Bitcoin Forum

Economy => Services => Topic started by: neha on August 11, 2014, 04:32:53 AM



Title: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on August 11, 2014, 04:32:53 AM
Hack Our Application Server for $3000

The challenge starts on 15th of August, 2014 and ends on 10th September, 2014


CONTEST DETAILS

Server Parameters

Our Server is Running a Java Application which is communicating with Google Server via APIs. Also, it is running Bitcoin Armoryd and Bitcoind.

To communicate with the server and check if it's running or not, send an email to hack@nuovocard.com with Subject 'Transfer'. The server will send you an email back with a transaction hash for an instant transaction in the amount of 0.0001 BTC to mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa.

Objective 1 (Bounty $200)

Find the IP address of the server. If no one is able to find the IP address in the first 5 days, we will disclose the IP address and no one will be able to claim this bounty further.

If you are able to find the IP address, please disclose it on this thread.



Objective 2 (Bounty $2800) - STARTED

Try and hack into the server using any means necessary. If successful, send out a transaction to your Bitcoin Testnet Address. Sign a Message and email us the Message to verify.

The Bitcoin Wallet on the server is a testnet wallet and has been left unlocked for you to make a transaction upon gaining access.

For more information about Nuovocard, visit www.nuovocard.com (http://www.nuovocard.com).

Nuovocard will be launching a Bitcoin Debit Card and Point of Sale App at the end of September, 2014. Please ask if you have any questions.

THIS CHALLENGE IS NOT TO HACK OUR WEBSERVER BUT THE APPLICATION SERVER

Do Not Perform a DOS Attack

PLEASE SEND ME A PM TO GET THE IP. ALSO, PLEASE DON'T RUN MORE THAN A COUPLE THREADS/CONNECTIONS TO THE SERVER.

UPDATE : If you are successful in hacking the server, you must share with us the complete steps of the hack and we must be able to replicate the same.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 04:56:50 AM
VERY IMPORTANT, the webserver is a different server and we are looking to get the application server hacked. PLEASE DO NOT HACK THE WEBSERVER AS THAT IS NOT PART OF THE BOUNTY. Also, 104.28.2.120 is not the IP address of the webserver also as I got a couple of PMs saying this is the IP. Again, the BOUNTY is not for the WEBSERVER. APPLICATION SERVER AND WEBSERVER are Separate.

Also, feel free to post in public as we don't want to hide even if we get hacked. The idea behind the contest is to prove to ourselves that the platform that we have designed is possibly very difficult to hack. Moreover, the $3000 bounty has been decided because it is the amount of bitcoins we will have in our hot wallet, so even if we get hacked, this is the max you can get. Although, we are saying 97% on our website, we don't plan to keep anything more than $3000 which will keep getting refilled manually.

Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: Equinoxx on August 11, 2014, 05:30:25 AM
The IP that everyone seems to be picking up is Cloudflare's,
I have the location of the site but not the IP.
If you'd like me to PM you the address or post it publicly,
let me know.
Thanks!


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 05:36:00 AM
The IP that everyone seems to be picking up is Cloudflare's,
I have the location of the site but not the IP.
If you'd like me to PM you the address or post it publicly,
let me know.
Thanks!

Guys, again that is the webserver and the webserver is located on Amazon and so is the primary and database server. The idea is to only hack the replica of the primary server and when the contest starts, you will be able to send an email to hack@nuovocard.com and get a reply from the server that is supposed to be hacked. It will reply to you with a transaction hash for a testnet transaction which it will make upon receiving your email.

I hope this clears it.

Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: Equinoxx on August 11, 2014, 06:32:23 AM
The address I have is for the website,
not of the Cloudflare although the Cloudflare is in Arizona.
Your host is in India.
I have the full address if you would like me to email it.
Thanks


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 06:46:23 AM

Did you ever stop to think that best way to find the hidden server is to hack the one that is known since it is a clone?

You called down the thunder, now you got it.

Deal with it.


~BCX~

Well, the server that we will be providing to hack is an exact replica with one difference i.e. it will only have one application running which will do all the aspects of multiple applications that are supposed to handle traffic. It will read email, reply, transact and talk to the database server. There are multiple different servers involved in the system we have designed and it is designed to handle up to a million users and webserver has no link to the primary server.

Also, we seriously mean 'by any means necessary'. We would love to see how it gets hacked as it will ensure more security in future for our users. Also, when this challenge is over, based on the results, we will probably extend the challenge. The only difference would be that we will never disclose the IP like we are doing here and moreover it will be programmed to get a new IP daily.

Questions???


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: hardshot on August 11, 2014, 07:08:12 AM
My IP guess: 199.241.30.125


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: 🏰 TradeFortress 🏰 on August 11, 2014, 07:42:20 AM
VERY IMPORTANT, the webserver is a different server and we are looking to get the application server hacked. PLEASE DO NOT HACK THE WEBSERVER AS THAT IS NOT PART OF THE BOUNTY. Also, 104.28.2.120 is not the IP address of the webserver also as I got a couple of PMs saying this is the IP. Again, the BOUNTY is not for the WEBSERVER. APPLICATION SERVER AND WEBSERVER are Separate.

Also, feel free to post in public as we don't want to hide even if we get hacked. The idea behind the contest is to prove to ourselves that the platform that we have designed is possibly very difficult to hack. Moreover, the $3000 bounty has been decided because it is the amount of bitcoins we will have in our hot wallet, so even if we get hacked, this is the max you can get. Although, we are saying 97% on our website, we don't plan to keep anything more than $3000 which will keep getting refilled manually.

Thanks.
To be absolutely correct, your bitcoind is on application server?



Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 07:55:40 AM
My IP guess: 199.241.30.125

This is not the IP.


To be absolutely correct, your bitcoind is on application server?



Yes. The Application Server will have:-

1. Bitcoind
2. Armoryd
3. Java App
4. Tor Client

Database Server - Mysql 5.6


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: Jags2ooo on August 11, 2014, 09:33:05 AM
173.194.68.26


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 09:47:24 AM
The challenge is announced 3 days before just to answer all the queries so that people can get to work on the day it starts.

1. How you describe the task is not in any case clearly and therefore a bit confusing.
The first reactions in form of posts already shows it.

2. I have strong legal concerns about this "promotional campaign" especially regarding my 1. point.
People may try to hack the wrong infrastructure despite the fact if the try itself is legal or not in their country.
In Germany for example I doubt that it is possible to take part without breaking the law.
If someone now probably tries to hack Amazon then and gets jailed because of taking part in your contest you are probably also responsible for that.
I guess you don't own an own datacenter. Is the datacenter informed about this?

-> I don't feel this contest is very well prepared at the moment and I would not start it under these circumstances.


First, this is completely legal and there is no threat to anyone hacking as Amazon will not go after them, it's the company who has rented the server that goes after people who hack. In this case, we are the company.

Secondly, I made it very clear on how to communicate with the server


To communicate with the server and check if it's running or not, send an email to hack@nuovocard.com with Subject 'Transfer'. The server will send you an email back with a transaction hash for an instant transaction in the amount of 0.0001 BTC to mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa.


This is the only way to communicate and try to find the IP which is the first step. After this, it's up to you. Doing a DOS attack does not make sense as you need to get into the server and it's not like we are trying to prevent you that you need to block our access. Also, all ports are closed other than the ports that the app opens and closes automatically. Just to help everyone out, that port range is 32768-61000.

If you wish to try without using our server, I would advise you to setup your own server and I will provide a simple Jar that can talk to gmail. You can do this in your own house and then send us instructions on how to hack and if it works, you win.

Also, there are a couple of firewalls in place before the server, we will test your method with the firewalls and without your firewalls and award you full amount if you break with the firewalls. If your instruction leads to a hack without the firewalls, we will award you $1000. If anyone wants to try it this way, let me know and I will reveal the server configuration after the part 1 is over.

Questions?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: Jags2ooo on August 11, 2014, 10:01:45 AM
hack@nuovocard.com

Doesn't reply.  tried on normal email app, and telnet .. nothing


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 10:12:05 AM
hack@nuovocard.com

Doesn't reply.  tried on normal email app, and telnet .. nothing

Yeah...will reply on 15th when the contest starts.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: dKingston on August 11, 2014, 10:15:33 AM
Are you willing to escrow the prize?

First, this is completely legal and there is no threat to anyone hacking as Amazon will not go after them, it's the company who has rented the server that goes after people who hack. In this case, we are the company.


It's not that easy in every country.
In the act of hacking you also use other infrastructure than just your server.

Furthermore:
Who knows you maybe just hacked their email and now start such a contest that others hack their server?

I don't say you guys are bad.
It's just not well prepared to rule out all concerns and problems.
1/3 of the bounty for a lawyer starting that contest and 2/3 as a prize would also have been a good choice.


He already has control of the website. http://www.nuovocard.com/hacking-challenge/


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty)
Post by: neha on August 11, 2014, 10:24:54 AM
Furthermore:
Who knows you maybe just hacked their email and now start such a contest that others hack their server?


The Contest is on our website also. Be rest assured that we are not hacked yet on this forum and also an official press release is going out today.

Are you willing to escrow the prize?

Regarding escrow, Escrow would make sense if we want to hide our identity or if we are an individual. We are a part of a big group. Moreover, the first part of the challenge is $200. Do you want me to put $200 in escrow? Moreover, we will not destroy our reputation for only $3000 when we have a lot more invested in this venture.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - LIVE
Post by: neha on August 14, 2014, 08:12:40 PM
Hello Guys. Just to inform everyone that the contest is now Live. We wish all the testers good luck.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 14, 2014, 08:49:47 PM
$3000 is a lot of money, no doubt someone here is gonna hack your server to pieces ;)

Only thing I don't understand is why you would do this, unless you're a multi-millionaire or 100% confident it won't be hacked. Could hire a security expert for $3000 to make your site rock solid instead.

We hope someone hacks the server and tells us exactly. We have even made it easy for people as if no one is able to find the IP address of the server, we will give it away. Theoretically, if no one finds the IP, they can't hack but in the worst case scenario that someone finds the IP and tries to hack, we are simulating that event by giving away the IP. And of course we are confident and of course we had pen test done and of course to your other comment.

Moreover who says that hackers are not security consultants specially when we can have multiple for only $3000???

Also, shouldn't we do everything possible to ensure that customer funds are always safe with us??? Do you really want another example of a Bitcoin Service getting Hacked?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: howzar on August 14, 2014, 08:55:41 PM
Is it 104.28.3.120 ??


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 14, 2014, 08:58:45 PM
Nope. You are trying to find the IP of the Webserver whereas the contest is about the App Server. They are on completely different networks and they don't communicate with each other.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: cooldgamer on August 14, 2014, 08:59:28 PM
Challenge accepted, been looking for a place to hone my skills :D


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 14, 2014, 09:00:30 PM
Challenge accepted, been looking for a place to hone my skills :D

Awesome, make sure you review the instructions of sending the email and communicating with the server. The only way you can reach the server is to send an email to hack@nuovocard.com with subject as 'transfer' and you will get a Testnet Transaction ID back.

Also, currently we have the server set to check mail every 30 seconds as we don't expect too much traffic. So please wait for 30 seconds to get a reply.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 14, 2014, 09:21:05 PM
Well, I'll give it a shot. I'm not a hacker, but I have lots of experience with MS paint. If a poorly drawn MS paint picture of goatse shows up on your site you know who did it.

Hey, remember the challenge is not to hack the webserver. If you are able to hack the app server...make sure you leave a text file in the home folder with your email address.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: deydod on August 14, 2014, 09:42:30 PM
IP is: 64.233.166.121

Location:
City:   Mountain View
Country:   United States
State: California

Am I right?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 14, 2014, 09:47:21 PM
IP is: 64.233.166.121

Location:
City:   Mountain View
Country:   United States
State: California

Am I right?

Nope. That's Google I think.

Update : Yeah that is google. http://64.233.166.121.ipaddress.com/.

Please check who does the IP belong to before you post. Our server currently is not on Google.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 14, 2014, 10:29:10 PM
Hi Neha, HappY Independence Day :)

You have chosen a great day to kickstart the hackathon. As I understand, u dont want us to find where Nuovocard.com is running, i.e. the web server. U want us to find out the server IP from where the mail is originating. Am I wrong ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: MakeBelieve on August 14, 2014, 10:45:39 PM
Hi Neha, HappY Independence Day :)

You have chosen a great day to kickstart the hackathon. As I understand, u dont want us to find where Nuovocard.com is running, i.e. the web server. U want us to find out the server IP from where the mail is originating. Am I wrong ?

That's what he is asking you to do...I'm going to give this a shot!


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 14, 2014, 10:50:28 PM
Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: cooldgamer on August 14, 2014, 10:52:27 PM
Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?
They are testnet transactions, so you need to use a testnet block explorer

http://blockexplorer.com/testnet/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 14, 2014, 11:00:55 PM
Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?
They are testnet transactions, so you need to use a testnet block explorer

http://blockexplorer.com/testnet/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa

Oops ...sorry. Missed it. Feeling sleepy. By the way, they are most likely using Google server to sign mails, as it appears from the mail header. Can we get IP behind Google ? Most probably no by any known technology, but may be possible by social engineering.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 14, 2014, 11:22:25 PM
nuovocard.com is registered to use Google Apps. The emails are arriving into gmail and their server is SMTP'ing in and getting them.

Only way to get the IP would be to hack their Google Apps account.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: virtualx on August 14, 2014, 11:48:07 PM
Is it 10.229.74.74 ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 07:30:01 AM
We Wish A Happy Independence Day to all Indians.

Is it 10.229.74.74 ?

Nope. I'll give a hint, the IP Address ends with 13.

nuovocard.com is registered to use Google Apps. The emails are arriving into gmail and their server is SMTP'ing in and getting them.

Only way to get the IP would be to hack their Google Apps account.
If that's what it takes, please try that too.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 11:35:21 AM
I cannot view the transaction in the testnet blockchain explorer.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 11:41:53 AM
I cannot view the transaction in the testnet blockchain explorer.

http://tbtc.blockr.io/tx/info/0077907e9eee7a211de25feef9997ba0c348b8aee85319f7c541ce635757bad4


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 11:42:17 AM
I cannot view the transaction in the testnet blockchain explorer.

http://tbtc.blockr.io/tx/info/0077907e9eee7a211de25feef9997ba0c348b8aee85319f7c541ce635757bad4

thx ;)


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 11:56:07 AM
Is your server located by hetzner ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 11:58:02 AM
Nope...amazon. Already disclosed that earlier.

All the best.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 12:27:01 PM
Can you please send me the jar file of your application ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 12:33:05 PM
Can you please send me the jar file of your application ?

There is still time for that part of the contest. There are at least 23 people trying and it won't be fair to them. Also, I have discussed with the team and jar won't be necessary. We will post the instructions and server config later and you would be able to simulate our server. Let's give everyone the time promised. Who knows, someone might just hack our email address ;) and get the IP.

You would not believe this but earlier this whole system was designed using a Web Interface with app and everything and then everything was scrapped by my partner as he thought that whatever we do, we cannot be as safe as Google and so he made us do everything again just to keep security as the highest concern. Moreover, he found 2fa on phone apps too cumbersome. I guess that's why most companies don't have 2fa on their mobile apps.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 05:22:05 PM
Tor is used with Bitcoind.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 15, 2014, 05:41:40 PM
Can you please send me the jar file of your application ?

There is still time for that part of the contest. There are at least 23 people trying and it won't be fair to them. Also, I have discussed with the team and jar won't be necessary. We will post the instructions and server config later and you would be able to simulate our server. Let's give everyone the time promised. Who knows, someone might just hack our email address ;) and get the IP.

You would not believe this but earlier this whole system was designed using a Web Interface with app and everything and then everything was scrapped by my partner as he thought that whatever we do, we cannot be as safe as Google and so he made us do everything again just to keep security as the highest concern. Moreover, he found 2fa on phone apps too cumbersome. I guess that's why most companies don't have 2fa on their mobile apps.

Partner: Ramesh Saho ? Is he at Rajasthan ? 


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 05:51:28 PM
Partner: Ramesh Saho ? Is he at Rajasthan ? 

He is not a partner and he is from Bhubaneswar itself.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: TheNewAnon135246 on August 15, 2014, 05:51:37 PM
IP address: 104.28.2.120
Server Location: United States
ISP: CloudFlare

Ramesh Saho
Nuovocard International
The Cosmopolis Near NH-5
Bhubaneswar, Orissa 750103
INDIA
Telephone: 91969***** (I censored the telephone number).


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 05:52:39 PM
IP address: 104.28.2.120
Server Location: United States
ISP: CloudFlare

Ramesh Saho
Nuovocard International
The Cosmopolis Near NH-5
Bhubaneswar, Orissa 750103
INDIA
Telephone: 91969***** (I censored the telephone number).

That's the WEB SERVER. That's not what we are after. We've been through this already...

Not only that, you didn't even realize that Cloudflare is a CDN, so that's not even the IP of the webserver.

What we need to find out is the IP of the server that is logging into Google Apps and pushing out those emails. They have cleaned the email headers, so the only way (well there are potentially others) to find it out is to hack their GApps account. They already told us the IP ends with 13 too.
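
The header-cleaning point above, seen from the sender's side as an added example (not part of the original post and not Nuovocard's code): an audit of what the first-hop `Received` line and `X-Originating-IP` of an outgoing message disclose, with each address classed as loopback, RFC 1918 or routable. The three messages, their host names and the 203.0.113.13 / 198.51.100.7 addresses are constructed for the example; 10.4.16.13 is one of the private-range guesses posted in this thread.

```python
import ipaddress
import re
from email import message_from_string

# Private ranges listed explicitly; everything else that is not loopback
# is reported as routable (this keeps documentation ranges "routable").
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def classify(addr):
    """Return 'loopback', 'rfc1918' or 'routable' for an IPv4 string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "routable"


def addresses_in(value):
    """Extract syntactically valid IPv4 addresses from a header value."""
    found = []
    for candidate in IPV4.findall(value):
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 or a dotted version string
        found.append(candidate)
    return found


def origin_disclosure(raw_message):
    """List (header, address, class) for headers that describe the first hop."""
    msg = message_from_string(raw_message)
    findings = []
    received = msg.get_all("Received") or []
    if received:
        # Each relay prepends its Received line, so the last one in the
        # message is the hop closest to the submitting host.
        for ip in addresses_in(received[-1]):
            findings.append(("Received", ip, classify(ip)))
    for value in msg.get_all("X-Originating-IP") or []:
        for ip in addresses_in(value):
            findings.append(("X-Originating-IP", ip, classify(ip)))
    return findings


def leaks_origin(raw_message):
    """True when a routable first-hop address is visible to the recipient."""
    return any(kind == "routable"
               for _, _, kind in origin_disclosure(raw_message))


def _message(*header_lines):
    return "\n".join(header_lines) + "\n\nconstructed body\n"


# Constructed: the submitting host's address survives in two headers.
LEAKY = _message(
    "Received: from mx.example.net (mx.example.net [198.51.100.7])",
    "\tby mail.example.org with ESMTPS id abc123;",
    "\tFri, 15 Aug 2014 12:00:05 +0000",
    "Received: from appserver (unknown [203.0.113.13])",
    "\tby smtp.example.net with ESMTPSA id def456;",
    "\tFri, 15 Aug 2014 12:00:01 +0000",
    "X-Originating-IP: [203.0.113.13]",
    "From: sender@example.com",
    "Subject: Re: Transfer",
)

# Constructed: the provider records the first hop without a client address.
CLEANED = _message(
    "Received: by relay.example.net with HTTP id ghi789;",
    "\tFri, 15 Aug 2014 12:00:01 +0000",
    "From: sender@example.com",
    "Subject: Re: Transfer",
)

# Constructed: only an internal address is visible, which locates nothing
# on the public internet.
INTERNAL = _message(
    "Received: from app (ip-10-4-16-13.internal [10.4.16.13])",
    "\tby smtp.example.net with ESMTPSA id jkl012;",
    "\tFri, 15 Aug 2014 12:00:01 +0000",
    "From: sender@example.com",
    "Subject: Re: Transfer",
)

if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("CLEANED", CLEANED),
                      ("INTERNAL", INTERNAL)):
        print(name, leaks_origin(raw), origin_disclosure(raw))
```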


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 05:58:15 PM
IP address: 104.28.2.120
Server Location: United States
ISP: CloudFlare

Ramesh Saho
Nuovocard International
The Cosmopolis Near NH-5
Bhubaneswar, Orissa 750103
INDIA
Telephone: 91969***** (I censored the telephone number).

That's the WEB SERVER. That's not what we are after. We've been through this already...

Not only that, you didn't even realize that Cloudflare is a CDN, so that's not even the IP of the webserver.

What we need to find out is the IP of the server that is logging into Google Apps and pushing out those emails. They have cleaned the email headers, so the only way (well there are potentially others) to find it out is to hack their GApps account. They already told us the IP ends with 13 too.

IP Ends with 13 and thanks for pointing the above out. Also, if we were to use TOR with java apps, it would have become impossible to find even if you would have hacked into our gapps account. By impossible, I mean would cost way more than the return.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 06:00:02 PM
Does the server running bitcoind listen on port 8333?

Also someone could potentially run a couple of Tor nodes and find out which amazon IPs connect to them that end in 13, I would doubt there are many.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: vit1988 on August 15, 2014, 06:05:19 PM
Nope. I'll give a hint, the IP Address ends with 13.

10.4.16.13 or 192.168.0.13

Does it even have a public IP? And if so, why does it have one if the architecture is designed to not expose it anyways?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 06:08:10 PM
I know you said it ends in 13, but was that a trick question? Is it xxx.xxx.xxx.13 Or xxx.xxx.xxx.x13?

Does it even have a public IP? And if so, why does it have one if the architecture is designed to not expose it anyways?

How would it talk to Google Apps without a public IP?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 06:10:36 PM
Does the server running bitcoind listen on port 8333?

Also someone could potentially run a couple of Tor nodes and find out which amazon IPs connect to them that end in 13, I would doubt there are many.

That's actually a brilliant idea considering I told you the last two digits.

Also, about your 8333, technically I think it's 18332 but that's irrelevant with TOR. Giving you 2 outputs from netstat below:-

tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

Hope this helps somehow.

Nope. I'll give a hint, the IP Address ends with 13.

10.4.16.13 or 192.168.0.13

Does it even have a public IP? And if so, why does it have one if the architecture is designed to not expose it anyways?

Of course it has a public IP otherwise how else would it talk to the bitcoin network and check emails and how else will we connect to it if we need to?

I know you said it ends in 13, but was that a trick question? Is it xxx.xxx.xxx.13 Or xxx.xxx.xxx.x13?

Here is my guess:
54.194.115.213

Does it even have a public IP? And if so, why does it have one if the architecture is designed to not expose it anyways?

How would it talk to Google Apps without a public IP?
Nope, that's not the IP.
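
The two netstat lines in the post above show a local client talking to the Tor SOCKS port 9050. As an added example (not part of the original post and not Nuovocard's tooling), this is an operator-side check over `netstat -tnp` style output that separates processes reaching the network through the local proxy from processes that connect out directly and therefore expose the host's own address to the remote peer. `PAGE_LINES` is copied from the post; `SAMPLE`, with its PID/program column, process names and addresses, is constructed.

```python
import ipaddress


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon (also handles '::1:9050')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved host name: treat it as remote


def parse_netstat(text):
    """Parse tcp rows; the PID/program column is optional."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line, blank line or non-TCP socket
        program = fields[6].split("/", 1)[-1] if len(fields) > 6 else "?"
        rows.append({
            "local": fields[3],
            "foreign": fields[4],
            "state": fields[5],
            "program": program,
        })
    return rows


def socks_clients(text, socks_port="9050"):
    """Connections whose remote end is the local SOCKS listener."""
    clients = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if (row["state"] == "ESTABLISHED" and is_loopback(host)
                and port == socks_port):
            clients.append((row["program"], row["local"]))
    return clients


def direct_egress(text, proxy_program="tor"):
    """Established connections to remote peers made by anything but the proxy."""
    direct = []
    for row in parse_netstat(text):
        host, _ = split_endpoint(row["foreign"])
        if (row["state"] == "ESTABLISHED" and not is_loopback(host)
                and row["program"] != proxy_program):
            direct.append((row["program"], row["foreign"]))
    return direct


# The two lines quoted in the post (no PID/program column).
PAGE_LINES = """\
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED
"""

# Constructed sample: the wallet daemon is proxied, the mail-polling
# application connects out on its own.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 127.0.0.1:9050          127.0.0.1:38319         ESTABLISHED 1201/tor
tcp        0      0 127.0.0.1:38319         127.0.0.1:9050          ESTABLISHED 1310/bitcoind
tcp        0      0 10.0.0.5:40112          198.51.100.20:9001      ESTABLISHED 1201/tor
tcp        0      0 10.0.0.5:51544          203.0.113.25:443        ESTABLISHED 1422/java
"""

if __name__ == "__main__":
    print("via SOCKS:", socks_clients(SAMPLE))
    print("direct   :", direct_egress(SAMPLE))
```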


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 06:22:49 PM
I guess we need a team to do this ... IRC ? ^^

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: vit1988 on August 15, 2014, 06:23:39 PM
Of course it has a public IP otherwise how else would it talk to the bitcoin network and check emails and how else will we connect to it if we need to?

Internal network, vpn, relays, proxies, firewalls, you name it...


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Equinoxx on August 15, 2014, 06:25:51 PM
62.115.13.13


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 15, 2014, 06:26:05 PM
Does the server running bitcoind listen on port 8333?

Also someone could potentially run a couple of Tor nodes and find out which amazon IPs connect to them that end in 13, I would doubt there are many.

Can there be a way to decrypt it ? Anyone ?

Code:
584262684250-52kri9btcso7bk6ohs3u8j0ur8dicmf4.apps.googleusercontent.com


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 06:33:20 PM
Does the server running bitcoind listen on port 8333?

Also someone could potentially run a couple of Tor nodes and find out which amazon IPs connect to them that end in 13, I would doubt there are many.

Can there be a way to decrypt it ? Anyone ?

Code:
584262684250-52kri9btcso7bk6ohs3u8j0ur8dicmf4.apps.googleusercontent.com

Resolves to:

de-cix20.net.google.com
------------------------   
80.81.193.108


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 06:33:35 PM
Of course it has a public IP otherwise how else would it talk to the bitcoin network and check emails and how else will we connect to it if we need to?

Internal network, vpn, relays, proxies, firewalls, you name it...

I am not sure if you are familiar with amazon architecture, see below. This will give you an idea (It was two servers, assume one):-

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/security-diagram.png

So there are enough firewalls.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 06:35:09 PM
Of course it has a public IP otherwise how else would it talk to the bitcoin network and check emails and how else will we connect to it if we need to?

Internal network, vpn, relays, proxies, firewalls, you name it...

I am not sure if you are familiar with amazon architecture, see below. This will give you an idea (It was two servers, assume one):-

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/security-diagram.png

So there are enough firewalls.

Does the ip start with 10 ?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: vit1988 on August 15, 2014, 06:38:51 PM
Let's summarise this:

- Webserver is behind cloudflare
- Application server runs bitcoind over tor

- Find the IP challenge is like "find my office in tokyo by sending a letter to my anonymous p/o box in panama which will trigger some street lights in london but"

I'm out.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 06:41:43 PM

Does the ip start with 10 ?

10 is internal network ip.

I guess we need a team to do this ... IRC ? ^^

Regards

Nico

I'd have, if she escrowed 6+ BTC, i.e. the equivalent of 3000 USD at current market rate. Currently I dont feel the charm to hack her because the prize is uncertain. She is giving petty statements of reputation and bla bla. Let her launch and we'll see ;)

Find the IP, I will escrow 2800 instantly. If no one finds the IP, there is no point. It's not like the hard part is over as soon as the IP is discovered. There are 2 layers of firewalls before reaching the server firewall and all the ports are closed.

Let's summarise this:

- Webserver is behind cloudflare
- Application server runs bitcoind over tor

- Find the IP challenge is like "find my office in tokyo by sending a letter to my anonymous p/o box in panama which will trigger some street lights in london but"

I'm out.

I like your analogy but we wouldn't be offering money if it was easy. Moreover, we wouldn't be offering money if we knew for sure that it's one of the most challenging hacks...way more than any other bitcoin service providers currently out there.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 06:44:34 PM
Maybe it helps someone: https://forums.aws.amazon.com/ann.jspa?annID=1701 All Amazon public ip range from 8th Aug. 2014

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 06:53:11 PM
If anyone wants to join #hack_challenge on freenode irc :)

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 07:09:02 PM
Hey guys, I'd recommend you read ALL of Neha's posts. Clearly most of you have missed all the details/hints provided.

BTW it isn't as hard as you guys think. Initially I thought that, but there are PLENTY of ways to get the IP of that server. You can do it by gaining access to GApps (I don't think it uses Tor to fetch mail), and there are literally hundreds of ways to do that. I have found a number of "potentially dangerous" things that nuovocard has done and I'll disclose them to them privately once I've given up and leave it up to them if they want to post them here in order to help you guys.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 07:21:24 PM
U are telling the hacker what route he'll take to hack u ? Your request is not to hack the web server, but the app server and that is also by finding IP ? :D

Your whois details are not yet protected :P

Let us know once u gather some money from your customer. U'll see the real hunters then. Good Luck ;)

Yeah that is one thing I found funny. OP seems to think we actually need the IP to hack the server when we really don't. That is not how most modern hackers work.

I don't know if he'll pay up or not, I doubt he will tbh. The owner's PayPal account is permanently suspended (not frozen, suspended indicates breach of TOS), I wonder why... But that doesn't make it less fun. Not everything is about money.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 07:29:08 PM
Who said the Whois details are for our office and which Paypal account is suspended??? Please share.

Moreover, finding us is not difficult at all(Read the About Us).


I guess we need a team to do this ... IRC ? ^^

Regards

Nico

I'd have, if she escrowed 6+ BTC, i.e. the equivalent of 3000 USD at current market rate. Currently I don't feel the charm to hack her because the prize is uncertain. She is giving petty statements of reputation and bla bla. Let her launch and we'll see ;)

Find the IP, I will escrow 2800 instantly. If no one finds the IP, there is no point. It's not like the hard part is over as soon as the IP is discovered. There are 2 layers of firewalls before reaching the server firewall and all the ports are closed.


U are telling the hacker what route he'll take to hack u ? Your request is not to hack the web server, but the app server and that is also by finding IP ? :D

Your whois details are not yet protected :P

Let us know once u gather some money from your customer. U'll see the real hunters then. Good Luck ;)

You can't even find the IP right now....forget find, guess it. I gave the last two digits so that every second someone doesn't post and did I ever say that this server is the actual server?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 07:36:26 PM
Who said the Whois details are for our office and which Paypal account is suspended??? Please share.

Moreover, finding us is not difficult at all(Read the About Us).

The problem with the WHOIS issue is that everyone knows that the email address for your GoDaddy account is: harshjaiswal@gmail.com

Additionally when transferring a domain to another registrar it sends the verification email to that address, so if someone compromises your EPP code (or if you were using a registrar that didn't use EPP) then they'd be able to transfer away the domain by hacking that email account.

So the main problem is if that account gets compromised they can steal your domain, or reset your Gapps account by verifying ownership using the DNS method.

The PayPal account for: harshjaiswal@gmail.com is the one that is suspended:

http://i58.tinypic.com/1041an5.png

PS. If you know what you are doing you can trick PayPal into giving you information on the account holder (such as last 4 digits of your credit card which can be used to reset accounts for Apple and other services). That's why I was poking around in there, sorry! They didn't give me any information anyway.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 07:46:56 PM
Interesting. That account is like 11 years old I think, but anyways good find. FYI, the GoDaddy account is not that one and the actual PayPal account works just fine.

And ya to remove confusion, I'll get the privacy added tomorrow.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 15, 2014, 07:52:58 PM
Interesting. That account is like 11 years old I think, but anyways good find. FYI, the GoDaddy account is not that one and the actual PayPal account works just fine.

And ya to remove confusion, I'll get the privacy added tomorrow.

Adding privacy won't work anymore. The information is already out in the open.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 07:55:35 PM

Can I guess more than one?

You can guess as many as you want but you have to say how you got it if you got it right. You can't just list all the possible IPs of Amazon and say it's one of them.

Interesting. That account is like 11 years old I think, but anyways good find. FYI, the GoDaddy account is not that one and the actual PayPal account works just fine.

And ya to remove confusion, I'll get the privacy added tomorrow.

Adding privacy won't work anymore. The information is already out in the open.

Yeah but that's not the right info. That's the info of our PR guy. Won't help anyone. Moreover, it's not like we won't give our office address or phone numbers to concerned people. In a business you can't really hide your place of work.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: ForgottenPassword on August 15, 2014, 08:17:03 PM
Part 1 with 1698 entries of a global ipv4 scan of the complete ipv4 space of all currently available online servers worldwide that are listening on port 18333 right at the moment
http://dustri.org/p/47d511
(Paste will be deleted after 1 week automatically for privacy reasons)
Part 2 should be ready soon after the scan is complete. So if your ip ends with 13 and is listening on port 18333 the chances are not that bad.

Um... the guy already said that he was using bitcoind over tor. I was planning to do what you did, but that won't work. The server does not listen on any port according to the OP. Additionally the default bitcoind listening port is 8333 not 18333.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 08:18:27 PM
Part 1 with 1698 entries of a global ipv4 scan of the complete ipv4 space of all currently available online servers worldwide that are listening on port 18333 right at the moment
http://dustri.org/p/47d511
(Paste will be deleted after 1 week automatically for privacy reasons)
Part 2 should be ready soon after the scan is complete. So if your ip ends with 13 and is listening on port 18333 the chances are not that bad.

Guys I highly suggest you read what I have written. I have given enough hints till now and now I am not going to correct anyone as that also seems a waste to a lot of you. Last advice - read what I have written so you don't waste your time.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 08:22:32 PM
Part 1 with 1698 entries of a global ipv4 scan of the complete ipv4 space of all currently available online servers worldwide that are listening on port 18333 right at the moment
http://dustri.org/p/47d511
(Paste will be deleted after 1 week automatically for privacy reasons)
Part 2 should be ready soon after the scan is complete. So if your ip ends with 13 and is listening on port 18333 the chances are not that bad.

Guys I highly suggest you read what I have written. I have given enough hints till now and now I am not going to correct anyone as that also seems a waste to a lot of you. Last advice - read what I have written so you don't waste your time.

If I understood it right, you wrote that the IP isn't findable at the moment?!


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 08:27:08 PM
Man, I even gave you guys a netstat example. If you know TOR, you should know default port is 9050. and bitcoind listens to 9050 and that 9050 listens to something else. How will you guys find it if you can't understand something that is already given???

Anyways, done for the night. All replies tomorrow.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 08:31:47 PM
Is 184.169.16.113 the ip ?

Is on amazon (should)
Has open testnet port
Has open tor port


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: virtualx on August 15, 2014, 08:35:22 PM
don't have much time, so I'll just guess .. the probability is higher than zero when you guess  :D
184.169.16.13


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 08:36:40 PM
LoL just used from: http://dustri.org/p/47d511 Gitju and https://forums.aws.amazon.com/ann.jspa?annID=1701 and used CTRL+F and copy & paste ;)

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 15, 2014, 08:37:21 PM
Nope.

Latest netstat example:-
tcp        0      0 localhost:9050          localhost:47342         ESTABLISHED
tcp        0      0 localhost:46330         localhost:9050          ESTABLISHED
tcp        0      0 localhost:47342         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:46330         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

Hope this helps.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 08:50:42 PM
Nope.

Latest netstat example:-
tcp        0      0 localhost:9050          localhost:47342         ESTABLISHED
tcp        0      0 localhost:46330         localhost:9050          ESTABLISHED
tcp        0      0 localhost:47342         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:46330         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

Hope this helps.

Will see it ;)


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: BitCoinDream on August 15, 2014, 08:57:50 PM
Nope.

Latest netstat example:-
tcp        0      0 localhost:9050          localhost:47342         ESTABLISHED
tcp        0      0 localhost:46330         localhost:9050          ESTABLISHED
tcp        0      0 localhost:47342         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:46330         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

Hope this helps.

Get off to sleep Neha. It must be midnight at your end :)


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 15, 2014, 09:16:51 PM
Only to make sure your application server which should get hacked is located at Amazon =?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: vit1988 on August 16, 2014, 12:32:54 AM
Man, I even gave you guys a netstat example. If you know TOR, you should know default port is 9050. and bitcoind listens to 9050 and that 9050 listens to something else. How will you guys find it if you can't understand something that is already given???

My curiosity brought me back... can't wait to see the solution on how to utilize these "already given" facts. Or is the bitcoind publicly listening on 9050 and all we are supposed to do is portscan the amazon network to find a bitcoind on port 9050?

Your netstat only reveals that what happens on localhost stays on localhost 8)

I'm not a tor expert but isn't the idea of a hidden tor service to be hidden? And any way to trace a hidden service would be a serious major flaw in tor?



Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 03:39:20 AM

U are telling the hacker what route he'll take to hack u ? Your request is not to hack the web server, but the app server and that is also by finding IP ? :D

Your whois details are not yet protected :P

Let us know once u gather some money from your customer. U'll see the real hunters then. Good Luck ;)

Comment from my partner :

"The whois details are designed to be displayed but the domain transfer is locked and the DNS is maintained by cloudflare. Nothing can be done on that aspect. The idea to leave it open was that we will be adding further business information instead of making it private.

Further, this whole hacking challenge has been designed around an assumption that some senior level staff member tries to hack into the server in future who got to see the IP address of the server on our computers. Otherwise, if we didn't give the IP, this hacking challenge would not go any further because hacking into gmail would take quite some time assuming it's even possible. Moreover, good luck trying to transfer funds out of our wallet when the actual server is up as the wallet will be locked and the key will be in RAM and not stored anywhere. Same goes for the encryption key too.

Like everyone is already noticing, there is almost no way to find the IP but because we don't know everything, we figured one of you will be able to find a way and this is the reason we are trying to help as much as we can."

Only to make sure your application server which should get hacked is located at Amazon =?

Yes it is on Amazon.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: NLNico on August 16, 2014, 04:21:59 AM
I assume in theory there are currently 3 ways to find the IP:

1. Through the e-mails, but obviously we "cannot".
2. Connect to as many bitcoin (testnet) nodes as possible and see who relays the transaction as first. But I guess this is not possible because you guys use bitcoin through TOR.
3. Guess which server :) Considering you know: 1) it's from Amazon 2) we know exactly which ports are open 3) we know the (test) IP ends with .13 - we have some parameters to search on, but still it will be a long lucky search, I guess :P And the production application server would be basically 256 times more difficult.


To be honest I was more interested in that mobile phone app.. I assume that also has to communicate to the application server (through that Java app I guess)? Or we will just get more info about that in "the second part"?


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 04:29:39 AM
I assume in theory there are currently 3 ways to find the IP:

1. Through the e-mails, but obviously we "cannot".
2. Connect to as many bitcoin (testnet) nodes as possible and see who relays the transaction as first. But I guess this is not possible because you guys use bitcoin through TOR.
3. Guess which server :) Considering you know: 1) it's from Amazon 2) we know exactly which ports are open 3) we know the (test) IP ends with .13 - we have some parameters to search on, but still it will be a long lucky search, I guess :P And the production application server would be basically 256 times more difficult.


To be honest I was more interested in that mobile phone app.. I assume that also has to communicate to the application server (through that Java app I guess)? Or we will just get more info about that in "the second part"?

That aspect of testing will be in the next bounty. Nothing goes inside the app server without an email or without the server itself going and fetching data. After this challenge is over, we will go for the bug finding challenge but the bounties will be less as it will be only for bugs and then maybe another challenge to hack the webserver.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: seoincorporation on August 16, 2014, 05:18:43 AM
I have fun with this.

First I got the IPs from Amazon:

Then I use this code to make a big IP database by range:

Code:
#!/bin/bash
# Print every address in 79.125.0.0 - 79.125.127.255 whose last octet is
# 13, 113 or 213, and append the same lines to list1.txt.
for a in $(seq 79 79); do
  for b in $(seq 125 125); do
    for c in $(seq 0 127); do
      for d in 13 113 213; do
        # tee -a shows the address and appends it to the list file
        echo "$a.$b.$c.$d" | tee -a list1.txt
      done
    done
  done
done

With that I got 90,000 IPs... *.*.*.13, *.*.*.113, *.*.*.213

To find up/down servers I use "Angry IP Scanner"...

And I found 13,500 IPs of servers that are up...

If I discard the *.compute.amazonaws.com IPs, I get 1,519 IPs.

The problem is, if I make a scan of those 1,519 IPs searching for port 9050, I don't find any IP with that port open.

I made a scan of the 13,500 IPs, and they don't have a TOR service with port 9050 open.

I really enjoy this challenge, but the info you gave us is incorrect. I got all the Amazon IPs ending with 13, 113, 213, and it doesn't use TOR. Maybe my Angry IP Scanner fails with that port. But I can publish that IP list, and if your server has an Amazon IP, it must be on the list.

This is how to find the ip.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 06:15:56 AM
Bitcoin connects to TOR on ip 9050. TOR connects 9050 to its network using higher ports. see:-

tcp        0      0 localhost:9050          localhost:47342         ESTABLISHED
tcp        0      0 localhost:46330         localhost:9050          ESTABLISHED
tcp        0      0 localhost:47342         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:46330         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

9050 - 47342 ; 47342 - 9050

Thus it's not the 9050 that you should be looking for, it should be higher ports. Firewall will block 9050 but not the higher port.

Current netstat (This is of course not the complete list). I really don't know if these ports can be scanned.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:49210         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:49210         ESTABLISHED
tcp        0      0 localhost:50715         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:50715         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED

There could furthermore be other special actions taken, like the application server is behind a firewall and directly connected with one special tor entry node that was extra setup for this purpose and their application server just communicates with this one special tor entry node and their firewall blocks all other external accesses that do not come from their tor entry node.

This would work for us but we intend to get a new IP every so many hours/days. If there was one particular TOR node that we connect to, it would become a little easier to trace. Regarding the java app, it doesn't use TOR as the bandwidth requirement is huge. Consider checking email and replying in less than a second forever. It won't be beneficial to burden the TOR network with useless bandwidth when only google will be able to see the IP.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Benjig on August 16, 2014, 06:28:24 AM
Just post or write this on the anonymous irc channel and you will get your site down in a matter of hours/ minutes..


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 06:56:12 AM
Just post or write this on the anonymous irc channel and you will get your site down in a matter of hours/ minutes..
I don't know which channel but if you post it for me, I'll give you 10$ (Paypal). Max 2 members in 2 separate IRCs.

Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 08:08:49 AM
I posted it on AnonOps irc #hacker.
The more work on it the better.
I got an idea on how to get the ip and will try it.
Then this competition will end for me as the second part can't be done in my country without a written legitimacy.

Don't worry. Will tell you exactly how to configure the server locally and test it. This way you can try, and let us know the steps and we will perform it.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: neha on August 16, 2014, 10:33:39 AM
One of my servers was actually shut down for doing penetration tests on getting the ip.
So everybody should think about if even this is possible to try or allowed.

In light of the above happening, I would be releasing the IP tomorrow so that you don't have to go and search for the IP and maybe attack other servers. Will be releasing the IP tomorrow around the same time and would consider that everyone is informed by then.

I would also like to modify the challenge a little bit to prevent this from happening again.

1. Please submit your IP to become a part of the next phase. You will only perform the test from that IP and now the hack will be a closed event. The IP will only be released to the group of people who submit their IP addresses.
2. Maximum number of threads/connections to the server should be 1 per IP.

If someone can come up with other rules, please advise me and I will add.

Sorry to Gitju for the trouble.

Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - NOW LIVE
Post by: Nico205 on August 16, 2014, 10:35:43 AM
I posted it on AnonOps irc #hacker.
The more work on it the better.
I got an idea on how to get the ip and will try it.
Then this competition will end for me as the second part can't be done in my country without a written legitimacy.

Don't worry. Will tell you exactly how to configure the server locally and test it. This way you can try, and let us know the steps and we will perform it.

One of my servers was actually shut down for doing penetration tests on getting the ip.
So everybody should think about if even this is possible to try or allowed.

Same here ;(


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 10:42:33 AM
Guys, whoever wants to be a part of the next phase, please submit the IP address from where you will be performing the test to ensure that this doesn't happen to anyone anymore.

Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: Nico205 on August 16, 2014, 10:48:56 AM
I've tried to scan all IPs where port 9050 is open. But under German law it isn't allowed to hack a server. How can I take part in the challenge if the law doesn't allow me that?

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 10:52:20 AM
I've tried to scan all IPs where port 9050 is open. But under German law it isn't allowed to hack a server. How can I take part in the challenge if the law doesn't allow me that?

Regards

Nico

Sign a pen test agreement with us.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 11:12:55 AM
Sign up for a free server at Amazon. I am assuming and we will get the IPs approved by Amazon. I would then the German Laws won't apply and neither we nor Amazon will complain.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: ForgottenPassword on August 16, 2014, 11:33:12 AM
I've tried to scan all IPs where port 9050 is open. But under German law it isn't allowed to hack a server. How can I take part in the challenge if the law doesn't allow me that?

Regards

Nico

You guys are misunderstanding.

The server DOES NOT LISTEN on port 9050. This is the Tor port that APPLICATIONS on the server use to connect each other. It is something that happens only locally. You will not find the server doing this.
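
The point made in the post above, checked against the netstat output neha posted earlier in the thread, as an added example that is not part of the original thread: every row is one end of a loopback connection to Tor's SOCKS port, so the six rows are three local sessions and nothing an outside scan could see. The two listener tables are constructed sample data, and the function names are this example's own.

```python
import ipaddress

SOCKS_PORT = 9050  # Tor's default SocksPort, bound to localhost by default

# Copied from the thread (neha, August 16, 2014, 06:15:56 AM).
THREAD_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:49210         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:49210         ESTABLISHED
tcp        0      0 localhost:50715         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:50715         ESTABLISHED
tcp        0      0 localhost:9050          localhost:38319         ESTABLISHED
tcp        0      0 localhost:38319         localhost:9050          ESTABLISHED
"""

# Constructed listener tables (netstat -ltn style), not from the thread.
LISTEN_LOOPBACK = """\
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
LISTEN_EXPOSED = """\
tcp        0      0 0.0.0.0:9050            0.0.0.0:*               LISTEN
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_netstat(text):
    """Return one dict per TCP row, skipping banner and header lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        rows.append({
            "local": split_endpoint(fields[3]),
            "remote": split_endpoint(fields[4]),
            "state": fields[5],
        })
    return rows


def socks_sessions(rows, port=SOCKS_PORT):
    """Collapse the two rows netstat prints per loopback connection.

    A connection between two sockets on the same host shows up once from
    each side, so rows are grouped by their unordered endpoint pair.
    """
    sessions = {}
    for row in rows:
        (lhost, lport), (rhost, rport) = row["local"], row["remote"]
        if row["state"] != "ESTABLISHED" or port not in (lport, rport):
            continue
        key = frozenset([row["local"], row["remote"]])
        # The client is whichever end is not the SOCKS port.
        client = row["local"] if rport == port else row["remote"]
        info = sessions.setdefault(
            key, {"client": client, "rows": 0, "local_only": True})
        info["rows"] += 1
        info["local_only"] &= is_loopback(lhost) and is_loopback(rhost)
    return list(sessions.values())


def exposed_listeners(rows, port=SOCKS_PORT):
    """Listeners on the SOCKS port bound to a non-loopback address."""
    return [r["local"] for r in rows
            if r["state"] == "LISTEN"
            and r["local"][1] == port
            and not is_loopback(r["local"][0])]


if __name__ == "__main__":
    for s in socks_sessions(parse_netstat(THREAD_NETSTAT)):
        print("local client port", s["client"][1], "-> SOCKS", SOCKS_PORT,
              "| rows:", s["rows"], "| loopback only:", s["local_only"])
    print("exposed (loopback table):",
          exposed_listeners(parse_netstat(LISTEN_LOOPBACK)))
    print("exposed (misbound table):",
          exposed_listeners(parse_netstat(LISTEN_EXPOSED)))
```

The ephemeral ports in the thread's output are the client ends of local applications talking to the SOCKS port; the check worth running on a host like this is the second one, which flags a SOCKS listener bound to anything other than loopback.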


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: ForgottenPassword on August 16, 2014, 11:35:31 AM
I've tried to scan all IPs where port 9050 is open. But under German law it isn't allowed to hack a server. How can I take part in the challenge if the law doesn't allow me that?

Regards

Nico

Just so you know, it is technically illegal to possess "hacking tools" in Germany. That includes port scanning tools. This was a problem for the developers of Nmap as they were German.

https://www.schneier.com/blog/archives/2007/08/new_german_hack.html

Quite a stupid law if you ask me considering most hacks are carried out using an unmodified browser (things like SQL injection, XSS etc). I don't think you can take part unless maybe if you get the train to Belgium/Holland or another country and do it there  ;D


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 11:43:03 AM
Guys, I think we should move onto phase 2 as I don't think you will be able to find the IP. Tomorrow, around this time I will give the IP but it will be distributed on the condition that you agree to use a single connection thread to the server. Also, the IP won't be publicly disclosed. Please send me a PM if you want to be part of the next phase. However, you will be free to discuss all your results except the IP publicly and the status will be changed to PRIVATE from HALTED upon releasing the IP.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 02:44:25 PM
Your IP must be on this list:


From 90,000 IPs to 130, I was ready to check these servers one by one, but you changed the game rules.

Sorry, I can't join the next part of the contest for 2 reasons: 1. I have a dynamic IP, 2. I don't trust people who change the game rules.

Game over for me.

It was fun and I wish you good luck with that project; a bitcoin debit card is an awesome idea.

 ;)


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 02:54:23 PM
Your IP must be on this list:


From 90,000 IPs to 130, I was ready to check these servers one by one, but you changed the game rules.

Sorry, I can't join the next part of the contest for 2 reasons: 1. I have a dynamic IP, 2. I don't trust people who change the game rules.

Game over for me.

It was fun and I wish you good luck with that project; a bitcoin debit card is an awesome idea.

 ;)

It's still on till tomorrow. And you don't need to give your IP, but you do need to send me a PM if you want to do Phase 2 and I'll send you the IP.

Also, changed the rule because people got into problems. Moreover, the IP is not in your list.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 03:06:21 PM
Hi, is the IP on this list?

http://m.uploadedit.com/b038/1408201498660.txt



Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 03:10:58 PM
Hi, is the IP on this list?

http://m.uploadedit.com/b038/1408201498660.txt



This is gonna make things fairly easy I guess but no, the IP is not on your list.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 03:40:13 PM
Well, that list is all IPs ending with 13 from Amazon servers that are up.

If your IP is not there, I don't know where it is.

But at last we are searching for the IP with the info you gave us:

· IP ends with 13
· IP is on Amazon

And with that info we started searching. And now when I show you the list of all servers you say your server is not there, lol.

That list has 13,000 IPs; I have a total of 90,000 IPs, but 77,000 IPs have the server down.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: vit1988 on August 16, 2014, 03:41:53 PM
By law, that's worth nothing without an authorized German notary.
The circumstances do not allow taking part here.

Germans... never use a crosswalk with a red light 'cause it's against the law, even when there is nobody to see them  ;D


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 03:47:23 PM
Well, that list is all IPs ending with 13 from Amazon servers that are up.

If your IP is not there, I don't know where it is.

But at last we are searching for the IP with the info you gave us:

· IP ends with 13
· IP is on Amazon

And with that info we started searching. And now when I show you the list of all servers you say your server is not there, lol.

That list has 13,000 IPs; I have a total of 90,000 IPs, but 77,000 IPs have the server down.


Just because a server doesn't ping, you assume the server is down???

I am seriously advising you to give up because it is actually not possible. The easiest way would be to hack........hack@nuovocard.com. Also, remember you are only doing this for 3k and not 100k. For 3k, it's just not worth it to find the IP, and there will never be more than 3k on the server and, like I said, as soon as someone logs in, the keys will be wiped.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 04:09:33 PM
Well, that list is all IPs ending with 13 from Amazon servers that are up.

If your IP is not there, I don't know where it is.

But at last we are searching for the IP with the info you gave us:

· IP ends with 13
· IP is on Amazon

And with that info we started searching. And now when I show you the list of all servers you say your server is not there, lol.

That list has 13,000 IPs; I have a total of 90,000 IPs, but 77,000 IPs have the server down.


Just because a server doesn't ping, you assume the server is down???

I am seriously advising you to give up because it is actually not possible. The easiest way would be to hack........hack@nuovocard.com. Also, remember you are only doing this for 3k and not 100k. For 3k, it's just not worth it to find the IP, and there will never be more than 3k on the server and, like I said, as soon as someone logs in, the keys will be wiped.

Just to be sure... Is the IP on the next list?

http://m.uploadedit.com/b038/1408205271298.txt


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 04:37:28 PM

Just to be sure... Is the IP on the next list?

http://m.uploadedit.com/b038/1408205271298.txt

YES. You have time until tomorrow. That list is too big. I'll shorten it for all of you. Just remember, without all these hints, I highly doubt you would even get down to these 1999 IPs. Don't go and do a pen test on all the IPs for all the ports, as you will probably get in trouble, and I can guarantee you that a pen test will also not reveal the IP. At least OpenVAS doesn't, because I just performed that today again to confirm.

All the best.




Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 05:22:37 PM
Ports 9050, 46330, 47342, 38319, are closed on that IP list :-\


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 05:40:46 PM
Ports 9050, 46330, 47342, 38319, are closed on that IP list :-\

Latest Netstat:-

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:9050          localhost:59007         ESTABLISHED
tcp        0      0 localhost:59007         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:58998         ESTABLISHED
tcp        0      0 localhost:18332         localhost:54527         TIME_WAIT
tcp        0      0 localhost:58998         localhost:9050          ESTABLISHED
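
The listing above also answers the port-scan question quoted at the top of this post: every socket has `localhost` on both ends, so none of these ports is reachable from outside the host. The following parser is an added example, not code from the thread. It pairs up the two ends of each loopback connection and separates service ports from ephemeral client ports, assuming the Linux default ephemeral range that starts at 32768; the extra non-loopback line is constructed for contrast.

```python
import ipaddress
from collections import Counter

# Copied from the netstat listing posted in the thread.
NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:9050          localhost:59007         ESTABLISHED
tcp        0      0 localhost:59007         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:58998         ESTABLISHED
tcp        0      0 localhost:18332         localhost:54527         TIME_WAIT
tcp        0      0 localhost:58998         localhost:9050          ESTABLISHED
"""

# Constructed line (not from the thread): what an externally visible
# connection would look like in the same output.
CONSTRUCTED_EXTERNAL = (
    "tcp        0      0 10.0.0.5:22             198.51.100.7:51514      ESTABLISHED\n"
)

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}
EPHEMERAL_START = 32768  # assumption: Linux default ip_local_port_range


def is_loopback(host):
    """True for loopback names and for 127.0.0.0/8 or ::1 literals."""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # some other hostname: treat it as non-loopback


def split_endpoint(endpoint):
    """Split 'host:port'; the port stays a string if netstat printed a name."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else port


def is_service_port(port):
    # A named port or one below the ephemeral range is the listening side.
    return isinstance(port, str) or port < EPHEMERAL_START


def analyse(text):
    """Summarise TCP rows: loopback connections, service ports, external rows."""
    connections = {}
    external = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # header lines and anything that is not a TCP row
        local = split_endpoint(fields[3])
        remote = split_endpoint(fields[4])
        state = fields[5]
        if not (is_loopback(local[0]) and is_loopback(remote[0])):
            external.append((local, remote, state))
            continue
        # Both ends of a loopback connection show up as separate rows;
        # the unordered pair of endpoints identifies the connection once.
        connections[frozenset((local, remote))] = state

    services = Counter()
    for pair in connections:
        for _host, port in pair:
            if is_service_port(port):
                services[port] += 1
    return {
        "loopback_connections": len(connections),
        "service_ports": dict(services),
        "external": external,
    }


if __name__ == "__main__":
    report = analyse(NETSTAT)
    # 9050 is Tor's default SOCKS port and 18332 is bitcoind's default testnet
    # RPC port; the thread itself does not name the services.
    print("loopback connections:", report["loopback_connections"])
    print("service ports (connection count):", report["service_ports"])
    print("rows with a non-loopback end:", report["external"])
    print("with constructed line:", analyse(NETSTAT + CONSTRUCTED_EXTERNAL)["external"])
```

The high-numbered ports in such a listing are the client side of local connections and change with every new connection, so they identify nothing from the outside.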


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: Nico205 on August 16, 2014, 08:38:19 PM
Is it allowed to spam the email: hack@nuovocard.com ?

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: Stery on August 16, 2014, 08:50:15 PM
Really nice contest, someone paying to hack their application server.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: Nico205 on August 16, 2014, 09:01:10 PM
Can you give us the last netstat please?

Regards

Nico


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 16, 2014, 09:03:57 PM
Is it allowed to spam the email: hack@nuovocard.com ?

Regards

Nico

Yes, of course. I am giving you permission to hack this email address; of course you can spam it as much as you like.

Latest netstat:-

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:58623         localhost:9050          ESTABLISHED
tcp        0      0 localhost:9050          localhost:58600         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58605         ESTABLISHED
tcp        0      0 localhost:9050          localhost:58623         ESTABLISHED
tcp        0      0 localhost:58600         localhost:9050          ESTABLISHED
tcp        0      0 localhost:58605         localhost:9050          ESTABLISHED


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: seoincorporation on August 16, 2014, 11:09:00 PM
Something is weird: if those ports are open, why don't I see them when I scan the list of 2000 IPs?

Anyway, I found that on your contact page you don't have a CAPTCHA.
http://www.nuovocard.com/contact-page/

It's important to implement a CAPTCHA there, because with the following iMacros code I can send you an automated contact message:

Code:
TAB T=1
URL GOTO=http://www.nuovocard.com/contact-page/
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:text&&ARIA-INVALID:false&&ARIA-REQUIRED:true&&CLASS:wpcf7-form-control<SP>wpcf7-text<SP>wpcf7-validates-as-required&&SIZE:40&&VALUE:&&NAME:your-name CONTENT=anon
TAG POS=1 TYPE=INPUT:EMAIL FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:email&&ARIA-INVALID:false&&ARIA-REQUIRED:true&&CLASS:wpcf7-form-control<SP>wpcf7-text<SP>wpcf7-email<SP>wpcf7-validates-as-required<SP>wpcf7-validates-as-email&&SIZE:40&&VALUE:&&NAME:your-email CONTENT=anon@anon.com
TAG POS=1 TYPE=INPUT:TEXT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:text&&ARIA-INVALID:false&&CLASS:wpcf7-form-control<SP>wpcf7-text&&SIZE:40&&VALUE:&&NAME:your-subject CONTENT=test
TAG POS=1 TYPE=TEXTAREA FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=ARIA-INVALID:false&&CLASS:wpcf7-form-control<SP>wpcf7-textarea&&ROWS:10&&COLS:40&&NAME:your-message CONTENT=test
TAG POS=1 TYPE=INPUT:SUBMIT FORM=ACTION:/contact-page/#wpcf7-f2566-o1 ATTR=TYPE:submit&&CLASS:wpcf7-form-control<SP>wpcf7-submit&&VALUE:Send

If I use a "while" in that code I can send you more than 1000 messages in less than 5 minutes.

I give up on the IP; if I can't recognize the server from the port, I don't know what I'm searching for.

By the way, congrats, you hide that IP very well.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: hardcode on August 17, 2014, 02:29:43 AM
Why do you only offer an email which interacts with the API? If your mobile app is released and is communicating with your appserver, getting the IP is easy..
If your server IP is only interacting with the API and the bitcoin network, it's not like people will find your server without guessing.

Also, why would you use email? If it's not going to be used anyway in the future...

So confusing, just like the thread and the site content.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Halted
Post by: neha on August 17, 2014, 06:08:32 AM
Something is weird: if those ports are open, why don't I see them when I scan the 2000 IPs list?

If I use a "while" in that code I can send you more than 1000 messages in less than 5 minutes.

I give up on the IP; if I can't recognize the server from the port, I don't know what I'm searching for.

By the way, congrats, you hide that IP very well.

Yeah, the initial pentesting for the site revealed that, but we have not strengthened the security of the webserver yet. Will do it once we get down to the Mobile APIs. Thanks for pointing it out though.

Why do you only offer an email which interacts with the API? If your mobile app is released and is communicating with your appserver, getting the IP is easy..
If your server IP is only interacting with the API and the bitcoin network, it's not like people will find your server without guessing.

Also, why would you use email? If it's not going to be used anyway in the future...

So confusing, just like the thread and the site content.

hardcode - no one can access the app server unless it is through email or unless the app server goes and looks for the data itself. I really don't want to give more info about the architecture, but to sum it up, the webserver, i.e. the API server, will never be able to manipulate data in the actual database because it won't have any write/update or any sort of permission to change data.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on August 17, 2014, 06:36:22 AM
PHASE 2 STARTS. TO GET THE IP, PM ME.

ONE REQUEST : DO NOT RUN MORE THAN A COUPLE OF THREADS/CONNECTIONS TO THE SERVER AND TO CHECK WHETHER THE SERVER IS UP OR NOT, SEND AN EMAIL.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: NLNico on August 17, 2014, 06:42:09 AM
To be honest I didn't completely read what your company is about. But if I understand it correctly you can pay at a store with a card through some mobile application. There must be communication in some way there? How can it not write something to any server? How will it save transactions then?

So basically I agree with 'hardcode' that I would like to know more about the API or whatever. And I cannot imagine it's a "read only" API, but even if it is, shouldn't we focus on trying to hack that (too)?

Trying to hack the server is great, but IMO a lot of times the vulnerabilities are in the actual API or site interaction.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on August 17, 2014, 07:20:20 AM
To be honest I didn't completely read what your company is about. But if I understand it correctly you can pay at a store with a card through some mobile application. There must be communication in some way there? How can it not write something to any server? How will it save transactions then?

So basically I agree with 'hardcode' that I would like to know more about the API or whatever. And I cannot imagine it's a "read only" API, but even if it is, shouldn't we focus on trying to hack that (too)?

Trying to hack the server is great, but IMO a lot of times the vulnerabilities are in the actual API or site interaction.

You will get that opportunity in the very near future also. But like I said, the app server goes and fetches data from the database which the API server has entered, then processes the transaction and puts it in a different database, which the API server queries to get the transaction approval or denial. No interaction between the API Server and the APP Server at all. There is an RDS SERVER in the MIDDLE. YOU REALLY CAN'T GET TO THE ACTUAL DATABASE OR CHANGE A TRANSACTION. ALSO, every time you swipe, the OTP with the Amount goes in your EMAIL, so MITM attack is also difficult if not impossible.

ANY TAKERS FOR THE IP???
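
The mediation pattern neha describes in the two replies above (the API server may only enter requests and read verdicts, while the app server pulls requests and decides), as an added sketch that is not Nuovocard's code. SQLite's authorizer callback stands in here for per-account permissions on the middle database, and the schema, role names and approval limit are assumptions.

```python
import sqlite3
import tempfile

# Constructed schema; table and column names are assumptions for this demo.
SCHEMA = """
CREATE TABLE requests (id INTEGER PRIMARY KEY, card TEXT, amount_cents INTEGER);
CREATE TABLE results  (request_id INTEGER PRIMARY KEY, approved INTEGER);
"""

# Allowed (action, table) pairs per role; SQLite has no GRANT, so this is a stand-in.
READ, INSERT = sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT
POLICY = {
    "api": {(INSERT, "requests"), (READ, "results")},
    "app": {(READ, "requests"), (READ, "results"), (INSERT, "results")},
}

def connect(path, role):
    conn = sqlite3.connect(path)
    def authorizer(action, table, _column, _db, _source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK  # statement-level events, no table involved
        return sqlite3.SQLITE_OK if (action, table) in POLICY[role] else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn

def app_poll(app, limit_cents):  # pull unprocessed requests, write a verdict for each
    rows = app.execute("SELECT id, amount_cents FROM requests "
                       "WHERE id NOT IN (SELECT request_id FROM results)").fetchall()
    for req_id, amount in rows:
        app.execute("INSERT INTO results VALUES (?, ?)", (req_id, int(amount <= limit_cents)))
    app.commit()
    return len(rows)

def demo():
    path = tempfile.mkdtemp() + "/middle.db"
    admin = sqlite3.connect(path)
    admin.executescript(SCHEMA)
    admin.close()
    api, app = connect(path, "api"), connect(path, "app")
    api.execute("INSERT INTO requests (card, amount_cents) VALUES ('test-card', 1250)")
    api.commit()
    processed = app_poll(app, limit_cents=5000)
    verdict = api.execute("SELECT approved FROM results WHERE request_id = 1").fetchone()[0]
    denied = []
    for sql in ("UPDATE results SET approved = 1", "DELETE FROM requests"):
        try:
            api.execute(sql)  # the API role tries to change data it may only add or read
        except sqlite3.DatabaseError:  # raised as "not authorized"
            denied.append(sql.split()[0])
    return processed, verdict, denied
```

The API role's own INSERT path is still attacker-influenced input to the app server, which is the point NLNico raises about where vulnerabilities tend to sit.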


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: vit1988 on August 18, 2014, 10:36:40 PM
ANY TAKERS FOR THE IP???

No. Chance to find a vulnerability is too low to waste time on that.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on August 19, 2014, 01:20:22 AM
ANY TAKERS FOR THE IP???

No. Chance to find a vulnerability is too low to waste time on that.

She has made an iron door for her bamboo cottage and is asking everyone not to brute force the bamboo wall, but to break in the iron door. Once people fail to do that, she'll boast everywhere about how secure her system is. I feel pity for her customers, as they're gonna lose everything so fast !!!

You talk too much. If you have any sort of skills, prove it. Help me not boast it. Otherwise....let it be.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on August 19, 2014, 01:05:57 PM
How their system is designed makes it difficult to attack, but for sure it's not impossible.

The first bounty:
Has shown how difficult it is to find the application server. I have an experiment running in the form of a Tor entry node where I get an email once someone uses my Tor entry node to connect to the global Tor network and has an IP starting with 5 (could even be 54 according to the list) and ending with 13.

So far this has not happened, but this can also be because of the huge number of servers, and by default a new circuit is only created every 10 minutes, which leads to ~6 connections/hour or 144/day. For sure, if they have made a special setup, things can be different here.

This shows how difficult it is to find the application server even knowing some parts of the IP. Without this information it becomes much worse. You would then need some thousand Tor nodes (entry, middle, exit) and probably a couple of weeks/months to find them.

The 2nd bounty:
Here you need, for example, some kind of exploit, either an already existing one or one you inject through a successful malicious pull request to bitcoin/armoryd, or you need to work directly for Amazon or the state with the right access levels, for sure. But these are just theoretical principles.
In general I can congratulate you.
A successful hack in the future would probably be based on human error, like someone hacking you personally or some other people at your company and then installing some kind of trojan. That's probably much easier than getting directly into the server. Therefore you should have the same cold/hot wallet policy that exchanges also have.

Thanks Gitju for your remarks. We have already designed the service around Armory Cold Wallet, and all the deposits will come to an Armory address (cold) and we will transfer them to the hot wallet as per demand.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on September 07, 2014, 12:29:26 PM
Hey Guys, last couple of days left. I was wondering if anyone is still working on this. Please let me know. Thanks.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: Sinecoin on September 07, 2014, 09:34:58 PM
lol need to learn how to hack, seems to be a high paying hobby.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: Superhitech on September 08, 2014, 12:38:19 AM
lol need to learn how to hack, seems to be a high paying hobby.

haha I agree


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on September 10, 2014, 11:10:42 AM
Hey Guys, The contest is finally over and we are happy to announce that there were no winners.

We will be starting a bounty program soon to test our complete platform. We are adding a couple of new features in our platform which no one in the crypto world is currently providing and hope to launch a test platform soon.

For all the people who took part in our contest, please pm us your email address and if and when you sign up for Nuovocard, as a thank you we will give you a credit of $100 which can be utilized against any transaction and withdrawal fee on our platform.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: seoincorporation on September 15, 2014, 05:28:12 PM
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for those Nuovocards to prove to you it can be hacked.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on September 15, 2014, 05:43:59 PM
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for those Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: seoincorporation on September 15, 2014, 06:13:22 PM
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for those Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.

If the ports will be closed, how will the customers make the communication between the App and the server?

All this security testing makes no sense, because you are not using the real configuration on the server that you will use to communicate between the app and the server.

And now you will start another challenge, again to search for a "No-ping" IP... please let me LOL hard. Do you really know what you are playing?

Have fun with this; in the end this will not prove whether your app is secure or not, it will only prove that the communication between the app and server is null with the current configuration.


Title: Re: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started
Post by: neha on September 15, 2014, 07:00:57 PM
The funny thing is, you believe you have a secure server because it's behind a firewall.

At some point, you will need to change that firewall configuration, because if people can't ping the server there will be null communication. At that moment you will need to expose some ports for communication, but exposing a port is not always a vuln.

I wish you the best with this project, and I will wait for those Nuovocards to prove to you it can be hacked.

We will start another challenge soon and you can try to hack then but yes, all ports in our app server will be closed. The first challenge would always be to find the IP of the server. Will announce the new challenge soon. Thanks for your wishes.

If the ports will be closed, how will the customers make the communication between the App and the server?

All this security testing makes no sense, because you are not using the real configuration on the server that you will use to communicate between the app and the server.

And now you will start another challenge, again to search for a "No-ping" IP... please let me LOL hard. Do you really know what you are playing?

Have fun with this; in the end this will not prove whether your app is secure or not, it will only prove that the communication between the app and server is null with the current configuration.

This time I will post a challenge when the whole platform is up and running. I hope you find something this time around. Like I have said before, it's not that the ports are permanently closed; the ports are only opened as per the app's requirement. Lastly, the real configuration of the server was used. We are not here to waste time and effort of people.