|
mav (OP)
|
 |
May 07, 2012, 07:00:16 AM
Last edit: August 27, 2012, 05:10:39 AM by mav |
|
UPDATE 27 Aug 2012h4xcomp has been taken offline as there is no longer any reason for me to keep it running. I don't have the time to commit to it and have learned what I needed from it. Thanks to everyone who took part, it was great fun for me and I hope fun for you too. --------- I'm pleased to announce a new project http://www.h4xcomp.com/The aim of the project is to increase my knowledge about running a well-secured website (especially one with bitcoin). I have included some novel and potentially security-breaking features which I plan to incorporate into a much larger project. Whilst the focus of the project is not purely bitcoin, I will be putting a fair bit of attention on the bitcoin side of things to start with. I am seeking data from this side-project to help make the larger project as secure and easily-managed as possible. I will make the knowledge I gain from h4xcomp available so that others can learn from the hacks that are (hopefully) perpetrated on the server. I'm also using the site to fine-tune some of the novel techniques that are being used on my other project, such as the multi-lingual feature. If you notice that it seems a bit strange at times, I am only an English speaking person and have auto-translated all the other languages. As a result, the English is also on the more simple side of things to ensure that translations are least affected by grammatical complexity. I hope to trial some sort of 'give me human-translation for some reward' sometime in the future. There are so many things that I hope to experiment with on h4xcomp... This project is only a couple of days old, however I hope over the next months it will provide a lot of interesting data and will be a useful resource for other developers who want to understand the additional security necessities when doing something a bit different with their servers. The first prize is somewhat small as I have done very little to the server to secure it and expect that it will be hacked relatively easily. As the security improves and the difficulty increases, the prizes will become greater. I am funding this entirely from my own pocket for my own interest and learning. More competitions are in the works. Hopefully this provides some geeky entertainment to the 1337 crews out there. Feedback is welcome. Edit: I haven't tested the site on Internet Explorer cause I don't have a copy of it. I am about 100% sure it won't display as intended, however it should display at least the content since the site isn't that complex.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The Bitcoin network protocol was designed to be extremely flexible. It can be used to create timed transactions, escrow transactions, multi-signature transactions, etc. The current features of the client only hint at what will be possible in the future.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
Stephen Gornick
Legendary
 Offline
Activity: 2506
Merit: 1010
|
|
May 07, 2012, 09:21:12 AM |
|
Are you interested in competitions for other, third party configurations?
For instance, if there was enough people that used the OSCommerce Bitcoin Payment Module who were to put together a bounty to learn if it had any vulnerabilities, would that be something you'ld consider offering?
|
|
|
|
|
mav (OP)
|
|
May 07, 2012, 09:33:58 AM |
|
Absolutely. This project is as much for the community as it is for myself. If anyone has ideas for competitions I am happy to hear of them. Of course, being a side project, I cannot make any promises about when they will happen, but I consider this kind of information to be useful and important for people and businesses offering services surrounding bitcoin.
|
|
|
|
|
|
mav (OP)
|
|
May 08, 2012, 05:14:45 AM |
|
There is definitely a hole in this site, I am waiting for it to be exploited... not necessarily easy to find, but clues will be released progressively since I want to see it compromised before I plug the hole and see the real nerds have a crack. And thanks for this post whoever made it: http://cnbtcnews.com/tag/h4xcomp |
|
|
|
|
mb300sd
Legendary
Offline
Activity: 1260
Merit: 1000
Drunk Posts
|
|
May 08, 2012, 11:57:20 PM |
|
Don't know any python, but listing directories and finding wallet.dat shouldn't be too difficult if you can upload and execute scripts.
Did find a hidden ssh server on port 55555, and that you already masked the Server: response header. Since this is a competition, kinda hints that there might be a possible server exploit as the next task?
|
1D7FJWRzeKa4SLmTznd3JpeNU13L1ErEco
|
|
|
chsx3
Newbie
Offline
Activity: 7
Merit: 0
|
|
May 09, 2012, 07:46:57 AM |
|
Is it necessary to brute force any credentials, or exploit a process running as root / suid root binary? If not, I'm stumped, so I guess I'm waiting for the first clue :)
|
|
|
|
|
|
mav (OP)
|
|
May 09, 2012, 07:56:36 AM |
|
No - I don't see the point in brute force competitions, and I only plan to release competitions that are based on cleverness... ie anyone with any sort of computer+internet could get the prize if they have the smarts.
I will put up a guide with this kind of info as it comes to light, this is a good point that should be made clearer on the site. thanks for pointing it out.
|
|
|
|
|
a nice guy
Newbie
Offline
Activity: 27
Merit: 0
|
|
May 09, 2012, 06:35:45 PM |
|
Challenge accepted  kind regards, a nice guy |
|
|
|
|
|
mav (OP)
|
|
May 10, 2012, 10:47:42 AM |
|
The first clue is up. Find it on the homepage http://www.h4xcomp.com/Interesting entries so far, keep them coming. I look forward to writing the first report on the successful hack. There has been lots of interesting stuff coming in. Be sure that round 2 will be much much harder and the reward will reflect that (ie will be much bigger), so let's get this first one out of the way! |
|
|
|
|
chsx3
Newbie
Offline
Activity: 7
Merit: 0
|
|
May 10, 2012, 11:34:47 AM |
|
Damn, not the clue I was looking for - I'd already got that far ;)
I've scoured the filesystem (well, /etc and /var mainly) and the 'localisation' postgres database, but can't find any trace of the bitcoind JSON-RPC credentials :(
I must be making this seem harder than it actually is..
Good luck to everyone else!
|
|
|
|
|
chsx3
Newbie
Offline
Activity: 7
Merit: 0
|
|
May 10, 2012, 01:25:58 PM |
|
I can now see an accessible wallet, but it has no (testnet) money?
|
|
|
|
|
|
mav (OP)
|
|
May 10, 2012, 01:35:05 PM |
|
yeah sorry been dicking around with the server a bit in the past couple of hours... still getting my head around what I'm trying to achieve. looks like I've got it on track now.
Also I have confirmed the exploit, it wasn't easy but it's definitely there.
Wallet will have coins in 6 confirms from now...
|
|
|
|
|
Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
|
|
May 10, 2012, 01:38:24 PM |
|
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges". |
|
|
|
|
mav (OP)
|
|
May 10, 2012, 01:47:47 PM |
|
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges". Haha I'm actually learning how to prevent that happening, which is why I set the competition up; so I can learn from my sacrificial server being hacked. I hope very much not to repeat the problems faced by linode, or for that matter Mt Gox in the early days, or, dare I say it, bitscalper  Once I get past this initial competition being won (gotta provide some incentive) I'll ramp it up and am actually going to sink some decent money into it so I can try to get some solid hacks happening and hopefully learn how to prevent them in the future. The more I learn, the harder it gets to hack, the more the prize goes up. |
|
|
|
|
|
|
Matthew N. Wright
Untrustworthy
Hero Member
Offline
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
|
|
May 10, 2012, 03:19:22 PM |
|
|
|
|
|
|
Shadow383
|
|
May 10, 2012, 09:08:33 PM |
|
More importantly, do they get declared winners if they do?  |
|
|
|
|
|
mav (OP)
|
|
May 11, 2012, 02:20:06 AM |
|
The first competition has been successfully completed. Once the prize is awarded I'll post a report about the method and the fix, and start it off again with a bigger prize.
|
|
|
|
|
|
mav (OP)
|
|
May 13, 2012, 02:56:31 AM |
|
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic. |
|
|
|
|
rjk
Sr. Member
Offline
Activity: 448
Merit: 250
1ngldh
|
|
May 13, 2012, 03:12:37 AM |
|
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic. I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root. I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security. |
|
|
|
|
