Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: mav on May 07, 2012, 07:00:16 AM



Title: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 07, 2012, 07:00:16 AM
UPDATE 27 Aug 2012

h4xcomp has been taken offline as there is no longer any reason for me to keep it running. I don't have the time to commit to it and have learned what I needed from it. Thanks to everyone who took part, it was great fun for me and I hope fun for you too.

---------

I'm pleased to announce a new project

http://www.h4xcomp.com/ (http://www.h4xcomp.com/)

The aim of the project is to increase my knowledge about running a well-secured website (especially one with bitcoin). I have included some novel and potentially security-breaking features which I plan to incorporate into a much larger project. Whilst the focus of the project is not purely bitcoin, I will be putting a fair bit of attention on the bitcoin side of things to start with. I am seeking data from this side-project to help make the larger project as secure and easily-managed as possible. I will make the knowledge I gain from h4xcomp available so that others can learn from the hacks that are (hopefully) perpetrated on the server.

I'm also using the site to fine-tune some of the novel techniques that are being used on my other project, such as the multi-lingual feature. If you notice that it seems a bit strange at times, I am only an English speaking person and have auto-translated all the other languages. As a result, the English is also on the more simple side of things to ensure that translations are least affected by grammatical complexity. I hope to trial some sort of 'give me human-translation for some reward' sometime in the future. There are so many things that I hope to experiment with on h4xcomp...

This project is only a couple of days old, however I hope over the next months it will provide a lot of interesting data and will be a useful resource for other developers who want to understand the additional security necessities when doing something a bit different with their servers.

The first prize is somewhat small as I have done very little to the server to secure it and expect that it will be hacked relatively easily. As the security improves and the difficulty increases, the prizes will become greater. I am funding this entirely from my own pocket for my own interest and learning.

More competitions are in the works. Hopefully this provides some geeky entertainment to the 1337 crews out there.

Feedback is welcome.

Edit:
I haven't tested the site on Internet Explorer cause I don't have a copy of it. I am about 100% sure it won't display as intended, however it should display at least the content since the site isn't that complex.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: Stephen Gornick on May 07, 2012, 09:21:12 AM
Are you interested in competitions for other, third party configurations?

For instance, if there were enough people that used the OSCommerce Bitcoin Payment Module who were to put together a bounty to learn if it had any vulnerabilities, would that be something you'd consider offering?


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 07, 2012, 09:33:58 AM
Absolutely. This project is as much for the community as it is for myself. If anyone has ideas for competitions I am happy to hear of them. Of course, being a side project, I cannot make any promises about when they will happen, but I consider this kind of information to be useful and important for people and businesses offering services surrounding bitcoin.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 08, 2012, 05:14:45 AM
There is definitely a hole in this site, I am waiting for it to be exploited... not necessarily easy to find, but clues will be released progressively since I want to see it compromised before I plug the hole and see the real nerds have a crack.

And thanks for this post whoever made it:

http://cnbtcnews.com/tag/h4xcomp (http://cnbtcnews.com/tag/h4xcomp)


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mb300sd on May 08, 2012, 11:57:20 PM
Don't know any python, but listing directories and finding wallet.dat shouldn't be too difficult if you can upload and execute scripts.

Did find a hidden ssh server on port 55555, and that you already masked the Server: response header. Since this is a competition, kinda hints that there might be a possible server exploit as the next task?


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: chsx3 on May 09, 2012, 07:46:57 AM
Is it necessary to brute force any credentials, or exploit a process running as root / suid root binary? If not, I'm stumped, so I guess I'm waiting for the first clue :)


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 09, 2012, 07:56:36 AM
No - I don't see the point in brute force competitions, and I only plan to release competitions that are based on cleverness... i.e. anyone with any sort of computer+internet could get the prize if they have the smarts.

I will put up a guide with this kind of info as it comes to light, this is a good point that should be made clearer on the site. thanks for pointing it out.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: a nice guy on May 09, 2012, 06:35:45 PM
Challenge accepted ;)

kind regards,
a nice guy


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 10, 2012, 10:47:42 AM
The first clue is up. Find it on the homepage http://www.h4xcomp.com/ (http://www.h4xcomp.com/)

Interesting entries so far, keep them coming. I look forward to writing the first report on the successful hack. There has been lots of interesting stuff coming in. Be sure that round 2 will be much much harder and the reward will reflect that (i.e. it will be much bigger), so let's get this first one out of the way!


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: chsx3 on May 10, 2012, 11:34:47 AM
Damn, not the clue I was looking for - I'd already got that far ;)

I've scoured the filesystem (well, /etc and /var mainly) and the 'localisation' postgres database, but can't find any trace of the bitcoind JSON-RPC credentials :(

I must be making this seem harder than it actually is..

Good luck to everyone else!


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: chsx3 on May 10, 2012, 01:25:58 PM
I can now see an accessible wallet, but it has no (testnet) money?


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 10, 2012, 01:35:05 PM
yeah sorry been dicking around with the server a bit in the past couple of hours... still getting my head around what I'm trying to achieve. looks like I've got it on track now.

Also I have confirmed the exploit, it wasn't easy but it's definitely there.

Wallet will have coins in 6 confirms from now...


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: Matthew N. Wright on May 10, 2012, 01:38:24 PM
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 10, 2012, 01:47:47 PM
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

Haha I'm actually learning how to prevent that happening, which is why I set the competition up; so I can learn from my sacrificial server being hacked. I hope very much not to repeat the problems faced by Linode, or for that matter Mt Gox in the early days, or, dare I say it, bitscalper  ::)

Once I get past this initial competition being won (gotta provide some incentive) I'll ramp it up and am actually going to sink some decent money into it so I can try to get some solid hacks happening and hopefully learn how to prevent them in the future. The more I learn, the harder it gets to hack, the more the prize goes up.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: chsx3 on May 10, 2012, 02:04:49 PM
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: Matthew N. Wright on May 10, 2012, 03:19:22 PM
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)

I lol'ed.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: Shadow383 on May 10, 2012, 09:08:33 PM
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)
More importantly, do they get declared winners if they do?  :P


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 11, 2012, 02:20:06 AM
The first competition has been successfully completed. Once the prize is awarded I'll post a report about the method and the fix, and start it off again with a bigger prize.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 13, 2012, 02:56:31 AM
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: rjk on May 13, 2012, 03:12:37 AM
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.

I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.
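As an added example (not code from this thread or from the h4xcomp site), here is a small audit script along the lines rjk describes: it parses a `ps -eo pid,user,group,comm` listing and flags any bitcoind process that runs as root or as the web server account instead of a dedicated user and group, and it also checks that the file holding the JSON-RPC credentials (bitcoin.conf) is owned by that user and not readable by anyone else, since that file is what chsx3 went looking for once the web application was compromised. The dedicated account name `bitcoin`, the `www-data` web user, and the sample listings are all assumptions constructed for the example.

```python
"""Check that bitcoind runs under a dedicated account, not root or the web user.

Added example, not code from h4xcomp or the thread. It parses the output of
`ps -eo pid,user,group,comm` (captured separately and passed in as text) and
flags a bitcoind process that runs as root or as the web server account. The
dedicated account name "bitcoin" is an assumption; pass your own.
"""
import stat
from dataclasses import dataclass

# Accounts under which bitcoind should never run. "www-data" is the Debian/Ubuntu
# web server user mentioned in the thread; add your own web user if it differs.
FORBIDDEN_USERS = {"root", "www-data"}


@dataclass
class Finding:
    pid: int
    user: str
    group: str
    problem: str


def parse_ps(listing: str) -> list[tuple[int, str, str, str]]:
    """Parse `ps -eo pid,user,group,comm` text; the header line is skipped."""
    rows = []
    for line in listing.strip().splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed or blank line: ignore rather than crash
        pid, user, group, comm = parts
        rows.append((int(pid), user, group, comm))
    return rows


def audit_bitcoind(listing: str, expected_user: str = "bitcoin") -> list[Finding]:
    """Return one Finding per bitcoind process that is not running as expected_user
    in a group of the same name (the dedicated user+group rjk recommends)."""
    findings = []
    for pid, user, group, comm in parse_ps(listing):
        if comm != "bitcoind":
            continue
        if user in FORBIDDEN_USERS:
            problem = f"runs as {user}; an exploit of bitcoind would inherit that account"
        elif user != expected_user:
            problem = f"runs as unexpected user {user!r}"
        elif group != expected_user:
            problem = f"runs in group {group!r}; expected dedicated group {expected_user!r}"
        else:
            continue
        findings.append(Finding(pid, user, group, problem))
    return findings


def check_conf_perms(mode: int, owner: str, expected_user: str = "bitcoin") -> list[str]:
    """Problems with a bitcoin.conf (which holds the JSON-RPC credentials) given its
    st_mode and owner name, e.g. from os.stat() and pwd.getpwuid(). A file readable
    by the web server account is exactly what a web-app compromise would read."""
    problems = []
    if owner != expected_user:
        problems.append(f"owned by {owner!r}, not {expected_user!r}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group or others; should be mode 0600")
    return problems


# Constructed sample listings (not captured from any real host).
BAD_LISTING = """\
  PID USER     GROUP    COMMAND
    1 root     root     systemd
  812 www-data www-data python
  901 root     root     bitcoind
"""
GOOD_LISTING = """\
  PID USER     GROUP    COMMAND
    1 root     root     systemd
  812 www-data www-data python
  901 bitcoin  bitcoin  bitcoind
"""

if __name__ == "__main__":
    for name, listing in (("bad", BAD_LISTING), ("good", GOOD_LISTING)):
        print(name, audit_bitcoind(listing) or "ok")
    print(check_conf_perms(0o644, "root"))     # world-readable and wrong owner
    print(check_conf_perms(0o600, "bitcoin"))  # no problems
```

On a live host, feed `audit_bitcoind` the captured `ps` output and `check_conf_perms` the `st_mode` and owner name of the real config file; the functions are kept free of side effects so they can be run in a cron job or a test suite. A chroot jail, as rjk mentions, is a further step on top of the dedicated account, not a replacement for it.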


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 13, 2012, 03:15:36 AM
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.

I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.

Good point, I will update it with this info. Sounds obvious now you say it, good to get these things sorted out now rather than later. Thanks for picking that up and posting.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: REF on May 13, 2012, 03:18:16 AM
http://www.h4xcomp.com/www.h4xcomp.com/1/winners/1 (http://www.h4xcomp.com/www.h4xcomp.com/1/winners/1)
winning script gives a 404 error


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 13, 2012, 03:46:27 AM
http://www.h4xcomp.com/www.h4xcomp.com/1/winners/1 (http://www.h4xcomp.com/www.h4xcomp.com/1/winners/1)
winning script gives a 404 error

Thanks, fixed.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: Krakonos on May 13, 2012, 11:02:17 AM
Nice one! I hope you'll have a lot of success, letting people hack your site is the best way to gain experience!

Also, I'll be watching it closely, I'm looking forward to another round (and looking around for other exploits silently :-))


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on May 13, 2012, 11:50:50 AM
The second round was a quick one - the server has been hacked. Once the prize is claimed, standby for round 3. This one was a bit of a giveaway, but glad to have done so.


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: a nice guy on May 13, 2012, 11:59:12 AM
Wow, that was really quick.
Sadly I'm no python developer :/

I hope there will be a general security bounty.

Thanks for this interesting stuff :)

kind regards,
a nice guy


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: stochastic on July 19, 2012, 02:58:03 AM
Is there going to be another contest?


Title: Re: [ANN] h4xcomp - hack the server, get bitcoins
Post by: mav on July 19, 2012, 03:52:26 AM
Yeah there will definitely be more comps, but probably not for at least a couple of months yet. I've been working like crazy on a product, one which will actually earn me money. For now h4xcomp has helped me learn what I needed, so unfortunately priorities mean it has been put on the backburner until I have more time for it.


Title: LIQNET
Post by: mixa2000 on August 24, 2018, 06:56:49 PM
Trading crypto assets on the basis of blockchain technologies has long since become routine and no longer surprises anybody. There are already more than 200 crypto exchanges. Such a large number reduces liquidity at the smaller exchanges, which has led to strong fragmentation of liquidity.
The lower the liquidity, the lower the average volume of a trading position in comparison with other classical markets. Moreover, during moments of sharp market movement it can prove insufficient even for trading low volumes of crypto assets.

LIQNET is a crypto exchange which allows liquidity from different platforms to be united, solving the problem of the dispersion of users and their trading requests and orders; it forms a single order book with the best depth of the trading market and more favourable prices for private persons and legal bodies from different spheres.

What makes the LIQNET exchange unique is the LEN (Liquidity Exchange Network) tool, which allows the orders of our clients on other trading platforms to be collected and combined into a single package of orders and made accessible for trading to all LIQNET clients.
Owners of LEN tokens receive exclusive conditions.

Other advantages of the LIQNET platform:
Desktop applications (own desktop application, MultiSharts, TradingView and MT5);
Fully functional mobile trading applications for Android and iOS;

The project's online wallet, which gives the chance to exchange crypto currency and to fix money at the click of a button. Besides, it has an easy service for crypto currency investments with free and paid built-in strategies; #LIQNET #Bounty