
Topic: [ANN] h4xcomp - hack the server, get bitcoins (Read 3336 times)

mav
full member
Activity: 169
Merit: 107
Yeah there will definitely be more comps, but probably not for at least a couple of months yet. I've been working like crazy on a product, one which will actually earn me money. For now h4xcomp has helped me learn what I needed, so unfortunately priorities means it has been put on the backburner until I have more time for it.
hero member
Activity: 532
Merit: 500
Is there going to be another contest?
newbie
Activity: 27
Merit: 0
Wow, that was really quick.
Sadly I'm no python developer :/

I hope there will be a general security bounty.

Thanks for this interesting stuff :)

kind regards,
a nice guy
mav
full member
Activity: 169
Merit: 107
The second round was a quick one - the server has been hacked. Once the prize is claimed, standby for round 3. This one was a bit of a giveaway, but glad to have done so.
member
Activity: 60
Merit: 10
Nice one! I hope you'll have a lot of success, letting people hack your site is the best way to gain experience!

Also, I'll be watching it closely, I'm looking forward to another round (and looking around for other exploits silently :-))
mav
full member
Activity: 169
Merit: 107
REF
hero member
Activity: 529
Merit: 500
mav
full member
Activity: 169
Merit: 107
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.

I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.

Good point, I will update it with this info. Sounds obvious now you say it, good to get these things sorted out now rather than later. Thanks for picking that up and posting.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
I was looking at the details page, and one conclusion you came to was that bitcoind running as root was more secure than bitcoind running as www-data. However, I don't think either is correct; bitcoind should run as its own user in its own group for the most ideal security. The reason is that if somehow it became possible to cause the bitcoind process to execute arbitrary code via some kind of exploit, it would be contained inside the dedicated user and group (theoretically), instead of being allowed to run rampant as root.

I am fairly sure it doesn't need root privileges to run, but if it does you can then use a chroot jail for the best security.
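
The least-privilege point in the post above, as an added example that is not part of the original thread: a shell check over `ps -eo user,group,comm` output that flags a daemon running as root or under an account that also runs other processes. The sample process table is constructed, and treating "runs nothing else" as the test for a dedicated account is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Constructed sample of `ps -eo user,group,comm` output.
SAMPLE_PS='USER     GROUP    COMMAND
root     root     sshd
www-data www-data apache2
www-data www-data bitcoind
bitcoin  bitcoin  bitcoind
root     root     bitcoind'

# audit_daemon NAME
# Reads ps-style text (user group command) on stdin and prints one line
# per process called NAME: "user:group VERDICT".
#   FAIL-root     runs as root (user or group): a compromise owns the host
#   FAIL-shared   account also runs other commands (e.g. the web server),
#                 so a compromise of either process reaches the other
#   OK-dedicated  account runs nothing but this daemon (assumed criterion)
audit_daemon() {
    awk -v name="$1" '
        NR == 1 { next }                      # skip the ps header row
        $3 != name { other[$1] = 1; next }    # this user runs something else
        { n++; user[n] = $1; group[n] = $2 }  # remember each matching process
        END {
            for (i = 1; i <= n; i++) {
                u = user[i]; g = group[i]
                if (u == "root" || g == "root") v = "FAIL-root"
                else if (u in other)            v = "FAIL-shared"
                else                            v = "OK-dedicated"
                print u ":" g, v
            }
        }'
}

# Run against the constructed sample; on a live host use:
#   ps -eo user,group,comm | audit_daemon bitcoind
printf '%s\n' "$SAMPLE_PS" | audit_daemon bitcoind
```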
mav
full member
Activity: 169
Merit: 107
Reward is now 5 BTC for a successful hack. See the winner link on the homepage at http://www.h4xcomp.com/ for details on the successful tactic.
mav
full member
Activity: 169
Merit: 107
The first competition has been successfully completed. Once the prize is awarded I'll post a report about the method and the fix, and start it off again with a bigger prize.
sr. member
Activity: 336
Merit: 250
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)
More importantly, do they get declared winners if they do?  :P
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)

I lol'ed.
newbie
Activity: 7
Merit: 0
mav: http://blockexplorer.com/testnet/tx/1cb46705abbf2b9add985c68ea78867a3f879a1e0efc9a231c607e4fd80be74c - 100 testnet BTC moved.

Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

The server is on Linode; does that mean Linode will cheat using their backdoors? :)
mav
full member
Activity: 169
Merit: 107
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)

Haha I'm actually learning how to prevent that happening, which is why I set the competition up; so I can learn from my sacrificial server being hacked. I hope very much not to repeat the problems faced by Linode, or for that matter Mt Gox in the early days, or, dare I say it, bitscalper  ::)

Once I get past this initial competition being won (gotta provide some incentive) I'll ramp it up and am actually going to sink some decent money into it so I can try to get some solid hacks happening and hopefully learn how to prevent them in the future. The more I learn, the harder it gets to hack, the more the prize goes up.
hero member
Activity: 588
Merit: 500
Hero VIP ultra official trusted super staff puppet
Hehe. If OP is doing what I think he's doing, we're going to see another Linode-style hack here in a few months thanks to one of these "challenges".  ;)
mav
full member
Activity: 169
Merit: 107
yeah sorry been dicking around with the server a bit in the past couple of hours... still getting my head around what I'm trying to achieve. looks like I've got it on track now.

Also I have confirmed the exploit, it wasn't easy but it's definitely there.

Wallet will have coins in 6 confirms from now...
newbie
Activity: 7
Merit: 0
I can now see an accessible wallet, but it has no (testnet) money?