Bitcoin Forum
Author Topic: Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started  (Read 6571 times)
neha (OP)
August 11, 2014, 04:32:53 AM
Last edit: August 17, 2014, 06:35:08 AM by neha
 #1

Hack Our Application Server for $3000

The challenge starts on 15th of August, 2014 and ends on 10th September, 2014


CONTEST DETAILS

Server Parameters

Our server is running a Java application which communicates with Google's servers via APIs. It is also running Bitcoin Armoryd and Bitcoind.

To communicate with the server and check if it's running or not, send an email to hack@nuovocard.com with Subject 'Transfer'. The server will send you an email back with a transaction hash for an instant transaction in the amount of 0.0001 BTC to mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa.

Objective 1 (Bounty $200)

Find the IP address of the server. If no one is able to find the IP address in the first 5 days, we will disclose the IP address and no one will be able to claim this bounty further.

If you are able to find the IP address, please disclose it on this thread.



Objective 2 (Bounty $2800) - STARTED

Try and hack into the server using any means necessary. If successful, send out a transaction to your Bitcoin Testnet Address. Sign a Message and email us the Message to verify.

The Bitcoin Wallet on the server is a testnet wallet and has been left unlocked for you to make a transaction upon gaining access.

For more information about Nuovocard, visit www.nuovocard.com.

Nuovocard will be launching a Bitcoin Debit Card and Point of Sale App at the end of September, 2014. Please ask if you have any questions.

THIS CHALLENGE IS NOT TO HACK OUR WEBSERVER BUT THE APPLICATION SERVER

Do Not Perform a DOS Attack

PLEASE SEND ME A PM TO GET THE IP. ALSO, PLEASE DON'T RUN MORE THAN A COUPLE OF THREADS/CONNECTIONS TO THE SERVER.

UPDATE : If you are successful in hacking the server, you must share with us the complete steps of the hack and we must be able to replicate the same.

neha (OP)
August 11, 2014, 04:56:50 AM
Last edit: August 11, 2014, 05:31:59 AM by neha
 #2

VERY IMPORTANT, the webserver is a different server and we are looking to get the application server hacked. PLEASE DO NOT HACK THE WEBSERVER AS THAT IS NOT PART OF THE BOUNTY. Also, 104.28.2.120 is not the IP address of the webserver either, as I got a couple of PMs saying this is the IP. Again, the BOUNTY is not for the WEBSERVER. APPLICATION SERVER AND WEBSERVER are Separate.

Also, feel free to post in public as we don't want to hide even if we get hacked. The idea behind the contest is to prove to ourselves that the platform that we have designed is possibly very difficult to hack. Moreover, the $3000 bounty has been decided because it is the amount of bitcoins we will have in our hot wallet, so even if we get hacked, this is the max you can get. Although we are saying 97% on our website, we don't plan to keep anything more than $3000, which will keep getting refilled manually.

Thanks.

Equinoxx
August 11, 2014, 05:30:25 AM
 #3

The IP that everyone seems to be picking up is Cloudflare's.
I have the location of the site but not the IP.
If you would like me to PM you the address or post it publicly,
let me know.
Thanks!

-.sgmf
neha (OP)
August 11, 2014, 05:36:00 AM
 #4

Quote from: Equinoxx on August 11, 2014, 05:30:25 AM
The IP that everyone seems to be picking up is Cloudflare's.
I have the location of the site but not the IP.
If you would like me to PM you the address or post it publicly,
let me know.
Thanks!

Guys, again that is the webserver, and the webserver is located on Amazon and so are the primary and database servers. The idea is to only hack the replica of the primary server, and when the contest starts, you will be able to send an email to hack@nuovocard.com and get a reply from the server that is supposed to be hacked. It will reply to you with a transaction hash for a testnet transaction which it will make upon receiving your email.

I hope this clears it.

Thanks.

Equinoxx
August 11, 2014, 06:32:23 AM
 #5

I have the address for the website,
not of Cloudflare, although Cloudflare is in Arizona.
Your host is in India.
I have the full address if you would like me to email it.
Thanks

-.sgmf
neha (OP)
August 11, 2014, 06:46:23 AM
 #6


Quote from: BCX
Did you ever stop to think that the best way to find the hidden server is to hack the one that is known since it is a clone?

You called down the thunder, now you got it.

Deal with it.


~BCX~

Well, the server that we will be providing to hack is an exact replica with one difference, i.e. it will only have one application running which will do all the aspects of the multiple applications that are supposed to handle traffic. It will read email, reply, transact and talk to the database server. There are multiple different servers involved in the system we have designed; it is designed to handle up to a million users, and the webserver has no link to the primary server.

Also, we seriously mean 'by any means necessary'. We would love to see how it gets hacked as it will ensure more security in future for our users. Also, when this challenge is over, based on the results, we will probably extend the challenge. The only difference would be that we will never disclose the IP like we are doing here and moreover it will be programmed to get a new IP daily.

Questions???

hardshot
August 11, 2014, 07:08:12 AM
 #7

My IP guess: 199.241.30.125
🏰 TradeFortress 🏰
August 11, 2014, 07:42:20 AM
 #8

Quote from: neha on August 11, 2014, 04:56:50 AM
VERY IMPORTANT, the webserver is a different server and we are looking to get the application server hacked. PLEASE DO NOT HACK THE WEBSERVER AS THAT IS NOT PART OF THE BOUNTY. Also, 104.28.2.120 is not the IP address of the webserver either, as I got a couple of PMs saying this is the IP. Again, the BOUNTY is not for the WEBSERVER. APPLICATION SERVER AND WEBSERVER are Separate.

Also, feel free to post in public as we don't want to hide even if we get hacked. The idea behind the contest is to prove to ourselves that the platform that we have designed is possibly very difficult to hack. Moreover, the $3000 bounty has been decided because it is the amount of bitcoins we will have in our hot wallet, so even if we get hacked, this is the max you can get. Although we are saying 97% on our website, we don't plan to keep anything more than $3000, which will keep getting refilled manually.

Thanks.

To be absolutely correct, is your bitcoind on the application server?

neha (OP)
August 11, 2014, 07:55:40 AM
 #9

Quote from: hardshot on August 11, 2014, 07:08:12 AM
My IP guess: 199.241.30.125

This is not the IP.


Quote from: TradeFortress on August 11, 2014, 07:42:20 AM
To be absolutely correct, is your bitcoind on the application server?

Yes. The Application Server will have:

1. Bitcoind
2. Armoryd
3. Java App
4. Tor Client

Database Server - Mysql 5.6

Jags2ooo
August 11, 2014, 09:33:05 AM
 #10

173.194.68.26
neha (OP)
August 11, 2014, 09:47:24 AM
 #11

The challenge is announced 3 days in advance just to answer all the queries so that people can get to work on the day it starts.

Quote:
1. How you describe the task is not clear in any case and therefore a bit confusing.
The first reactions in the form of posts already show it.

2. I have strong legal concerns about this "promotional campaign", especially regarding my first point.
People may try to hack the wrong infrastructure, regardless of whether the attempt itself is legal or not in their country.
In Germany, for example, I doubt that it is possible to take part without breaking the law.
If someone now tries to hack Amazon and gets jailed because of taking part in your contest, you are probably also responsible for that.
I guess you don't own your own datacenter. Is the datacenter informed about this?

-> I don't feel this contest is very well prepared at the moment and I would not start it under these circumstances.


First, this is completely legal and there is no threat to anyone hacking, as Amazon will not go after them; it's the company that has rented the server that goes after people who hack. In this case, we are the company.

Secondly, I made it very clear how to communicate with the server:


Quote from: neha on August 11, 2014, 04:32:53 AM
To communicate with the server and check if it's running or not, send an email to hack@nuovocard.com with Subject 'Transfer'. The server will send you an email back with a transaction hash for an instant transaction in the amount of 0.0001 BTC to mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa.


This is the only way to communicate and try to find the IP, which is the first step. After this, it's up to you. Doing a DOS attack does not make sense, as you need to get into the server; it's not like we are trying to prevent you, such that you would need to block our access. Also, all ports are closed other than the ports that the app opens and closes automatically. Just to help everyone out, that port range is 32768-61000.

If you wish to try without using our server, I would advise you to set up your own server and I will provide a simple Jar that can talk to Gmail. You can do this in your own house and then send us instructions on how to hack, and if it works, you win.

Also, there are a couple of firewalls in place before the server; we will test your method with the firewalls and without the firewalls and award you the full amount if you break in with the firewalls. If your instructions lead to a hack without the firewalls, we will award you $1000. If anyone wants to try it this way, let me know and I will reveal the server configuration after part 1 is over.

Questions?

Jags2ooo
August 11, 2014, 10:01:45 AM
 #12

hack@nuovocard.com

Doesn't reply. Tried on a normal email app, and telnet... nothing.
neha (OP)
August 11, 2014, 10:12:05 AM
 #13

Quote from: Jags2ooo on August 11, 2014, 10:01:45 AM
hack@nuovocard.com

Doesn't reply. Tried on a normal email app, and telnet... nothing.

Yeah...will reply on 15th when the contest starts.

dKingston
August 11, 2014, 10:15:33 AM
 #14

Are you willing to escrow the prize?

Quote from: neha on August 11, 2014, 09:47:24 AM
First, this is completely legal and there is no threat to anyone hacking, as Amazon will not go after them; it's the company that has rented the server that goes after people who hack. In this case, we are the company.


It's not that easy in every country.
In the act of hacking you also use other infrastructure than just your server.

Furthermore:
Who knows, maybe you just hacked their email and now start such a contest so that others hack their server?

I don't say you guys are bad.
It's just not well prepared to rule out all concerns and problems.
1/3 of the bounty for a lawyer before starting that contest and 2/3 as a prize would also have been a good choice.


He already has control of the website. http://www.nuovocard.com/hacking-challenge/

neha (OP)
August 11, 2014, 10:24:54 AM
 #15

Quote from: dKingston on August 11, 2014, 10:15:33 AM
Furthermore:
Who knows, maybe you just hacked their email and now start such a contest so that others hack their server?


The contest is on our website also. Rest assured that we are not hacked yet on this forum, and also an official press release is going out today.

Quote from: dKingston on August 11, 2014, 10:15:33 AM
Are you willing to escrow the prize?

Regarding escrow, escrow would make sense if we wanted to hide our identity or if we were an individual. We are a part of a big group. Moreover, the first part of the challenge is $200. Do you want me to put $200 in escrow? Moreover, we will not destroy our reputation for only $3000 when we have a lot more invested in this venture.

neha (OP)
August 14, 2014, 08:12:40 PM
 #16

Hello Guys. Just to inform everyone that the contest is now Live. We wish all the testers good luck.

neha (OP)
August 14, 2014, 08:49:47 PM
 #17

Quote:
$3000 is a lot of money, no doubt someone here is gonna hack your server to pieces ;)

Only thing I don't understand is why you would do this, unless you're a multi-millionaire or 100% confident it won't be hacked. Could hire a security expert for $3000 to make your site rock solid instead.

We hope someone hacks the server and tells us exactly. We have even made it easy for people, as if no one is able to find the IP address of the server, we will give it away. Theoretically, if no one finds the IP, they can't hack, but in the worst case scenario that someone finds the IP and tries to hack, we are simulating that event by giving away the IP. And of course we are confident, and of course we had a pen test done, and of course to your other comment.

Moreover, who says that hackers are not security consultants, especially when we can have multiple for only $3000???

Also, shouldn't we do everything possible to ensure that customer funds are always safe with us??? Do you really want another example of a Bitcoin Service getting Hacked?

howzar
August 14, 2014, 08:55:41 PM
 #18

Is it 104.28.3.120 ??
neha (OP)
August 14, 2014, 08:58:45 PM
 #19

Nope. You are trying to find the IP of the webserver, whereas the contest is about the app server. They are on completely different networks and they don't communicate with each other.

cooldgamer
August 14, 2014, 08:59:28 PM
 #20

Challenge accepted, been looking for a place to hone my skills :D
