Posts: 17 Threads: 0 Joined: N/A
August 14, 2022 at 6:25 PM

Hello BreachForums Community,

Today I have uploaded the BrandNewTube (2022) Database for you to download, thanks for reading and enjoy!

In approximately August 2022, the Alt-Right video sharing platform BrandNewTube suffered a data breach that impacted 347k members. The breach included Email addresses, Private messages, Videos posted, Comments, IP Addresses, Genders, Usernames and Passwords stored as SHA-1 hashes. Due to BrandNewTube using an outdated hashing method, it allowed many passwords to be rapidly cracked. The breach occurred because of a 2 year old vulnerability, which was the same way it was hacked back in 2020. The website was breached by the same threat actor in both instances, @thrax.

Compromised data: Email addresses, Private messages, Videos posted, Comments, IP Addresses, Genders, Usernames, Passwords

The .7z file's MD5 hash is 7C7571320382AA65DEEFADFE8F89C44C. In total, there are 347550 records. The file is 18.05GB uncompressed and 1.7GB compressed.

I brought 3,000 guests to this forum, if that means anything.

August 14, 2022 at 6:26 PM

LOL! This is fucking great. Love ya @thrax

#databreach #RIU

Posts: 151 Threads: 0 Joined: N/A
August 14, 2022 at 6:44 PM

Cybersecurity 101 featuring BrandNewTube and boomer administrators.

1) Remove rewrite rules for the admin panel. After all, only staff know how to access this area.
2) Remove FFMPEG-injectable elements from the admin panel. AJAX requests have become self aware and stop working when UI elements are gone.
3) Run a prehistoric version of the already vulnerable CMS (and nulled). Dragging and dropping newer update files is too hard. What's the worst that can happen, anyway?
4) Use an AV that scans every set interval. Threat actors are slow and won't have enough time to do any damage!

(August 14, 2022, 06:26 PM)thekilob Wrote: LOL! This is fucking great. Love ya @thrax

Thanks :heart:

I do not sell data. Please do not ask.

August 14, 2022 at 7:07 PM

(August 14, 2022, 06:44 PM)thrax Wrote: Cybersecurity 101 featuring BrandNewTube and boomer administrators. [...]

What, you did it the same way you did two years ago? Get into an admin account and RCE via the stupid ffmpeg thing? How? How'd they even patch it last time?

#databreach #RIU

Posts: 17 Threads: 0 Joined: N/A
August 14, 2022 at 7:20 PM

(August 14, 2022, 07:07 PM)thekilob Wrote: What, you did it the same way you did two years ago? Get into an admin account and RCE via the stupid ffmpeg thing? How? How'd they even patch it last time?

Yes, from what thrax told me it was literally the exact same way. They were running a super old version of the script that didn't even have a patch (and in all honesty, I don't know if the devs ever did patch it) - and BNT's "patch" consisted of removing the user interface to change the FFMPEG command via the admin panel without actually removing the AJAX component, along with the other things thrax mentioned.

I brought 3,000 guests to this forum, if that means anything.

Posts: 151 Threads: 0 Joined: N/A
August 14, 2022 at 7:26 PM

(August 14, 2022, 07:07 PM)thekilob Wrote: What, you did it the same way you did two years ago? Get into an admin account and RCE via the stupid ffmpeg thing? How? How'd they even patch it last time?

It's funny you suggest that as it appears they did the bare minimum. The issue with generating password reset codes with the administrator's email we acquired from another issue had not been resolved. So what was their ultimate mitigation to stop us from doing it again? Enabling 2FA on the account and disabling the ability to login to it. This turned out to be useless since resetting the password gives you a session.

OK, so we're in the admin account, now what? Exploring the admin panel seems like a good idea, but wait, it ceases to exist. After the last breach, they edited the rewrite rules to remove the /admin-cp/* route at /admincp.php?page=$1 - so of course this was easy to bypass. Lastly, along with "hiding" the admin panel, they also removed the section where you can set the FFMPEG path and at the same time left the AJAX part completely intact, so regardless of it being there or not, we still could change it.

On a side note, I handed some of this information off to another friend of mine so he could attempt to get it patched and claim a bounty on it at the same time. He contacted them over emails and Twitter (telling them that there's a big issue in their system and that they should check). They went unanswered and @SoniaPoulton (who seems to be one of the main people there) blocked him. To reiterate, this issue was completely preventable and they did just about everything wrong. They get brownie points for keeping the MySQL server privately facing.

I do not sell data. Please do not ask.

August 14, 2022 at 7:28 PM

(August 14, 2022, 07:26 PM)thrax Wrote: It's funny you suggest that as it appears they did the bare minimum. [...]
What I don't understand is... how come it stayed untouched for two years? From what you're telling me, the same script you made two years ago should still work perfectly fine?

#databreach #RIU
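The three "fixes" thrax describes (a removed rewrite rule with admincp.php still reachable, a removed UI element with its AJAX handler still live, and a login-disabled 2FA account whose password reset still hands out a session) all fail for one reason: the control lived in the client or in obscurity instead of in the server-side handler. The following is an added example, not code from the thread or from BrandNewTube, written as a framework-independent Python model; the route prefixes, the ffmpeg allowlist and the User/Request types are assumptions made for the illustration.

```python
# Added example, not BrandNewTube's code: a framework-independent model of the controls the
# thread says were handled by obscurity or in the UI. Paths, allowlist and types are assumptions.
from dataclasses import dataclass, field
from typing import Optional

ALLOWED_FFMPEG = {"/usr/bin/ffmpeg", "/usr/local/bin/ffmpeg"}  # operator-owned, never request data
ADMIN_PREFIXES = ("/admincp.php", "/admin-cp/", "/ajax/admin/")  # every route that reaches the panel

@dataclass
class User:
    role: str                    # "admin" or "member"
    login_enabled: bool = True
    totp_enabled: bool = False
    password_hash: str = ""

@dataclass
class Request:
    path: str
    user: Optional[User] = None  # None = anonymous
    params: dict = field(default_factory=dict)
    totp_ok: bool = False        # second factor verified for this session

def require_admin(req: Request) -> bool:
    """One server-side gate every admin entry point passes, whichever URL reached it."""
    u = req.user
    if u is None or u.role != "admin" or not u.login_enabled:
        return False
    return req.totp_ok or not u.totp_enabled

def set_ffmpeg_path(req: Request, settings: dict) -> tuple:
    """The AJAX handler enforces the gate itself and only accepts an allowlisted binary."""
    if not require_admin(req):
        return 403, "forbidden"
    candidate = req.params.get("ffmpeg_path", "")
    if candidate not in ALLOWED_FFMPEG:
        return 400, "ffmpeg path not in allowlist"
    settings["ffmpeg_path"] = candidate
    return 200, "updated"

def dispatch(req: Request, settings: dict) -> tuple:
    """Router: a hidden or renamed route is not a control, so the gate runs on every admin path."""
    if req.path.startswith(ADMIN_PREFIXES) and not require_admin(req):
        return 403, "forbidden"
    if req.path == "/ajax/admin/set_ffmpeg":
        return set_ffmpeg_path(req, settings)
    return 200, "ok"

def complete_password_reset(user: User, new_hash: str) -> bool:
    """A reset rotates the credential only: no session is issued and a disabled login stays disabled."""
    if not user.login_enabled:
        return False
    user.password_hash = new_hash
    return True  # caller redirects to the normal, 2FA-gated login
```

The point of the model is that removing the rewrite rule or the settings form changes nothing here, because every handler re-checks authorization and the binary path is never taken from the request.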
August 14, 2022 at 7:30 PM

this is too good

Posts: 151 Threads: 0 Joined: N/A
August 14, 2022 at 7:33 PM

(August 14, 2022, 07:28 PM)thekilob Wrote: What I don't understand is... how come it stayed untouched for two years? From what you're telling me, the same script you made two years ago should still work perfectly fine?

No specific reason. Shortly after the initial breach, I did end up poking about in there a few times, handing off the shell to various people to see how much fun they could have with it, but I didn't see any point in dumping it again 1 / 2 / 6 / 12 weeks or months later, as not much would have changed. Or so we thought anyway; at some point they had some sort of explosion of users, which I assume is down to the rise of COVID skepticism and censorship on Twitter throughout 2020 and 2021. Plus, it's more exciting this way anyway.

Edit: The cherry on top? Sonia Poulton and the owner? "Mohammad Butt" are going through a legal battle in the UK relating to some content they've published on BrandNewTube. I didn't read it all, but you can find more here: https://www.soniapoulton.co.uk/fighting-fund

I do not sell data. Please do not ask.

Posts: 248 Threads: 0 Joined: N/A
August 14, 2022 at 7:36 PM

W's are being taken today

Ransomware is just bug bounties but you have to pay whatever the finder wants - pom