Bitcoin Forum
Author Topic: Hack This - Open Invitation  (Read 407 times)
timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 06, 2024, 10:58:07 PM
Last edit: April 07, 2024, 10:34:09 PM by timegrazer
#1

Inviting hackerz, crackerz, data hijackerz!!

Come hack our crypto exchange. Yes, you read it correctly. After a preliminary testnet test - UI and operational test (in 2022), you all are invited to do a full-blown penetration test. This is no longer a testnet exchange - it is on mainnet!! Both BTC and ETH mainnet. It holds a few coins. Finders, keepers! Since there is no official payment for this, the crackers and hackers can hack it and take what they can. If you hack this exchange, the coins it holds are your reward!! If you cannot do that, no problem, report all major findings to me - but, no, please do not tell me there is an iframe in use, no CSP or SameSite cookies, or that it does not obey the OWASP Web Top 10; if you think that is a concern, then please exploit it and give a PoC shell or something similar that is critical. This is not a vulnerability assessment request, so web scanner results won't cut it. There are no made-up CTF baby flags - the flag is real: real mainnet coins! Interested people are invited to test this and report back - PM me. The end of the test will be announced here in this thread.

Thank you.

2022 forum post - https://bitcointalk.org/index.php?topic=5378976.0

Link to the exchange - Hack this - https://blot3d-36601.portmap.host:36601/

SHA256 of the certificate:
Code:
D0:86:2F:0C:D4:3F:81:7C:D1:12:DD:E4:05:6A:52:F8:DD:12:F1:D9:B1:1C:74:02:46:85:8B:EF:D5:CE:EA:2E


Full blot3d-36601-portmap-host.crt certificate:
Code:
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
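Added example (editor's code, not part of the original post and not the exchange's own code): the fingerprint published above is only useful if visitors actually compare it with what the server presents instead of clicking through the browser's "not secure" warning. The script below does that comparison with the Python standard library: it extracts the DER bytes from a PEM file, hashes them with SHA-256, prints the result in the colon-separated form browsers show, and compares it in a separator- and case-insensitive way with the published value. The PEM blob inside it is a constructed stand-in (arbitrary bytes, not a real X.509 certificate), because the certificate body is not reproduced on this page; `check_live_server` is an added helper name that fetches the leaf certificate a host presents via `ssl.get_server_certificate` and needs network access.

```python
import base64
import hashlib
import hmac
import re
import ssl

# Fingerprint published in the original post (the only page-supplied value used here).
PUBLISHED_FINGERPRINT = (
    "D0:86:2F:0C:D4:3F:81:7C:D1:12:DD:E4:05:6A:52:F8:"
    "DD:12:F1:D9:B1:1C:74:02:46:85:8B:EF:D5:CE:EA:2E"
)

# Constructed stand-in for a .crt file: the body is arbitrary bytes, NOT a real
# certificate, so the real certificate's fingerprint cannot be reproduced here.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed sample, not an X.509 certificate").decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted the way browsers display it: AA:BB:..."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_from_pem(pem: str) -> str:
    return sha256_fingerprint(pem_to_der(pem))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'd0:86:..', 'D0 86 ..' or bare hex and return the canonical form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexdigits) != 64:
        raise ValueError("a SHA-256 fingerprint must be 64 hex digits")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def matches_published(pem: str, published: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the published one."""
    observed = fingerprint_from_pem(pem)
    expected = normalize_fingerprint(published)
    # Fingerprints are public, so constant-time comparison is not strictly
    # needed here; it is simply the right default for any digest comparison.
    return hmac.compare_digest(observed.encode(), expected.encode())


def check_live_server(host: str, port: int, published: str) -> bool:
    """Fetch the leaf certificate a server actually presents and check it.

    get_server_certificate does not validate the chain, which is exactly what is
    wanted for a self-signed certificate: trust is established by the fingerprint
    published out of band, not by a CA. Requires network access.
    """
    pem = ssl.get_server_certificate((host, port))
    return matches_published(pem, published)


if __name__ == "__main__":
    print("sample fingerprint :", fingerprint_from_pem(SAMPLE_PEM))
    print("published          :", PUBLISHED_FINGERPRINT)
    print("match              :", matches_published(SAMPLE_PEM, PUBLISHED_FINGERPRINT))
```

Running the script as-is reports a mismatch, since the sample blob is not the exchange's certificate; against the real host one would call `check_live_server("blot3d-36601.portmap.host", 36601, PUBLISHED_FINGERPRINT)` and proceed only on `True`. A fingerprint that matches proves the connection reaches the server whose certificate the poster published; it says nothing about whether the site behind it is trustworthy.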

Vod
Legendary
Activity: 3682
Merit: 3056
April 07, 2024, 03:49:25 PM
#2

Page is not secure.

timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 07, 2024, 10:33:49 PM
#3

I have now provided the hash and the self-signed certificate in the original post for your reference.

Vod
Legendary
Activity: 3682
Merit: 3056
April 08, 2024, 04:08:22 AM
#4

Quote from: timegrazer
I have now provided the hash and the self-signed certificate in the original post for your reference.

You have support from one of the biggest scammers on the forum.
https://bitcointalk.org/index.php?topic=5378976.0

Even visiting your insecure page will probably lead to BTC loss.

examplens
Legendary
Activity: 3262
Merit: 3156
April 08, 2024, 01:59:14 PM
#5

Quote from: timegrazer
I have now provided the hash and the self-signed certificate in the original post for your reference.

First, you need to prove that there are some coins behind all this. Why would someone spend time proving anything to you when you have, for example, only 0.001 BTC in your wallet?
Proof that at least 50 Bitcoins are there will stimulate anyone to try the hack.

Also, who even considers this serious and worth any effort?
Code:
https://blot3d-36601.portmap.host:36601/

Vod
Legendary
Activity: 3682
Merit: 3056
April 08, 2024, 03:18:20 PM
#6

Quote from: examplens
Also, who even considers this serious and worth any effort?
Code:
[b]https[/b]://blot3d-36601.portmap.host:36601/

Is the SSL working for you? It shows insecure to me.

examplens
Legendary
Activity: 3262
Merit: 3156
April 08, 2024, 06:04:55 PM
#7

Quote from: Vod
Is the SSL working for you?  it shows insecure to me.

Yes, I also get a no-certificate alert.
If you decide to ignore the warning, there are pages behind it that look like they were designed in '95.
An index page, which contains a frame with an index1 page... It seems that some kids found a very old tutorial on how to make a first website.

timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 08, 2024, 06:45:03 PM
Last edit: April 08, 2024, 09:03:41 PM by timegrazer
#8

Quote from: Vod
You have support from one of the biggest scammers on the forum.
Pardon me, but I do not understand. I ran a test run 2 years ago, and participants tested it and were able to withdraw their coins. Who is a scammer on the previous thread, and how do you know that?



Quote from: examplens
Proof that at least 50 Bitcoins are there will stimulate anyone to try the hack.
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked; they would rather get it professionally tested by experts.
Asking for proof of 2.5 million USD is a fool's errand - think about it. I can provide a screenshot or a BTC address, but that does not mean the coins are on the website. I can only prove that the coins exist and that I have the private key; how would that make you believe that you will get access to them after hacking the website?


Quote from: examplens
It seems that some kids found a very old tutorial, on how to make the first website.
Haha, I appreciate good humour. Indeed - MS FrontPage 2.0 for the win. But this was written using nano.

This is not a cool and good-looking website with the latest UX/UI tech implemented, by any means.
The website is intentionally basic and without JavaScript. It will be accessible via an anonymous network layer - an overlay network - which are usually slower than websites on the surface web, so the UI needs to be light and simple.
The redirection service I am using does not issue SSL certs for subdomains. Where it will finally be hosted might not need a certificate, since it would already be on an encrypted network overlay.



To everyone who has responded:
It is very easy to tear things down and mock people's work. If you don't consider testing this worth the effort, then thank you for stopping by. I have invested many years in this project.
I appreciate your time. You may move on.


To anyone about to reply:

Criticism is welcome, but please don't make that your only goal.
Thank you. Happy cracking.

Vod
Legendary
Activity: 3682
Merit: 3056
April 08, 2024, 07:38:07 PM
#9

Quote from: timegrazer
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked, would rather get it professionally tested from experts.

Isn't your goal to prove your code is secure?  What is wrong with professional testers?

Prove you have the 50 BTC or no one will take you seriously.

timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 08, 2024, 08:48:36 PM
Last edit: April 08, 2024, 09:03:54 PM by timegrazer
#10

Quote from: timegrazer
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked, would rather get it professionally tested from experts.
Quote from: Vod
Isn't your goal to prove your code is secure?  What is wrong with professional testers?

Prove you have the 50 BTC or no one will take you seriously.

You are clearly not reading my response well. Nothing is wrong with professional testers. It seems you are neither a professional nor a tester. I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously. I will now stop feeding the trolls.


examplens
Legendary
Activity: 3262
Merit: 3156
April 08, 2024, 09:33:49 PM
#11

Quote from: timegrazer
You are clearly not reading my response well.. Nothing is wrong with professional testers. It seems, you are neither a professional nor a tester.  I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously.  I will now stop feeding the trolls.

Criticism is welcome, but please don't make that your only goal.
Thank you. Happy cracking.

Ok, you don't have 50 BTC, but you should provide some proof that there are any funds as a reward for this challenge you are offering. Claiming that you have the private keys to some address means nothing.
No one is trolling you here; they are just pointing out the shortcomings in your offer.
It would be even better if you left certain funds in escrow, so that the potential tester/hacker knows that in case of success there is a guaranteed reward.


timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 08, 2024, 09:42:12 PM
#12

I clearly mentioned not to report regarding iframes, etc., yet you did. Either you are a troll or you did not read my OP.


The objective is to penetrate and steal the coins and then give me a PoC so that the issue(s) are fixed, rather than me depositing coins in escrow. Think about it: if I invite attackers, they break in and find no coins, do you think they will report to me how they did it? It would serve me no purpose. If you do not have faith, it is fine, move on.


Vod
Legendary
Activity: 3682
Merit: 3056
April 09, 2024, 03:17:35 AM
#13

Quote from: timegrazer
I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously.  I will now stop feeding the trolls.

'Tis true, I did imagine that number of imaginary bitcoin you have. That is my bad.

But until you prove you have x bitcoin, where int(x)>0, no one will take you seriously.

timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 09, 2024, 10:53:15 AM
Last edit: April 09, 2024, 11:06:38 AM by timegrazer
#14

Quote from: timegrazer
I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously.  I will now stop feeding the trolls.
Quote from: Vod
Tis true, I did imagine that number of imaginary bitcoin you have.   That is my bad.

But until you prove you have x bitcoin, where int(x)>0, no one will take you seriously.

I don't see how you can speak for everyone or what is on everyone's minds. You may move on to imagine newer things. Thank you for stopping by.

Bitcoin_Arena
Copper Member
Legendary
Activity: 2016
Merit: 1786
April 09, 2024, 02:27:48 PM
#15

Quote from: timegrazer
The objective is to penetrate and steal the coins and then give me a PoC so that the issue/s are fixed.. rather than me depositing coins in escrow.
Have you also thought about the hacker breaking in, stealing the coins and going quiet without showing you how he did it?

Quote from: timegrazer
Think about it, if I invite attackers, they break in and find no coins, do you think they will report me how they did it? It will serve me no purpose.  If you do not have faith, it is fine, move on.
Also, without any form of guarantee that they will find coins in there once they break in, there is going to be close to zero motivation for someone to even attempt to hack your site. @examplens' idea is actually good. Leave very little funds in the addresses and send most of it to an escrow. Whoever finds the funds in some addresses will receive a percentage of the funds from the escrow service. This will also ensure that the hacker meets his end of the bargain by reporting to you how he cracked into the service.

People should also be able to track and know whether someone has already cracked everything or not, so that they do not waste time hacking into a service whose accounts have already been drained, thus receiving no reward.


timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 10, 2024, 12:22:16 AM
#16

Quote from: Bitcoin_Arena
hacker breaking in, stealing the coins and going quiet without showing you how he did it?
They are welcome to do that. That would be real bad ass. At least we will know that a vulnerability exists. If they can do that they deserve the loot!

Quote from: Bitcoin_Arena
zero motivation that someone will even attempt to hack your site
Fine, don't be.. move on. I have already received PMs. So your point is disproved.

Quote from: Bitcoin_Arena
@examplens' idea is actually good
LOL sure buddy, gang up on me. Ally or an alias of the previous poster?

Quote from: Bitcoin_Arena
Leave very little funds in the addresses and then send most of it to an escrow.
Apply your own argument: why should I trust that escrow when you yourself are not ready to have faith in the first place? We are an exchange; we do not need escrows.

Quote from: Bitcoin_Arena
People should also be able to track and know if someone has already cracked everything
I agree with you here, but, there can be more than one way to break in. Also, we have mentioned in the OP "End of the test will be announced here in this thread." So everyone will be updated. As soon as the funds are stolen, it will be announced here. If nothing happens, after a few days, the test will still be concluded - probably will invite a separate batch of crackers/hackers elsewhere.

I appreciate you taking time to respond. If you do not agree to the terms, it is fine. I respect your PoV.  I will focus on those who have sent me messages and are already onto it. Thank you.

lampofdog
Newbie
Activity: 9
Merit: 0
April 15, 2024, 12:26:07 AM
#17

I've tried a few things. No serious findings, but I won't post them here, in case someone else is also trying. Please check your DM.

lampofdog
Newbie
Activity: 9
Merit: 0
April 17, 2024, 01:12:42 AM
#18

Please respond to my messages. I have shared the details.

timegrazer (OP)
Jr. Member
Activity: 34
Merit: 1
April 17, 2024, 01:39:41 AM
#19

As you already mentioned, the findings were not critical, still I appreciate you taking time for meticulously reporting whatever you thought was essential. Let me know if you received the payment.
Good job. Thank you.

lampofdog
Newbie
Activity: 9
Merit: 0
April 17, 2024, 02:50:05 PM
#20

$$ Thank you. Very generous. Received! $$

Let me know if you need more security testing done. Good Luck.