (and thus have fewer permission issues), we can try and **read and writing to the backend system directly** with the `os-shell`, `file-read`, and` file-write` options.
+
+Trying the `os-shell` and `file-write` features fails almost instantly. After some investigation I learned that this was not due to permission errors but due to how sqlmap attempts to write the files to the remote server.  
+
+![sqlmap-errors](./img/hack/sqlmaperr.png)
+
+Luckily, the `file-read` feature *does* work. By correctly guessing the location of the Pony `config.php` file we can pull it with sqlmap. Let's take a look:
+
+![file-read](./img/hack/fileread.png)
+
+Now we have the actual mysql credentials and are getting somewhere. We can use the mysql username and password to login to phpmyadmin. 
+
+![mysql-databases](./img/hack/mysql.png)
+
+
+## 0x03 Exploitation 
+
+Using phpmyadmin, let's add a single 1-line backdoor:
+
+![mysql-databases](./img/hack/mysql.png)
+
+Using the `MySQL SELECT into outfile` command, we can write to the local file system. Because this is Windows, we have permission to write to the local `htdocs` folder:
+
+![exploit](./img/hack/exploit.png)
+
+Now we have a backdoor to the local windows machine:
+
+![dir-command](./img/hack/dir.png)
+
+
+Using a combination of local files and executing my own SQL statements, I was able to find the **Zeus** panel and log myself in. The password was the same used on the Pony panel - don't reuse passwords! Even fraudster make this mistake.
+
+Zeus panel. Not sure which variant this is for: 
+
+![zeus](./img/hack/zeus.png)
+
+
+Poking around on the Zeus panel, it seemed some of the bots were pushing a version of the **Cryptolocker ransomware**. Unfortunately I was not able to penetrate the host that controlled this software. The good news is that they were using a version of cryptolocker-type malware that Kaspersky has a tool to decrypt files.
+
+Also on host were CC tracks and full card info for online and in-store fraudulent purchases: 
+
+![cc-tracks](./img/hack/tracks.png)
+
+## 0x04 Conclusion 
+
+The owners of the malware caught on at this point and took everything offline. Unfortunately for them, all the bots not yet suffering from Cryptolocker were deleted by me first 🤭.
+
@@ -0,0 +1,175 @@
+---
+slug: packed-android-proxy-framework
+title: Exploring a Stealth Proxy Framework Packed into an Android Shared Library
+authors: tohitsugu
+tags: [android, hola, luminati, bright data, proxy]
+image: /img/libtopvpn.png
+---
+
+import Image from '@theme/IdealImage';
+
+:::note File Information
+File name: `com.bigos.androdumpper.apk` <br/>
+Size: 11MiB <br/>
+Type: android <br/>
+Mime: application/zip <br/>
+SHA256: d2490fc5fc5a5f6fd9f58a8e3c488601367638d4dd9f3a5f892131dc50df9031 <br/>
+Last VirusTotal Scan: [11/17/2023 23:23:14](https://www.virustotal.com/file/d2490fc5fc5a5f6fd9f58a8e3c488601367638d4dd9f3a5f892131dc50df9031/analysis) <br/>
+Last Sandbox Report: [11/17/2023 23:23:13](https://www.hybrid-analysis.com/sample/d2490fc5fc5a5f6fd9f58a8e3c488601367638d4dd9f3a5f892131dc50df9031/6557f5e04029ab79350e64d3) <br/>
+Malware Family: Luminati (not currently classified as malware)
+:::
+
+
+
+## 0x1 Intro
+
+Not all malicious (or at least dishonest) code can rightfully be called malware, even if the tactics used by the software in question are similar or even undistinguishable from actual malware. The difference is in how they are used. And sometimes - as in this case - you can grant developers permission to turn your Android device into a hidden SOCKS proxy for paying customers.
+
+One of my favorite methods of poking around on Android devices is to install a [Linux chroot image](https://xdaforums.com/t/tutorial-how-to-build-ur-own-chrooted-linux-for-android-step-by-step.3586319/) on a *rooted* device so that I can make use of my favorite command-line tools. This gives me access to a full Linux distro on my device.  
+
+I recently discovered an Android app called **AndroDumpper** that seemed innocent enough. However, when first starting the application you see this message asking you to agree to sharing some of your device's wifi and cellular data:
+
+
+import androterms from './img/androterms.png';
+
+<Image img={androterms} style={{width:400}} />
+
+
+
+{/* truncate */}
+
+
+So what does this mean? Well, after starting the application I can see a new p2p network interface as well as some system commands configuring it:
+
+import ifconfig from './img/ifconfig.png';
+
+<Image img={ifconfig} style={{height:500}} />
+
+
+import ps from './img/ps.png';
+
+<Image img={ps} style={{width:800}} />
+
+
+The application appears to be tunneling network traffic through the new `tun0` interface, and if we open a network sniffer such as **Packet Capture** we can see that there is quite a bit of network traffic being used: 
+
+![packetcapture](./img/packet1.png)
+
+![packetcapture-apps](./img/packet.png)
+
+While all this network activity is happening, this is all I see from the application itself: 
+
+import appmenu from './img/appmenu.png';
+
+<Image img={appmenu} style={{width:400}} />
+
+
+
+Unfortunately, the application is using [certificate pinning](https://developer.android.com/privacy-and-security/security-config) which makes it difficult to actually inspect the network packets. So far my attempts using Frida to bypass certificate pinning have failed for this application. In the past I was able to load a modified Xposed Framework module - if I can get this working I will update this post.  
+
+Seeing as a live inspection of the application is impossible, let's take a look at the APK itself. 
+
+## 0x2 Decompiled Library
+
+First, I used **apktool** to decompile the APK. 
+
+```shell 
+apktool d androdummper-3-11.apk
+```
+
+My attention was immediately drawn to the libs folder containing five *shared object library* `.so` files. One in particular - `libtopvpn_svc-1.121.410.so` - caught my eye as it was pretty large.
+
+![apktool](./img/apktool.png)
+
+![file](./img/file.png)
+
+Unfortunately. the file was [stripped](https://www.man7.org/linux/man-pages/man1/strip.1.html) of all its symbols, making it very difficult to study. Not to be deterred, I searched for a couple of hours and eventually found an earlier file version intact, `libtopvpn_svc-1.66.306`.
+
+Loading the non-stripped file in Ghidra revealed *hundreds* of functions. Here is the `main` function, edited a bit to repair the function signature:
+
+![main](./img/main.png)
+
+The sheer number of functions to sort through was quite overwhelming. Because the `main` function contained a string reference to the word **zon**, that's a good starting point. 
+
+`zon_` functions: 
+
+![zon_functions](./img/zon.png)
+
+The function `zon_process_entry_point` function was interesting as it contained a reference to a javascript file and appeared to have command-line flags defined as arguments: 
+
+![zon_process_entry_point](./img/zonprocess.png)
+
+Lots of defined strings for `.js:
+
+![search-js](./img/searchjs.png)` 
+
+Also exciting is the reference to `hola_browser`. Hola VPN is a popular free VPN. What a lot of people need to learn about them is that they turn your device into a proxy connection point for their paying customers. More on that later. 
+
+Digging through the functions some more, we can see that the process queries a database and inserts a list of hosts and IP addresses:
+
+![sql-insert](./img/sqlinsert.png)
+
+And here it appears to save a list of peers:
+
+![sql-tunnel](./img/ztunsql.png)
+
+Function to execute the native android shell `/system/bin/sh`: 
+
+![execvpe](./img/execvpe2.png)
+
+## 0x3 Extracted Framework
+
+When first examining the `.so` in Ghidra, I initially assumed that the running code downloaded the javascript framework referenced in the source and saved it on the Android device somewhere. After a few hours of digging through functions, it became clear that the framework was packed into the file in some method. 
+
+Running the `strings` command on both the original stripped library file (`libtopvpn_svc-1.121.410.so`) and the unstripped version (`libtopvpn_svc-1.66.306`) showed lots of readable text, including references to `.js` files. 
+
+I tried using `binwalk` to see what might be extractable. To make things interesting, I focused on the unstripped file I extracted from the AndroDumpper APK. 
+
+```shell 
+binwalk -e libtopvpn_svc-1.121.410.so
+```
+
+![binwalk](./img/binwalk.png)
+
+The results were immediate. As I suspected, this `.so` contains several javascript files cleverly packed into a shared object library, something I'd never encountered before. 
+
+Some of the extracted files: 
+
+![libtopvpn_ls_command](./img/libtopvpn.png)
+
+Here's a peek inside `lum_proxy.js`: 
+
+![lum_proxy.js](./img/lumproxy.png)
+
+Some interesting `powershell` functions in `main.js`: 
+
+![powershell-commands](./img/pscommands.png)
+
+Configuration details in  `zon_config.js`: 
+
+![zon_config.js](./img/zonconfig.png)
+
+## 0x4 Conclusion
+
+So what is all this? The solution came from `zon_config.js`, the standard client config file used by the [Bright Data](https://brightdata.com/luminati) proxy network - formerly known as **Luminati Networks**. Remember when I mentioned the **Hola VPN** turned your device into a proxy connection point for paying customers? Bright Data, a.k .a. Luminati, is the sister company of Hola VPN that sells those proxies.   
+
+A lot has been written about this company before. Still, using the free Hola VPN app or browser extension allows your machine to be part of a SOCKS proxy botnet for paying Luminati customers. I first learned about Luminati by lurking on Russian crime forums, where it was mentioned as a popular tool for helping commit credit card fraud.  
+
+The vast Bright Data SOCKS proxy network allows people (including criminals) to connect to a site using a home or mobile IP address from their chosen city. Fraudsters can bypass security measures this way when using stolen credit card info. Attempting to purchase an expensive item or service with a marked VPN or Russian IP would cause the purchase to be flagged. However, connecting via a Comcast or Verizon IP from the correct city will make the transaction seem much more legitimate. That's not to say that the service can't be used legitimately - I'm sure it can - but my exposure to it has left me with a poor opinion of the company and its tactics. 
+
+However, the reason why the AndroDumpper application was bundling a proxy network disguised as a harmless shared object library remained.  
+
+Well, it turns out that Bright Data offers a [monetization service](https://bright-sdk.com/) to app developers. Rather than including ads (as is typical in free apps), Bright Data offers to turn your application into a node for its network. They were very creative on their part but backhanded and sneaky. After all, **nowhere** in the agreement clause you see when first running the app does it implicity state you are effectively turning your device into a proxy server for Bright Data's paying customers.
+
+It might be a stretch to call this behavior *malware*, but it raises some ethical considerations. 
+
+Luckily, AndroDumpper *does* allow you to opt out of Luminati from the **Settings** menu, though they fail to mention why you might want to do this - in fact, this is the first time a user actually sees the name **Luminati** mentioned. 
+
+![opt-out](./img/optout.png)
+
+I'm still in the process of reversing this application, and plan to update this post once I do. 
+
+All the files can be found on my [github](https://github.com/tohitsugu/androdumpper) if you want to take a peek yourself. **Note**: I had to compress the files into a `.7z` archive as they were too large to upload by otherwise. 
+
+
+