Nuovocard Hacking Contest - Hack Us for $3000 (Bounty) - Phase 2 Started

[neha]

Challenge accepted, been looking for a place to hone my skills

Awesome, make sure you review the instructions of sending the email and communicating with the server. The only way you can reach the server is to send an email to hack@nuovocard.com with subject as 'transfer' and you will get a Testnet Transaction ID back.

Also, currently we have the server set to check mail every 30 seconds as we dont expect too much traffic. So please wait for 30 seconds to get a reply.

[neha]

Well, I'll give it a shot. I'm not a hacker, but I have lots of experience with MS paint. If a poorly drawn MS paint picture of goatse shows up on your site you know who did it.

Hey, remember the challenge is not to hack the webserver. If you are able to hack the app server...make sure you leave a text file in the home folder with you email address.

[deydod]

IP is: 64.233.166.121

Location:
City:   Mountain View
Country:   United States
State: California

Am I right?

[neha]

IP is: 64.233.166.121

Location:
City:   Mountain View
Country:   United States
State: California

Am I right?

Nope. Thats Google I think.

Update : Yeah that is google. http://64.233.166.121.ipaddress.com/.

Please check who does the IP belong to before you post. Our server currently is not on Google.

[BitCoinDream]

Hi Neha, HappY Independence Day

You have chosen a great day to kickstart the hackathon. As I understand, u dont want us to find where Nuovocard.com is running, i.e. the web server. U want us to find out the server IP from where the mail is originating. Am I wrong ?

[MakeBelieve]

Hi Neha, HappY Independence Day

You have chosen a great day to kickstart the hackathon. As I understand, u dont want us to find where Nuovocard.com is running, i.e. the web server. U want us to find out the server IP from where the mail is originating. Am I wrong ?

That's what he is asking you to do...I'm going to give this a shot!

[BitCoinDream]

Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?

[cooldgamer]

Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?

They are testnet transactions, so you need to use a testnet block explorer

http://blockexplorer.com/testnet/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa

[BitCoinDream]

Nothing is getting deposited to https://blockchain.info/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa and blockchain.info is showing that the Tx hash u have sent does not exist. Is the App properly configured on your app server ?

They are testnet transactions, so you need to use a testnet block explorer

http://blockexplorer.com/testnet/address/mrm4AN6uAExNgXbRtqVL5tA4RmVxR2QtMa

Oops ...sorry. Missed it. Feeling sleepy. By the way, they are most likely using Google server to sign mails, as it appears from the mail header. Can we get IP behind Google ? Most probably no by any known technology, but may be possible by social engineering.

[ForgottenPassword]

nuovocard.com is registered to use Google Apps. The emails are arriving into gmail and their server is SMTP'ing in and getting them.

Only way to get the IP would be to hack their Google Apps account.

[virtualx]

Is it 10.229.74.74 ?

[neha]

We Wish A Happy Independence Day to all Indians.

Is it 10.229.74.74 ?

Nope. Ill give a hint, the IP Address ends with 13.

nuovocard.com is registered to use Google Apps. The emails are arriving into gmail and their server is SMTP'ing in and getting them.

Only way to get the IP would be to hack their Google Apps account.

If thats what it takes, please try that too.

[Nico205]

I cannot view the transaction in the testnet blockchain explorer.

[neha]

I cannot view the transaction in the testnet blockchain explorer.

http://tbtc.blockr.io/tx/info/0077907e9eee7a211de25feef9997ba0c348b8aee85319f7c541ce635757bad4

[Nico205]

I cannot view the transaction in the testnet blockchain explorer.

http://tbtc.blockr.io/tx/info/0077907e9eee7a211de25feef9997ba0c348b8aee85319f7c541ce635757bad4

thx

[Nico205]

Is your server located by hetzner ?

[neha]

Nope...amazon. Already disclosed that earlier.

All the best.

[Nico205]

Can you please sent me the jar file of your application ?

[neha]

Can you please sent me the jar file of your application ?

There is still time for that part of the contest. There are atleast 23 people trying and it wont be fair to them. Also, I have discussed with the team and jar wont be necessary. We will post the instructions and server config later and you would be able to simulate our server. Lets give everyone the time promised. Who knows, someone might just hack our email address and get the IP.

You would not believe this but earlier this whole system was designed using a Web Interface with app and everything and then everything was scrapped by my partner as he thought that whatever we do, we cannot be as safe as Google and so he made us do everything again just to keep security as the highest concern. Moreover, he found 2fa on phone apps too cumbersome. I guess thats why most companies dont have 2fa on their mobile apps.

[neha]

Tor is used with Bitcoind.