Topic: [ANN] h4xcomp - hack the server, get bitcoins - page 2. (Read 3336 times)

newbie
Activity: 7
Merit: 0
Damn, not the clue I was looking for - I'd already got that far ;)

I've scoured the filesystem (well, /etc and /var mainly) and the 'localisation' postgres database, but can't find any trace of the bitcoind JSON-RPC credentials :(

I must be making this seem harder than it actually is...

Good luck to everyone else!
mav
full member
Activity: 169
Merit: 107
The first clue is up. Find it on the homepage http://www.h4xcomp.com/

Interesting entries so far, keep them coming. I look forward to writing the first report on the successful hack. There has been lots of interesting stuff coming in. Be sure that round 2 will be much much harder and the reward will reflect that (ie will be much bigger), so let's get this first one out of the way!
newbie
Activity: 27
Merit: 0
Challenge accepted ;)

kind regards,
a nice guy
mav
full member
Activity: 169
Merit: 107
No - I don't see the point in brute force competitions, and I only plan to release competitions that are based on cleverness... i.e. anyone with any sort of computer+internet could get the prize if they have the smarts.

I will put up a guide with this kind of info as it comes to light. This is a good point that should be made clearer on the site. Thanks for pointing it out.
newbie
Activity: 7
Merit: 0
Is it necessary to brute force any credentials, or exploit a process running as root / suid root binary? If not, I'm stumped, so I guess I'm waiting for the first clue :)
legendary
Activity: 1260
Merit: 1000
Drunk Posts
Don't know any python, but listing directories and finding wallet.dat shouldn't be too difficult if you can upload and execute scripts.

Did find a hidden ssh server on port 55555, and that you already masked the Server: response header. Since this is a competition, kinda hints that there might be a possible server exploit as the next task?
mav
full member
Activity: 169
Merit: 107
There is definitely a hole in this site, I am waiting for it to be exploited... not necessarily easy to find, but clues will be released progressively since I want to see it compromised before I plug the hole and see the real nerds have a crack.

And thanks for this post whoever made it:

http://cnbtcnews.com/tag/h4xcomp
mav
full member
Activity: 169
Merit: 107
Absolutely. This project is as much for the community as it is for myself. If anyone has ideas for competitions I am happy to hear of them. Of course, being a side project, I cannot make any promises about when they will happen, but I consider this kind of information to be useful and important for people and businesses offering services surrounding bitcoin.
legendary
Activity: 2506
Merit: 1010
Are you interested in competitions for other, third party configurations?

For instance, if there were enough people who used the OSCommerce Bitcoin Payment Module and who were to put together a bounty to learn if it had any vulnerabilities, would that be something you'd consider offering?
mav
full member
Activity: 169
Merit: 107
UPDATE 27 Aug 2012

h4xcomp has been taken offline as there is no longer any reason for me to keep it running. I don't have the time to commit to it and have learned what I needed from it. Thanks to everyone who took part, it was great fun for me and I hope fun for you too.

---------

I'm pleased to announce a new project

http://www.h4xcomp.com/

The aim of the project is to increase my knowledge about running a well-secured website (especially one with bitcoin). I have included some novel and potentially security-breaking features which I plan to incorporate into a much larger project. Whilst the focus of the project is not purely bitcoin, I will be putting a fair bit of attention on the bitcoin side of things to start with. I am seeking data from this side-project to help make the larger project as secure and easily-managed as possible. I will make the knowledge I gain from h4xcomp available so that others can learn from the hacks that are (hopefully) perpetrated on the server.

I'm also using the site to fine-tune some of the novel techniques that are being used on my other project, such as the multi-lingual feature. If you notice that it seems a bit strange at times, I am only an English speaking person and have auto-translated all the other languages. As a result, the English is also on the more simple side of things to ensure that translations are least affected by grammatical complexity. I hope to trial some sort of 'give me human-translation for some reward' sometime in the future. There are so many things that I hope to experiment with on h4xcomp...

This project is only a couple of days old, however I hope over the next months it will provide a lot of interesting data and will be a useful resource for other developers who want to understand the additional security necessities when doing something a bit different with their servers.

The first prize is somewhat small as I have done very little to the server to secure it and expect that it will be hacked relatively easily. As the security improves and the difficulty increases, the prizes will become greater. I am funding this entirely from my own pocket for my own interest and learning.

More competitions are in the works. Hopefully this provides some geeky entertainment to the 1337 crews out there.

Feedback is welcome.

Edit:
I haven't tested the site on Internet Explorer because I don't have a copy of it. I am about 100% sure it won't display as intended; however, it should display at least the content since the site isn't that complex.