Poa.st / Chudbuds.lol General Discussion Thread - !! Poa.st and Bae.st have been compromised, all direct messages have been leaked. !!

Here's a decrypted string dump of a.class:

Code:
SELECT origin_url, username_value, password_value FROM logins
file_roots
FILE_ROOTS
file_info
aix
path
dQw4w9WgXcQ:
\AppData\Local
PROXY_DEAD
proxy_send
Local State
FILE_INFO
encrypted_key
\discordcanary
os_crypt
209.141.40.241
host_key
FILE_ROOTS
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\
darwin
chromium_cookie
os.name
KIT_STATE
\Google(x86)\Chrome
user.name
APPDATA
chromium_pass
encrypted_key
origin_url
\Microsoft\Edge
file_list
user.name
\Chromium
mac
kit
SHA-256
PROXY_DEAD
\User Data\Local State
\Epic Privacy Browser
FILE_LIST
.log
C:\Users\
sessions
SESSIONS
username_value
nix
C:\Users\
PASSWORDS
jdbc:sqlite:
encrypted_value
nux
SELECT * FROM cookies
\Google\Chrome
TEMP_LGN_
.ldb
COOKIES
\BraveSoftware\Brave-Browser
\User Data\Default\Login Data
file_download
File
org.sqlite.JDBC
Folder
Local Storage\leveldb
dQw4w9WgXcQ:[^.*\\['(.*)'\\].*$][^"]*
password_value
APPDATA
os_crypt
\discord
BAD
proxy_tunnel
image_capture
KIT_STATE
\User Data\Default\Network\Cookies
TEMP_CKE_
jdbc:sqlite:
\User Data\Local State
\AppData\Local

Still having a look at it, but it seems to also access some Chrome databases (probably passwords and bookmarks) and also seems to make some Win32 API calls.
I distinctly remember Claire mentioning the Brave Browser's integrated password manager, which all you need to copy is to get the user profile's seed words, then you can sync it on any other computer and get all the passwords, bookmarks, search history, even cookies I believe.

So if they got access to that and she was using it to store her passwords, that's game over at that point.
 
I cannot even begin to imagine why you would not do this on an isolated device.
I am doing it on my lab Mac that doesn't have Java installed.

The strings imply info stealer, so going after session cookies and browser stored passwords. But I'd be worried the malmod dropped something too, maybe in AppData. It's unlikely, but it should be ruled out (if Claire is reading). In fact.. just reimage your computer.
 
so the strings are pretty shotgun; I wonder if this was customized for her or if it was an off-the-shelf exploit. I see Edge, Epic Privacy Browser, Chrome, Brave all listed, and some other standard Windows locations that could contain COOKIES and shit

firefox not listed, firefox btfo

SELECT origin_url, username_value, password_value FROM logins

this looks like an attempt to pull passwords out of a password database, not sure which one has that schema
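A small triage script for the kind of string dump quoted above, added here as an example and not code from the thread or from the modpack itself; the category names and the sample subset of the dump are my own assumptions, and it only flags which browser artefacts a binary appears to reach for:

```python
import re

# Constructed sample: a subset of the a.class string dump quoted in the thread.
SAMPLE_DUMP = r"""SELECT origin_url, username_value, password_value FROM logins
\AppData\Local
Local State
encrypted_key
os_crypt
209.141.40.241
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\
\User Data\Default\Login Data
\User Data\Default\Network\Cookies
SELECT * FROM cookies
jdbc:sqlite:
\BraveSoftware\Brave-Browser
\Epic Privacy Browser
\discord
Local Storage\leveldb
"""

# Category names are assumptions for this example; each maps to regexes over one dump line.
INDICATORS = {
    "chromium_saved_logins": [r"FROM logins\b", r"\\Login Data$"],
    "chromium_cookies": [r"FROM cookies\b", r"\\Cookies$"],
    # Chromium stores the AES key for logins/cookies DPAPI-wrapped as os_crypt.encrypted_key in Local State
    "chromium_key_unwrap": [r"^Local State$", r"^encrypted_key$", r"^os_crypt$"],
    "discord_token_store": [r"\\discord", r"Local Storage\\leveldb"],
    "startup_persistence": [r"Start Menu\\Programs\\StartUp"],
    "sqlite_via_jdbc": [r"^jdbc:sqlite:"],
    "hardcoded_ipv4": [r"^(?:\d{1,3}\.){3}\d{1,3}$"],
}

def triage(dump: str) -> dict:
    """Return {category: [matching dump lines]} for every category with at least one hit."""
    hits = {}
    for line in (l.strip() for l in dump.splitlines()):
        if not line:
            continue
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line) for p in patterns):
                hits.setdefault(category, []).append(line)
    return hits

def verdict(hits: dict) -> str:
    """Credential/cookie SQL together with the key-unwrap strings is the telltale stealer combination."""
    steals = {"chromium_saved_logins", "chromium_cookies"} & hits.keys()
    if steals and "chromium_key_unwrap" in hits:
        return "likely browser infostealer"
    if steals:
        return "browser database access, key handling unclear"
    return "no stealer indicators"
```

Run `triage()` over the output of a `strings`-style dump and feed the result to `verdict()`; hardcoded IPs and the Startup folder path are the lines worth checking next on the affected machine.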
you ALWAYS reimage - reinstall from original OS media and do NOT use ANY backups that you cannot be guaranteed are safe

having an actual time of hack can be helpful but any online backups should be suspected of being corrupted

remove computer from internet completely

remove hard drive or make an image of it for later

buy new computer or completely wipe existing (there is a minor chance that the UEFI is infected, so if you have ANY suspicion it is a state-level actor, just shoot the computer)

rethink your entire life
 

Completely possible to deobfuscate the code itself, looks like spaghetti I used to write to create my own silly "algorithms". There may be a tool to deobfuscate it too. I'm too lazy to peep the source code myself but I'm handing the key to anyone interested.

The string dump alone though gives enough hints nonetheless. Content is being uploaded to http://209.141.40.241/, but pinging that doesn't seem to give any results. There are snippets of regex such as "[^.*\\['(.*)'\\].*$][^"]*", but I can't tell what it's being used for and playing with it doesn't yield anything other than being intentionally obfuscated. There's also YouTube Rickroll links, which I wonder if there was code to open a Rickroll in the browser or something upon loading the modpack. Cannot tell otherwise.
 
1678204585858.png

apparently a VPN endpoint? hmmm
 
Per DNS records, storage.thehormanns.net is hosted at that IP. Looks like some boomers running a severely out of date hobby website got hacked and used as deniable infra. But the http://thehormanns.net resolves to 50.116.60.82, weird.

Eg. check out http://thehormanns.net/new/

Edit: Or that's just a red herring if the boomers forgot to update their DNS records after moving hosts. All we really know is that someone spun up a BuyVM server, used it to dump the data, presumably downloaded it somewhere else, and then deleted the VM.
 
Password manager bros, you got too cocky!
Imagine not keeping your passwords in your autistic brain (or, failing that, an inconspicuous .ini file in SysWOW64 folder on a machine that is not connected to the Internet)
smh
Always test any .exe you just downloaded from some randy in an isolated VM. Any shitposter worth their salt should know this.
This truly was a woman moment.
 

Nick Rekieta chiming in trying to get a win even though he's got his facts wrong (big surprise there). You can tell he's trying hard to contain the smug, which makes it all the better that he's wrong about what happened. He thinks she was sending nudes out and that makes her a hypocrite for criticizing his locals chat wine moms for posting lewds. Fact is though Claire didn't send nudes out, her PC was hacked and the nudes stolen.
 

Run every aspect of your life on the same box, signed in with local admin credentials, the password to your PW manager saved in your browser, no VPN, on a static IP and probably keep local copies of your nudes while you're at it.

dur.gif
 
If you are referring to Claire, I think she just didn't know any better, she was apparently learning as she went.
This is likely what happened. I also think it's worth pointing out that she "never imagined someone would be so dedicated to attacking the site, me, my husband and our children to go to the lengths that these people have". Like...really? I genuinely do not understand how she could have underestimated the power of autism so much.

It's not like she's some average person asking "what the heck is a kiwi farms?" She 100% should have known better than that.
 