timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 06, 2024, 10:58:07 PM Last edit: April 07, 2024, 10:34:09 PM by timegrazer
Inviting hackerz, crackerz, data hijackerz!! Come hack our crypto exchange. Yes you read it correctly. After a preliminary testnet test - UI and operational test (in 2022), you all are invited to do a full blown penetration test. This is no longer a testnet exchange - it is on mainnet!! Both BTC and ETH mainnet. It holds a few coins. Finders, keepers! Since there is no official payment for this - the crackers and hackers can hack it and take what they can. If you hack this exchange, the coins it holds are your reward!! If you cannot do that, no problems, report me all major findings - but, no, please do not tell me there is an iframe in use, no CSP or SameSite cookies or that it does not obey OWASP Web Top 10; if you think that is a concern then please exploit it and give a PoC shell or something similar that is critical. This is not a vulnerability assessment request, so webscanner results won't cut it. There are no made up CTF baby flags - the flag is real - real mainnet coins! Interested people are invited to test this and report back if interested - PM me. End of the test will be announced here in this thread. Thank you.
2022 forum post - https://bitcointalk.org/index.php?topic=5378976.0
Link to the exchange - Hack this - https://blot3d-36601.portmap.host:36601/
SHA256 of the certificate: D0:86:2F:0C:D4:3F:81:7C:D1:12:DD:E4:05:6A:52:F8:DD:12:F1:D9:B1:1C:74:02:46:85:8B:EF:D5:CE:EA:2E
Full blot3d-36601-portmap-host.crt certificate: [PEM block omitted]
Vod
Legendary
Offline
Activity: 3822
Merit: 3122
Licking my boob since 1970
April 07, 2024, 03:49:25 PM
https://nastyscam.com - featuring 13 years of OGNasty bitcoin scams https://vod.fan - fast/free image sharing - cleaning it up! (240905) Will Theymos finish his $100,000,000 forum before this one shuts down?
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 07, 2024, 10:33:49 PM
I have now provided the hash and the self signed certificate in the original post for your reference.
Vod
Legendary
Offline
Activity: 3822
Merit: 3122
Licking my boob since 1970
April 08, 2024, 04:08:22 AM
I have now provided the hash and the self signed certificate in the original post for your reference.
You have support from one of the biggest scammers on the forum. https://bitcointalk.org/index.php?topic=5378976.0
Even visiting your insecure page will probably lead to BTC loss.
examplens
Legendary
Offline
Activity: 3402
Merit: 3409
Crypto Swap Exchange
April 08, 2024, 01:59:14 PM
I have now provided the hash and the self signed certificate in the original post for your reference.
First, you need to prove that there are some coins behind everything. Why would someone spend time proving anything to you, when you have, for example, only 0.001 BTC in your wallet? Proof that at least 50 Bitcoins are there will stimulate anyone to try the hack. Also, who even considers this serious and worth any effort? https://blot3d-36601.portmap.host:36601/
Vod
Legendary
Offline
Activity: 3822
Merit: 3122
Licking my boob since 1970
April 08, 2024, 03:18:20 PM
Also, who even considers this serious and worth any effort? https://blot3d-36601.portmap.host:36601/
Is the SSL working for you? It shows insecure to me.
examplens
Legendary
Offline
Activity: 3402
Merit: 3409
Crypto Swap Exchange
April 08, 2024, 06:04:55 PM
Is the SSL working for you? it shows insecure to me.
Yes, I also have a no-certificate alert. If you decide to ignore the warning, there are pages behind it that look like they were designed in '95: an index page, which contains a frame with an index1 page... It seems that some kids found a very old tutorial on how to make the first website.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 08, 2024, 06:45:03 PM Last edit: April 08, 2024, 09:03:41 PM by timegrazer
You have support from one of the biggest scammers on the forum.
Pardon me but I do not understand? I ran a test run 2 years ago and participants tested it and were able to withdraw their coins. Who is a scammer on the previous thread and how do you know that?
Proof that at least 50 Bitcoins are there will stimulate anyone to try the hack.
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked; they would rather get it professionally tested by experts. Asking for proof of 2.5 million USD is a fool's errand - think about it. I can provide a screenshot or a BTC address but that does not mean the coins are on the website. I can only prove that the coins exist and that I have the private key; how would that make you believe that you will get access to it after hacking the website?
It seems that some kids found a very old tutorial, on how to make the first website.
Haha I appreciate good humour. Indeed - MS Frontpage 2.0 for the win. But this was written using nano. This is not a cool and good looking website with the latest UX/UI tech implemented by any means. The website is intentionally basic and without javascript. It will be accessible via an anonymous network layer - an overlay network. Such networks are usually slower than websites on the surface web, so the UI needs to be light and simple. The redirection service I am using does not issue SSL certs for subdomains. Where it will be finally hosted might not need a certificate since it would already be on an encrypted network overlay.
To everyone who has responded: It is very easy to tear things down and mock people's work; if you don't consider testing this worth the effort, then thank you for stopping by. I have invested lots of years in this project. I appreciate your time. You may move on.
To anyone about to reply: Criticism is welcome, but please don't make that your only goal. Thank you. Happy cracking.
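The OP pins the exchange's self-signed certificate by its SHA-256 fingerprint, and the replies above note that browsers flag the site as insecure because no public CA issued that certificate. The check below is an added example, not code from the thread or the exchange: given the PEM a client has saved from the server, it computes the fingerprint and compares it in constant time with the pinned value, so a self-signed warning is overridden only when the out-of-band fingerprint matches. Only the fingerprint string comes from the OP; the function names and the test input are my own.

```python
import base64
import hashlib
import hmac
import re

# SHA-256 fingerprint as posted in the OP (copied from the thread, not recomputed here).
PINNED_SHA256 = ("D0:86:2F:0C:D4:3F:81:7C:D1:12:DD:E4:05:6A:52:F8:"
                 "DD:12:F1:D9:B1:1C:74:02:46:85:8B:EF:D5:CE:EA:2E")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Take the first CERTIFICATE block out of PEM text and decode it to DER."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of the DER, the form browsers and openssl print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Reduce 'd0:86:..', 'D0 86 ..' or bare hex to upper-case hex with no separators."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches_pin(der: bytes, pinned: str = PINNED_SHA256) -> bool:
    """Constant-time comparison of the certificate's fingerprint with the pinned one."""
    want = normalize(pinned)
    if len(want) != 64:          # not a SHA-256 fingerprint; refuse rather than guess
        return False
    return hmac.compare_digest(normalize(sha256_fingerprint(der)), want)


def verify_pem(pem: str, pinned: str = PINNED_SHA256) -> bool:
    """True only if the PEM parses and its fingerprint equals the pinned value."""
    try:
        return matches_pin(pem_to_der(pem), pinned)
    except ValueError:
        return False
```

Save the certificate shown in the browser's warning dialog as PEM and pass it to verify_pem; the self-signed warning is only worth overriding when this returns True.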
Vod
Legendary
Offline
Activity: 3822
Merit: 3122
Licking my boob since 1970
April 08, 2024, 07:38:07 PM
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked, would rather get it professionally tested from experts.
Isn't your goal to prove your code is secure? What is wrong with professional testers? Prove you have the 50 BTC or no one will take you seriously.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 08, 2024, 08:48:36 PM Last edit: April 08, 2024, 09:03:54 PM by timegrazer
This is a new endeavour. If the website had 50 BTC, nobody would invite it to be hacked, would rather get it professionally tested from experts.
Isn't your goal to prove your code is secure? What is wrong with professional testers? Prove you have the 50 BTC or no one will take you seriously.
You are clearly not reading my response well. Nothing is wrong with professional testers. It seems you are neither a professional nor a tester. I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously. I will now stop feeding the trolls. Criticism is welcome, but please don't make that your only goal. Thank you. Happy cracking.
examplens
Legendary
Offline
Activity: 3402
Merit: 3409
Crypto Swap Exchange
April 08, 2024, 09:33:49 PM
You are clearly not reading my response well.. Nothing is wrong with professional testers. It seems, you are neither a professional nor a tester. I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously. I will now stop feeding the trolls.
Criticism is welcome, but please don't make that your only goal. Thank you. Happy cracking.
Ok, you don't have 50 BTC, but you should provide some proof that there are any funds as a reward for this challenge you are offering. Claiming that you have private keys for some address means nothing. No one is trolling you here; they are just pointing out the shortcomings in your offer. It would be even better if you leave certain funds in escrow so that the potential tester/hacker knows that in case of success, there is a guaranteed reward.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 08, 2024, 09:42:12 PM
I clearly mentioned not to report regarding iframes, etc. yet you did. Either you are a troll or did not read my OP.
The objective is to penetrate and steal the coins and then give me a PoC so that the issue/s are fixed.. rather than me depositing coins in escrow. Think about it, if I invite attackers, they break in and find no coins, do you think they will report me how they did it? It will serve me no purpose. If you do not have faith, it is fine, move on.
Criticism is welcome, but please don't make that your only goal. Thank you. Happy cracking.
Vod
Legendary
Offline
Activity: 3822
Merit: 3122
Licking my boob since 1970
April 09, 2024, 03:17:35 AM
I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously. I will now stop feeding the trolls.
'Tis true, I did imagine that number of imaginary bitcoin you have. That is my bad. But until you prove you have x bitcoin, where int(x)>0, no one will take you seriously.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 09, 2024, 10:53:15 AM Last edit: April 09, 2024, 11:06:38 AM by timegrazer
I never claimed to have 50 BTC. You are conjuring up this number. If anything, nobody is taking you seriously. I will now stop feeding the trolls.
'Tis true, I did imagine that number of imaginary bitcoin you have. That is my bad. But until you prove you have x bitcoin, where int(x)>0, no one will take you seriously.
I don't see how you can speak for everyone or what is on everyone's minds. You may move on to imagine newer things. Thank you for stopping by.
Bitcoin_Arena
Copper Member
Legendary
Offline
Activity: 2114
Merit: 1813
฿itcoin for all, All for ฿itcoin.
April 09, 2024, 02:27:48 PM
The objective is to penetrate and steal the coins and then give me a PoC so that the issue/s are fixed.. rather than me depositing coins in escrow.
Have you also thought about the hacker breaking in, stealing the coins and going quiet without showing you how he did it?
Think about it, if I invite attackers, they break in and find no coins, do you think they will report me how they did it? It will serve me no purpose. If you do not have faith, it is fine, move on.
Also, without any form of guarantee that they will find coins in there once they break in, there is going to be close to zero motivation that someone will even attempt to hack your site. @examplens' idea is actually good. Leave very little funds in the addresses and then send most of it to an escrow. Whoever finds the funds in some addresses will receive a percentage of the funds from the escrow service. This will also ensure that the hacker meets his end of the bargain by reporting to you how he cracked into the service. People should also be able to track and know if someone has already cracked everything or not, so that they do not waste time hacking into a service whose accounts have already been drained, thus receiving no reward.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 10, 2024, 12:22:16 AM
hacker breaking in, stealing the coins and going quiet without showing you how he did it?
They are welcome to do that. That would be real bad ass. At least we will know that a vulnerability exists. If they can do that they deserve the loot!
zero motivation that someone will even attempt to hack your site
Fine, don't be. Move on. I have already received PMs. So your point is disproved.
@examplens' idea is actually good
LOL sure buddy, gang up on me. Ally or an alias of the previous poster?
Leave very little funds in the addresses and then send most of it to an escrow.
Apply your own argument: why should I trust that escrow when you yourself are not ready to have faith in the first place? We are an exchange, we do not need escrows.
People should also be able to track and know if someone has already cracked everything
I agree with you here, but there can be more than one way to break in. Also, we have mentioned in the OP "End of the test will be announced here in this thread." So everyone will be updated. As soon as the funds are stolen, it will be announced here. If nothing happens, after a few days, the test will still be concluded - probably will invite a separate batch of crackers/hackers elsewhere. I appreciate you taking time to respond. If you do not agree to the terms, it is fine. I respect your PoV. I will focus on those who have sent me messages and are already onto it. Thank you.
lampofdog
Newbie
Offline
Activity: 9
Merit: 0
April 15, 2024, 12:26:07 AM
I've tried a few things. No serious finding, but I won't post here in case someone else is also trying. Please check your DM.
lampofdog
Newbie
Offline
Activity: 9
Merit: 0
April 17, 2024, 01:12:42 AM
Please respond to my messages. I have shared the details.
timegrazer (OP)
Jr. Member
Offline
Activity: 47
Merit: 1
April 17, 2024, 01:39:41 AM
As you already mentioned, the findings were not critical, still I appreciate you taking time for meticulously reporting whatever you thought was essential. Let me know if you received the payment. Good job. Thank you.
lampofdog
Newbie
Offline
Activity: 9
Merit: 0
April 17, 2024, 02:50:05 PM