Staredit Network

So I was googling "synd][cate" the other day..
Posted by CaptainWill on 2006-10-12 at 17:25:36
QUOTE(Urmom(U) @ Oct 12 2006, 09:20 PM)
I thought synd][cate hacked the forums in like Nov. 2004.  That's around when IP got adminship or something like that.

ROFL, google Urmom or Urmom(U).  You get some interesting results.

Everyone thought that at the time. I can't remember whether it was true or not though. I think he hacked some mod accounts and posted in the news section under Bolt's name with the title 'The barn is burning.'

Then the site mysteriously went down and...wait - he admitted to hacking it in a post on Blizzforums. I thought Yoshi had something to do with it though. It was right after the IcyHell and UnPROEdit scandals.

Edit: Yes that was me. How lame... I don't understand why I wrote that rubbish. The strange terms I used are how you're meant to write posts on that site; I'm not completely insane. ;)

I can console myself in knowing that this was before I had a girlfriend.
Posted by Deathawk on 2006-10-12 at 17:26:33
I have like 5 of the first 2 pages of links.

-ezpk

I googled Deathawk. GgG-Deathawk, I am probably all of them.
Posted by dumbducky on 2006-10-12 at 17:43:28
QUOTE(n2o-SiMpSoNs @ Oct 12 2006, 05:18 PM)
here is what i got

Funny, that's not what I got.
Posted by Killer_Kow(MM) on 2006-10-12 at 18:09:15
Lol, I'm gay!

But really, that's not me.

ADD: And lol?

I seem to like CTF O.o

ADD:

Let's see... The PGTour and CreepColony links are me...

O.o

Wow, I have to be more creative >.<
Posted by Syphon on 2006-10-12 at 18:29:53
http://www.google.ca/search?hl=en&q=Syphon...le+Search&meta=

Disappointing.

http://www.google.ca/search?hl=en&safe=off...nG=Search&meta=

Are you kidding me?
Posted by Caboose on 2006-10-12 at 18:35:23
When I google my other alias, caboose1337, it's all about me baby!
Posted by synd][cate on 2006-10-12 at 22:51:47
QUOTE(CaptainWill @ Oct 12 2006, 04:25 PM)
Everyone thought that at the time. I can't remember whether it was true or not though. I think he hacked some mod accounts and posted in the news section under Bolt's name with the title 'The barn is burning.'

Then the site mysteriously went down and...wait - he admitted to hacking it in a post on Blizzforums. I thought Yoshi had something to do with it though. It was right after the IcyHell and UnPROEdit scandals.

So you want to know how it was done....
(if you read this full post and understand it .... good job!)

Some other user on SEN did the first hits on ICY, I finished it off. How it was done.. Icy-hell left the install script on their forum on the server so you could write over the config.php file which stores the mysql information. The SEN user basically just reinstalled the forum with gibberish as mysql username/password.. screwing up the file so people connecting to the site would get an unable to connect to database error.

I took the knowledge of the install.php file and tracked down the host that this server was hosted on. I then found a phpmyadmin (php mysql administration) install for that server. I then tried a totally random username and password to connect to the mysql database. The username I tried was demo/demo and I was lucky and that user existed on the same database server icyhell was installed on. I then went back to the install.php file and entered in the known username and password for the demo mysql account. Basically setting a new forum install on the demo/demo database with the forum software being under the icy-hell account.

Right now we still don't have access to the icy-hell filesystem or database, all we have access to is administrative access on a new forum install and access to the mysql database (through phpmyadmin) if we need to manually edit any of the values. Next question is how do we exploit the features of this bulletin board to gain access over the filesystem and view contents of any file in the icyhell account?

So what I did next was upload a dummy file to the forum through the post attachment method. What this does is create an entry in the mysql database for a file upload. Switching back to phpmyadmin we view the table for forum user file uploads. In the table is a new entry for the file we uploaded and listed is the absolute location of the uploaded file in the filesystem. For security purposes the forum software renames the file to random characters with an innocent file extension (not executable) so you can't upload php files and execute them etc. Using phpmyadmin we edit this entry and change the location of the uploaded file to the location of index.php, the index page when you type in icy-hell.com.

Now if you go to the forum post where I posted the dummy file and download the file you would be downloading index.php. Note: there is nothing really interesting in the index.php file, no passwords or anything. If we wanted the forum password file we would need the config.inc.php file but that doesn't have anything interesting either since we just wrote over that file when we were installing the forum software again. Since we do not yet have a method of listing the directory contents since all we have is the forum software to work with .. we do not know of the filenames of any other interesting files which may contain a mysql password. So what happens next?

What happens when you remove an attachment from your forum post? Does it delete the file on the server? You bet it does :). So since we associated my post file attachment with the index.php file, deleting the post attachment deletes the index.php file. So using the forum software and phpmyadmin we can now delete any file we want. However we already messed up the forum, what's the point of deleting files? We want the mysql password... ;)

Under apache (.htaccess) you can either enable or disable listing file directory contents if there is no index.php. By default icy-hell has this feature turned on and I strongly recommend turning this off for big websites... because if you do not have an index.php file or it somehow gets deleted (wink) .. people are able to view the full contents of your main website directory. Now with the index.php file missing and with full directory listings on... we visit icy-hell.com and, viewing the directory contents, we look for any interesting file names which may suggest they contain a mysql username and password. Forget the name of the file I tracked down but I think it was like test2.php. Now if you clicked on this file listing in your web browser you would not see the file contents since php compiles any file with a php extension. Since we want the file contents in plain text, we upload another dummy file to a forum post (the same way we deleted index.php)... so after we use phpmyadmin to change the location of the uploaded file to the test2.php file we go to our forum post again and download the forum attachment. By downloading the file we are downloading the raw contents of test2.php, amazingly enough this file did contain a mysql username and password.

Switching back to phpmyadmin we can now login to the icy-hell database and do whatever we want. I did not delete this database myself, instead I gave the login/password to a SEN user which subsequently dropped the database.

Anyone who said this was a newb hack or used some kiddie script to do it, try again. This was done without reading any known exploits on the forum and done completely through creative thinking.

Now you want to know about SEN? It was claimed to be unhackable at the time...? I will double post the sen hack just so that this post isn't a huge wall of text more than it already is... :)



ADDITION:
The sen hack..

Nobody really knows how this was done, I think I explained this to 1 or 2 sen users at the time. But now I will explain to everyone..

At the time yoshi was advertising webhosting by the same host he was hosted on, there was a demo control panel setup. On the page advertising the hosting was a link to a demo control panel account with the username/password "demo/demo" (a famous login/password ;) ) From the control panel you can do a variety of things like install mysql databases, setup ftp accounts etc... unfortunately most of these features were disabled for the demo account.

The demo account had the domain name "sendemo.com" setup for that account. Since the domain name sendemo.com was not actually registered, typing in sendemo.com into your browser wouldn't do very much but bring you to an error page. So we now ping staredit.net and get the IP of the address sen is hosted on. Now to make it so when you type in sendemo.com and make it associate that name with that IP address you need to edit C:\WINDOWS\system32\drivers\etc\host file.

In this file you would add a line

(ip address of server)
123.456.789.123 www.sendemo.com

Now if you type the domain name in your browser it will bring up the sendemo webpage. So we now have a semi-functional cpanel account on the same server as SEN with ftp access. We can now upload any php file we want to our demo account and run it on the same server as SEN. Now if the administrator of this webserver had set up privileges right for each virtual host... there would be no problem at all. However this was not the case, using a single php file you can read/write/delete any file of any other webuser on this server. So all that is needed is to upload a file management php script and browse to the location of the SEN website directory. You can change, view or delete any file you want including the forum config.inc.php file.

Was SEN an easier hack than ICY? pretty much.. yes. SEN's problem was the server was insecure and any user on the same server could have messed up any other site on the server. ICY got hacked through a php file, and gaining access to passwords through forum software is quite a bit harder.

This is a post about how I did it, not a post whether or not it was good ... hacking any site is bad kids :P ... and can land you in prison if the person chooses to charge you. Yoshi was nice and didn't follow it up, and I was stupid using IPs trackable back to me with little effort.

But now you know.. It is good to know how these things were done to prevent yourself from hosting an insecure site in the future.
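
An added defensive example (not part of the original post, and not code from any forum package): the Icy-Hell chain described above worked because the forum served and deleted whatever path the attachment row named, so this check resolves each stored location and rejects anything outside the upload directory. The row layout, function names and sample paths are assumptions constructed for illustration.

```python
import os
import tempfile

def is_contained(upload_root, stored_path):
    """True only if stored_path resolves ('..' and symlinks included) to a
    location strictly inside upload_root. Absolute stored paths are handled
    because os.path.join discards the root when the second part is absolute."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, stored_path))
    return target != root and os.path.commonpath([root, target]) == root

def safe_attachment_path(upload_root, stored_path):
    """Path the forum may serve or unlink; raises if the row points elsewhere."""
    if not is_contained(upload_root, stored_path):
        raise PermissionError("attachment location outside upload directory")
    return os.path.realpath(os.path.join(os.path.realpath(upload_root), stored_path))

def audit_attachments(upload_root, rows):
    """Return ids of attachment rows whose location escapes upload_root.

    rows: iterable of (attach_id, location) pairs read from the attachments
    table (hypothetical schema; real column names differ per forum package)."""
    return [attach_id for attach_id, location in rows
            if not is_contained(upload_root, location)]

def demo():
    # Constructed sample data: rows 2 and 3 imitate a location column that was
    # edited by hand in the database to point at files in the web root.
    with tempfile.TemporaryDirectory() as site:
        uploads = os.path.join(site, "uploads")
        os.mkdir(uploads)
        rows = [
            (1, "post-1-a8f3c2.dat"),                          # normal upload
            (2, os.path.join(site, "index.php")),              # absolute path in web root
            (3, "../test2.php"),                               # relative escape
            (4, os.path.join(uploads, "post-4-77be10.dat")),   # absolute but inside
        ]
        return audit_attachments(uploads, rows)

if __name__ == "__main__":
    print("rows pointing outside the upload directory:", demo())
```

Calling `safe_attachment_path` in both the download and the delete handler closes the read and the unlink primitive at once; `audit_attachments` is for sweeping an existing table.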
Posted by Caboose on 2006-10-12 at 22:58:40
Hehe, I read all that. x]
Posted by Screwed on 2006-10-13 at 06:50:24
Oh just wait till you google Screwed