novnc-based novel phishing site breakdown
This is a short guide to explain how to escape the kiosk mode browser in this novnc phishing site.
First, I try to use the real novnc client at https://novnc.com/noVNC/vnc so it doesn’t have certain controls hidden and will not automatically redirect you to amazon.
To be able to connect through novnc, you need to get a cookie. The cookie is generated by a post request, but it is easiest to load the page since that also generates a cookie. To first get to the phishing page you need to go to https://clo-20034.com/12/ and see if that redirects to the phishing page. If it doesn’t redirect you, you need to go to https://amazlon.net/static/?parametr=ys48mDO8IGgtKCIw5TQRKqhYciNK1YNTofiZNCps_VaGL2KlH0o= after visiting the redirect so that you can get to the phishing page. Once it connects through novnc, you can open devtools and grab the username cookie. This cookie is required to be able to connect with novnc.
You need a residential IP in the US (I think) to be able to view this scam. If the proxy is too slow, it might not handle novnc properly.
Once you grabbed the cookie, I use the chrome extension ModHeader (https://chrome.google.com/webstore/detail/modheader-modify-http-hea/idgpnmonknjnojddfkpgkljpfnnfcklj) to add this cookie to every request so I can use the real novnc client. Once I have done that I can go to the novnc client settings on the real novnc client and in the websocket settings set the host to amazlon.net or whatever the current domain they are using is. Sometimes they switch domains but the redirect (https://clo-20034.com/12/) seems to remain the same. Leave the rest of the novnc settings unchanged
Once you have done that click on connect in novnc. When it prompts you for a password, the password will be “password” (without quotes).
Now you should be connected to the novnc phishing thing.
Once you do this, you need to download a file to begin escaping this kiosk mode browser.
The easiest way I found to do this is to go to google first and download a file, I’ll explain.
Scroll down to the bottom of the amazon page, if not at the full amazon page then click on the amazon logo.
You should see links to other amazon websites at the very bottom of the page, you want to click on goodreads.
From there click on the continue with apple button and then on the apple logo on the top left of the page.
Now click on the search bar on the top of the main apple website and search for google.
Now click on the google logo on the top left corner and after that, click on the google text at the bottom left corner of the page.
Now you have reached google search, search for “test file download” (without quotes)
Click on the result from hetzner for test files. (any file would work, this is the fastest way I’ve found)
Click on the 100mb file and when chrome shows a download, click the show all button near the bottom right.
Now open the left sidebar flyout menu and then click the button to show extra keys. Now you can click on the windows button in novnc and use the left arrow key.
This switches workspace to the other window we opened and now we are partially out of the kiosk browser.
Disable or uninstall all the currently installed chrome extensions. There’s a keylogger and a few other things you don’t want to leave around.
Open a new tab and click on the chrome webstore or just get to the chrome webstore somehow.
Search for “switchyomega” (without quotes) in the chrome webstore and install this chrome extension. Once it’s installed click on the chrome extension icon and click direct.
This disables the residential proxy so chrome isn’t awfully slow at loading things anymore.
Now go back to the chrome web store and search for “text editor” and then install the first chrome extension that shows up.
Click on the icon for the text editor chrome extension to open it, and then open the start-vncserver.sh file.
Now you will see stuff for starting a vnc server, remove the line that has vncserver in it.
Now you will want to add the lines (without quotes) “apt update apt install xterm konsole gnome-terminal -y sleep 600” Once you have added those lines to the script, click the save as button in the text editor, choose the start-vncserver.sh file, and then click save and replace the file when prompted.
Now go back to the browser and open the url “127.0.0.1:9001” in chrome (without quotes).
Where the vncserver thing is on the supervisor page, click on the start button. This will start the installation of a terminal app.
Now, click on the vncserver text, you can see the output of the script as it installs the terminal and click refresh to see the latest output.
After you wait a few minutes for it to install, it should be fully installed.
You can now open a terminal by right-clicking on the black part of the screen and go to applications-shells-bash and the gnome terminal can open.
You are the root user, so you can do whatever you want in this, but this is some kind of container/vm thing. I think it’s docker since there is a .dockerenv file in the root folder.