Not the one that was leaked with Carberp, but the 'ISFB' package part (Core, Interceptor, ATS, VNC modules, etc.):
And the panel..
I've already taken some screenshots of the inside of Rovnix, so let's skip the screenshots part.
Just check this article if you want to see pics from the Rovnix C&C:
The panel comes with an SQL dump, and a user/password is already defined inside.
The password looks like an MD5 hash and we know nothing about it.
Looking up the hash on Google, we get a match with '21240':
A tool also confirms that the hash is good for '21240'.
But.. there is a problem somewhere:
So we have to check the code to see what's going on.
admin/index.php uses a function getMyHash()
We have a salt and they use md5() but we have a huge mistake here:
So if we try to hash a password composed only of numbers, we will have an obvious problem.
That is the case for the 'default password' found inside the SQL dump.
If you want an example:
310dcbbf4cce62f762a2aaa148d556bd = getMyHash('123')
310dcbbf4cce62f762a2aaa148d556bd = md5('333')
A 'collision' between the 2 algorithms.
We can obtain the password from the hash easily, PoC:
Output for the unknown hash:
So the unknown password for fbff791ef0770855e599ea6f87d41653 is in reality '21173'.