Huge shoutout to BuiltByBit for sponsoring this video, if you are interested in anything minecraft and server related, please check them out - builtbybit.com/themisterepic/

@thesharky

3 ай бұрын

ok

@TheWanderingTraderm

3 ай бұрын

you didnt do sponsors before

@oopomopoo

3 ай бұрын

April fools video, dupe on your server 😎

@Shin3y

3 ай бұрын

what's that sick ass dnb track that plays during the exploit of purple prison? nevermind, that's in the desc.

@taylorbesharah8

3 ай бұрын

please put an epilepsy warning if youre going to have things like 0:53

Players manage to bypass your servers spawn protection. What do they do with this newfound incredible power? Dig straight down

@Tenzhi

2 ай бұрын

Neuron activated

@dirtydan3029

Ай бұрын

Big brain

A scale so large, it won't happen again

@TheMisterEpic

3 ай бұрын

100%

@surge1229

3 ай бұрын

@@TheMisterEpic 99.99999999999999999999999999999999999999999% Lmao

@gameslikes0grolls

3 ай бұрын

@@surge1229 thats not how that works

@StuffJason437

3 ай бұрын

Biggest plugin(s) will contain at least 1 oversight.

@ANONYMOUS-vf2nn

3 ай бұрын

What if there is something even worse than that? Perhaps being able to absolutely remove the server from the existence? Time will tell, people are still unaware of potential possibilities that are still unknown for them

Today's Fact: In 2020, researchers used quantum entanglement to teleport information between two chips in a silicon-based system, a major step forward for quantum computing.

@S1mplyEuph0ria

3 ай бұрын

cool

@BasementStudi0s

3 ай бұрын

that sounds like fast internet speed

@TheMisterEpic

3 ай бұрын

Thank you facterino

@BallGrabber_

3 ай бұрын

Yeah…but the silicon-based system does have quantum crystals right

@ThisIsWizardsHandle

3 ай бұрын

Ant man did it first fr

“Once in a decade exploit” *remembers log4j error, a Java exploit that allows you to run code remotely on any computer through a string value, something far more powerful than a simple /op*

@TheMisterEpic

3 ай бұрын

Keep in mind, that's not a Minecraft exploit, that's a security vulnerability in java

@GuyKev

3 ай бұрын

@@TheMisterEpic still WAY more powerful than any other exploit has been yet

@TheMisterEpic

3 ай бұрын

Sure, but not a Minecraft exploit

@CuteistFox

3 ай бұрын

@@TheMisterEpicits actuly a exploit in one of minecraft dependencys

@lemon3389

3 ай бұрын

@@CuteistFox ain't cuz you can run it on minecraft that it's a minecraft exploit though...

It confuses me how it took so long for anyone to find this. Yeah, not everyone is going to think "maybe if I rename this chest to the name of a server UI chest, it will give me that UI," but the process is so simple in hindsight that I'm surprised that it wasn't tested sooner.

@tux_the_astronaut

3 ай бұрын

From idk how none of the devs did a check if you had the permissions or not. Its like if typing rm -f / on Linux never checked to see if you had root privileges and just ran the command anyway or if windows just let a guest account delete system 32 without checking if they were a admin like how does the biggest anticheat for Minecraft miss such a simple crucial check

@branard5748

3 ай бұрын

it probably wasn't found cause a good chunk of people who play don't really know how these plug ins work as it was a paid service, and if you are wantin to troll you don't exactly wanna put actual cash into learning how a plug in works to exploit it

@xXball_smasherXx

3 ай бұрын

@@tux_the_astronaut because it isn't the biggest anticheat for Minecraft, Grim is

@Jessicadoesstuff

3 ай бұрын

generally, the simpler the idea, the more likely people are to think it has already been tested

@Kuipurrr

3 ай бұрын

That goes for a lot of exploits, they just seem simple in hindsight but take a while to discover.

That ending took it from "Yeah this is powerful, but unless you're careful it can always be rolled back" to "Holy hell, this is a _deadly_ exploit."

this is... a very, very old and basic oversight that has been done (and will be done) by many plugin developers that want to use chest GUIs until bukkit/paper/whatever implement a standardised solution. ofcourse it's hardcore that this has happened to a big anticheat plugin and there's no checks whatsoever after opening the menu, but the ground principle of "opening renamed chest to get to GUI" has been around for a long while

@game_time1633

3 ай бұрын

There is already a standardised soloution for years, inventory view instances. The developers just used a decade old method.

@nwseooo

3 ай бұрын

there is, its called InventoryHolder

@SaschahiGG

3 ай бұрын

@@game_time1633 didn't know that, is that added from bukkit, spigot or paper?

@game_time1633

3 ай бұрын

@@SaschahiGG from what I remember Bukkit? Correct me if I’m wrong though, but yeah pretty sure that was bukkit.

@Suzumi-kun

3 ай бұрын

@@SaschahiGG InventoryHolder is years old, dates back to at the latest 2016, when I started plugin development, it was THE way to do inventories so to use the old method, in my opinion, you're just asking for problems

I recently found a 1.7 dupe: 1. Lock a hopper. 2. Open your inventory with e 3. Use q to drop items 4. Close your inventory 5. Right-click the hopper. This resets your inventory. 6. Go back to step 2. Repeat ad infinitum.

@toesus7346

3 ай бұрын

make a video.

@xfi6658

3 ай бұрын

stay safe there 1.7 servers, the 3 of them.

@FranticErrors

3 ай бұрын

lol@@xfi6658

@FranticErrors

3 ай бұрын

yes. the 2 defunct ones and that weird 1 anarchy 2b2t clone@@xfi6658

@torinmoore

3 ай бұрын

@@xfi6658yeah why would people use 1.7 when 1.8 exists

16:28 “this isn’t the most powerful forceop exploit ever, this is the only forceop exploit ever” We just gonna pretend bungeespoofing doesn’t exist

@fitmotheyap

3 ай бұрын

Yeah, he forgot the true biggest exploit, literally applied to any server with bungeecord

@Loading4U_

3 ай бұрын

im pretty sure there are different adaptable parent server exploits too

@xxGreenRoblox

3 ай бұрын

it's the most powerful and the least powerful

@AveryChow

3 ай бұрын

from what I understand, this was already well known for a long time and fixed in other proxies like velocity by design

@Axel-kr3gs

3 ай бұрын

or UUID lol

Man, when you were describing the hierarchy, I had an idea: I make a server donation plugin, one that has a built in dupe exploit. One the server owners have to buy- in other words, the explicit purpose of the plugin is to gank P2W assholes.

@maasnelsonhailey218

3 ай бұрын

probably wouldn't last long, but it would certainly be funny

@n1tal

3 ай бұрын

99% of servers use tebex/buycraft, wouldn't work

@truerandomchannel

3 ай бұрын

they all use tebex/buycraft, so there is no real way to make another donation plugin

@cheeseburgermonkey7104

3 ай бұрын

@@maasnelsonhailey218 It's not about the damage, it's about sending a message

@heyctf

3 ай бұрын

That idea is SO GOOD and so CRUEL... I love it,,

I would like to provide some insight into this as I am an amateur server dev, and this exploit came from a very large oversight. So server chest guis work by having inventories and using the event to detect when someone clicks an item (as you described) What likely happened here was that the developers of vulcan forgot to add proper item checks to what they were clicking, so the server just assumed that they had permissions. Yes, there should be permission checks there. However, it is (from what I've seen) standard practice to add checks to the item clicked such as it having lore (meaning the player couldn't have modified it to have that lore), so that you don't ever accidentally detect them clicking an item in their inventory. The oversight of not adding permission checks isn't as egregious as not having the proper item checks for the gui, as its the very first thing you HAVE to get right.

@roughlyunderscore

3 ай бұрын

You're on the right track, I'd also like to provide some insight as an experienced dev. A lot of (especially beginner) developers compare their inventories by title - this means that to check if a GUI opened by a player is the GUI that the plugin wants, it compares the title of the GUI. This is wrong on multiple levels - the video shows exactly why. You were correct about the lore-for-the-item thing, but also not 100%. From my experience, it's standard to use NBT data for an item (add a tag that identifies this item) - this way it's completely fool proof. On versions of 1.14.4 and above it's especially easy to implement with the PersistentDataContainer API.

@Omega-mr1jg

3 ай бұрын

I legitimately can not believe this even occured like this, NBT acts as a key, why did they feel the need to use the title which everyone can change?@@roughlyunderscore

@Omega-mr1jg

3 ай бұрын

beyond that, not even checks were present, leading to a fatal flaw

@roughlyunderscore

3 ай бұрын

@@Omega-mr1jg Yep. Basically a lot of rookie mistakes - overlooks that were done due to the sheer complexity of the rest of the plugin. The developer probably didn't put too much thought into the GUIs because those were not even close to being the main focus.

@larkyy6364

3 ай бұрын

why would even anyone use this old rookie method for custom menus, when you can make a menu by implementing InventoryHolder and don't have to care about permission checks 😭

In Insanity on 23:03, you actually got OP access. However, some permission plugins can override commands to use the permission system rather than op access. That's why you cannot use commands but can see spy messages, they configured that incorrectly so you can see.

"If you reinforce a door by making it impossible to break down they'll just destroy the door frame"

@renakunisaki

2 ай бұрын

Or climb in the open window.

This is so wild I'm writing a college level security report on CWE-94, I'm going to source this video as an example of injection code as it is loosely related to it! Great video!

As a professional developer who used to create hacked clients for Minecraft (this was 5 years ago at this point though), I can very much say this: It isn't impossible to find exploits like this, and if people with genuine cyber security backgrounds where to look at Minecraft, they could likely exploit it within the same week, it's just that they have better things to do than stare at a block game.

@BigTarb

Ай бұрын

People do it all the time. He’s a server owner himself so there’s clear bias (he actively defended and helped purple prison which promotes gambling to children)

@OR56

13 күн бұрын

2b2t players building malware that could pose a national security threat to fund 9 year olds bases in a block game: “you underestimate my power”

27:52 "Everyone's owner", now that is what I'd call an anarchy server

@ryan_765

3 ай бұрын

nice profile picture bro

@luketurner314

3 ай бұрын

@@ryan_765 Thanks, yours too

"what i dont like is unethical gambling" then proceeds to blow the server the fuck up in retaliation (w)

@BigTarb

Ай бұрын

He then helped them solve the problem so he effectively did nothing. If he were actually against it he would’ve done damage he said he could do

2:44 "Rare but not that uncommon" come on man just pick one

@invualidV2

3 ай бұрын

Lmao

@Jeremonkey90

3 ай бұрын

I head that too. Must be a mistake in the script

@RRareGaming

3 ай бұрын

theyre rare(hard*) to find but pretty common since they are frequently found anyway

@lachlantrescott5533

3 ай бұрын

Corny ass video and script lol, good video but my god these kind of youtubers just try so hard to make it super dramatic, it's minecraft ffs LOL

@invualidV2

2 ай бұрын

@@RRareGaming how?

I feel like your exploit scale is missing a tier, log4j was known as an RCE exploit, which should be far more powerful than forceop. For example, if multiple servers exist on a single machine, you'd only need to attack one. Or you could steal/modify sensitive data, or install malware/ransomware directly to their server hardware.

@JustVldKsh

3 ай бұрын

that's not a minecraft-specific exploit, it affected a lot of java-related stuff in general, not only minecraft

@kidscreativitys

3 ай бұрын

@@JustVldKsh Read the comment again. No where it said its a minecraft-specific exploit. They only wanted a new RCE exploit tier.

@SolTheIdiot

3 ай бұрын

​@@kidscreativitys The video was talking about Minecraft exploits, but yeah an RCE exploit tier would make some sense

@kidscreativitys

3 ай бұрын

@@SolTheIdiotIts still a exploit anyone could abuse nonetheless

@maxrburgess

3 ай бұрын

@@JustVldKshI mean the JNDI lookups were able to be turned off so the fact that Minecraft didn’t kind of makes it a Minecraft exploit.

To any aspiring plugin developers trying to avoid this happening to them: just use interfaces that extend from InventoryHolder and check the type of the inventory, don't bother with inventory titles or item names. Not only will it avoid this issue but your code is gonna be so much easier to read and maintain because you don't have to deal with strings and a complicated if/else tree

@fitmotheyap

3 ай бұрын

Thanks a lot Just checked a tutorial on it, it's much better than the usual ways people learn to make inventories

@iilwy

3 ай бұрын

you mean like extending the inventory class? wdym

@vytautaszygelis1106

3 ай бұрын

Or.... dont. Or just let some people enjoy something instead of patching shit out in mere hours. There is already enough fucking grinding and other bs in real life.

@iilwy

3 ай бұрын

@@vytautaszygelis1106 are you real?

@Shadowtrot

3 ай бұрын

@@iilwybots can cope and seethe too lmfao.

i think its crazy that people still find ways to terrorize servers

@bennyl9228

3 ай бұрын

On all pre-1.13 versions, by creating a piston with data value 6 (invalid rotation), it will crash the game whenever powered or whenever it recieves a block update. It is also an update suppressor and can get you block 36, half beds, half doors, floating blocks, piston heads, etc.

@RRareGaming

3 ай бұрын

its the one used in 2b2t right @@bennyl9228

@vytautaszygelis1106

3 ай бұрын

Terorize? I just want in on some fun. I keep trying to look for reliable dupes, but everything is so ''secure'' nowdays.

@SmokeFactory

2 ай бұрын

@@vytautaszygelis1106🫤 look for the dupes yourself

@okie9025

2 ай бұрын

@@vytautaszygelis1106 nothing more fun than ruining your own/others' experience and fun and reducing the entire game to a pentesting playground before promptly leaving the game until another exploit is found.

"This vulkon the worst exploit ever" Log4Shell: "Hold me beer."

@CDZ1309

3 ай бұрын

I saw some other people talking about this, could you explain it to me :P (and possibly how to do it ;))

@EmanuelLopesS2

3 ай бұрын

​@user-kz1zc7vm4l log4shell was a Java exploit that easly allowed you to execute remote commands to the players computer, is not even in the server, they could easly get all you information saved in your computer, crash it, infect with malware and a lot worst. It was a Java exploit and not a plugin one, they fix it very fast but some damage was done. Also it wasn't minecraft exclusive since a LOT OF THINGS works using Java, so just imagine the possible damage. Once in a life exploit, one of the most or the most powerful exploit ever

@Hagurmert

3 ай бұрын

​@@EmanuelLopesS2 this vulnerability existed for a very long time and it was not taken advantage of but when it did, it made playing Minecraft an actual security problem, especially on Minecraft servers and the ones where there are hackers around that can just remotely enter your computer and do anything they want to do. Log4j exploit is one if the most insane exploits to ever exist in digital computing

@SolTheIdiot

3 ай бұрын

​@@CDZ1309 person above me explains it

@lnee

3 ай бұрын

@@CDZ1309 kzread.info/dash/bejne/qWZ6mJmFkqjans4.html

25:04 Scott Buckley's music really works very well with this scene

@TheMisterEpic

3 ай бұрын

100%

man its okay to just say u wanted to mess with minecraft servers with a funny exploit idk y every channel like this acts like they r on some crazy moral highground

Very cool and detailed video about this Vulcan exploit and I think we may not see something like this again in the near future and I am still bothered that I was not able to actually use it myself as there was not enough time after the owners of Minemalia discovered that we were accessing their Vulcan menu and as I said we did not know that you could edit punishment commands which we found out afterwards when they had already alerted frep. One thing I would like to add is that there is a way to access the main GUI without knowing its name. In my case I used a feather and the chest title "Check Types" which allowed me to access GUIs without knowing the name of the main GUI.

@CCBlueX

3 ай бұрын

It is quite a mistake not to check for permissions on the GUIs, which should NEVER happen, but to be fair, frep handled it very well by releasing a free patch for everyone. But I think there will be a lot of servers vulnerable to this exploit for a long time to come. Also the video was unlisted, since I released another one right afterwards which included the aspect of Force-OP. :)

@TaxEvasionProfessional

3 ай бұрын

@@CCBlueXhi ccbluex. was fun trolling minemalia XD

@slackclient

3 ай бұрын

Hi

@prah7637

3 ай бұрын

Hi

@t.o.mirite

3 ай бұрын

Hi

as someone whos been making inventory guis and other various minecraft stuff, i can say that the statement at 18:20 is incorrect, it is *VERY EASY* to check if the inventory instance is correct, and check permissions accordingly. But even if it wasn't, if you're doing scripted events when clicking a gui button, that should 100% BE BEING CHECKED!

@tacticallemon7518

Ай бұрын

I can imagine an issue arising where players spam open inventories to lag servers If it needs to run a check *every time* anyone opens any inventory, imagine the lag from just 2 or 3 accounts just spamming e

@HungryFox02

Ай бұрын

@@tacticallemon7518 yeah except it does that check anyway, but for the container name Also opening an inventory and opening a container are entirely different operations, spamming e wouldnt even trigger that check

The panic server owners must have felt because of this is hilarious

at 28:33 that /save-all mustve felt SO GOOD hahahha

Tbh the funniest thing that you could do is add /stop to random flag and make staff wonder what the hell is happening

@TheMisterEpic

2 ай бұрын

That would have been hilarious ngl, especially if the exploit never ended up becoming known by many others

26:54 very nice dutch person in chat

@dunkiegaming

2 ай бұрын

iknow hahaha

@NotTheDotDot

2 ай бұрын

Comment I was looking for

Fun fact: you have been on a hungarian server it was the one with the ban reason being "hi fan, what are you doing?"

If that ever happend to me, i'd call my friend Micheal.

@erich_ika

3 ай бұрын

i think it'd be better to call saul

@xzempty_8387

3 ай бұрын

Thank god for michael

Idk about anyone else.. But seeing the sun SIDEWAYS at the start is cursed to hell.

24:40 You really did test it on a variety of servers... I love that you've showed a translation aswell. :D

@handleforsale

3 ай бұрын

rivalsnetwork my beloved

@karzanah

3 ай бұрын

"Le flight" tho instead of expiration

@definetly-not-real

3 ай бұрын

I like how the reason he got banned is just so Hungarian.

@tyronorxy5646

3 ай бұрын

@@definetly-not-real I also like how there's probably at least three Hungarian people in this comment thread, and we're all speaking in English. :D

@handleforsale

3 ай бұрын

@@definetly-not-real mennyire igaz

Log4J was the “Once in a decade exploit” for Minecraft servers, and many other things of course.

@brandon9172

3 ай бұрын

Log4J wasn't just a "once in a decade exploit" for Minecraft, it was a "once in a decade exploit" for literally the entire internet.

@theaviationbee

3 ай бұрын

​@@brandon9172original commenter alsp said "...and many other things"

@Tyresekyle

3 ай бұрын

@@brandon9172 Yeah, this exploit doesn't even come close to that.

27:00 that was so fucking fun to watch lmao, the background music and editing makes it so entertaining and epic

Still can't believe they were just checking the name of the inventory and not using `instanceof`. It's incredible that this is even possible. Wow.

@neonowlgery

3 ай бұрын

I think they should @Deprecated and @ForRemoval it. It truly is a bad option. Tho, I used it for years, it's time for a change.

@russianyoutube

3 ай бұрын

You shouldn't even instanceof them, you should check if it's a specific instance of the inventory

@Xnoob545

3 ай бұрын

​@@russianyoutube oh hi, I know you

@russianyoutube

3 ай бұрын

@@Xnoob545 oh hi, I know you too

Coming from someone that used to play on Purple Prison, this was amazing ❤️

What a lovely message on the bottom left at 6:54

@pewet123

3 ай бұрын

spotted that also

@Opprxssor666

Ай бұрын

I guess Mister Epic didnt notice that otherwise it would also be blurred out

Remote code execution exploits are even higher up on the exploit pyramid. You can literally edit files on the server.

That ending felt like I was watching Team Avolition again.

I just love the part when the music starts playing and EVERYTHING escalates COMPLETLY - I love how you cut you Videos Epic, thank you for making videos - I just love it!

As a developer that has worked on dozens of plugins involving hundreds of inventory GUIs, I take issue with the statement that it's difficult to check. One of my main go to methods of implementing chest UIs was to create a custom inventory container class similar to how all standard inventory types have their own class in the code. Internally in logic it would be identical to a chest UI, but I could then test the player's currently opened ui's class against my custom one. Opening a normal chest or player inventory would result in the currently opened inventory's class being PlayerInventory or DoubleChestInventory (or equivalent as the names have changed at various points in times) but they would not be the custom class. On top of that considering the UI is accessed via command and Spigot servers have events for opening and closing inventories in addition to just clicking in the inventories, it's not difficult to keep track of the current inventory of the player. All of that is then on top of basic permission checks, it's odd. And it's even stranger that the developer removed the UI entirely instead of just adding the checks to the code. The developer obviously knows what they're doing as making an Anti Cheat is not something someone does on a whim, especially one so well received, so it's baffling this got through.

I remember this happening to a small server, the exploit was dangerously abused on it; even going as far as leaking IP addressess and saying sensitive words using the broadcast command.

this is why exploits need to be fixed super quick so people don't destroy sevrers

@fatfurry

3 ай бұрын

This is why exploits don't need to be fixed because they are more fun to have than to not have

@ionisator1

3 ай бұрын

​@@fatfurryMinor exploits bugs and glitches can be fun, but fundamentally comprimising exploits are not

@fatfurry

3 ай бұрын

@@ionisator1 🤓

@lewdmilla

3 ай бұрын

​@@fatfurryok clown

@vytautaszygelis1106

3 ай бұрын

@@ionisator1 Dont care. I wanted to try this. Cant. Why? Because its fucking gone. Tried to find dupe exploits. Cant. Why? Cause fucking monkeys patched them out.

I love how whenever the character has to climb up to the very top of the hierarchy, he is always just out of reach of the top, but the video "glitches" and all of a sudden he is on the top. unexplicably. very poetically shown

This was absolutely insane. Last time I was involved in something like this was when iTristan gave me a 32k sword.

Wtf. I reported this to the Vulcan developer a while back and he fixed it within about an hour. I had no idea it was this big tho. The chest you click on in the inventory does not have to be named btw. Only the inventory name matters.

In Minecraft wiiu all your need to do is change some memory addresses and you can do basically anything you want with and make it impossible to be removed.

@MC_CN

3 ай бұрын

That's messing with console/disc code basically an equivalent to hacked clients/mods

@YouTubeName-hw1uk

3 ай бұрын

@@MC_CN Yeah you can edit the system memory in real time with a tool called TCP gecko, clients do exist for Minecraft though and at there core, they are simply modified versions of the minecraft.rpx (the core of the game) So no disc mods needed just some homebrew

@DorperSystems

3 ай бұрын

Yes if you have physical access to something you can do anything...

@YouTubeName-hw1uk

3 ай бұрын

@@MC_CN damn KZread deleted my previous reply to thsi

@YouTubeName-hw1uk

3 ай бұрын

@@DorperSystems I'm talking about modifying address on, _your own_ system to trick the game into thinking that your the host

The story telling in these videos is actually insane, keep it up!

@SmokeFactory

2 ай бұрын

🤖

@misiosz1983

Ай бұрын

Stop appearing everywhere you chicken

@misiosz1983

Ай бұрын

Kurczak is chicken

I absolutely loved watching this especially with good noise canceling headphones the choice of music was amazing

It’s actually amazing how far some of the community’s knowledge went, to actual force op exploits. As much damage as this has done, it’s actually baffling.

There is a force op in 1.2.5 and below that you didn't mention. Back then the Minecraft protocol wasn't encrypted. What this meant is that the connection between clients and servers were not secure and could be tampered by anyone in a MitM attack. The force op worked by getting an admin of the target server join an attacker controlled server. When joining the malicous server, the malicous server would then try and login to the target server and forward the handshake packet back to the admin's client allowing the malicous server to successfully login to the target server as that admin. The malicous server while logged in with the admin account could execute any command including op. The malicous server doesn't have to forward any other packets back to the admin so it can just kick the admin with an error message or have them join a fake server so it isn't suspicious.

Should have destroyed the hell out of purple prison, and cripple the server ENTIRELY. A once in a decade expliot could have gone to use and destroy this P2W server, and yet you choose to tell the staff of said server. SMH dude

It was noble of you to show restraint with this exploit. If another group discovered it, imagine the mayhem that could have been caused.

@CrioChamber

3 ай бұрын

Except Purple Prison. XD That poor spawn!

@qrae_qrae6629

2 ай бұрын

@@CrioChamber spawn is really easy to reverse, im 99% sure a server like purpleprison has their own build server where their builders can build then turn them into schematics to be pasted at the live server

@CrioChamber

2 ай бұрын

​@@qrae_qrae6629I mean, I didn't think they wouldn't have a backup somewhere, just before they rolled it back that spawn got oofed.

@qrae_qrae6629

2 ай бұрын

@@CrioChamber nonetheless, if purple prison didn't have a backup, fuck them LOL

Ah yes, the good men and women of Purple Prison's finest. The Purple Prison Moderator Team: Vigilant, but incompetent.

@juicesoapcontraptions8928

Ай бұрын

Half the mods on that server literally false ban you for the stupidest stuff. Like one auto hackusated then banned me just cause I so happen to run forge on 1.8.9 yeah OK but for OptiFine only! Effing tards.

My server which averages around 200 players got nuked by a competitor server and they deleted our saves causing us to have to remake some aspects of our server, it was not fun

@Sarah_Bragg

9 күн бұрын

How did they destroy saves? Wouldn’t those have been stored off of the internet?

such a well put together video. Hats off to you mr epic

ThatMisterEpic's final checkpoint everytime: Purple Prison 😂

In your exploit hierarchy, you missed a tier above ForceOP: Full server control. This is where Log4Shell sits.

@renakunisaki

2 ай бұрын

And even higher: total RCE. Being able to run code on other players' systems. I think log4j could do that?

@hertzwave8001

Ай бұрын

is there an exploit that allows you to goto anyones house irl

Those random flashing lights with no warning is crazy

As a skript developer myself I can confirm it is a major pain to do this, but it can be prevented by placing buffer characters like colored spaces after the text is finished like "GUI&a &r" this fixes all your problems and makes it virtually impossible for players to open this gui. I can confirm that like every skript I have seen doesn't check perms, but the all use colored text and that makes it impossible for players to get UI named this way. Third mistake most people missed is that Vulcan checks it based on the item clicked as opposed to a slot, which is kinda of a bummer

@yorik1006

3 ай бұрын

I allow players to put colours in anvil. Slot checking would have been even easier to exploit, just click the empty slot where Manage Checks was supposed to be.

This is actually insane. Kudos to finding it, I hope the purple prison devs didn't get too mad at you

This feels less like a permission issue and more like an input sanitization issue. Not sure if it has to do with Minecraft or the anti cheat but there should be an input sanitization process that should prevent just renaming something to get access to a console.

cant believe Vulcan used inventory titles to distinguish inventory GUIs LOL thats so terribly coded it is NOT difficult AT ALL to use a HashMap which maps the player to the inventory object when the inventory is opened and only handle click events on that GUI

man, i've been following zman since the unturned days. crazy to see him come so far

perfect end to the purple prison arc

I love how PurplePrizzon disolves into chaos in only a couple of minutes. It just goes to show how powerful this exploit is!!

The person who found this first was a german youtuber named Garkolym, he made a video about it on January 22

This video is on another level! Keep up the amazing work MrEpic ❤

"What a cool looking minecraft server! I wanna go play it." *Joins server and sees the chaos* " oh my "

mann it's crazy what people find out how to do

No way bro finally launched an effective attack on purple prison

It's funny that, to this day, many mods/plugins still use custom names of items to branch the behaviors of that item from the original implementations. I personally prefer going with the built-in NBT tags system. It works well along with the OOP concepts and cannot be easily tampered by players. Though in Vulcan's case they should've used controlled commands like what old-school NCP does in the first place.

My man let Purple Prison off like crazy, even helped them get back up.

the absolute misery you unleashed on purple prison brought me unspeakable joy

Haha, le classique demonstration of the first rule of networking - "Never trust the client"

I found something somewhat similar where there was a bug in the server perms setting where I just had access to “/op” in the main lobby when I first joined.

Literally The Purple Prison mods: "I don't get paid enough for this."

Related to the video, this is really both interesting and scary at the same time

Damn and they could've saved so many people money by stopping Purple Prison entirely.

One of the small to medium Smp that I am a mod/admin/co-owner for but got griefed by the "the mole group" or something like that via the Vulcan exploit on 31/01/2024 around 8:30 pm AEDT. We managed to recover within 1-3 ish days after it. One of the examples at the 10:24, 17:25 & 28:03 mark by the griefer who did this on the SMP I was on, plus it hits home but thx for covering this TheMisterEpic 💜 Edit: I've shared this with the owner of the server :p i know that you wont find this but good luck on the future of ur content

As someone who's tried running their own Minecraft server for me and a friend to play on, this is both terrifying but also interesting and amazing at how much had to go wrong for it to work.

Hacker: Lets use an exploit! TheMisterEpic: Lets use the only forceop exploit!

I like the glitchy transitions you have

Insane quality video bro ❤ love your work keep it up ❤

i remember finding some OP bugs years ago they were fun, my favourite was on modded servers that had the sponge wipe to edit signs, go to an admin shop and edit the sign to give @player op or whatever the syntax was. worked on a surprising amount of servers at the time but i'm sure it's fixed by now

The fact that /op is a thing makes situations like this dangerous. It's so straightforward to understand that gets you too many permissions. Why can't server developers just remove it and add a MFA for promoting anyone to moderator or higher level statuses?

@MasterBroNetwork

3 ай бұрын

Good point, Any permission past basic moderation should require MFA to give out properly, /op can literally be executed at any time.

Man imagine being gone for a second and everythings gone and everyone has op 😂

its very nice to know that the minecraft server community moves at lightning speed when it comes to some kind of danger to their servers

I'm not going to lie, when you use the exploit on Purple Prison, I could not help but laugh XD. I used to play on that server when I was younger but now me being an adult I understand what money is and what kind of a server Purple Prison is. I know that exploits can be harmful to servers but this one takes the cake and it really caught my eye. I am not an expert with technology or dupes or exploits and all that but I just like watching them and learning more about them. Keep making awesome videos!

With great power comes great responsibility ❌ with great power comes exceeding great rarity ✅

Skip to 10:10 to save 10mins of overdramatized buildup

24:24 HUNGARIAN SERVER MENTIONED RAAAAAAH, am szép vagy Exteron, szeretlek ❤

Way back in the day I was friends with the dev of Cicada (im pretty sure he told us) but basically he said that hub servers would leave the login port open so you could direct connect to the login port of the say survival server and since the hub was supposed to do the Minecraft verification then transfer you to the server you are trying to play by direct connecting you could bypass the minecraft verification. So with his client we were able to do 5 mins of research, find out who the owner/devs were, direct connect with their usernames spoofed, bypass the minecraft verification, and boom... you are logged in... on their server... with their username and all their OP/Rank powers... it was pretty nuts.

this kinda reminds me about a roblox bug naming your character lets say bosscampos, so boss camera position, so the game would get confused cause there are 2 files named the same thing so it would freeze and bug the game

@tntking55

3 ай бұрын

ik this isnt that relevant i just wanted to share some thing cool

I love how revalsnetwork just says: hello my fan what good are you doing? in Hungarian xd

@neonowlgery

3 ай бұрын

Még én is meglepődtem, hogy RivalsNetwork, mondom "Ez mit keres ezen a szerveren?" XDDD

Been a while since i messed with servers. But back in the days the better method was to somehow getting granted “ star permission / * permission. By doing that the server console would not give you a red name or make it show up in the console, also another bonus, smaller server owners would rarely know about * permission and not know how to remove it, making a player un-banable and no matter how Many times they de-opper the player would still have every permission on the server.

This was a great video, keep it up! ❤