Bitcoin Forum
December 10, 2016, 11:14:21 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: [ANN] h4xcomp - hack the server, get bitcoins  (Read 2917 times)
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 07, 2012, 07:00:16 AM
 #1

UPDATE 27 Aug 2012

h4xcomp has been taken offline as there is no longer any reason for me to keep it running. I don't have the time to commit to it and have learned what I needed from it. Thanks to everyone who took part, it was great fun for me and I hope fun for you too.

---------

I'm pleased to announce a new project

http://www.h4xcomp.com/

The aim of the project is to increase my knowledge about running a well-secured website (especially one with bitcoin). I have included some novel and potentially security-breaking features which I plan to incorporate into a much larger project. Whilst the focus of the project is not purely bitcoin, I will be putting a fair bit of attention on the bitcoin side of things to start with. I am seeking data from this side-project to help make the larger project as secure and easily-managed as possible. I will make the knowledge I gain from h4xcomp available so that others can learn from the hacks that are (hopefully) perpetrated on the server.

I'm also using the site to fine-tune some of the novel techniques that are being used on my other project, such as the multi-lingual feature. If you notice that it seems a bit strange at times, I am only an English speaking person and have auto-translated all the other languages. As a result, the English is also on the more simple side of things to ensure that translations are least affected by grammatical complexity. I hope to trial some sort of 'give me human-translation for some reward' sometime in the future. There are so many things that I hope to experiment with on h4xcomp...

This project is only a couple of days old, however I hope over the next months it will provide a lot of interesting data and will be a useful resource for other developers who want to understand the additional security necessities when doing something a bit different with their servers.

The first prize is somewhat small as I have done very little to the server to secure it and expect that it will be hacked relatively easily. As the security improves and the difficulty increases, the prizes will become greater. I am funding this entirely from my own pocket for my own interest and learning.

More competitions are in the works. Hopefully this provides some geeky entertainment to the 1337 crews out there.

Feedback is welcome.

Edit:
I haven't tested the site on Internet Explorer cause I don't have a copy of it. I am about 100% sure it won't display as intended, however it should display at least the content since the site isn't that complex.
1481368461
Hero Member
*
Offline Offline

Posts: 1481368461

View Profile Personal Message (Offline)

Ignore
1481368461
Reply with quote  #2

1481368461
Report to moderator
1481368461
Hero Member
*
Offline Offline

Posts: 1481368461

View Profile Personal Message (Offline)

Ignore
1481368461
Reply with quote  #2

1481368461
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481368461
Hero Member
*
Offline Offline

Posts: 1481368461

View Profile Personal Message (Offline)

Ignore
1481368461
Reply with quote  #2

1481368461
Report to moderator
Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
May 07, 2012, 09:21:12 AM
 #2

Are you interested in competitions for other, third party configurations?

For instance, if there was enough people that used the OSCommerce Bitcoin Payment Module who were to put together a bounty to learn if it had any vulnerabilities, would that be something you'ld consider offering?

mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 07, 2012, 09:33:58 AM
 #3

Absolutely. This project is as much for the community as it is for myself. If anyone has ideas for competitions I am happy to hear of them. Of course, being a side project, I cannot make any promises about when they will happen, but I consider this kind of information to be useful and important for people and businesses offering services surrounding bitcoin.
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 08, 2012, 05:14:45 AM
 #4

There is definitely a hole in this site, I am waiting for it to be exploited... not necessarily easy to find, but clues will be released progressively since I want to see it compromised before I plug the hole and see the real nerds have a crack.

And thanks for this post whoever made it:

http://cnbtcnews.com/tag/h4xcomp
mb300sd
Legendary
*
Offline Offline

Activity: 1232

Drunk Posts


View Profile WWW
May 08, 2012, 11:57:20 PM
 #5

Don't know any python, but listing directories and finding wallet.dat shouldn't be too difficult if you can upload and execute scripts.

Did find a hidden ssh server on port 55555, and that you already masked the Server: response header. Since this is a competition, kinda hints that there might be a possible server exploit as the next task?

1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
chsx3
Newbie
*
Offline Offline

Activity: 7


View Profile
May 09, 2012, 07:46:57 AM
 #6

Is it necessary to brute force any credentials, or exploit a process running as root / suid root binary? If not, I'm stumped, so I guess I'm waiting for the first clue :)
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 09, 2012, 07:56:36 AM
 #7

No - I don't see the point in brute force competitions, and I only plan to release competitions that are based on cleverness... ie anyone with any sort of computer+internet could get the prize if they have the smarts.

I will put up a guide with this kind of info as it comes to light, this is a good point that should be made clearer on the site. thanks for pointing it out.
a nice guy
Newbie
*
Offline Offline

Activity: 27


View Profile
May 09, 2012, 06:35:45 PM
 #8

Challenge accepted Wink

kind regards,
a nice guy

1PqBH6NWFBhbVF7Srw5ZYGtmLcya1aaw9g
security audits (http://bitcointalk.org/index.php?topic=75684)
pgp: 0x77DA3A9A @ pgp.mit.edu (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x83F5BD9E77DA3A9A)
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 10, 2012, 10:47:42 AM
 #9

The first clue is up. Find it on the homepage http://www.h4xcomp.com/

Interesting entries so far, keep them coming. I look forward to writing the first report on the successful hack. There has been lots of interesting stuff coming in. Be sure that round 2 will be much much harder and the reward will reflect that (ie will be much bigger), so let's get this first one out of the way!
chsx3
Newbie
*
Offline Offline

Activity: 7


View Profile
May 10, 2012, 11:34:47 AM
 #10

Damn, not the clue I was looking for - I'd already got that far ;)

I've scoured the filesystem (well, /etc and /var mainly) and the 'localisation' postgres database, but can't find any trace of the bitcoind JSON-RPC credentials :(

I must be making this seem harder than it actually is..

Good luck to everyone else!
chsx3
Newbie
*
Offline Offline

Activity: 7


View Profile
May 10, 2012, 01:25:58 PM
 #11

I can now see an accessible wallet, but it has no (testnet) money?
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 10, 2012, 01:35:05 PM
 #12

yeah sorry been dicking around with the server a bit in the past couple of hours... still getting my head around what I'm trying to achieve. looks like I've got it on track now.

Also I have confirmed the exploit, it wasn't easy but it's definitely there.

Wallet will have coins in 6 confirms from now...
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
May 10, 2012, 01:38:24 PM
 #13

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  Wink

mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 10, 2012, 01:47:47 PM
 #14

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  Wink

Haha I'm actually learning how to prevent that happening, which is why I set the competition up; so I can learn from my sacrificial server being hacked. I hope very much not to repeat the problems faced by linode, or for that matter Mt Gox in the early days, or, dare I say it, bitscalper  Roll Eyes

Once I get past this initial competition being won (gotta provide some incentive) I'll ramp it up and am actually going to sink some decent money into it so I can try to get some solid hacks happening and hopefully learn how to prevent them in the future. The more I learn, the harder it gets to hack, the more the prize goes up.
chsx3
Newbie
*
Offline Offline

Activity: 7


View Profile
May 10, 2012, 02:04:49 PM
 #15

mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)
Matthew N. Wright
Untrustworthy
Hero Member
*****
Offline Offline

Activity: 588


Hero VIP ultra official trusted super staff puppet


View Profile
May 10, 2012, 03:19:22 PM
 #16

mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  Wink

The server is on Linode; does that mean Linode will cheat using their backdoors? Smiley

I lol'ed.

Shadow383
Sr. Member
****
Offline Offline

Activity: 336


View Profile
May 10, 2012, 09:08:33 PM
 #17

mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  Wink

The server is on Linode; does that mean Linode will cheat using their backdoors? Smiley
More importantly, do they get declared winners if they do?  Tongue
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 11, 2012, 02:20:06 AM
 #18

The first competition has been successfully completed. Once the prize is awarded I'll post a report about the method and the fix, and start it off again with a bigger prize.
mav
Full Member
***
Offline Offline

Activity: 168


View Profile
May 13, 2012, 02:56:31 AM
 #19

Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
May 13, 2012, 03:12:37 AM
 #20

Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.

I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!