
· 6 min read
Anderson de Souza

Way before A.I. popped up with its magical vibe-coding, the power to build solutions in the form of software was in developers' hands. And sometimes we saw that in movies.

Our character used to believe in that. He did have that creative capacity, but he always lacked sales skills. The very first client he sold a website to even tried to help him, going so far as to lend him a book on sales, but he didn't take the advice and chose instead to focus on the skills that matched his role.

Because of this, he was always looking for a sales partner. The key person who would sell the solution and launch them into the game. He tried a few times: his brother, his wife, a friend, multiple friends, until a sharp-looking, successful multi-entrepreneur came along.

He believed he had found the missing ingredient for the recipe of success—the business and sales guy. So, without wasting any time, he laid his cards on the table and showed the huge potential of the whole idea: action plan, key features, branding, everything for the new mobility app. At the time, basically a single option dominated the market, and there was barely any competition.

"Entrega já!" (Deliver Now!) was the name.

The guy showed great interest and accepted the partnership offer. In addition to capital, he would handle marketing and other sales operations.

Le coup

After a few days of working on the MVP and presenting the procurement needs (expanding the team, etc.), a new problem arose: "Entrega lá!" (Deliver there!) — the "blessed" guy had hired a company from SC to develop the project. (And holy sh*t, he didn't even try to hide it a bit with the name...) 🤡

The anger of being played for a fool served as fuel to the fire of his revenge, and he immediately set out to claim his victory.

He tracked down the company that had sold the software and found out the price at the time: R$ 6,000.00.

Developed in vanilla PHP without any framework, the app's API had more flaws than features. Right off the bat, he found an IDOR [1] in the users endpoint. The very first registered user, with ID 1, was the admin. After that, he was able to list every user's information: full address, personal data, etc. Luckily, the system didn't handle payments, so no credit card data was stored.

Le contrecoup

Next, he tried what would probably be the entry point for any pentester or hacker: a SQL injection [2] in the login form. Guess what? Totally vulnerable!

Voilà! The system was his!

From that point on, he could:

  • exfiltrate the data from the entire system;
  • trigger total chaos in the system with fake orders and messed-up information;
  • make the whole platform unavailable with DoS attacks [3];
  • and even compromise the entire server with an RCE attack! [4]
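The two bugs in the story, the string-built login query and the unchecked users endpoint, next to their fixes. This is an added example in Python over an in-memory SQLite table, not the app's PHP code; the schema, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Kept deliberately simple for the demo; production code would use a
    # salted, slow KDF. The injection and IDOR fixes below do not depend on it.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample users table; the real app's schema is not on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
                 " pw_hash TEXT, address TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "admin", _hash("admin-pass"), "Rua A, 1", 1),   # first user = admin
        (2, "alice", _hash("alice-pass"), "Rua B, 2", 0),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Login the way the story's vanilla-PHP app did it: the form values are
    pasted into the SQL text, so the username can rewrite the WHERE clause."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, _hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_secure(conn, username: str, password: str):
    """Parameterised query: the driver sends the values separately from the
    SQL, so nothing typed into the form can change the statement's structure."""
    row = conn.execute("SELECT id, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash(password)):
        return None   # same answer for unknown user and wrong password
    return row[0]


def get_user_vulnerable(conn, requested_id: int):
    """The IDOR: the endpoint serves any id to any caller."""
    return conn.execute("SELECT id, username, address FROM users WHERE id = ?",
                        (requested_id,)).fetchone()


def get_user_secure(conn, session_user_id: int, requested_id: int):
    """Same lookup with an authorization check: a user may read only their own
    record unless they are an admin. Identity comes from the session, never
    from the request."""
    caller = conn.execute("SELECT is_admin FROM users WHERE id = ?",
                          (session_user_id,)).fetchone()
    if caller is None:
        return None
    if requested_id != session_user_id and not caller[0]:
        return None   # an HTTP API would answer 403 (or 404, to hide existence)
    return conn.execute("SELECT id, username, address FROM users WHERE id = ?",
                        (requested_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected username:", login_vulnerable(db, "admin' --", "wrong"))
    print("hardened login, same input:", login_secure(db, "admin' --", "wrong"))
    print("alice reading user 1 (vulnerable):", get_user_vulnerable(db, 1))
    print("alice reading user 1 (secure):", get_user_secure(db, 2, 1))
```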

Coup de grâce?!

His fingers rushed to the keys to type. But instead of crafting and executing an attack, he set out to generate a report.

He contacted the software house, introducing himself and listing the vulnerabilities he had found. All in vain! The manager's ignorance and arrogance felt like a bucket of cold water.

Once again, that little voice in his left ear tried to convince him to wreak havoc:

  • "Let 'em be hoist by their own petard." — it whispered...

But he wasn't about to flirt with a "career choice" that involved being woken up right after 0500 by the Federal Police. And yeah, sooner or later, anyone who plays stupid games gets caught. No matter how good the hacker is.

Besides, ethics is about doing the right thing regardless of the situation, and it takes just one wrong move to ruin an otherwise spotless track record.

Du coup

The outcome? He left everything exactly as it was, and the case became just "another CD under the bed."

"Entrega lá!" didn't last long: within a few months, the app had vanished from the Play Store, and the domain no longer pointed to any IP address.

After that, he didn't even bother to look up the company that had developed the platform. It's possible that somewhere on the internet, a flawed "mobility" app is still exposing its users. But that's not his problem.

(Well, after all it looks like his lil' friend was quite right about their petard...)

"Revenge is never sweet, it kills the soul and poisons it." - Don Ramón (El Chavo del Ocho)

Notes

1. OWASP, Insecure Direct Object Reference: Insecure Direct Object Reference (IDOR) is a vulnerability that arises when attackers can access or modify objects by manipulating identifiers used in a web application's URLs or parameters. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

2. OWASP, SQL injection: A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

3. OWASP, Denial of Service: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users.

4. Cloudflare, Remote Code Execution: A remote code execution (RCE) attack is one where an attacker can run malicious code on an organization's computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data.

· 6 min read
Anderson de Souza

Since my childhood, I’ve had a taste and a need for writing in code (so I could vent about my crushes without the risk of getting caught).

NEED?

Since I didn't know another language yet—and even if I did, it wouldn't have served my purpose, as anyone who spoke it could still access my secrets—I quickly turned to something I didn't even have a name for at the time: a Monoalphabetic Substitution Cipher [1].

'A' was a star, 'B' was a rune, the letter 'C' was a waxing moon, and so on.

And just like that, it was done. Now, all I had to do was copy the substitution table and give it to anyone I wanted to share my secrets with.

Back then, I had a crush on a gal, but as my family moved to another town, I needed to send her the letter [2] along with another one to my friend who acted as our go-between. Did I trust my friend? Yeah. So much so that we already had our own secret code, not to mention 'P-language' [3] for when we spoke. But there were some things only my crush was meant to read [4]. All of this inside an envelope marked "SOCIAL LETTER" [5] with a 1-cent stamp, and more often than not, a handmade envelope.

In the last letter I got from my friend, she warned me that our pen-pal romance scheme had been busted: while trying to smuggle a letter inside the girl's arm sling, her parents noticed and found out everything. Well, at least the 'sensitive parts' weren't decoded. LMFAOOO

Challenge

Years later (around age 16 or 17), a letter arrived at my place. "SENDER: GUESS WHO?" Boom. My friend had found me again. I wasn't completely shocked 'cause she had talked to my parents in person at a religious event, so she probably got my new address there. I'm not entirely sure if she handed the letter to my parents or if she asked for the address and mailed it.

At the end of the letter, there was an old-school ciphered message. Right after it, a cliffhanger: "You're going to have to reply to this letter so I can send you the code for you to understand the sentence! LOL" [6]

Man, that really triggered me. Back then, I hated being forced to do anything, and I was pretty determined to show off how smart I was (poor little being).

I grabbed a notebook and rewrote the entire sentence. Then, I wrote down the characters. I started brainstorming a method to crack it. "It's pure substitution, a silly swap. If someone made this up, I can crack it too!" - or so I thought.

The table didn't work out so well; a piece was missing. I grouped the words together and, using Portuguese grammar, started determining whether a given character could be a vowel or a consonant. I had to count on my friend having written with impeccable Portuguese, free of slang or typos; otherwise, it would cause inconsistencies in the method.

Back then, my simple line of reasoning went like this:

  • A word can start with a consonant, followed by another consonant or a vowel.
  • A word can start with a vowel, but it must be followed by a consonant (Aarão would beg to differ, haha).
  • A consonant can follow another consonant only if it is "H, L, N, or R."
  • The last character must be a VOWEL or one of the following consonants: "L, M, R, S, X, Z."

For every V/C (Vowel or Consonant) I placed under a character, I had to replicate it across all occurrences to ensure the consistency and efficiency of the method. In fact, the more words she had written, the more it would help me solve it.

These were the rules of my rudimentary cracking system, which, by the way, would only be effective specifically in the Portuguese language.

At the time, I had no knowledge of "Frequency Analysis" tools and techniques [7]. But I had a problem to solve, the drive, and the capability.

After determining whether each character was a vowel or a consonant, I started assigning a letter to each symbol, rewriting the text and replacing all matches of that character: "The square could be a 'T'"...
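The method described above, turned into code as an added example (not the post's own): the four rules prune a backtracking search over letter guesses, and every guess is replicated to all occurrences of its symbol through one shared key. It generalises the post by using a small word list to decide when a decoded word is acceptable, standing in for the grammar intuition; the symbol names, the sample sentence and the word list are all constructed.

```python
from collections import Counter
from typing import Dict, List, Optional, Set

# The post's four rules as data. They are the author's heuristics, not full
# Portuguese spelling rules (e.g. "ESTA" contains "ST", which rule 3 rejects),
# so a run on arbitrary text would need them loosened.
VOWELS = set("AEIOU")
AFTER_CONSONANT = set("HLNR")     # rule 3: allowed second letter of a CC pair
FINAL_CONSONANTS = set("LMRSXZ")  # rule 4: consonants allowed at word end
ALPHABET = "ABCDEFGHIJLMNOPQRSTUVXZ"  # accents and K, W, Y left out


def is_vowel(letter: str) -> bool:
    return letter in VOWELS


def consistent(word: List[str], key: Dict[str, str]) -> bool:
    """Rules 2-4 for one cipher word under a partial key. A rule fires only
    once every letter it needs is known, so partial keys are never rejected
    too early (rule 1 allows anything and needs no code)."""
    letters = [key.get(sym) for sym in word]
    if len(letters) > 1 and letters[0] and letters[1]:
        if is_vowel(letters[0]) and is_vowel(letters[1]):
            return False  # rule 2: an initial vowel must be followed by a consonant
    for first, second in zip(letters, letters[1:]):
        if first and second and not is_vowel(first) and not is_vowel(second):
            if second not in AFTER_CONSONANT:
                return False  # rule 3
    last = letters[-1]
    if last and not is_vowel(last) and last not in FINAL_CONSONANTS:
        return False  # rule 4
    return True


def solve(words: List[List[str]], dictionary: Set[str]) -> Optional[Dict[str, str]]:
    """Trial and error made systematic: guess a letter for the most frequent
    symbol, replicate it to every occurrence (one shared key), prune with the
    rules, and accept a fully decoded word only if it is in the word list."""
    freq = Counter(sym for w in words for sym in w)
    order = [sym for sym, _ in freq.most_common()]

    def backtrack(i: int, key: Dict[str, str]) -> Optional[Dict[str, str]]:
        if i == len(order):
            return dict(key)
        for letter in ALPHABET:
            if letter in key.values():  # a substitution key is one-to-one
                continue
            key[order[i]] = letter
            rules_ok = all(consistent(w, key) for w in words)
            words_ok = all("".join(key[s] for s in w) in dictionary
                           for w in words if all(s in key for s in w))
            if rules_ok and words_ok:
                found = backtrack(i + 1, key)
                if found is not None:
                    return found
            del key[order[i]]
        return None

    return backtrack(0, {})


def decode(words: List[List[str]], key: Dict[str, str]) -> str:
    return " ".join("".join(key[s] for s in w) for w in words)


# Constructed sample: "ELA SABE O SEGREDO" written with symbol names in the
# spirit of the post's star/rune/moon alphabet, plus a small decoy word list.
SAMPLE = [["star", "rune", "moon"], ["square", "moon", "heart", "star"], ["wave"],
          ["square", "star", "cross", "dot", "star", "arrow", "wave"]]
WORDS = {"A", "E", "O", "ELA", "ELE", "CASA", "SABE", "SABER", "SEGREDO", "SEGUNDO"}

if __name__ == "__main__":
    print(decode(SAMPLE, solve(SAMPLE, WORDS)))
```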

Victory

I kept at it, trial and error, until I finally managed to translate the sentence.

Right after that, I set about creating my own copy of the cipher dictionary, though naturally, a few letters were still missing.

I wrote a reply to my friend and just couldn't help but brag. Using her very own cipher, I told her it wouldn't be necessary to send me the answer key.

A few days later, I received a letter in pure disbelief, questioning how on earth I had managed to translate and replicate that secret code.

To this day, I still wonder: "What did Rafa actually think about that whole thing?"

Aenigma solve

Notes:


    • When I say I was born in a really great era, this is what I mean: having experienced sending paper letters, 4, 8, and 64-bit video games (and later, of course, the PS1), offline computers, dial-up internet (though I never actually used it), TDMA phones (my first cell phone was a Gradiente CD 550)—man, I even miss *3001#12345# (Field Test Mode) — and now living through things like A.I., V.R. (Meta Quest 3), and the modern internet.

    • Well, as this article was originally written in Portuguese, it would be a hell of a lot of trouble to explain this part in English. But I found something that could help English readers understand: the "P-language" is something similar to "Pig Latin", "Gibberish", "Opish" and "Ubbi Dubbi".

    • This part doesn't contribute much to the story; it's just a curious note about having practically dealt with the Byzantine Generals Problem, MitM (Man-in-the-Middle), cryptography, etc., in my own life back then.

    • This was a hack I learned from a friend of my mother's, who was a former postal worker. All you had to do was write "CARTA SOCIAL" (Social Letter) and stay within the ONE-PAGE limit. Yes, they would actually weigh the envelope sometimes. Carta Social – Wikipedia, the free encyclopedia (Note: This was a specific low-cost postal service in Brazil).

    • I need to track down the letter among my things so I can write the exact words used here.

· 3 min read
Anderson de Souza

Hello, friend.

Some guy was looking for bus tickets to go visit his parents. His city bus station had a website to buy tickets online.

His head started scratching, you know... So he decided to see how the website worked: when you learn web development, you are supposed to learn the "Browser's Developer Tools" (Chrome/Chromium, Firefox, etc., they all have them). In that tool, you are able to mess with a lot of stuff: JS console, cookies, HTML body, HTTP requests, and so on.

Vulnerability Assessment

He started analyzing every request... chose his ticket and went through the purchase.

During the checkout, he noticed that the tickets' info was sent back to the server in the request! What does it mean??? "Well," he thought, "as I'm sending the price back, can I set it?"

Exploitation

So, instead of "R$57,60" for the ticket price, he changed the request and set it at "R$57,69."

Crossed his fingers and... That worked! The balance was debited from the account and the order receipt was generated.

But it was not done yet. You must print the receipt and exchange it for the ticket itself at the bus station.

Problems

What if the guys at the bus station notice the price difference? Could he face a fraud accusation? Let's do a superficial legal analysis.

Brazil's Criminal Law - Art 154a

Art. 154-A. Trespassing another party's computer-related device, whether connected or not to the World Wide Web, by means of undue violation of a security mechanism, to obtain, tamper with, or destroy data or information without express or tacit authorization by the device owner, or to install vulnerabilities in order to obtain an illicit advantage:

Penalty - imprisonment, from 3 (three) months to 1 (one) year, and fine.

Well, we can see clearly that no advantage was obtained in this hacking. Actually, he spent nine cents on that.

But, as I am not a lawyer, I cannot guarantee that.

As he didn't know what to do with that info, he just ignored it... His reward was always bypassing and breaking stuff, not making money.

A few years later

He remembered the issue and went after it to see how it was.

The website was the same (actually, it still is). But the vulnerability had been mitigated.

They didn't refactor the solution. The user still sends the ticket's info to the server, but... Even if you add one cent, the server checks it and returns an error message saying that the ticket price was changed by the user.
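The server-side check described above, as an added Python example (not the site's code): the fare table, the route id and the request shape are constructed for the demo, and the amounts use the page's Brazilian notation.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed server-side fare table; the real site's data is not on the page.
FARES = {"ROUTE-0830": Decimal("57.60")}
CENT = Decimal("0.01")


def parse_brl(text: str) -> Decimal:
    """Parse an amount in Brazilian notation ('R$57,60', 'R$ 1.234,50')."""
    cleaned = text.replace("R$", "").replace(".", "").replace(",", ".").strip()
    return Decimal(cleaned).quantize(CENT, rounding=ROUND_HALF_UP)


def checkout_trusting_client(request: dict) -> dict:
    """The original behaviour: the price posted by the browser is the price charged."""
    return {"ok": True, "charged": parse_brl(request["price"])}


def checkout_verified(request: dict) -> dict:
    """The mitigated behaviour: the fare is looked up on the server; the copy the
    client sends back is only compared, and any difference is rejected."""
    server_price = FARES.get(request.get("fare_id"))
    if server_price is None:
        return {"ok": False, "error": "unknown fare"}
    try:
        client_price = parse_brl(str(request.get("price", "")))
    except InvalidOperation:
        return {"ok": False, "error": "malformed price"}
    if client_price != server_price:
        # Worth logging with the session id: a mismatch here is tampering, not a typo.
        return {"ok": False, "error": "the ticket price was changed by the user"}
    return {"ok": True, "charged": server_price}


if __name__ == "__main__":
    tampered = {"fare_id": "ROUTE-0830", "price": "R$57,69"}
    print(checkout_trusting_client(tampered))  # charged 57.69
    print(checkout_verified(tampered))         # rejected
```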

Never trust the user

With this story, we can see (in a real-life, practical way) what is said in almost every "Cybersecurity course": Never trust the user! While designing, architecting, and coding software, always keep this deeply engraved in your mind.

It doesn't matter if you are coding a Raspberry Pi program to monitor your bedroom temperature, an intranet message board website for the company where you work, or an API in your work...

That's it!


· 9 min read
Anderson de Souza

Hello, friend.

I'll try to give you a glimpse of the history that drew me into the I.T. world.

Child's play

When I was a child, I used to disassemble my electronic toys to take out the motors and gears. For what? To understand how that works and make it work differently.

I was astounded when I managed to better understand how a brushed DC electric motor works. (btw, you can learn it here)

[Image: DC motor components]

The problem is that I almost never managed to make those toys properly work again. 😂

Palmtop

My dad used to be a salesman (beverages, coffee, flour, ...) and the companies he worked for provided a handheld device (usually a PalmTop). It was right there that my curiosity began:

Usually, he brought his device home, and my brothers and I always asked to play with it. My dad allowed it with the condition that "do not break it!"

[Image: PalmTop]

We used to make some drawings and play solitaire. But... I learned that there were some "strange" files on it, system stuff. It was a Windows-powered device. It took me a while to figure out that it was a computer, but it doesn't matter; my curiosity had been well fertilized.

P.S. we never broke any of our father's devices.

Desktop

Until 2007, I had very little contact with home-use computers (desktops, to be more precise). Computers back in those days were way too expensive and my family had enough for our wellbeing. They also weren't that necessary for common household use.

A friend of mine helped me create my first email account (which I still own). It was a Hotmail. I was a piece of work... I had a typewriter with which I made kind of a business card with my email and distributed it to all of my friends.

Then I created my Orkut page and started using the computer as a "regular" person.

Script Kiddie

This is where "hacking / social engineering" started popping out...

I started making friends on Orkut and I tried to reach them via MSN Messenger. But some of them didn't have an MSN account with the same Orkut e-mail. So I realized that Orkut didn't check if the person owned it.

Once, I had to recover my Orkut account, and for that, a URL was sent to my e-mail.

I put it all together and thought: "What if I create an e-mail for every nonexistent one and request an Orkut password recovery?"

et voilà!

But I realized that it was a very time-consuming task to manually get the Orkut e-mail and check if it existed. So I found a webpage that managed that for me.

A lot of Orkut accounts were lost in that (F). I deeply regret it.

Coding

My family managed to buy a reasonable desktop computer. But we didn't have an internet connection. My elder brother used to go to the Culture Centre to use their computers and internet connection to download some stuff and bring it home on his pendrive.

Then I got better contact with the internet in the 7th grade of middle school. A friend and school colleague had a cybercafe, and I always used to do some school work with him. I usually did all the jobs as he allowed me to stay at the cybercafe free of charge for the rest of the day!

I used to print a lot of tutorials. I went online, got some PDFs and went to the print shop to put them on paper.

Open Tibia Server

There I also met Tibia, learned how to play with them, and so on. One day, I saw them setting up their own private Tibia server (OpenTibia Project). I was amazed and asked them to share the software with me.

I put the server on my MP3 player (yes, it was the only thumbdrive I had) and set up my own private server at home, offline.

Then the stuff evolved: I got more sophisticated software with a website and database. I learned Lua, PHP, and MySQL as a result of this.

I made some online friends and also came across one of the best Brazilian Open Tibia Servers (I don't recall its name). I was very lucky to find a PHP SHELL on the server's website. With that, I started chaos. Made myself a Game Master (Tibia players used to call it GOD) and devastated the server. Spawned a lot of Morgaroths in front of the Thais DP and much more...

So I waited for the server's owner to log in and scared him. Took his access and stuff like that. After a conversation, I was kinda invited to join his team. There I learned much more.

The mess was so extreme that a reset wasn't enough. They had to change the server name!

Conquer Online

My elder brother had a Conquer Online installer. My other brother and I would sit and stare at the splash screen, imagining what the game would be like. Until the day we finally got an internet connection and started playing!

It didn't take too long for me to start my own Conquer Online Private Server. I also made a lot of friends from my city with it.

Cybercafe job

I got my first job in tech at a cool cybercafe. There I managed to take care of the computers. I also had more time to learn and kind of got paid for it.

Hardware repairs

My elder brother and I learned how to fix our own computer at home as it was expensive to pay a repair shop to do so, and we usually managed to break it. Besides that, we wanted to make the computer work in our way.

I remember the first time we tried to reinstall Windows on our machine... It erased everything because it was one of the CDs from the manufacturer and not a regular installation media from Microsoft. We were eating soup with our parents at the table close to the computer when the installation finished. We stared at each other's faces and dashed to the computer to see that all of our data (including family's pics) had been completely wiped out. 😬

Experience came, and I started offering computer repair services at my high school and also to neighbors and some acquaintances. Some of my teachers used to hire me to fix their computers and so on. I never ever hacked any of them. I swear. My father always offered my services to his coworkers, and I started fixing mobile phones as well.

Laptop

My mother gifted me a laptop. JUST FOR MYSELF! It was a great step change in my life, because I didn't have to share it or wait my turn to access the internet and do my stuff.

With this, I had more time and more privacy, so I started a few projects and went to the "DeepWeb", where I learned a LOT of cool stuff.

High School

At high school, we had a nice computer room. At the beginning, it was Windows machines.

Fighting censorship

Facebook was forbidden by the director, but the students didn't care. Until they started blocking it. As the good rebel I was, I didn't like that and started to investigate what they had done. I saw that they didn't use a proxy, so it would be easier. I figured out that someone had set something like:

in the file C:\Windows\System32\Drivers\etc\hosts:

127.0.0.1 facebook.com

I started spreading the word! I taught everybody how to bypass the censorship and freely browse the internet back!

But something strange started to happen: some of the students who used the school lab to access their Facebook began to lose their accounts.

Then I investigated what was going on. TADA! Found keyloggers on every lab computer. Here I must confess that I owned some accounts of people who I didn't like. But I didn't own the keyloggers; I just took advantage. After that, I uninstalled every keylogger.

The school management then gave up on trying to censor the internet 😎

Being a 4ssh0le

A government program distributed Linux computers to our school. What nice stuff! The issue is that every machine had SSH enabled by default. It didn't take too long for me to get root.

When my school class used the computer lab, I used to log into every machine via SSH and mess around without my colleagues' knowledge (and permission). Once there, I killed some processes, like the internet browser or text editor, or even worse, made some files (hours of handwriting) simply disappear. I was never caught.

There's a case that happened there that I'm not sure if I can disclose here. So maybe in the future...

Being a snitch

Back in those days, there was a website called "AskFM". It was a page where you received some questions from your followers / visitors and answered them publicly.

Some guy had a brilliant idea to start an anonymous defamation page. People went there and asked about some students, and the answers were usually acidic, toxic and defamatory.

The victims became upset and started a manhunt. One guy reached me and offered me BRL 50,00 if I managed to get the anon. I accepted the offer, not for the money, but for the challenge itself.

I will not disclose here how I did it, but I went to confront the guy (he was almost a friend), and he, knowing that someone paid me to investigate, confessed to me and almost begged to keep it secret. I didn't.

The end of the story is that he was almost lynched by the whole school, had to call the police to leave, and was bullied by everyone. Also, I almost got beaten up by his friend who claimed to be part of the joke. And... I'm still waiting for my fifty bucks.

ShareIT facebook school group

As I was learning the hacking philosophy, I saw that it would be nice if I could:

  • learn how to code
  • share my knowledge

I came up with a very efficient way to accomplish both, and I decided to start a study group at my school because you learn as you teach, and learning means earning!

But, unfortunately, that idea never evolved. 😓

[Image: ShareIT Facebook group]

furthermore...

The rest of my history I'll publish in a few days. Don't miss it!