Max - Part 1

Description
A teenager's journey into hacking
Max looked over at his clock, 2:14 AM. The light from the blue numbers mixed with the glow from his computer monitor and backlit keyboard. He should have been asleep. He should have been asleep hours ago. School tomorrow would be painful now that he’d be so tired. It didn’t matter. Not tonight. Tonight was special.
He continued to type away at his keyboard. The rhythmic click and clack of his keys seemed to almost match in time to the beat of the music which came from his speakers. He sat there, alone, in his dark bedroom. An oscillating fan struggled to move the humid air around, doing very little to cool the room.
The air was thick, Max’s head and eyes hurt from straining in the dark, and his back was sore from sitting in his chair that he got on clearance from Office Max. None of these things were enough alone or in concert to stop him. He was a few lines of code away from writing his first script, just a few keystrokes short of exploiting his first vulnerability. He was hacking for the first time.
A knot tightened in his stomach. What if he got caught? What would his parents say? Could he get arrested? He’d seen news reports of hackers getting hauled off by the FBI. The feds would cut the power and gas to your house first so that their flash bangs and concussion grenades wouldn’t trigger an explosion or start a fire, then they’d lob a few in through your windows, wait for the “bang” and then bust in your door with their breaching ram, and flood in with screams and smoke and lights and the wrath of God about them.
“I’m going to end up on the evening news,” Max thought as he paused in his code writing, his hands now trembled a little. “I should stop this.” The thought brought a moment of comfort to his troubled conscience. But the sound of keys pressing and releasing resumed, the characters continued to appear on his screen.
Being his first time, Max was nowhere near the skill level of an actual hacker, neither was his target the likes of some critical infrastructure, something that would warrant such an arrest as depicted in his fearful imagination. Still, for a kid in high school, this was both terrifying and thrilling. This wasn’t Mr. Robot, this was real, these were his fingers typing, his will manifesting as code.
The target site was a community forum for aspiring photographers. A user would post a picture that they had taken, and the other users on the site would rate and comment. Featured photos would be selected based on user ratings, and you could get a little bit of fame and praise if you were good enough. The website even made a big deal about how they had helped a number of amateurs become professionals, and get real jobs. The site didn’t offer any proof of this claim, but it sure was a nice selling point.
Max wasn’t a photographer, aspiring or otherwise. He wasn’t a hacker for that matter, at best he was a script kiddie. But here he was, about to run his malicious code against this website. Some people hack for profit or gain, others for knowledge or out of curiosity, and then there are those who do it for fun or to show off. Not Max. He was doing this for the one reason any boy has ever done anything in the history of the human race. He was hacking this site, for a girl. Not just any girl, but for Sophie Weston.
It was study hall, the only class Max shared with Sophie other than algebra. She was sitting there, crying, and yet still effortlessly looking beautiful as usual. Two of her friends were with her, comforting her. “They said they were doing everything they can,” she sobbed quietly to her sympathizers.
That is what they said, so it would seem. Sophie was an aspiring photographer, and quite good as far as Max was concerned. She had been using this site for some time now, the one Max was trying to hack. She’d been an active member for a little over a year, and even had a couple of her photos featured on the site, still no job offers though. A few weeks ago someone started to harass her through posting comments on her photos and sending her direct messages. At first she dismissed them, but it kept happening. She reported the user to the site admins. One account would stop, and a new one would start up, posting the same crude and sometimes abusively vulgar comments.
Max sat there, trying not to stare at Sophie in her time of pain. He wanted to get up, to go over to her, to hold her, to tell her that everything was going to be okay. He wanted to find out who was doing this to her and make them stop. She was crying, and he was angry. But, like most times in life when he was angry, when someone stronger was hurting someone weaker, Max just sat there, doing nothing, saying nothing.
That was Friday afternoon. Now, as the minutes ticked by into early morning Monday, Max sat just as silent, and almost as motionless as he had then, but for once, he was doing something. He was going to do something about this.
He had spent all Friday afternoon after school, into the night and into Saturday, researching how hackers actually hack. He created an account on the photography site and started looking around. He had some familiarity with how web applications worked, since he had written a crude one for his computer lit class, it got him a B+, well deserved he thought.
Saturday was quite revolutionary for Max. After poring over blog posts and watching YouTube videos for almost a day, he still found himself completely at a loss. Everything he looked at on the website, every feature and function, it all just looked fine, it seemed secure. He began to get frustrated. That feeling of helplessness started to creep up. He pushed it down. By Saturday afternoon something changed. A simple thought occurred to him, simple yet profound. “I have to think like a hacker.” He had been going about this the wrong way. He looked at the site and saw what the creators wanted him to see, clicked the buttons they wanted him to click, used the features the way they wanted him to use them. He was quietly doing what the people in control wanted him to do, the same timid, Little Max. He sat back in his chair and just looked at the site on his screen. “I’m just using this site. How can I abuse this site?” And with that thought he started over, from the beginning of the entire process. He went back and went over every page again.
Earlier in his research, he had come across something known as the Top 10 web app vulnerabilities. It’s a published list which ranks the most common issues found in modern web applications. Max decided to start from the top of the list and work his way down, trying to see if any of these flaws existed and could be found in this site. The first and most common flaw was something called an SQL Injection. He wasn’t completely sure what that was or meant or how it worked, so after some online searching he learned that it had something to do with databases. He knew what a database was, “it’s like an advanced spreadsheet” his computer lit teacher had explained to him once. To Max’s surprise there was a lot of information on this sort of attack. So much so that there were specific tutorials and write-ups, and there were even step-by-step courses for free that not only explained how to perform this attack, but even gave you your own sandbox web application to test against.
That was Saturday. Researching and learning and practicing SQL injection attacks. Max got so caught up in learning about this attack that he forgot to even check for it in the photograph site. Maybe he just wasted a whole day. It was a lot of fun though. This feeling that you know something forbidden, like some dark magic that would have gotten you burned alive generations ago. It was power, this knowledge truly was power. He cursed his history teacher for being right about that stupid phrase.
What he learned about the SQL attack was that you exploit it through user input, either in the address bar or from a form field on the page. He checked all the different pages’ addresses and none of them looked like he could do anything to them, he tried, but didn’t get anywhere. So he started looking for forms in the site. He knew a little bit about how web forms worked from his computer lit project, which was reassuring to him. There were only a few, the account creation, then account login, there was the picture upload, the comment and chat forms, then the profile editing form. He tried them all, one at a time, field by field, over and over. Nothing. Frustration set in. Perhaps there was nothing vulnerable, or perhaps there was and he was just too inexperienced, no, too stupid to figure it out. He tensed up, his throat tightened, he felt like he was going to cry. Little Max, crying again. Tears welled up in his tired eyes and his vision blurred.
Try Harder.
He had seen that on some forum earlier that day. How corny. But so was knowledge being power and all, and that turned out to be sound advice.
He blinked away the tears, squeezed his eyes tight, the salty drops ran down his face. When he had opened his eyes again, his vision had cleared. Max then found himself staring at the profile editing form. It was the last one he found, and he had just tested for the last field.
A field takes user input, it’s something into which you type data, letters and numbers, like your name, or your clever little profile quote from your favorite movie or book, or your date of birth. Except, not here, this form had a little calendar feature that you clicked on and just clicked the year and month and day for your birth date. “Don’t use the site, Max, abuse the site.” He had told himself. “They want you to use that little calendar thing, but what is it really?” It was just another form field he realized. But he couldn’t change what it submitted using the form. He had learned about a program that would let you do just that though, he found a whole bunch of tutorials that used it, and so he had installed it when he was doing his research. He used it to intercept what was being sent to the website from that form, and he looked at the date field. It was just simple text. So he replaced it with something that would trigger a vulnerability if it was there, he sent it along, and nothing happened.
Strange. Nothing happened. Something should have happened. He refreshed the page and it was just blank. Had it worked? Nothing for once was something. It worked. Max jumped up, his discount office chair sailed backwards away from him as he cried out. Quickly he cupped both hands over his mouth. What time was it? What day was it? Were his parents home? He checked the clock and paused for much longer than one should have to in order to answer such a simple question. His mother worked second shift, twelve hour shifts, four on and three off. His father worked third shift Monday through Friday, and sometimes overtime on Saturdays. After a few moments, realizing that no one was rushing to his room to check on him, he figured that either they weren’t home, or they were asleep.
After all of that, he found himself here and now, writing what would be his first exploit. Hours had gone by after he discovered the SQL injection flaw in the date field. Hours of testing and more research. Max decided that the best thing to do would be to get all the data out of the database, then he could dig through it all for anything that would tell him who was messing with Sophie. He figured this would work since during his time looking over the site, page by page, ‘reconnaissance’ they call it, or ‘recon’ Max joked to himself, sounding like some special forces operative, he had noticed that after you log in, there’s a little message at the bottom of the welcome page, that tells you the last time you logged in, and from which IP address.
He knew about IP addresses from when he was trying to set up a gaming server for his friends to join. Max had volunteered to host the server, and then spent almost a week trying to figure out how you go about doing that. He learned that his house had an IP address on the Internet, and that his friends could connect to his computer if they had that address, this was after he figured out what a firewall was and port forwarding rules were. Yet another painful learning experience, but at least this kind of pain and frustration ended with Max feeling stronger, not weaker.
It was this knowledge of IP addresses and how they could be used to locate you in the physical world that also caused him to look into and start using something called Tor for this weekend’s activities. It was a special network that hid your real address, so that a website wouldn’t know where you were. He had been using this special web browser to do all his work on this site as well, but he hoped that the person going after Sophie wouldn’t be that smart. If he could get the whole database, then he might be able to find the accounts that were being used to hurt Sophie, and if he could find the accounts, then maybe he could find the IP addresses that showed up on login. What he would do with that information was beyond him.
Max found himself daydreaming about finding who was doing these things to Sophie, and going over to their house, and kicking in their door to grab and drag them outside into the street. Their neighbors would walk out during the commotion as Max would start threatening and pushing this horrible person. Everyone gathered would be cheering him on since no one liked the person anyway. Max would be a hero and Sophie would hug him in the hallway at school, in front of everyone, and she’d kiss him as a way of saying thanks. The boys would clap and whistle and the girls would swoon.
The last line was written. He had been poking at this site to test things as he went, but in his mind, he hadn’t really done anything yet. He was still just looking. Now, if he ran this script he just wrote, this crudely thrown together Frankenstein’s monster of a script, he would actually be doing something. Something that could get him in trouble. Up until now, he was curious, but if he ran this, he’d be hacking. He had gotten this far, but couldn’t finish. Max was scared. Little Max was scared. He suddenly became aware of his stiflingly hot room, the ache in his back, the abrasive fabric of his chair, the pain in his head right behind his eyes. “Who am I kidding? I’m no hacker.” He whispered these words, which got caught in his throat. He didn’t need to be bullied, he didn’t need to be picked on, he didn’t need to be made fun of, all by someone else, he could do all those things himself. He deserved it.
“I’m sorry Sophie,” he choked out his apology to the diminishing darkness, “I tried.” There would be no hug, no kiss, no cheers, and no swooning. The sun had started to come up, he could tell through the spaces between his window shades. His alarm would be going off soon. He would be going to school soon. “Such a failure.” He sat there in silence. “I hate you so much Mr. Peters,” Max spoke with a chuckle. Again, Max cursed his history teacher for being right. ‘How can you fail if you never try?’ What a stupid thought, and how much more stupid it is that it actually worked.
Max pressed ‘Enter’.