
I Accidentally Logged in as Admin to a Threat Actor Website #2375

Open
carlospolop wants to merge 1 commit into master from update_I_Accidentally_Logged_in_as_Admin_to_a_Threat_Ac_6be6ef0fcc8832e6

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Overview
The blog post documents an investigation into a live malware-distribution website that unexpectedly led to administrative access. The issue was not tied to a CVE; it was caused by insecure deployment of a PHP/MySQL web application where the production installer remained reachable after deployment. The exposed installer allowed the application to be reinitialized with attacker-controlled database settings, creating a path to administrative account creation, backend d...

🔧 Technical Details

Abusing exposed production installers
If a deployed PHP/MySQL application leaves an installation wizard accessible, an attacker may be able to rerun the setup workflow. When the installer accepts arbitrary database connection details and does not verify that the application is already initialized, the attacker can point the live application to an attacker-controlled MySQL server, let the application create its schema there, and create a new initial administrator account through the legitimate setup process. Useful discovery targets include paths such as /install/install.php, /admin/login.php, and exposed configuration locations like /config/database.php.

Turning database reconfiguration into takeover and denial of service
An installer that rewrites production database settings can become both an account-takeover primitive and a denial-of-service primitive. By hosting a MySQL server in Docker and e...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/web-vulnerabilities-methodology.md

What I added:

  • A new concise subsection on exposed installers / setup wizard / recovery leftovers
  • Coverage for:
    • discovering reachable /install/, /setup/, /init/, config paths
    • abusing production reinstallation to point the app to an attacker-controlled DB
    • resulting admin creation, state disclosure, and DoS
    • checking whether old PHP sessions survive DB/config restoration
    • operational indicators like sudden 500 errors and unexpected outbound MySQL

Validation:

  • git diff reviewed
  • node --check theme/ht_searcher.js passed
  • mdbook build could not be run because mdbook is not installed in this environment (/bin/bash: mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
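As an added defensive example (not code from the blog post or from HackTricks), the snippet below runs the "operational indicators" idea from the list above over a few constructed access-log lines: it reports installer/setup/config paths that were actually served rather than rejected, and minutes in which HTTP 500 responses spike, the outage symptom of a production app whose database settings were just reinitialized. The path list, the burst threshold and the log lines are all assumptions made here.

```python
import re
from collections import Counter

# Leftover paths named in the write-up; assumed list, extend per application.
INSTALLER_PATHS = ("/install/", "/setup/", "/init/", "/config/database.php")

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real logs): an installer being served and re-run,
# followed one minute later by a burst of 500s once the app lost its database.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /install/install.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /install/install.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:01:01 +0000] "GET /index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Mar/2024:12:01:02 +0000] "GET /index.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:04 +0000] "GET /admin/login.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Mar/2024:12:02:00 +0000] "GET /setup/ HTTP/1.1" 404 0 "-" "curl/8.0"
"""


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["minute"] = rec["ts"][:17]  # "10/Mar/2024:12:00" -> per-minute bucket
    return rec


def installer_hits(lines):
    """Installer/setup/config requests that were served (status < 400).
    A 200 on GET means the wizard is reachable; a 302 on POST means it ran."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]
        if path.startswith(INSTALLER_PATHS) and rec["status"] < 400:
            hits.append((rec["ip"], rec["method"], path, rec["status"]))
    return hits


def error_bursts(lines, threshold=3):
    """Minutes in which the number of HTTP 500 responses reaches `threshold`."""
    per_minute = Counter(r["minute"] for r in filter(None, map(parse, lines)) if r["status"] == 500)
    return sorted(m for m, n in per_minute.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("served installer paths:", installer_hits(lines))
    print("500-error bursts (minute):", error_bursts(lines))
```

A served installer path is worth an alert on its own; correlating it with a 500 burst in the following minutes is the pattern to look for when checking whether a reinstall actually happened.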

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://potato.id/en/posts/i-accidentally-logged-into-threat-actor-website

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Web Vulnerabilities Methodology, or a new subsection for Exposed Installers / Setup Wizard Abuse; could also be cross-referenced from Account Takeover and Login Bypass".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
