Slapping Mr Beast 100 Million times – Exploiting Local Storage



This was reported to Mr. Beast’s team on August 15, 2022 immediately after this was posted.

Also – Big Thank You to CaliD – couldn’t have done it without ya.

Background

Mr. Beast is a man who needs no introduction; he is most known for his videos which show him giving away a lot of money, and he is one of a very, very select few who have hit 100,000,000 subscribers on YouTube. In celebration of hitting this 100M milestone, his merchandise shop (www.shopmrbeast.com) sold special shirts and he had a giveaway where you could unlock different items by ‘slapping’ Mr. Beast’s face.

Slap-To-Win

The giveaway was ‘Slap-to-win’ – if you ‘slapped’ (clicked) the face a certain number of times, you could unlock different items. The ‘grand’ prize was a hat, unlocked at 20,000 clicks (it would ship with the purchase of one of the special shirts). Other prizes you could unlock included stickers, a lanyard, and a keyring at 500, 2,000, and 5,000 clicks respectively.

After actually clicking 20,000 times to get my free hat, I wondered if it would be possible to game the system. Was there a limit on how high you could actually click? 

Local Storage

In Chrome, right-click the page, choose ‘Inspect’, and open the Application tab; under Local Storage you can see the key/value pairs the site has stored in the browser. One of them is the variable ‘mr-beast-slapper-face-selected’, which selects the ‘face’ which you slap (the post showed a screenshot of the storage entry and of the face selection menu here).

By default the face is Mr. Beast, however simply by changing the value in local storage to “Karl”, for example, and refreshing the page, you can select one of the other faces. Other faces include Chandler, Chris, and Nolan – members of Mr. Beast’s crew. Everything the game remembers lives in the browser, and whatever lives in the browser is under the user’s control.

Hash’n’Salt

My first step was to look into how the number is stored. 

1 = “U2FsdGVkX19rgaUdun86lNM=”

2 = “U2FsdGVkX18oneybblCfyWQ=”

3 = “U2FsdGVkX1+dBh6eq5NE45Y=”

Each of them starts with the same set of characters, “U2FsdGVkX1”, which is base64 for “Salted__”. That is the header of OpenSSL’s enc output format: 8 bytes of magic, 8 bytes of random salt, then the ciphertext, with the key derived from a passphrase plus the salt (the CryptoJS library produces exactly this container when you encrypt with a string passphrase). The header says nothing about which cipher was used, so on its own it looked like a bit of a dead end. If anyone knows another way to figure out the encryption algorithm, I’d love to hear about it!

The lengths do give one thing away, though: decoded, each value is the 16 header bytes plus exactly one byte per digit of the score (17 bytes for “1”, 18 bytes for the “60” below). A block cipher such as AES would pad the score out to a whole 16-byte block, so this is a stream cipher. And since the page decrypts the value itself, the passphrase has to be in the page’s JavaScript; the “encryption” is obfuscation of data the user already controls, not a security boundary.

What I next noticed is that you could replace the stored value with any earlier one – so if you saved “U2FsdGVkX1+dBh6eq5NE45Y=” in the local storage variable, it will always show ‘3’ slaps the next time the page is refreshed.

Unfortunately this means I can only insert numbers I already knew the hash for…


Gathering More Intel

Next step was trying to learn more by changing the data in the ‘mr-beast-slapper-score’ field. Thanks to CaliD for helping with these next steps.

First, I started with a known value:

60 = “U2FsdGVkX18fUr/ONk3C/9Ok”

Then I changed the last letter from ‘k’ to ‘j’, and this successfully changed the number from 60 to 67:

67 = “U2FsdGVkX18fUr/ONk3C/9Oj”

But changing the previous character from ‘O’ to ‘P’ yielded ‘NaN’:

NaN = “U2FsdGVkX18fUr/ONk3C/9Pk”
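The arithmetic behind those two edits, as an added example that is not part of the original post. It works only from the three values shown above and the inference that the cipher is a stream cipher (one ciphertext byte per score digit): a stream cipher XORs each plaintext byte with one keystream byte, and the keystream depends only on the passphrase and the salt, so as long as the salt in the header is left alone, a known score/ciphertext pair gives you the keystream bytes, and with those you can read what any hand-edited value will decrypt to, or forge a value of your own up to the known length, with no key at all. The function names and the helper layout are mine; nothing here is the site’s code.

```javascript
// Added example, not from the original post. Assumption: the stored value is
// OpenSSL's "Salted__" container (8 magic bytes, 8 salt bytes, ciphertext)
// produced by a stream cipher, so ciphertext byte = plaintext byte XOR
// keystream byte. Only the values quoted in the post are used; no key.
const MAGIC = Buffer.from('Salted__', 'latin1');
const HEADER_LEN = 16; // magic (8) + salt (8)

// Known pair taken from the post: the value stored for a score of 60.
const KNOWN_B64 = 'U2FsdGVkX18fUr/ONk3C/9Ok';
const KNOWN_PLAIN = '60';

function xorBytes(a, b, n) {
  const out = Buffer.alloc(n);
  for (let i = 0; i < n; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Split a stored value into header (magic + salt) and ciphertext bytes.
function parseSalted(b64) {
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < HEADER_LEN || !buf.subarray(0, 8).equals(MAGIC)) {
    throw new Error('not an OpenSSL "Salted__" container');
  }
  return { header: buf.subarray(0, HEADER_LEN), ct: buf.subarray(HEADER_LEN) };
}

// Keystream bytes used for a known pair: ks = ct XOR pt, byte by byte.
function keystreamFrom(knownB64, knownPlain) {
  const { ct } = parseSalted(knownB64);
  const pt = Buffer.from(knownPlain, 'latin1');
  if (ct.length !== pt.length) {
    throw new Error('ciphertext and plaintext differ in length; not a stream cipher');
  }
  return xorBytes(ct, pt, ct.length);
}

// What a hand-edited value decrypts to, provided it keeps the known salt
// (same salt => same keystream). This is why 'O' -> 'P' gave "6p", i.e. NaN.
function decryptEdited(knownB64, knownPlain, editedB64) {
  const known = parseSalted(knownB64);
  const edited = parseSalted(editedB64);
  if (!known.header.equals(edited.header)) {
    throw new Error('salt differs from the known value; keystream unknown');
  }
  const ks = keystreamFrom(knownB64, knownPlain);
  const n = Math.min(ks.length, edited.ct.length);
  return xorBytes(edited.ct, ks, n).toString('latin1');
}

// Forge a stored value for newPlain by reusing the known salt and keystream.
// Only as many bytes as the known plaintext are forgeable: the "20000" the
// author clicked out by hand would give five, enough for any score up to 99999.
function forgeScore(knownB64, knownPlain, newPlain) {
  const { header } = parseSalted(knownB64);
  const ks = keystreamFrom(knownB64, knownPlain);
  const pt = Buffer.from(newPlain, 'latin1');
  if (pt.length > ks.length) {
    throw new Error(`only ${ks.length} keystream bytes known; cannot forge ${pt.length}`);
  }
  return Buffer.concat([header, xorBytes(pt, ks, pt.length)]).toString('base64');
}

console.log(forgeScore(KNOWN_B64, KNOWN_PLAIN, '67'));                         // U2FsdGVkX18fUr/ONk3C/9Oj
console.log(decryptEdited(KNOWN_B64, KNOWN_PLAIN, 'U2FsdGVkX18fUr/ONk3C/9Pk')); // 6p
```

The last base64 character encodes the low six bits of the final ciphertext byte, which is why ‘k’ to ‘j’ (a difference of 0x07) turned ‘0’ into ‘7’, while ‘O’ to ‘P’ flips a bit that lands in the same byte at value 0x40 and turns ‘0’ into a lower-case ‘p’. The fix on the server side is not a stronger cipher: a score the client stores and decrypts is never trustworthy, so it has to be tracked (or at least authenticated with a server-held key) on the server.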

We then realized the page wouldn’t load with random data. Putting in something random, like “nsjkdf”, produced an application error and the page would not load. More importantly, the console showed a ‘TypeError’, and its stack trace led us to some interesting functions.

Clicking through from Object.decrypt in that stack trace led us to the encrypt and decrypt functions.

Next step was adding a breakpoint on line 319.


Counting to 100,000,000 

On the right-hand side of the debugger you can set variables, and we noticed that variable ‘e’ was our slapper score. With my limited understanding – it takes the value in local storage, decrypts it, updates the slapper score, and then encrypts it again. By updating the value halfway through this process, we had a small window in which to slap Mr. Beast as many times as we wished.

So I changed the value from 11, to 100,000,000, refreshed the page, and….

And this is how I slapped Mr. Beast one time for every subscriber he has! Many congratulations to Mr. Beast for hitting this incredible milestone!

How High?

And… just for fun….

Well – after putting in some stupidly big numbers, I was curious how high it actually went.

Once you get high enough, it goes into scientific notation..

But… is there a limit? Turns out yes: “1e+308”

If you put in “1e+309”, it says “Infinity” and actually stores Infinity in the variable: JavaScript numbers are IEEE 754 doubles, whose largest finite value (Number.MAX_VALUE) is about 1.8e308, and anything beyond that overflows to Infinity.

Creating Evil – Testing Network Defenses

If you have a homelab and want to test out your defenses, check out a few of these projects to help you “Create Evil” to find with Security Onion or other defensive tools.

https://github.com/guardicore/monkey
The Infection Monkey is an open source security tool for testing a data
center’s resiliency to perimeter breaches and internal server
infection. The Monkey uses various methods to self propagate across a
data center and reports success to a centralized Monkey Island server.

https://github.com/redcanaryco/atomic-red-team
Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK®
framework. Security teams can use Atomic Red Team to quickly, portably,
and reproducibly test their environments.

https://detectionlab.network/
DetectionLab is a repository containing a variety of Packer, Vagrant,
Powershell, Ansible, and Terraform scripts that allow you to automate
the process of bringing an ActiveDirectory environment online complete
with logging and security tooling using a variety of different
platforms.

https://github.com/NextronSystems/APTSimulator
APT Simulator is a Windows Batch script that uses a set of tools and
output files to make a system look as if it was compromised. In contrast
to other adversary simulation tools, APT Simulator is designed to make
the application as simple as possible. You don’t need to run a web
server, database or any agents on a set of virtual machines. Just download
the prepared archive, extract and run the contained Batch file as
Administrator. Running APT Simulator takes less than a minute of your
time.

https://github.com/TryCatchHCF/DumpsterFire
The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool
for building repeatable, time-delayed, distributed security events.
Easily create custom event chains for Blue Team drills and sensor /
alert mapping. Red Teams can create decoy incidents, distractions, and
lures to support and scale their operations. Turn paper tabletop
exercises into controlled “live fire” range events. Build event
sequences (“narratives”) to simulate realistic scenarios and generate
corresponding network and filesystem artifacts.

Subdomain Enumeration

Was just messing around with subdomain enumeration and wanted to give a quick overview of a few tools I find useful: hakrawler, gau, theHarvester, sublist3r, gobuster, and recon-ng.

For the most part, they fall into two categories – passive and active enumeration. Passive enumeration will not interact with the target itself, instead finding information in places like web archives and search engine databases (gau, for example, uses AlienVault’s Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan). Active enumeration will interact with the target directly (hakrawler, for example, will find the URLs that respond to http(s) and crawl them all). For recon-ng, it can do both.

This is just a very quick overview of these tools – each of them is a lot more powerful than I can get into here. They were all run from the Kali Linux terminal.

Part 1: Docker based tools – these are run as a docker container from the command line.

The two tools in this section, hakrawler and gau, require Docker to be set up before use. This is as easy as running ‘sudo apt install docker.io’ (without the quotes).

In the commands below, you can see two Docker flags in each: ‘--rm’ automatically removes the container and its file system when the container exits; ‘-i’ keeps standard input (“STDIN”) open so the target can be piped into the container.

hakrawler

    Active Enumeration

    Website: https://github.com/hakluke/hakrawler

    Commands: 

        sudo docker run --rm -i hakluke/hakrawler --help

    This will bring up the help file.

        echo https://www.google.com | sudo docker run --rm -i hakluke/hakrawler -subs

            A typical enumeration command for google. ‘-subs’ will include subdomains for crawling.

    Notes: This is a really nice tool and works very well. Pro: it will find a lot of currently used URLs. Con: it interacts directly with the target, so the crawl shows up in the target’s logs and the target needs to be in scope.


gau

    Passive Enumeration

    Website: https://github.com/lc/gau

    Commands:

        sudo docker run --rm sxcurity/gau:latest --help

            Brings up the help file

        sudo docker run --rm -i sxcurity/gau google.com

            A typical enumeration command for google.

    Notes: works really well – might be my favorite tool for quickly gathering information passively.
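Both hakrawler and gau print one URL per line, and the next thing you usually want is the set of distinct hostnames under the target domain to hand to the next tool. The helper below is an added example, not part of the original post or of either tool: a POSIX sh function (sed, grep, sort only) that strips scheme, userinfo, port, path, query and fragment, lower-cases the host, and keeps only the apex domain and its subdomains, so look-alikes such as example.com.evil.net or notexample.com are dropped rather than silently added to scope. The sample URLs are constructed for the demonstration; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Reduce a list of URLs, as emitted
# by hakrawler or gau, to the unique in-scope hostnames.

# usage: hosts_from_urls <apex-domain>    (URLs on stdin, hostnames on stdout)
hosts_from_urls() {
  apex_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://||; s|^[^@/]*@||; s|[:/?#].*$||' \
    | tr '[:upper:]' '[:lower:]' \
    | grep -E "(^|\.)${apex_re}\$" \
    | LC_ALL=C sort -u
}

# Constructed sample input standing in for real hakrawler/gau output. The real
# pipeline would be, for example:
#   echo example.com | sudo docker run --rm -i sxcurity/gau | hosts_from_urls example.com
sample_urls() {
  printf '%s\n' \
    'https://www.example.com/path?x=1' \
    'http://API.example.com:8443/v1' \
    'https://cdn.example.com/a#frag' \
    'https://www.example.com/other' \
    'https://user:pw@mail.example.com/' \
    'https://notexample.com/x' \
    'https://example.com.evil.net/' \
    'example.com'
}

sample_urls | hosts_from_urls example.com
```

The scope filter is the important line: passive sources return every URL they ever saw mentioning the domain, including third-party hosts that merely link to it, and anything that is not the apex or a subdomain of it has no business in an active follow-up scan.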


Part 2: Command line based tools – these are run directly from the command line 

theharvester

    Passive Enumeration

    Website: https://www.kali.org/tools/theharvester/ or https://github.com/laramies/theHarvester

    Commands:

        theHarvester -d indeed.com -l 1000 -b all

        theHarvester -d indeed.com -l 1000 -b duckduckgo

            ‘-d’ is domain; ‘-l’ is limit; and ‘-b’ is source. Source can be ‘all’ which has a list of a couple dozen search engines, but also could be ‘google’, ‘duckduckgo’, or ‘virustotal’. There is a full list on the kali harvester page.

    Notes: In addition to subdomain enumeration, this tool can be used for enumerating email addresses and mentions across the web. When running it, I had some issues with some sites because google blocked my IP address – you can get around this by using a different search engine, but this doesn’t always work.


sublist3r

    Passive Enumeration

    Website: https://www.kali.org/tools/sublist3r/
    Commands:
        python3 sublist3r.py -d yahoo.com -b -t 50 -p 80,443,21,22 
        sublist3r -v -d kali.org -t 5 -e bing
    
            -d is domain, -b enables brute force mode, -t is the number of threads, -p is the ports to check on the subdomains found, -e is the search engines to use, and -v is verbose. The first form runs the script from a checkout of the GitHub repo; the second uses the Kali package.
        
    Notes: This package contains a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

gobuster

    Active Enumeration (DNS brute force: every wordlist entry is resolved through the chosen resolver, so the target’s authoritative name servers see the queries)

    Website: https://github.com/OJ/gobuster or https://www.kali.org/tools/gobuster/

    Commands: 

        gobuster dns -q -r 8.8.8.8 -d example.com -w wordlists/Discovery/DNS/subdomains-top1million-5000.txt -t 4 --delay 1s -o results.txt

    dns mode; -q/--quiet; -r/--resolver string; -d/--domain string; -w/--wordlist string (path to the wordlist); -t/--threads; --delay (duration to wait between requests); -o/--output string (output file to write results to)

    Notes: Gobuster is a tool used to brute-force URIs (directories and files) as well as DNS subdomains. For most of its modes it needs a wordlist supplied from outside the program; the pro is that wordlists are easy to update, the con is that gobuster is only as good as the wordlist you give it.

Good news is that one can be found here: https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-5000.txt

Part 3: Program based tools – after running the initial command, it will bring up a program

recon-ng 

    Both Passive and Active depending on how it’s used

    Website: https://www.kali.org/tools/recon-ng/ or https://github.com/lanmaster53/recon-ng

    Commands: This works a bit differently from the tools above. First, in the command line, run ‘recon-ng’ – this will pull up the program. Once in there, to quickly enumerate a domain run the following (without the numbers):

    1. modules load hackertarget (the recon/domains-hosts/hackertarget module; the short name works when it is unambiguous)

    2. options set SOURCE google.com

    3. info

    4. run

    5. show hosts

    If you want to choose another source, just replace google.com with the target of your choosing.

    Notes:  It has the look and feel of Metasploit, so if you’re familiar with that, this will be second nature – if not, there is a learning curve to get it working. Some of the modules may not be installed initially, so they need to be added via the marketplace. This can be done by installing them individually or just running ‘marketplace install all’.

This is a very powerful tool – perhaps the most powerful of all here. It can run scripts, use API keys, interact with databases… it’s incredibly versatile, and subdomain enumeration is an incredibly small subset of what it can do. It’s worth looking more into it at the website above.

While recon-ng requires more in depth knowledge to get going, it can perhaps be the most rewarding.

Some notes on the NIST Risk Management Framework

This is a brief summary about the basics of the NIST 800-37 Rev 2 – Risk Management Framework (RMF). Link to the course I took is at the bottom of this post. Included are the main points from the course (in chronological order); the most important section is perhaps the last part which describes in detail the seven steps of the RMF.

_____________________________________________________________________

Background: 

Each federal agency is required to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. This requirement comes from FISMA (the Federal Information Security Management Act of 2002, updated by the Federal Information Security Modernization Act of 2014).

FISMA requires federal organizations to:

    Provide information security protections commensurate with assessed risk
    Ensure senior leaders provide information security for assets under their control
    Ensure the organization has trained personnel to assist in complying with FISMA and related policies
    Provide annual reports on the adequacy and effectiveness of information security policies, procedures, and practices
    Develop, document, and implement an information security program
    Develop and maintain an inventory of systems under the control of the organization
    Develop security awareness training to inform personnel of information security risks
    Perform an independent evaluation of the information security program and practices to determine their effectiveness

_____________________________________________________________________

Purpose:

The purpose of NIST SP 800-37 is to:

    Promote an organization-wide risk management process that includes privacy and information security risk
    Manage privacy and information security risk consistent with mission/business objectives and the overall risk strategy
    Ensure a consistent risk posture throughout the organization
    Integrate security and privacy requirements into the organization’s enterprise architecture
    Establish who is accepting risk for the system and the organization
    Provide senior leaders the information about the organization’s risk posture they need to make informed decisions

Each step/task of the RMF is aligned with existing system security engineering processes (where applicable). 

_____________________________________________________________________

Fundamentals:

Organization wide Risk Management – 

Level 1 – Organization
Level 2 – Mission/ Business Process
Level 3 – System (Environment of Operation)

Level 1 is more strategic focus, where level 3 is granular/tactical approach to risk. There should be bi-directional information flows between the different levels of the organization. 

Risk Management is a comprehensive process that requires:

    Framing Risk – establish a risk context by describing the decision making environment
    Assessing Risk – identify threat sources and vulnerabilities, potential impact, and likelihood
    Responding to Risk – provide consistent response – developing and evaluating courses of action
    Monitoring Risk – verify risk response measures are implemented and determine effectiveness

_____________________________________________________________________

Steps and Structure:

Steps
There are seven steps in the RMF:
Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor
These are detailed in the following section.
Each step in the RMF has a purpose statement, set of outcomes, and tasks that are carried out to achieve those outcomes captured in the Step Summary
Executing the RMF requires close collaboration between security and privacy programs. While these programs have different objectives, they overlap.

Authorization
Authorization Boundaries – Establish the scope of protection for systems; Defines the scope of the authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy. Organizations have flexibility in determining this boundary. Considerations for determining authorization boundaries may include systems under same direct management, similar mission/business functions, requirements, security/privacy concerns, cost. Systems can be broken into sub-systems which have their own boundaries, all under the umbrella of the grander Authorization Boundary.

Authorization Types: Traditional, Joint, Facility, Type
Traditional – A single senior official is responsible and accountable for authorizing the system (or a set of common controls)
Joint – Multiple officials having a shared interest in authorizing a system
Facility – Authorizes the common controls provided by a specific environment of operation, which the systems in that facility can then inherit
Type – A single authorization covering multiple identical instances of a system deployed in the same kind of environment; often used in conjunction with a facility authorization
Authorizations are also distinguished by when they occur:
Initial – Based on a complete, zero-based review of the system
Ongoing – Subsequent risk determinations and risk decisions, driven by continuous monitoring
Re-Authorization – A static, point-in-time risk determination/acceptance that occurs after the initial authorization
What authorization decisions are there? Authorization to Operate, Common Control, Authorization to use, Denial of Authorization
Risk management roles and responsibilities
Everyone has a role. These can include Authorizing Official, C-Suite Officials, Enterprise Architect, Information Owner, Risk Executive, Security/Privacy Architect, System Owner, etc.
The Authorizing Official is a senior executive with responsibility to Authorize a system. They Consult with multiple organizational personnel and other parties. For Federal agencies, this role is a US Government function and is assigned to government personnel only.

_____________________________________________________________________

Summary:
-Managing risk is a complex multifaceted activity that requires the involvement of the entire organization

-Privacy, security and supply chain risk management is not a static process
-The authorization boundary defines the system for RMF execution; it facilitates risk management and accountability and accounts for the flow of information through the system
-Security and privacy programs require close collaboration; defining roles and responsibilities allows an organization to effectively accomplish specific tasks, manage security and privacy risks, and clarify expectations
-Authorizing officials should not feel pressured into accepting risk that is not consistent with the organizational risk tolerance
-The RMF describes the roles and responsibilities of key participants involved in an organization’s risk management process. Across organizations, there may be differences in naming conventions and how responsibilities are allocated among personnel.

_____________________________________________________________________

Risk Management Framework:

Provides organizations with:
-A structured/flexible process for managing risk
-Guidance for determining the appropriate risk mitigation
-A repeatable methodology that balances mission/business goals with security requirements and policy guidance
-A process for continuous monitoring resulting in improvement of security posture
-A technology-neutral methodology that can be applied to any type of information system without modification
Seven Steps of the RMF:
Prepare – 
Organizational level = P1-P7
System level = P8-P18
Help an organization be more efficient and cost effective in managing risk.
Organizational: Roles, strategy, risk assessment (organization), common control identification, etc.
System: Stakeholders, asset ID, authorization boundary, information life cycle, risk assessment (system), requirements, etc.
Categorize
Inform organizational risk management process and tasks by determining the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information to the organization.
C1-C3
Document characteristics of the system, security categorization, and review/approve
Select – 
Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk to organizational operations and assets, individuals, and the Nation.
S1-S6
Control selection, Tailoring, Allocation, Document, Monitor, Plan Review/Approval

Implement 
Implement the controls identified in the system security plan
I1, I2
Implement the controls as specified in the security and privacy plan, Document changes to planned control implementations based on as-built.

Assess –  
Once controls are implemented, they should be assessed for effectiveness. Determine the extent to which the controls are implemented correctly, operating as intended, and producing the required outcome with respect to meeting the security requirements of the system.
A1-A6
Select an assessor/assessment team, make an assessment plan, assess the security controls, report, develop remediation actions, plan of action/milestones

Authorize – 
Provide accountability by requiring a senior management official to determine if the security and privacy risk to the organizational operations and assets, individuals, other organizations, or the Nation of operating a system or the use of common controls, is acceptable. 
R1-R5
Authorization package (security/privacy plan, assessment reports, action/milestones, executive summary), risk analysis, risk response, authorization decision, reporting

Monitor
Maintain an ongoing situational awareness about the security and privacy posture of the system and risk management decision-making process
M1-M7
System and environment changes, ongoing assessments, ongoing risk response, authorization package updates, security and privacy reporting, ongoing authorization, system disposal.

_____________________________________________________________________

Link to the course (3 hours)

https://csrc.nist.gov/CSRC/media/Projects/risk-management/images-media/rmf-training/intro-course-v2_0/index.html