https://spear.cx/ Sat, 23 May 2026 04:49:22 +0000 MyBB https://spear.cx/Thread-MatrixRAT-Pivoting-C2-from-Tor-to-Lokinet Mon, 18 May 2026 06:23:15 +0200 Neo]]> https://spear.cx/Thread-MatrixRAT-Pivoting-C2-from-Tor-to-Lokinet
I've spent the past few months building MatrixRAT—a web-based remote administration framework written primarily in C++ and Python, delivered as a MaaS offering with full operator control through a centralized web panel. Client-side architecture and backend hardening have been my main focus, and I just wrapped a two-week security sprint locking the panel down ahead of a forum launch.

Right now, the C2 backend is hosted as a Tor hidden service. Tor handles heartbeat check-ins and command dispatch fine, but the latency and throughput constraints are crippling real-time features. Webcam streams, live microphone exfiltration, and remote screen capture are essentially unusable—the round-trip delay and circuit congestion turn interactive sessions into a slideshow. Even static images push unacceptable load times.

After weighing alternatives, I'm looking seriously at Lokinet (lokinet.org)—the same network layer powering Session messenger, built on the Oxen Service Node infrastructure. Here's what stands out from an operational perspective:

Performance: Lokinet is engineered for low-latency traffic. It handles streaming, VoIP, and gaming loads significantly better than Tor, which matches my requirements for real-time operator sessions.
SNApps: Lokinet hidden services (SNApps) are free to host. The only OXEN cost comes if you want a human-readable .loki domain instead of the raw address hash.
Deployment: Straightforward to spin up on a VPS, similar to a Tor hidden service.
The migration isn't entirely plug-and-play. Currently, the client bootstrapper silently installs Tor, registers it for silent auto-start, and masks the process under a system-level name (e.g., svchost.exe rather than tor.exe). Moving to Lokinet means retooling that install chain to bootstrap the Lokinet daemon with the same stealth and persistence profile. It's definitely doable—just needs more R&D on the payload side.

My question to anyone running production infrastructure: Have you deployed C2 over Lokinet in the wild? How does it compare to Tor or I2P under sustained load? I'm particularly interested in session stability during large-file exfiltration or prolonged remote desktop use.

Mods, feel free to relocate this if it belongs elsewhere. I figured the Security section was the best fit given the infrastructure focus.]]>
I've spent the past few months building MatrixRAT—a web-based remote administration framework written primarily in C++ and Python, delivered as a MaaS offering with full operator control through a centralized web panel. Client-side architecture and backend hardening have been my main focus, and I just wrapped a two-week security sprint locking the panel down ahead of a forum launch.

Right now, the C2 backend is hosted as a Tor hidden service. Tor handles heartbeat check-ins and command dispatch fine, but the latency and throughput constraints are crippling real-time features. Webcam streams, live microphone exfiltration, and remote screen capture are essentially unusable—the round-trip delay and circuit congestion turn interactive sessions into a slideshow. Even static images push unacceptable load times.

After weighing alternatives, I'm looking seriously at Lokinet (lokinet.org)—the same network layer powering Session messenger, built on the Oxen Service Node infrastructure. Here's what stands out from an operational perspective:

Performance: Lokinet is engineered for low-latency traffic. It handles streaming, VoIP, and gaming loads significantly better than Tor, which matches my requirements for real-time operator sessions.
SNApps: Lokinet hidden services (SNApps) are free to host. The only OXEN cost comes if you want a human-readable .loki domain instead of the raw address hash.
Deployment: Straightforward to spin up on a VPS, similar to a Tor hidden service.
The migration isn't entirely plug-and-play. Currently, the client bootstrapper silently installs Tor, registers it for silent auto-start, and masks the process under a system-level name (e.g., svchost.exe rather than tor.exe). Moving to Lokinet means retooling that install chain to bootstrap the Lokinet daemon with the same stealth and persistence profile. It's definitely doable—just needs more R&D on the payload side.

My question to anyone running production infrastructure: Have you deployed C2 over Lokinet in the wild? How does it compare to Tor or I2P under sustained load? I'm particularly interested in session stability during large-file exfiltration or prolonged remote desktop use.

Mods, feel free to relocate this if it belongs elsewhere. I figured the Security section was the best fit given the infrastructure focus.]]> https://spear.cx/Thread-Com-Boss-Write-UP-How-i-breached-editgpt-app Sat, 04 Apr 2026 05:04:13 +0200 303]]> https://spear.cx/Thread-Com-Boss-Write-UP-How-i-breached-editgpt-app
Today im gonna explain how i breached editgpt.app.


## Executive Summary

This Write-Up provides a comprehensive analysis of the `sensitive_data_extractor.py` tool, detailing its functionality, attack methodology, and the results obtained from testing against editgpt.app.

### Target Information
- **Target Domain**: editgpt.app
- **Total Vulnerabilities Found**: 69 critical/high severity issues
- **Sensitive Data Extracted**: Credit cards, emails, IP addresses, and geographic data

--

### Core Components
The tool is built around the `SensitiveDataExtractor` class with the following key capabilities:

1. **Stealth Mode Operations**
- Randomized user-agent rotation
- Intelligent request delays (0.5-2 seconds)
- Browser fingerprint mimicking
- Header manipulation to avoid detection

2. **Multi-Vector Attack Surface**
- Access control bypass testing
- IDOR (Insecure Direct Object Reference) scanning
- HTTP method tampering
- Header injection attacks
- Parameter pollution
- Path traversal attempts

3. **Data Extraction Engine**
- Pattern-based sensitive data detection
- Luhn algorithm validation for credit cards
- IBAN validation for bank accounts
- Routing number verification
- JSON/HTML content parsing
---


## Attack Methodology

### Phase 1: Reconnaissance & Discovery
The tool begins by:
- Scanning common administrative endpoints
- Discovering JavaScript and configuration files
- Mapping API structure
- Identifying potential GraphQL endpoints

### Phase 2: Access Control Testing

#### 2.1 Vertical Privilege Escalation
The tool attempts to access administrative functions without proper authorization:
**Tested Endpoints:**
- `/api/admin/users`
- `/api/admin/dashboard`
- `/api/admin/settings`
- `/admin`
- `/admin/panel`
- `/admin/users`


**Results**: All 6 endpoints were accessible without authentication, returning HTTP 200 responses with sensitive data.


#### 2.2 Header-Based Bypass Attacks
The tool systematically tests 16 different HTTP headers to bypass authentication:
```python
Bypass Headers Tested:
- X-Original-URL: /admin
- X-Rewrite-URL: /admin
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-Host: localhost
- X-Custom-IP-Authorization: 127.0.0.1
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Real-IP: 127.0.0.1
- X-Admin: true
- X-Is-Admin: true
- X-Role: admin
- X-User-Role: admin
- X-Privilege: admin
- isAdmin: true
- admin: true
```
**Success Rate**: 32 successful bypasses across `/api/admin/users` and `/admin` endpoints.


#### 2.3 Parameter Pollution Attacks
The tool injects authorization parameters into legitimate requests:


**Tested Parameters:**
```python
- admin=true
- isAdmin=true
- role=admin
- user_role=admin
- privilege=admin
- access_level=admin
- debug=true
- test=true
- dev=true
```

**Vulnerable Endpoints:**
- `/api/user/settings` - 9 successful bypasses
- `/api/dashboard` - 9 successful bypasses


#### 2.4 HTTP Method Tampering
The tool tests alternative HTTP methods to bypass restrictions:
**Methods Tested**: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
**Results:**
- `/api/admin` - OPTIONS method returned 204
- `/api/user/delete` - All 7 methods accessible (should be restricted)
- `/api/settings` - All 7 methods accessible


---


## Sensitive Data Extraction Results


### Data Categories Extracted
#### 1. Payment Card Information
**Total Found**: 3 valid credit card numbers




**Validation**: All cards passed Luhn algorithm validation, indicating they are potentially valid card numbers.
**Risk Level**: CRITICAL - PCI-DSS violation


#### 2. Email Addresses
**Total Found**: 1
```
```

**Context**: Found in administrative endpoints, potentially exposing internal communication channels.


#### 3. Geographic Data
**Total Found**: 44 ZIP codes across multiple countries
**Distribution**:
- United States: 30 locations
- Germany: 5 locations
- Mexico: 2 locations
- Other countries: 7 locations (Romania, Malaysia, New Caledonia, Philippines, Poland, Spain, El Salvador, Japan)


---


## Vulnerability Breakdown

### Critical Severity (69 findings)
1. **Vertical Privilege Escalation** (6 instances)
- Direct access to admin functions without authentication
- Exposure of user data, settings, and dashboard information



2. **Authentication Bypass via Headers** (32 instances)


- IP spoofing headers accepted
- Role-based headers trusted without validation
- URL rewriting headers processed incorrectly


3. **Authentication Bypass via Parameters** (18 instances)
- Query parameters override access controls
- Debug/test modes accessible in production
- Role parameters accepted from client-side


4. **HTTP Method Tampering** (13 instances)
- Destructive operations accessible via GET
- OPTIONS method reveals sensitive information
- No method-based access control
---
## Attack Flow Diagram
```
[1] Initial Scan
?
[2] Endpoint Discovery
? Admin Endpoints
? API Endpoints
? Static Files
?
[3] Access Control Testing
? Direct Access Attempts
? Header Manipulation
? Parameter Injection
? Method Tampering
?
[4] Data Extraction
? Pattern Matching
? Validation (Luhn, IBAN)
? JSON Parsing
?
[5] Export Results
? CSV Format
? JSON Format
? TXT Report
```
---

### Pattern Recognition


The tool uses regex patterns to identify:
- Credit card numbers (Visa, Mastercard, Amex, Discover)
- Email addresses
- Phone numbers (multiple international formats)
- Social Security Numbers
- IP addresses
- API keys and tokens
- Bank account numbers
- Passport numbers
- Driver's licenses
- Medical record numbers
---]]>
Today im gonna explain how i breached editgpt.app.


## Executive Summary

This Write-Up provides a comprehensive analysis of the `sensitive_data_extractor.py` tool, detailing its functionality, attack methodology, and the results obtained from testing against editgpt.app.

### Target Information
- **Target Domain**: editgpt.app
- **Total Vulnerabilities Found**: 69 critical/high severity issues
- **Sensitive Data Extracted**: Credit cards, emails, IP addresses, and geographic data

--

### Core Components
The tool is built around the `SensitiveDataExtractor` class with the following key capabilities:

1. **Stealth Mode Operations**
- Randomized user-agent rotation
- Intelligent request delays (0.5-2 seconds)
- Browser fingerprint mimicking
- Header manipulation to avoid detection

2. **Multi-Vector Attack Surface**
- Access control bypass testing
- IDOR (Insecure Direct Object Reference) scanning
- HTTP method tampering
- Header injection attacks
- Parameter pollution
- Path traversal attempts

3. **Data Extraction Engine**
- Pattern-based sensitive data detection
- Luhn algorithm validation for credit cards
- IBAN validation for bank accounts
- Routing number verification
- JSON/HTML content parsing
---


## Attack Methodology

### Phase 1: Reconnaissance & Discovery
The tool begins by:
- Scanning common administrative endpoints
- Discovering JavaScript and configuration files
- Mapping API structure
- Identifying potential GraphQL endpoints

### Phase 2: Access Control Testing

#### 2.1 Vertical Privilege Escalation
The tool attempts to access administrative functions without proper authorization:
**Tested Endpoints:**
- `/api/admin/users`
- `/api/admin/dashboard`
- `/api/admin/settings`
- `/admin`
- `/admin/panel`
- `/admin/users`


**Results**: All 6 endpoints were accessible without authentication, returning HTTP 200 responses with sensitive data.


#### 2.2 Header-Based Bypass Attacks
The tool systematically tests 16 different HTTP headers to bypass authentication:
```python
Bypass Headers Tested:
- X-Original-URL: /admin
- X-Rewrite-URL: /admin
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-Host: localhost
- X-Custom-IP-Authorization: 127.0.0.1
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Real-IP: 127.0.0.1
- X-Admin: true
- X-Is-Admin: true
- X-Role: admin
- X-User-Role: admin
- X-Privilege: admin
- isAdmin: true
- admin: true
```
**Success Rate**: 32 successful bypasses across `/api/admin/users` and `/admin` endpoints.


#### 2.3 Parameter Pollution Attacks
The tool injects authorization parameters into legitimate requests:


**Tested Parameters:**
```python
- admin=true
- isAdmin=true
- role=admin
- user_role=admin
- privilege=admin
- access_level=admin
- debug=true
- test=true
- dev=true
```

**Vulnerable Endpoints:**
- `/api/user/settings` - 9 successful bypasses
- `/api/dashboard` - 9 successful bypasses


#### 2.4 HTTP Method Tampering
The tool tests alternative HTTP methods to bypass restrictions:
**Methods Tested**: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
**Results:**
- `/api/admin` - OPTIONS method returned 204
- `/api/user/delete` - All 7 methods accessible (should be restricted)
- `/api/settings` - All 7 methods accessible


---


## Sensitive Data Extraction Results


### Data Categories Extracted
#### 1. Payment Card Information
**Total Found**: 3 valid credit card numbers




**Validation**: All cards passed Luhn algorithm validation, indicating they are potentially valid card numbers.
**Risk Level**: CRITICAL - PCI-DSS violation


#### 2. Email Addresses
**Total Found**: 1
```
```

**Context**: Found in administrative endpoints, potentially exposing internal communication channels.


#### 3. Geographic Data
**Total Found**: 44 ZIP codes across multiple countries
**Distribution**:
- United States: 30 locations
- Germany: 5 locations
- Mexico: 2 locations
- Other countries: 7 locations (Romania, Malaysia, New Caledonia, Philippines, Poland, Spain, El Salvador, Japan)


---


## Vulnerability Breakdown

### Critical Severity (69 findings)
1. **Vertical Privilege Escalation** (6 instances)
- Direct access to admin functions without authentication
- Exposure of user data, settings, and dashboard information



2. **Authentication Bypass via Headers** (32 instances)


- IP spoofing headers accepted
- Role-based headers trusted without validation
- URL rewriting headers processed incorrectly


3. **Authentication Bypass via Parameters** (18 instances)
- Query parameters override access controls
- Debug/test modes accessible in production
- Role parameters accepted from client-side


4. **HTTP Method Tampering** (13 instances)
- Destructive operations accessible via GET
- OPTIONS method reveals sensitive information
- No method-based access control
---
## Attack Flow Diagram
```
[1] Initial Scan
?
[2] Endpoint Discovery
? Admin Endpoints
? API Endpoints
? Static Files
?
[3] Access Control Testing
? Direct Access Attempts
? Header Manipulation
? Parameter Injection
? Method Tampering
?
[4] Data Extraction
? Pattern Matching
? Validation (Luhn, IBAN)
? JSON Parsing
?
[5] Export Results
? CSV Format
? JSON Format
? TXT Report
```
---

### Pattern Recognition


The tool uses regex patterns to identify:
- Credit card numbers (Visa, Mastercard, Amex, Discover)
- Email addresses
- Phone numbers (multiple international formats)
- Social Security Numbers
- IP addresses
- API keys and tokens
- Bank account numbers
- Passport numbers
- Driver's licenses
- Medical record numbers
---]]>