SPKZMC:Pentesting

Information from The State of Sarkhan Official Records

Royal Decree Episode ???+101lavacasted

🧠 "Hackerman Chronicles: The Accidental Pentest of Art3mis by ominachan3575"

All names, incidents, vulnerabilities, and chaotic energy are dramatized for comedic and educational purposes. Viewer discretion advised — unless you're a Chinese admin running AuthMeVelocity 4.1.1, in which case: get patched.


✨ Intro: When Hackerman Logs In

In the neon-drenched backrooms of NeoBangkok's ricefield cyberwarfare division, a new hero emerged — not with cape or crown, but with a clipboard full of exploits and a VPN that screamed "Thai detected!"

Enter ominachan3575, alias notallsystemaresafe[XNHB], a curious fellow with the soul of a pentester and the mischief level of a chaotic neutral bard. While most players joined the Art3mis server to build cities, raid basements, or worship GabeN, our protagonist logged in, looked around... and proceeded to log into other accounts.

With a polite “hello” and an image of him flexing his kick permissions, ominachan began what would become an accidental yet somehow educational penetration test on the very foundation of Art3mis’s authentication systems.


🛠️ The Exploit: A Tale of Trust Misplaced

Let’s get technical. For the unfortunate few still clinging to AuthMeVelocity v4.1.1, there existed a glorious oversight:

    // Sent when a player finishes connecting to a backend server: the plugin
    // message carries only the literal "LOGIN" and the player's username.
    final boolean messageResult = server.sendPluginMessage(AuthMeVelocityPlugin.MODERN_CHANNEL, (encoder) -> {
        plugin.logDebug(() -> "ServerPostConnectEvent | " + player.getUsername() + " | Encoding LOGIN data");
        encoder.writeUTF("LOGIN");
        encoder.writeUTF(player.getUsername());
        plugin.logDebug(() -> "ServerPostConnectEvent | " + player.getUsername() + " | Sending LOGIN data");
    });

And just like that — with the right sauce and a client that could abuse CustomPayload, the gates of Valhalla opened. All ominachan had to do was yell “LOGIN” into the void and the server said, “Yes, my liege.” No OTP. No MFA. Just vibes and vanilla packets.

This wasn't some zero-day revelation. It was publicly documented here, and patched in v4.1.2. But like many server admins living on the edge of RAM limits, MoNoRi-Chan hadn’t exactly checked for plugin updates between nightly ThinkPad sleeps in his Prius Cargress™.


🧪 Live Demonstration: Hackerman’s Masterclass

With peak curiosity and absolutely no malice (maybe), ominachan screenshared his masterstroke in real time. The full sequence:

  1. Log into the account of choice with the trouserstreak addon (because of course).
  2. Bypass IP bans using VPNs and local Thai node hopping.
  3. Abuse the plugin message channel to fake login events.
  4. Become stats admin. Not real admin. Just the PowerPoint admin.
  5. Flex on the server owner with full transparency and request he "start the server again pls."

In response, MoNoRi-Chan, being the chaotic-neutral mayor of Art3mis, replied with the equivalent of "do it for the content," because free marketing is still marketing.


🔥 Griefing as Performance Art

Let’s not forget, ominachan could have burned everything. But instead of nuking the spawn into obsidian pasta, he chose… dialogue. This wasn’t a raid — it was a lecture. When told “we have backups,” his response was: “let grief backups.”

You don’t get that level of professionalism from your average 12-year-old with Wurst client. This was griefing with thesis, a critique of poor opsec disguised as chaos. An unsolicited bug bounty program, if you will.


🧠 Thai Anarchy Scene: Culture Shock Edition

In the post-game chatter, ominachan remarked how rare it was to see a real Thai anarchy server — most local servers mute or ban you for suggesting a better one. In retaliation, he had apparently crashed another server with the mighty bundle crash (yes, the one that makes your RAM beg for death). Because nothing says “your moderation sucks” like a recursive NBT packet.

His critique? Too many rules in anarchy servers. Too many feelings. Not enough lava.


🧬 Lessons for Server Admins

If you're reading this and still running:

  • Paper 1.20.X (update to 1.21),
  • Velocity without channel message filtering,
  • AuthMeVelocity v4.1.1 or older…

Then you might as well rename your server to pwnme.mc and post your RCON on Pastebin. Here’s your checklist for survival:

✅ Update to AuthMeVelocity v4.1.2+

✅ Sanitize incoming CustomPayload packets

✅ Restrict /plugins command access

✅ Monitor console logs (or do like MoNoRi-Chan and "scrub 'em weekly")

✅ Always assume VPN+Thai IP = Trickster God inbound
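
For the "channel message filtering" and "sanitize incoming CustomPayload" items, here is a small Velocity proxy plugin that drops any message a client sends on the auth channel. It is an added example, not AuthMeVelocity's own code or its v4.1.2 fix. The class name, plugin id and the `example:auth` channel id are placeholders; substitute the channel your auth plugin really uses.

```java
package example.authfilter; // hypothetical package name

import com.google.inject.Inject;
import com.velocitypowered.api.event.Subscribe;
import com.velocitypowered.api.event.connection.PluginMessageEvent;
import com.velocitypowered.api.event.proxy.ProxyInitializeEvent;
import com.velocitypowered.api.plugin.Plugin;
import com.velocitypowered.api.proxy.Player;
import com.velocitypowered.api.proxy.ProxyServer;
import com.velocitypowered.api.proxy.messages.MinecraftChannelIdentifier;
import org.slf4j.Logger;

@Plugin(id = "authchannelfilter", name = "AuthChannelFilter", version = "1.0")
public final class AuthChannelFilter {
    // Placeholder channel id: replace with the one your auth plugin uses.
    private static final MinecraftChannelIdentifier AUTH_CHANNEL =
            MinecraftChannelIdentifier.create("example", "auth");

    private final ProxyServer proxy;
    private final Logger logger;

    @Inject
    public AuthChannelFilter(ProxyServer proxy, Logger logger) {
        this.proxy = proxy;
        this.logger = logger;
    }

    @Subscribe
    public void onInit(ProxyInitializeEvent event) {
        // Velocity fires PluginMessageEvent only for registered channels;
        // unregistered channels pass straight through to the backend.
        proxy.getChannelRegistrar().register(AUTH_CHANNEL);
    }

    @Subscribe
    public void onPluginMessage(PluginMessageEvent event) {
        if (!AUTH_CHANNEL.equals(event.getIdentifier())) {
            return; // some other channel: leave it alone
        }
        if (event.getSource() instanceof Player player) {
            // Auth state may come from the proxy or a backend, never from
            // the client. Mark it handled so it is not forwarded.
            event.setResult(PluginMessageEvent.ForwardResult.handled());
            logger.warn("Dropped client-sent auth-channel message from {} ({})",
                    player.getUsername(), player.getRemoteAddress());
        }
    }
}
```

The warning line doubles as a detection signal for the "monitor console logs" item: a legitimate client has no reason to send anything on this channel.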


⚖️ Final Verdict

Was ominachan a villain? Nah. He was the unpaid QA department.

Was Art3mis compromised? Technically yes, spiritually no. All the data was intact. No lives were lost. Just some egos got lava-casted.

In the end, ominachan’s pentest served as a flaming billboard saying: “You are never truly safe.”

And in the realm of cyber-anarchy, that's the highest praise.


👑 Royal Decree:

Server laws will now include the ominachan clause: If you're going to break it, at least do it with style.
