Episode: 517
Title: HPR0517: Interview with a blackhat 2 - CC
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0517/hpr0517.mp3
Transcribed: 2025-10-07 22:18:04
---
So
The views expressed here are my own and not that of my university, I do not condone any
reactions within this interview and would like to make aware that this was done for educational
purposes only. I condemn any of the actions that this hacker has done or illegal and any
comments made by myself that may seem to condone or agree with them is just the way that
I speak and act. I again must stress that this was done for educational purposes only
and I do not condone and I condemn the actions spoken about today.
Okay, and CC, if you just tell the listeners a little bit about yourself.
Well,
basically
got my first computer when I was about twelve
boarded off my dad
and
I've been interested in computers, technology, security
stuff like that
and
I'm sorry
Yeah, you're current
Where obviously like to become a hacker, a black hat, you obviously needed to learn the skills
that you possess today. How did you go about learning and what you do now and what is it that you do now?
Well, basically when I was twelve I got key logged and I was just so interested in how
that stuff worked, how it how it managed to sort of manipulate the keyboard and how it managed to like find
ways of finding out what you were typing. So ever since then I was interested in security and how
stuff worked on there. So I started programming when I was twelve. I started off with Perl,
it's more a scripting language, which I soon ditched for one called C# but I quite frankly grew sick
of the .NET framework and I moved on to C when I was early fourteen and started,
I also started hacking around then when I was thirteen, started getting in this.
It all started with basic RFI which is just shit basically,
XSS and RFI which is a bit more complicated but still pretty basic and then SQL injection and remote code.
Did you find people to teach you that or do that all yourself or that all like self-taught online?
No, I did get in with a couple of friends whose names I'll not mention but we basically,
one of the guys helped me out quite a bit and he taught me, he taught me most of the things that I know
and I still have contact with him today, years on but he basically showed us where to look,
like where to find the information to learn it but then from then he never actually taught me how to do it.
He just pumped me in the direction and then I'd have to go and research it and study it which is basically
what my summer holiday was when I was thirteen, it was learning to program Perl and get research
on different hacking techniques, different means of exploitation.
Said that you've started with programming Perl and went to C# and then went back to C.
What you said around the same time there is that's when you started hacking.
What started your, I'd say like hacking career, what was it that made you decide,
okay I'm going to start hacking now.
Well, it was actually kind of the other way around.
I was interested in hacking but I also knew that I would have to learn how to program to be able to,
you can't really hack when you don't know how to program because there's so many different situations
where you need the program and you need the knowledge to actually accomplish the hack within like,
to be in source code, auditing it and stuff like that, you do need programming skills.
So it went on from that and as I grew up with programming and my knowledge sort of became more expertise,
if you will, then I got better at hacking.
What do you remember back if you want to talk about it?
Do you remember right back when you first started, what was the first thing you ever did hack?
That's a tough question.
I think it was, well, it was all basically just little sites where we wrote a script to just go out and find sites which were vulnerable to RFI
and it was a little Perl script that made a friend work down which joined the IRC channel
and it just, you'd give it a list of websites and it would just go through them all and spider the website
and it would just try everything that it could to find an RFI.
It was cool back then but when you look at it now it's like what the fuck it's just...
I mean, quite a few shells.
If you ever, that was around when you were 13, 14, I'm guessing.
Have you ever tried to go back to any of them websites and see if the shells are still alive?
Actually, that's quite a funny fact.
Funny question because yeah, I noticed two sites out there where when I first started hacking,
everybody starts to deface, because it's like, oh, I want to get my name out there, I want to be known.
Kind of thing, you want everybody to know who you are.
But now, I don't really deface, but yeah, I think there's two sites out there which still show hacked by my handle.
But apart from that, I have quite regular sites which are hacked and I checked my logs from about two years ago the other day
most of them still have shells on and most of them still have root access to them.
Okay. Why is it CC that you hack? What motivates you to do that?
Well, to me, I'm the kind of kid that if you've got a red button and it says, danger, don't push.
I won't give a toss, I'll push the button because I want to know what is behind that button.
I will, I'll just, it's just the thrill of cracking in the servers at like two in the morning with some of your friends who you've known for years and really trust.
And it's just the adrenaline junky kind of thing, I guess.
It's great.
Does it never bother you about getting caught or do you ever, do you ever go, do you ever feel morally wrong to the people that you're doing it against?
There's, there's a few times where I've actually, in the recent years and the recent last two years, I've started emailing admins because I feel like I don't really want to see such a good site be destroyed by some other little kid who gains access.
So there's probably about 10 or 20 assault sites where I've emailed them with it.
There was British Energy, I emailed British Energy, I emailed Ultimate Guitar, which is in the top 250 on Alexa that I've been replied to that one.
We've, I've emailed a religious website, I've emailed a small band website and many others are teaching website for like students.
And stuff like that.
If it's a big site and you can see that they've done a lot of hard work and they really don't want it messed up.
Then yeah, I respect that fact that they've put hard work into it and I emailed an admin to make sure that the hole is patched.
Just a little, just a little point for myself is that we, do you remember back in, what year it is, but do you remember the tsunami, yeah?
Yeah, well, there was a guy there who, yeah, I think it was 2005.
There was a guy there who he was, I think he was donating some money to that charity online.
He was a security consultant and he found a vulnerability and he actually exploited the vulnerability within the website to check that if it works.
Didn't see him any money on anything, but you know, he made sure it was there.
He got in touch with the people, said, well, people could be stealing money from the charity.
And the charity literally splits on him and they, they took him to court, had him convicted.
He lost his job.
Obviously that, that's kind of thing you're doing.
I mean, just, just from an ethical standpoint, you know, you can still get caught and still get into trouble.
I mean, is there anything you'd ever do, is there a job?
Yeah, I do it as a job, yeah, but that's what I want to go into.
But I do what you mean with him.
I mean, I've only ever had two replies out of about 20 sites that I've emailed.
I got a reply from Ultimate Guitar and I got a reply from the small band website and they didn't take any charges.
They just said, look, thank you.
I had you pointed it out because if it had been anybody else, they probably would have fucked it over.
Okay, and before you email the admin, do you do anything before that?
Do you upload a shell or do you use it to hide yourself for something bigger?
It depends.
Usually we do usually leave a proxy on the server.
I've got to say that that's always one of the key benefits to having servers.
We usually just run a proxy on it and then from there, we'll email the admin.
But we won't keep access.
If it's a decent website, we'll just let them know and we'll just provide proof that we've gained access.
And then we'll email them saying that, look, we're not bad hackers.
We want to help you fix your site so that they don't kind of kick off.
But there's been a few times when I've been caught, yeah.
Okay, and when you say you've been caught, what would the consequences of that?
Well, when I was 13, I remember there being an old VB DOS exploit out there.
And there was a guy at my school and he ran a phone and I quite frankly, I fucking hated him and I hated the phone.
So I used the exploit on that and the hosting company decided to take action on that but in the end it was dropped.
So it never really got taken to the police, which was lucky.
There was a second time when I had the RapidShare site.
It was a RapidShare sort of warez site with lots of accounts.
And back then, RapidShares you could sell quite easily and shift off hundreds at a time for quite a generous amount of money.
But I got caught on that and in the end, actually, the admin emailed me and he said,
I've noticed you broke into my site.
The only way you can help me hack into this site.
So I managed to get all of that one by hacking into the site front.
And then the first two times weren't really that big.
It was more just like the admin email and the last time I hacked into a phone company and managed to get access on the box.
And I also got access to that SMS gateway.
So I can send free text to the world from any number to any number.
And stupidly, I thought, oh, let's test it.
And I sent a message after message to my personal phone number.
And it ended up with the admin's colony and I got quite a bell icon for that.
And I haven't touched it since, but I still have access.
I'll tell you just to talk about the phone company.
Take it, is that the biggest thing you've ever hacked?
It's in the top four, yeah, definitely.
And that's one of the things where I'm going to have access.
Yeah.
Going back to this phone, the hacks and stuff, you've sent me a file that you said I can pop on the website.
Along with the six of you, right now I could did with a screen.
It's named bench2.php, if you want to just talk us through that.
Yeah, let me just bring up the file.
There we go.
Well, you can see in the header that it was coded in 2009.
It was coded at the beginning of last year, roughly around May time for a site that I hacked in April of last year.
It was the phone site.
And it was, it's basically the vulnerability that was on the website was a blind SQL injection.
But it wasn't just any normal blind.
It was benchmark, which means that it in no way, it gives you no way, no output to let you know.
But the actual query has probably submitted.
So you use benchmark to lag the server and you determine the response time from the server to the script from your computer to the server.
And that's how you can judge whether you've got the correct SQL statement and stuff.
So basically, the argument is the site that you're going to inject is the first argument.
The second is the actual injection that you're going to do.
So the actual injection, the SQL injection.
And the third one is the average time of the server for the response to it.
So basically, it uses curl.
So it initializes curl.
It sets the cookie, sets the post field, and also sets the user agent.
And then it tests whether the site is vulnerable.
So it'll do just a basic test.
It's just testing against the string.
You have an actual error, basically.
And then if it returns that, then it's vulnerable.
It goes on just sort of do a little test and finds the normal response time,
which will be roughly about one second, possibly earlier, depending on the bandwidth.
The second one then tests against the lag.
So the lag, it'll probably execute, say, 1,000 MD5 routines,
which will obviously lag the server.
So usually, if it executes about 1,000, it'll lag for about 10, 15 seconds
when the normal response time should be under 5 seconds.
So that's how we can gauge whether it's injectable and stuff.
Next goes to the MySQL version.
I just, it's just a simple loop.
Just goes from 3 to 5 and tests if it's correct. Once it's found it,
lets you know.
And then it actually goes on to the actual injection of your query.
Now that we've determined it's vulnerable, determined the version of it,
it'll go on and execute your query.
So it's just a, it's in a function, and it does a basic loop.
It finds up a length of the result, so it'll just do the injection.
And it'll use the clause length to return how big the string is that we're going to get.
So what they will loop in the max, the max string can be 150 characters.
You can edit the script and bump it up, but I'm sure you don't want to.
If the length is 0, then obviously the query failed.
So it doesn't move on from there.
And once it's on there, it'll try and execute.
So it goes through from the first character to the last character.
So they will loop for the length, and then for each character slot,
it'll go through the ASCII table,
so it'll go through from A to Z, which is 45 to 122.
And it'll just pull each character.
Now this takes some time, when I hacked the website,
it took an average of 15 to 20 minutes for each one,
and it was just over 1000 queries each time.
So you can imagine doing it by hand.
You'd be there for a week.
And then to find out that it's not vulnerable or, you know,
there's no way of access.
And then you know, you're pretty much just wasting time.
Yeah, I mean, you're saying thousands of queries.
What's the chance of being caught?
Well, as you can imagine, executing well over 1000 queries
is going to make a lot in the Apache logs.
So the chances, if you don't get root,
and you don't find a way to clean the logs,
then you know, if you've got a switched on Admin,
then you know, he's going to fuck you.
Most likely.
But of course, you can always pull ground, curl to use a proxy.
So I guess there is a way out of that.
But yeah, it does generate a lot of logs.
Okay, cool. Thanks for going through that now.
You talked about RapidShare earlier in the RapidShare website
and selling accounts on the top of your head.
Since you've been 14, 13, 14, how much money do you reckon you've made from hacking?
Well, I know I paid for my Xbox elite back when there were about 300 on quid.
So I've given the money for that, and she went and got that.
There was times where I saw programs like the odd fraudging,
keylogger and stuff when I was first starting out.
The general newbie shit that you don't kind of code now.
But I don't condone fraud.
To me, fraud is not hacking.
It's not, it's not ethical in no means.
I would never ever do fraud.
Fraud is different. Basically, I would, I'd call this simple tool,
say a keylogger, which people can install on the mom computer,
other dads, I'd say 10 pounds a pop,
and you could sell the source code for about 300.
Well, maybe not 300.
Back then, it would be 300, but now,
now I release everything open source now, so.
Two, two questions has just come to my mind.
You've mentioned a couple of times, I've said the word newbie or new,
or wouldn't you do that kind of thing anymore.
From what point would you have classed yourself,
would you have ever have classed yourself a script kiddie?
And if so, how long ago would that have been?
Yeah, definitely.
Everybody starts off as a script kiddie.
You don't, whoever calls themselves a hacker
and then says that they were never a script kiddie,
is not a hacker, they're still a script kiddie,
because everybody's a script kiddie at one point.
But probably until,
until I was about 40 and a half,
I would class myself as a script kiddie.
Yeah, that just means anything.
Yeah.
Well, we see from there,
you've learned your programming and stuff.
Yeah, from then on, I really started to gain knowledge.
Okay, and the second one is,
the last interview that we did was with a guy called No Good,
and he was part of like an underground group.
Yeah.
Have you ever been part of an underground group,
or have you only ever had a couple of friends from school
or college or whatever?
Many, yeah, many groups.
I've been invited to loads.
There was Cypher Crew.
I used to be part of them.
There is a website which I will not name,
but I was, I was hype and the rank then.
And I was part of nine people who were invited
into the Elite section,
out of about 40,000 on the website.
The website is now offline now,
the community broke up,
but the IRC channel's still there.
There was another group which I will not name,
but we hacked some pretty big websites with them,
which I will also not name,
because they are far too big.
But we still have access to them.
Yeah, some, we've had some pretty good friends.
I'm still in contact with most of them,
and the majority of them are still hacking.
So we do hack the website every now and then for old times.
Now, how obviously I'm studying ethical hacking?
Yeah.
What's, obviously, coming from a standpoint arm,
I come from a standpoint of ethics and morals,
and I obviously disagree with the things that you're doing.
What, yeah, what, what's your viewpoints towards ethical hacking?
Do you think it works?
In my opinion, it's not a waste of time.
I see it as a way for a hacker to hack legally.
Right.
When, I see it as, when you're a black-hat like me,
well, I wouldn't call myself black-hat or call myself grey-hat,
but when, when you sort of black-hat,
you hack for the front of the adrenaline rushes
and stuff like that to break into websites
and find the means of getting access to data
that you shouldn't be able to do.
I mean, that is what hacking is all about.
It's getting access to information and data
that you shouldn't really generally be able to.
But I still think that applies for when you're white hat.
I mean, you're still going to get the same buzz
when you're broken into the website with Paying You.
It's basically hacking but getting paid
and not using it for bad reasons, I guess.
I mean, before we do any testing,
we have to sign contracts.
We have to, you know, go through a lot of different means and stuff.
I mean, do you know much about the Computer Misuse Act yourself?
I don't know.
All I know is that what I do is illegal.
What you're doing is illegal under the Computer Misuse Act.
So I would definitely recommend that you have a look
at the Computer Misuse Act just for your own knowledge of,
you know, knowing what you're doing and how it is illegal.
It wouldn't be a misuse act, but yeah.
I mean, is there anything that would stop you?
Oh, yeah, totally.
I mean, I think you did get stopped.
Yeah, if I got, if that phone company managed to get one over on us,
then yeah, I probably would stop or I'd try and go into the ethical side of things.
Which I am now, but yeah.
Oh, so you go in onto the ethical side of things, though.
What's your plans for this future, though?
Well, my plans are to, yeah, go into the ethical side of things.
Just, I recently, like I said, I recently started emailing Admin and stuff
like letting them know their vulnerabilities.
And I find it, now I find hacking is teaching other people how not to make mistakes.
I mean, we're all humans, we all make mistakes.
But, you know, knowledge is priceless.
You can't really share this kind of knowledge.
So I just want to try and let people know and be wary of it.
Okay. Now, the last question really is away from hacking.
I mean, apart from your computer and what you do on your computer,
what are the hobbies that you have just so that people don't get the idea that you're just sitting
from your computer every day?
Yeah.
Oh, I play guitar.
I play drums.
I also do a bit of reversing on the computer, of course, and programming is a hobby.
But that programming isn't always for hacking.
I don't always use it for hacking reasons.
Xbox, PC games.
I like to spend time out with my friends.
Generally, sort of stuff like that.
Cool. All right, then Mo, thank you very much for your time, CC.
Like I said to No Good before.
If you ever want to do a blog post on the website, I guess blog post, I'd be more than happy.
I have that posted up for you as long as it wasn't illegal.
Yeah, that's really anything.
Do you have any questions for me before we go?
Not really, just good luck on the course and good luck with the blog.
Thank you.
And again, I've talked about before, but if you do ever find anybody who would be interested
in doing this interview, do get them in touch with me.
All right, and thank you very much.
Bye, bye now.
Thank you for listening to Hacker Public Radio.
HPR is sponsored by caro.net.
She'll head on over to C-A-R-O dot N-E-T for all of her students.
Thank you very much.
Thank you.