Good news! The famous group of losers, known for having “spammed with an 0day” Monero in 2024 and collaborated closely with LE on the Archetyp Market arrest in May 2025, has just been defaced by Yugong with an XSS exploit + social engineering. Indeed, these individuals were becoming a real problem for the entire community. Thanks to Yugong and DreadForum!
"Entry Point

I bruteforced a lot of files and paths and found a plugin they've enabled, but you can't find it on any other page in the source (which I checked before, obviously). Lack of good configuration allowed me to see the difference in HTTP responses and identify existing files, making way for the entry point.

The plugin in question allows browsing of the forum on Telegram. I can only speculate this is a feature they would have added in the future to the Telegram group they own or actively worked on at some point.
github com/D-MBLD/phpbb-telegram-bridge

However, that plugin had been marked as abandoned by the phpBB team on 30 March 2025.
phpbb com/community/viewtopic.php?t=2636856&start=45

Since they haven't updated their phpBB version in quite some time, I assumed they wouldn't have seen this plugin being deprecated.

I made a test forum with their same phpBB version and installed the latest release of the plugin from 2023 (the AntiDarknet forum was created in 2024). Enabled several fuzzers against the code and network side and manually started inspecting in the meantime.

Leveraging Multiple Vulnerabilities

After a couple of hours I had narrowed it down to a few problematic areas which can be exploited directly and more easily. More testing and experimenting, and more vulnerabilities were found. I tailored a simple exploit script I had from before to the phpBB interface to use them and initiate upload of my payload.

However, I realized issues existed with getting some of my requests unless pre-authorized. I leveraged an XSS vulnerability from the plugin to create a CSRF request and add authorization parameters in the plugin settings. The admin page of the plugin wasn't well protected compared to those within phpBB: adding yourself as admin, or a more complex array of actions leading to shell upload (knowledge of the user's session id, sid, required). Next step was the delivery mechanism of the first stage."
More details can be found in the Dread post.
_______________________________________________________________________________
LINKS:
/threads/140110/
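Two defensive points follow from the quoted writeup. The first is the weak admin page: a settings handler that only checks for a session id can be driven by a request forged from script running in the admin's browser, while phpBB's own pages bind a time-limited form token to the session. The block below is an added example written for this post, not phpBB's code and not the plugin's; the secret, the form name `acp_plugin_settings` and the request dictionaries are constructed stand-ins for the real request objects.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-installation secret kept server-side; it never reaches the browser.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_LIFETIME = 3600                 # seconds a form token stays valid
FORM_NAME = "acp_plugin_settings"     # hypothetical name of the plugin's ACP form

# Control fields read by the handler; everything else in the POST is a setting.
CONTROL_FIELDS = {"sid", "creation_time", "form_token"}


def issue_form_token(sid, form_name, now=None):
    """Return (creation_time, token) to embed as hidden fields when the form is rendered.
    The token is an HMAC over creation time, session id and form name, so it is useless
    for another session, another form, or after TOKEN_LIFETIME has passed."""
    created = int(time.time() if now is None else now)
    msg = f"{created}:{sid}:{form_name}".encode()
    return created, hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def check_form_token(sid, form_name, created, token, now=None):
    """Recompute the token for (created, sid, form_name) and compare in constant time."""
    now = int(time.time() if now is None else now)
    if not 0 <= now - created <= TOKEN_LIFETIME:
        return False
    msg = f"{created}:{sid}:{form_name}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


def weak_update_settings(settings, request):
    """Weak handler: the presence of a sid is the only gate. A cross-site POST built by
    script in the victim's browser can supply it, so this is no CSRF defence at all."""
    if not request.get("sid"):
        return False
    settings.update({k: v for k, v in request.items() if k not in CONTROL_FIELDS})
    return True


def hardened_update_settings(settings, request, session_sid, now=None):
    """Hardened handler: the sid must match the server-side session AND the request must
    carry a fresh token issued for this session and this form."""
    if request.get("sid") != session_sid:
        return False
    try:
        created = int(request.get("creation_time", ""))
    except ValueError:
        return False
    if not check_form_token(session_sid, FORM_NAME, created,
                            request.get("form_token", ""), now):
        return False
    settings.update({k: v for k, v in request.items() if k not in CONTROL_FIELDS})
    return True


if __name__ == "__main__":
    sid = "constructed-session-id"
    created, token = issue_form_token(sid, FORM_NAME)
    legit = {"sid": sid, "creation_time": str(created), "form_token": token, "bot_token": "x"}
    forged = {"sid": sid, "bot_token": "evil"}   # attacker knows sid but holds no token
    weak, hard = {}, {}
    print("weak accepts forged:", weak_update_settings(weak, forged), weak)
    print("hardened accepts forged:", hardened_update_settings(hard, forged, sid), hard)
    print("hardened accepts legit:", hardened_update_settings(hard, legit, sid), hard)
```

A form token like this stops requests forged from other origins; it does not stop script that already runs in the admin's own origin, which can read the hidden field. That is why the XSS in the plugin has to be fixed in its own right, and why an extension's admin page should inherit the forum's own protections rather than roll its own.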
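The second point is the entry itself: the plugin was found by brute-forcing paths and telling existing files apart by the server's differing responses. From the defender's side that activity is loud in the access log. The block below is an added example written for this post, not a tool from the page: it profiles each client in combined-format log lines and flags hosts that send many requests to many distinct paths with a high 404 ratio, reporting which paths the server confirmed for them with a 200/301/302/403. The log lines, the client addresses and the `/ext/vendor_x/plugin_x/` path are constructed, not the real plugin's.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed slice of a scanner wordlist (not the writeup's own list).
PROBE_PATHS = [
    "/adm/", "/ext/", "/backup.zip", "/config.php.bak", "/.git/HEAD", "/cache/",
    "/install/", "/phpinfo.php", "/store/", "/ext/vendor_x/", "/ext/vendor_x/plugin_x/",
    "/ext/vendor_x/plugin_x/composer.json", "/admin.php", "/ucp.php.old",
]
# Constructed: most probes get 404, but the server leaks existence of a few paths
# with 403 (directory present, listing denied) or 200 (file readable).
_LEAKED = {"/ext/": 403, "/ext/vendor_x/": 403, "/ext/vendor_x/plugin_x/composer.json": 200}


def _line(ip, path, status, minute):
    return f'{ip} - - [01/Jun/2025:10:{minute:02d}:00 +0000] "GET {path} HTTP/1.1" {status} 512'


SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", p, _LEAKED.get(p, 404), i) for i, p in enumerate(PROBE_PATHS)]
    + [_line("198.51.100.4", p, 200, i) for i, p in enumerate(
        ["/index.php", "/viewforum.php?f=2", "/viewtopic.php?t=10", "/index.php"])]
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status (int), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Aggregate per client: request count, 404 count, distinct paths, and the paths
    whose existence the server confirmed with a non-404 status."""
    prof = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "confirmed": {}})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = prof[rec["ip"]]
        p["requests"] += 1
        p["paths"].add(rec["path"])
        if rec["status"] == 404:
            p["not_found"] += 1
        elif rec["status"] in (200, 301, 302, 403):
            p["confirmed"][rec["path"]] = rec["status"]
    return prof


def find_enumerators(lines, min_requests=10, min_404_ratio=0.6, min_unique_paths=8):
    """Flag clients whose traffic looks like path enumeration. Thresholds are assumptions
    to tune per site; a forum's normal users rarely produce a 60 % 404 ratio."""
    flagged = {}
    for ip, p in profile_clients(lines).items():
        ratio = p["not_found"] / p["requests"]
        if (p["requests"] >= min_requests and ratio >= min_404_ratio
                and len(p["paths"]) >= min_unique_paths):
            flagged[ip] = {
                "requests": p["requests"],
                "not_found_ratio": round(ratio, 2),
                "unique_paths": len(p["paths"]),
                # what the scanner learned: the responses that differed from 404
                "confirmed_paths": dict(sorted(p["confirmed"].items())),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The `confirmed_paths` field is the part worth reading in an incident: it lists exactly which directories and files the server admitted to, which is also the list of places whose responses should be made indistinguishable from a plain 404 (or hidden behind the same 403 page) so the next scan learns nothing.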