Hacking into unsecured servers

· river's blog

legally..?

# If you're reading this, protect your machine!

Seriously! I was able to get access with nothing but an IP address and a port. I didn't even need a password. I'm not the smartest person, but others can exploit this vulnerability to cause harm to others. Do yourself a favor, please!
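A quick way to check whether your own VNC server accepts connections with no authentication at all, added here as an example and not code from the blog: it performs the RFB version handshake (RFC 6143) and lists the security types the server offers; type 1 ("None") is exactly the passwordless access described above. The host and port default to localhost:5900 and are assumptions.

```python
"""Audit a VNC server's RFB security handshake (RFC 6143) for passwordless access."""
import socket
import struct

# Security type numbers assigned in RFC 6143 / the RFB registry.
SECURITY_TYPE_NAMES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_security_types(version: bytes, payload: bytes) -> list[int]:
    """Return the security types a server offers, given its 12-byte banner and the
    bytes it sent after the client echoed that banner back.
    RFB 3.3 sends one U32 type; 3.7 and 3.8 send a U8 count followed by that many U8 types.
    A count of 0 means the server refused the connection (a reason string follows)."""
    if len(version) != 12 or not version.startswith(b"RFB "):
        raise ValueError("not an RFB banner: %r" % version)
    major, minor = int(version[4:7]), int(version[8:11])
    if (major, minor) < (3, 7):
        return [struct.unpack("!I", payload[:4])[0]]
    count = payload[0]
    return list(payload[1:1 + count]) if count else []


def allows_passwordless(types: list[int]) -> bool:
    """True when the server will let a client in with security type 1 ('None')."""
    return 1 in types


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the handshake")
        buf += chunk
    return buf


def audit_vnc(host: str = "127.0.0.1", port: int = 5900, timeout: float = 5.0) -> list[int]:
    """Connect to your own VNC server and return the offered security types.
    Echoing the server's banner back selects its own highest protocol version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = _recv_exact(sock, 12)
        sock.sendall(version)
        payload = sock.recv(256)  # the type list is tiny; one read is enough
    return parse_security_types(version, payload)


if __name__ == "__main__":
    offered = audit_vnc()  # assumed: a VNC server listening on localhost:5900
    names = [SECURITY_TYPE_NAMES.get(t, str(t)) for t in offered]
    print("offered security types:", names)
    print("PASSWORDLESS ACCESS POSSIBLE" if allows_passwordless(offered) else "authentication required")
```

If "None" shows up in the output, anyone who can reach the port gets a desktop session; at minimum set a VNC password, and better, bind the server to localhost and reach it over SSH.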

# How did I get here?

It all started in one boring math class. I had nothing to do, and found a website that I assume is a database of open VNC servers. I downloaded the first available VNC viewer program and started my search. A big chunk of these servers were added back in January, and I assumed that most of them already had passwords by now. I was so wrong.

# My favorites

## Firefox container

One of the first servers I found was a thing that only ran Firefox, nothing else. By using the about:profiles trick to open the file manager, I confirmed that this was nothing but a container. Pretty boring, but useful if you want to test sites outside of your own machine. voidpine@neocities worked perfectly, though there were some color issues.

## German(?) Blender machine

On my first login, I saw Blender open with the default cube staring into my soul. Being a smartass, I thought I could get to a terminal through the file manager via the File menu. No dice, but I found a bunch of folders named "guest#" with their respective numbers, going all the way up to 50 or so. Okay, I'll try a direct method: through the desktop. Black screen. Right-click yields no result whatsoever, and other keys don't work either, so I gave up.

A few days later I tried again, and was amazed:

The cursor was still moving around on its own, so obviously someone was still working on it. I have zero knowledge of Blender, so to me this looks impressive; being able to shape a humanoid figure out of a cube is mind-blowing. However, I was kicked off a few seconds later, so I logged off for the night. The next day I found a way to open a browser window and put my "please set a password!!" message up. Hopefully they noticed it.

## Turkish weed farm

Saved the best for last. The thing with these servers is that literally anything can be running on those machines, and you'll be surprised every time.

Introducing Turkish weed farm.

I have no clue what it says, though according to my friend (thank you!) it's a "program to automate farming tools like the temp of the environment, water system, etc." Makes sense, alright. There's a menu screen that lists some kinds of graphs, something else, and screen settings. I'm thinking to myself, "okay, so it will show some settings in the program, probably not exploitable". I click on it, and I end up on an XFCE desktop. Holy hell.

Not long after, I found a terminal and quickly wrote up a piece in vim, which I named "IMPORTANT":

```text
Hello!

Your VNC server is open and unsecure.

I was able to log in with your IP/port, no password.

Please consider securing it!

It can get into hands of malicious actors.

4/17/24

• dwqlxqvm@vmwkqbqma
```

It was probably a mistake to leave a signature, but whatever; I saved it and then went snooping around the files. Then a script named "DeleteProject" caught my eye. Out of curiosity, I clicked on it. This is what I was greeted with:

```sh
echo "password" | sudo -S rm -r /some/directory
```

Absolutely horrendous. Not only did they leave a password in plaintext, their script structure is also horrible. Bad opsec too. But surely, this is just a honeypot, surely they wouldn't be that stupid-

Yeah.

I added something to my note to let them know about their crucial mistake. The next day I checked, and my "IMPORTANT" note was gone; a day after that, I wasn't able to access the server anymore. Maybe they learned their lesson, or maybe they got rm -rf'd by someone else; the world will never know.

## Honorable mention - shaw tank

I don't know if any commentary is needed at all. This is a shaw tank located somewhere in Alabama. There are only two buttons, Main Screen and Test Alarm. The latter does the obvious; the former, however, just reveals the exact address where this shaw tank is, plus a phone number. The existence of this solidifies my point that literally anything can be open on the web.

# Having full access to some machines, why didn't you just do whatever you wanted?

I just feel like it's mean. The urge is always there, but it feels unethical to cause harm to innocent people; in my opinion it's not the best way to teach people an important lesson. I love feeling useful, so helping people is right up my alley, not the opposite.