| welcome to social.hackers | posts are made by Clocwork and Shadowdrifter | added some new hack diaries + podcasts |

Monday, April 18, 2011

Shadowdrifter Hack Diary : The Festival

I had tested dozens of sites for vulnerabilities, finding none. When I was ready to give up,
I stumbled across a site that was vulnerable to SQL. When I noticed that the SQL version was 4, I was filled
with anger and hatred. After many attempts at finding the user tables, I decided my time was best spent getting
my normal four hours of sleep. I sent a message to my colleague Clocwork, and took my rest.

When I awoke from my slumber I had a message which simply said "Cool". I should have known Clocwork wouldn't care about it until he had seen it for himself. When he finally joined me in my endeavours we began to test the site for other vulnerabilities; finding none, we focused solely on the SQL injection.
After many creative attempts we finally found the user table. When we inspected it further I noticed that
there was no password column. Disappointed, I continued to search through the table, only finding the usernames.

So, distraught, Clocwork and I retreated to ponder our attack. While he was working on the password
columns I decided "Hey, why not try password guessing". So I got a list of every username, and began my attack.
I tried the name of the event, and presto! I was granted super administrator access. Dumbstruck by the admin's
terrible password choice, I paused to really contemplate his ignorance. Then I messaged my colleague to tell him the good news, and we planned our next move. Our plan was to simply email the admin explaining how we got in, but I decided to go with a different plan. So we created a deface page as a proof of concept, then proceeded to dox the system admin. After finding his information we called his home, and had a good chat. Promptly he fixed the vulnerabilities, and changed the passwords to something much more difficult to guess. During our chat Clocwork and I were offered the opportunity to volunteer and do security for the festival next year. So sometimes doing a white hat hack has its benefits.

    This is all for my hacking diary... For now. May your blade stay sharp, your mind sharper.
